How to apply log retention policies to Elastic SIEM

anon67583212 · February 25, 2020, 8:42am

Good morning,

I am doing some tests with the product and I have just come across something, at least inconsistent: you cannot apply granular log retention policies. I mean, if you want to apply a 30-day retention policy for logs coming from sourceA and 20-day, for example, for logs coming from sourceB, this is not possible because a single index (filebeat-release-date) is used. Am I right?

Exists some procedure or tip to apply diferent retention policy depending which is the source?

Many thanks.

vinu89 · February 25, 2020, 9:19am

hi,

is the source A and source B shares the same logstash configuration..

anon67583212 · February 25, 2020, 9:46am

No, they are different log sources .....

Ramicoh · March 1, 2020, 10:06am

If each source is written to its own index life cycle management policy, then each of them can have its own retention period.

Both should use the same prefix in their pattern, so that they would be visible to the SIEM app.

Topic		Replies	Views
Increased log retention for set of logs within an index Elasticsearch	4	466	September 5, 2022
Policy based on a term Elasticsearch	3	325	April 10, 2020
Saving documents in multiple indexes/Retention policy based on documents fields (Looking for ideas) Elasticsearch	1	194	April 8, 2022
If I have syslogs from multiple types of devices and multiple ILM policies, how should I structure these? Elasticsearch	1	349	October 14, 2019
Using Elasticsearch as a Data Lake and forwarding logs to SIEM based on the use cases implemented Elasticsearch	4	1320	December 11, 2022

How to apply log retention policies to Elastic SIEM

Related topics