How to apply log retention policies to Elastic SIEM

anon67583212 · February 25, 2020, 8:42am

Good morning,

I am doing some tests with the product and I have just come across something, at least inconsistent: you cannot apply granular log retention policies. I mean, if you want to apply a 30-day retention policy for logs coming from sourceA and 20-day, for example, for logs coming from sourceB, this is not possible because a single index (filebeat-release-date) is used. Am I right?

Exists some procedure or tip to apply diferent retention policy depending which is the source?

Many thanks.

vinu89 · February 25, 2020, 9:19am

hi,

is the source A and source B shares the same logstash configuration..

anon67583212 · February 25, 2020, 9:46am

No, they are different log sources .....

Ramicoh · March 1, 2020, 10:06am

If each source is written to its own index life cycle management policy, then each of them can have its own retention period.

Both should use the same prefix in their pattern, so that they would be visible to the SIEM app.

system · March 29, 2020, 10:06am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.