I have setup a deployment for elasticsearch and I been able to make it work with winlogbeat to capture specific events, But I'm not sure how to rotate the logs with the index lifecycle management policies I'm not sure how to make it work and be able to rotate logs after certain amount of data, I don't even know if I'm doing this correctly. I don't know if anyone can point me to the right direction.
This is the one I'm editing, I'm capturing 6 months of data and my idea is to overwrite the index when the limit is reached not cold phase or archiving.
The hot phase with rollover is how large your indices / shards should be when you trigger the "rotation". The default of 50GB is a good starting point per shard.
In the delete phase you would specify the 180 days (that is 180 days after the rollover).
Optionally you could add additional phases (warm, cold, frozen) in between to optimize the shards (shrink the number of primary shards might make sense) or move the data to different hardware profiles; on the new and hot data you'll do all your index operations and probably most of your searches, while older data only gets reads every now and then — there you could keep more data per node or have spinning disk instead of SSDs (if your cluster is large enough to make sense for this).
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
