We have the following configuration in our elasticsearch.yml file. Is there any way we can limit the audit logs to be stored only for the last 2 weeks?
xpack.security.audit.outputs: [ index, logfile ]
ES version: 7.3.2
X-pack tier: Platinum pack
Here is an approach that can provide a solution. You have to index the data in a daily index, 1 index per day. Then, either you use the Curator tool to define a retention date of 2 weeks (2 * 7 days = 14 days), or you create a script that will do this job.
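As an added illustration of the "script that will do this job" option (this is not code from the thread or from Elastic), the following stdlib-only Python keeps the last 14 daily audit indices and deletes older ones, using Curator's age semantics (an index is expired when it is strictly older than the retention window). It assumes the daily index audit output is named `.security_audit_log-YYYY.MM.DD` and that the cluster URL and any authentication are supplied by you; the `purge` function is a dry run by default.

```python
# Added example, not from the original thread: prune daily audit indices
# older than a retention window. PREFIX and the cluster URL are assumptions.
import json
import re
from datetime import date
from urllib.request import Request, urlopen

PREFIX = ".security_audit_log-"   # assumed 7.x index audit output naming
RETENTION_DAYS = 14               # 2 weeks, as suggested in the answer above
DATE_RE = re.compile(r"^(\d{4})\.(\d{2})\.(\d{2})$")


def index_date(name, prefix=PREFIX):
    """Return the date encoded in a daily index name, or None if it does not match."""
    if not name.startswith(prefix):
        return None
    m = DATE_RE.match(name[len(prefix):])
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:  # e.g. month 13: unparsable suffix, never delete it
        return None


def select_expired(indices, today, retention_days=RETENTION_DAYS, prefix=PREFIX):
    """Names whose day is strictly older than the retention window (Curator-style age filter)."""
    expired = []
    for name in indices:
        d = index_date(name, prefix)
        if d is not None and (today - d).days > retention_days:
            expired.append(name)
    return sorted(expired)


def purge(base_url, today=None, dry_run=True, retention_days=RETENTION_DAYS, prefix=PREFIX):
    """List matching indices via _cat/indices, then delete the expired ones (dry run by default)."""
    today = today or date.today()
    # For a secured cluster add an Authorization header (basic auth or API key) to both requests.
    req = Request(f"{base_url}/_cat/indices/{prefix}*?h=index&format=json")
    with urlopen(req) as resp:
        names = [row["index"] for row in json.load(resp)]
    expired = select_expired(names, today, retention_days, prefix)
    for name in expired:
        if dry_run:
            print("would delete", name)
        else:
            urlopen(Request(f"{base_url}/{name}", method="DELETE")).close()
    return expired


if __name__ == "__main__":
    purge("http://localhost:9200")  # constructed URL; pass dry_run=False to actually delete
```

Run it from cron once a day after the audit index has rolled over; check the dry-run output first so a naming difference on your cluster does not select the wrong indices.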