We have the following configuration in our elasticsearch.yml file. Is there any way we can limit the audit logs to be stored only for the last 2 weeks.
xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ index, logfile ]
xpack.security.audit.logfile.events.emit_request_body: true
ES version: 7.3.2
X-pack tier: Platinum pack
Here is an approach that can provide a solution. you have to index the data in a daily index. 1 index per day. Then, either you use the curator tool to define a retention date of 2 weeks (either 2 * 7 days = 14 days), or you create a script that will do this job.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.