Hi,
Lifecycle policies for logs (name: Logs) are managed by Fleet. It is recommended not too edit this policy. But data in the logs will stay forever (see screenshot) and not deleted after x days, as usual.
So eventually every logs will grow too big.
What to do?
Thanks,
Herman
I think if you scroll down it will show a delete action?
Hi Mark,
Thanks for your answer.
Yes, normally there is a delete action, but only after changing the toggle in the hot phase section. And changing the toggle or the delete section mean a change and that's not recommended for this (fleet managed) policy, see in top of the screenshot.
Herman
I'm dealing with this issue for the first time as well, as I'm in the process of migrating to fleet. I've created a new policy, but how do I apply the policy to my logs-* data streams?
Thx.
Hi Doug,
Yes, for logs that's different, I don't know why.
You can find it easy:
Stack Management->Index Management->Data Streams and select one of ther logs-*. In the right corner you'll see the policy.
Herman
I found instructions for applying a policy to a specific data stream here. It's a pain, but it works well. One thing I did not do was create an individual component template for each data stream (step 2), I created generic logs-settings-default@custom and metrics-settings-default@custom component templates and applied them with a new index template (step 3).
I made certain to remove fleet_managed: true from everything, so Fleet shouldn't zap it. There's no reason it shouldn't work, but we'll see the first time I have to upgrade the agent. 
The one thing I'll need to be careful of when agents update is that where the new template specifies a pipeline, the pipeline is versioned, so I'll probably need to go through and update pipeline versions in the templates I've updated.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.