Hello community!
This is my first try with Elastic; I am still learning and reading the documentation, but I decided to ask a question in parallel with my studies.
I got a task to collect events from ~100 Windows servers.
I've installed Elastic and Kibana on a server, and Winlogbeat as an agent on a Windows VM.
In the default installation I got the data stream "winlogbeat-8.13.2" and the index lifecycle policy "winlogbeat".
At this point everything works perfectly right out of the box.
Now the tricky part. I want to be able to manage lifecycle policies per monitored VM/group of VMs.
For example:
server01 – store events for 7 days and then delete them
server02 – store events for 30 days and then delete them
group of servers server03-server10 – store events for 90 days and then delete them.
etc.
And I want to have a dashboard which will show how much disk space all events consume per server, so maybe I need a separate data stream for each VM.
Can you suggest how to achieve this kind of configuration?