Log Retention Issue - Only 10 Days of Logs Kept, Need Assistance

Hi everyone,

I am facing an issue with log retention in my Elastic Stack setup and could use some help in troubleshooting it. Currently, my system is only retaining logs for 10 days, and after that, the logs are being deleted. I have checked several factors, including logrotate, crontab, and any external scripts that might be causing this behavior, but everything seems fine.

Here are some details about my environment:

  • Elastic Version: 8.6.2
  • Kibana Version: 8.6.2
  • Logstash Version: 8.6.2
  • Operating System: CentOS 8

My Logstash container configuration (docker-compose.yml):

  ...
  logstash:
    container_name: ip_logstash
    image: logstash:8.6.2
    ports:
      - '514:514/udp'
    environment:
      - xpack.monitoring.enabled=true
    volumes:
      - type: bind
        source: ./logstash/pipeline
        target: /usr/share/logstash/pipeline
        read_only: true
      - type: bind
        source: /tmp/devices_output_logs
        target: /var/log/syslog
        read_only: false
    ...

Any suggestions or insights into what might be causing the log retention issue would be highly appreciated. Has anyone encountered a similar problem or have any specific troubleshooting steps I can try?

Thank you in advance for your help!

Best regards

By "logs", do you mean Elasticsearch indices or the logs from the services?

Thank you for your response!

By "logs" I am referring to the logs generated by my services. These logs are processed by Logstash and are stored in both Elasticsearch and a designated folder inside the Logstash container.

The folder path within the Logstash container where the logs are stored is /var/log/syslog. Additionally, I have bind-mounted this folder to a local host folder, /tmp/devices_output_logs, so that the logs are also accessible on my CentOS 8 host.

Below is a snippet of my logstash.conf file:

input {
    # ... (input configuration)
}

output {
    elasticsearch {
        hosts => "elasticsearch:9200"
        index => "devices-logs-%{+YYYY-MM-dd}"
    }
    file {
        path => "/var/log/syslog/devices_output_logs-%{+YYYY-MM-dd}.log"
    }
}

I also edited the first post a little: in the code of the logstash service, I added the volume settings.
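An added check, not part of the thread and not Elastic's own tooling, for the file-output side of the setup described in the two posts above. The `file` output writes under /var/log/syslog inside the container, which the docker-compose.yml bind-mounts from /tmp/devices_output_logs on the CentOS 8 host. On CentOS/RHEL 8 the stock /usr/lib/tmpfiles.d/tmp.conf contains the rule `q /tmp 1777 root root 10d`, which makes systemd-tmpfiles-clean delete entries under /tmp that have not been touched for 10 days, so anything parked under /tmp is subject to that clock regardless of logrotate or cron. The script below takes a set of tmpfiles.d rules, reports which rule governs a given path and for how many days, and prints the drop-in (`x` rule) that excludes the log directory from cleaning. SAMPLE_RULES is constructed to mirror the stock file; the drop-in file name is an assumption. It says nothing about Elasticsearch retention, which is governed separately by whatever ILM policy is attached to the `devices-logs-*` indices.

```shell
#!/bin/sh
# Added example, not code from the thread. Works out which systemd-tmpfiles rule
# governs a path and how long that rule lets entries live before the cleaner removes
# them. SAMPLE_RULES is constructed to mirror the stock tmp.conf on CentOS/RHEL 8.
set -u

SAMPLE_RULES='# constructed sample, modelled on /usr/lib/tmpfiles.d/tmp.conf
q /tmp 1777 root root 10d
q /var/tmp 1777 root root 30d
x /tmp/systemd-private-*'

# tmpfiles_age_for_path RULES PATH
# Prints the Age field of the most specific clean rule (d/D/q/Q) whose path is PATH
# or an ancestor of it, or "none" when nothing applies or an x/X rule wins.
# Approximation: longest literal prefix wins and glob rules are matched literally,
# which is enough to see whether a log directory sits under an age-limited tree.
tmpfiles_age_for_path() {
  rules="$1"; target="$2"
  printf '%s\n' "$rules" | awk -v target="$target" '
    /^[[:space:]]*#/ { next }
    NF == 0 { next }
    {
      # Rule layout: Type Path Mode User Group Age Argument
      type = $1; p = $2; age = (NF >= 6) ? $6 : "-"
      sub("/$", "", p)
      if (p == target || index(target, p "/") == 1) {
        if (length(p) > best_len) { best_len = length(p); best_type = type; best_age = age }
      }
    }
    END {
      if (best_type ~ /^[dDqQ]$/ && best_age != "-") print best_age
      else print "none"
    }'
}

# tmpfiles_age_days AGE: convert an Age such as 10d, 2w or 36h to whole days.
tmpfiles_age_days() {
  case "$1" in
    *d) echo "${1%d}" ;;
    *w) echo $(( ${1%w} * 7 )) ;;
    *h) echo $(( ${1%h} / 24 )) ;;
    *)  echo "-" ;;
  esac
}

# tmpfiles_exclude_dropin PATH: print a tmpfiles.d drop-in that keeps the cleaner
# away from PATH and everything below it ("x"; "X" would protect only PATH itself).
# Installing it as /etc/tmpfiles.d/devices_output_logs.conf is an assumed file name.
tmpfiles_exclude_dropin() {
  printf 'x %s\n' "$1"
}

# Demo on the constructed rules. On a real host, feed in the live configuration:
#   cat /etc/tmpfiles.d/*.conf /run/tmpfiles.d/*.conf /usr/lib/tmpfiles.d/*.conf
LOGDIR=/tmp/devices_output_logs   # bind-mount source from the docker-compose.yml above
age=$(tmpfiles_age_for_path "$SAMPLE_RULES" "$LOGDIR")
echo "$LOGDIR: cleaned after $age ($(tmpfiles_age_days "$age") days)"
fixed="$SAMPLE_RULES
$(tmpfiles_exclude_dropin "$LOGDIR")"
echo "$LOGDIR with drop-in: $(tmpfiles_age_for_path "$fixed" "$LOGDIR/example.log")"
```

The drop-in only stops the host-side cleaner; it does not make the Elasticsearch copies live any longer or shorter, and moving the bind-mount source out of /tmp altogether avoids the rule instead of overriding it.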
