How to apply log retention policies to Elastic SIEM

Good morning,

I am doing some tests with the product and I have just come across something that is, at least, inconsistent: you cannot apply granular log retention policies. I mean, if you want to apply a 30-day retention policy for logs coming from sourceA and, for example, a 20-day one for logs coming from sourceB, this is not possible because a single index (filebeat-release-date) is used. Am I right?

Is there some procedure or tip to apply different retention policies depending on which is the source?

Many thanks.


Do source A and source B share the same Logstash configuration?

No, they are different log sources .....

If each source is written to its own index with its own index life cycle management policy, then each of them can have its own retention period.

Both should use the same prefix in their pattern, so that they would be visible to the SIEM app.
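As an added illustration of the approach in this reply (this is example code, not something from the thread or from Elastic), the script below builds the Elasticsearch API calls that give each source its own index with its own ILM policy while keeping the `filebeat-` prefix the SIEM app's index pattern expects. It assumes Elasticsearch 7.8 or later (composable `_index_template` API), the constructed sources `sourcea` (30 days) and `sourceb` (20 days), a rollover alias per source, and a hypothetical `ES_URL` environment variable pointing at the cluster; the template priority value is an assumption and only needs to be higher than the stock Filebeat template's.

```python
"""Per-source log retention for Elastic SIEM via index lifecycle management.

Each source gets: an ILM policy (delete after N days), an index template that
binds filebeat-<source>-* to that policy, and a bootstrap index carrying the
write alias. All patterns keep the filebeat- prefix so the SIEM app sees them.
"""
import json
import os
import urllib.request

# Prefix covered by the SIEM app's default index pattern (filebeat-*).
SIEM_PREFIX = "filebeat-"

# Constructed example: per-source retention in days (not from the thread).
SOURCES = {"sourcea": 30, "sourceb": 20}


def index_name(source: str) -> str:
    """Alias / index base name for a source, e.g. filebeat-sourcea."""
    return f"{SIEM_PREFIX}{source}"


def ilm_policy(retention_days: int, max_age: str = "1d") -> dict:
    """Roll over daily; delete indices `retention_days` after rollover.

    min_age counts from rollover, so per-document retention lands between
    retention_days and retention_days + max_age. Tighten max_age if that
    slack matters for your retention requirement.
    """
    return {
        "policy": {
            "phases": {
                "hot": {"actions": {"rollover": {"max_age": max_age}}},
                "delete": {
                    "min_age": f"{retention_days}d",
                    "actions": {"delete": {}},
                },
            }
        }
    }


def index_template(source: str, policy_name: str) -> dict:
    """Composable template binding filebeat-<source>-* to its ILM policy."""
    alias = index_name(source)
    return {
        "index_patterns": [f"{alias}-*"],
        "template": {
            "settings": {
                "index.lifecycle.name": policy_name,
                "index.lifecycle.rollover_alias": alias,
            }
        },
        # Assumed value: must exceed the stock Filebeat template's priority
        # so the per-source lifecycle settings win on filebeat-<source>-*.
        "priority": 500,
    }


def bootstrap_index(source: str) -> dict:
    """First backing index; the alias must be the write index for rollover."""
    return {"aliases": {index_name(source): {"is_write_index": True}}}


def build_plan(sources: dict) -> list:
    """Ordered (method, path, body) calls: policy, then template, then index."""
    calls = []
    for source, days in sources.items():
        policy = f"{index_name(source)}-{days}d"
        calls.append(("PUT", f"/_ilm/policy/{policy}", ilm_policy(days)))
        calls.append(("PUT", f"/_index_template/{index_name(source)}",
                      index_template(source, policy)))
        calls.append(("PUT", f"/{index_name(source)}-000001",
                      bootstrap_index(source)))
    return calls


def all_siem_visible(calls: list) -> bool:
    """True if every template pattern keeps the SIEM prefix."""
    return all(
        pattern.startswith(SIEM_PREFIX)
        for _method, path, body in calls if path.startswith("/_index_template/")
        for pattern in body["index_patterns"]
    )


def apply_plan(calls: list, base_url: str, timeout: int = 10) -> None:
    """Send each call to the cluster (assumes no auth; add headers as needed)."""
    for method, path, body in calls:
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=json.dumps(body).encode(),
            method=method, headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()


if __name__ == "__main__":
    plan = build_plan(SOURCES)
    if not all_siem_visible(plan):
        raise SystemExit("a pattern lost the filebeat- prefix; SIEM would not see it")
    base = os.environ.get("ES_URL")  # hypothetical, e.g. http://localhost:9200
    if base:
        apply_plan(plan, base)
    else:  # dry run: print equivalent curl commands for review
        for method, path, body in plan:
            print(f"curl -X{method} \"$ES_URL{path}\" -H 'Content-Type: application/json' "
                  f"-d '{json.dumps(body)}'")
```

After the plan is applied, each shipper has to write to its own alias rather than the default Filebeat index: in Filebeat that is `output.elasticsearch.index: "filebeat-sourcea"` with `setup.ilm.enabled: false` and `setup.template.enabled: false` so Filebeat does not override the per-source lifecycle settings; in Logstash it is `index => "filebeat-sourcea"` in the `elasticsearch` output. Because both aliases still match `filebeat-*`, the SIEM app keeps seeing all the data while each source ages out on its own schedule.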
