How to apply log retention policies to Elastic SIEM

anon67583212 · February 25, 2020, 8:42am

Good morning,

I am doing some tests with the product and I have just come across something, at least inconsistent: you cannot apply granular log retention policies. I mean, if you want to apply a 30-day retention policy for logs coming from sourceA and 20-day, for example, for logs coming from sourceB, this is not possible because a single index (filebeat-release-date) is used. Am I right?

Exists some procedure or tip to apply diferent retention policy depending which is the source?

Many thanks.

vinu89 · February 25, 2020, 9:19am

hi,

is the source A and source B shares the same logstash configuration..

anon67583212 · February 25, 2020, 9:46am

No, they are different log sources .....

Ramicoh · March 1, 2020, 10:06am

If each source is written to its own index life cycle management policy, then each of them can have its own retention period.

Both should use the same prefix in their pattern, so that they would be visible to the SIEM app.

system · March 29, 2020, 10:06am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Saving documents in multiple indexes/Retention policy based on documents fields (Looking for ideas) Elasticsearch	1	183	April 8, 2022
Kibana SIEM and custom indexes SIEM	4	789	February 1, 2022
Specific retention duration for logs (Index Lifecycle Policy) Beats winlogbeat	2	406	December 7, 2021
Index lifecycle policy does not apply to newly created timeseries indexes Elasticsearch ilm-index-lifecycle-management	18	1923	August 11, 2021
Best practices for dynamic expiration Logstash	2	241	August 16, 2022

How to apply log retention policies to Elastic SIEM

Related topics