Hourly rotation of ArcSight Indexes

Hi! We are trying the Logstash ArcSight Module, and we are seeing it creates indexes like arcsight-yyyy.mm.dd, where yyyy-mm-dd is extracted from the deviceReceiveTime field of the CEF event.

Is there any way to configure it to index like arcsight-yyyy.mm.dd.hh, to have one index per hour per day?

We can't find the logstash output configuration, as it's embedded in the Module...

Thanks!

Why would you want to do that? How much data do you have being indexed per hour? Be aware that having lots of small indices and shards in the cluster is very inefficient.

Hi! Thanks for your quick answer, we expected aprox 50 GB per day, could be that with a daily index rotation will be enought, but we want also understand how Logstash ArcSight module works. Is there any way to tune it, outside the well know parameters documented?

Thanks!

50GB data per day should work with a single daily index with one or two primary shards.

This is a very broad question. Are you experiencing any performance problems?

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.