Log Retention Issue - Only 10 Days of Logs Kept, Need Assistance

7a6b6f · July 26, 2023, 12:15pm

Hi everyone,

I am facing an issue with log retention in my Elastic Stack setup and could use some help in troubleshooting it. Currently, my system is only retaining logs for 10 days, and after that, the logs are being deleted. I have checked several factors, including logrotate, crontab, and any external scripts that might be causing this behavior, but everything seems fine.

Here are some details about my environment:

Elastic Version: 8.6.2
Kibana Version: 8.6.2
Logstash Version: 8.6.2
Operating System: CentOS 8

My Logstash container configuration (docker-compose.yml):

  ...
  logstash:
    container_name: ip_logstash
    image: logstash:8.6.2
    ports:
      - '514:514/udp'
    environment:
      - xpack.monitoring.enabled= true
    volumes:
      - type: bind
        source: ./logstash/pipeline
        target: /usr/share/logstash/pipeline
        read_only: true
      - type: bind
        source: /tmp/devices_output_logs
        target: /var/log/syslog
        read_only: false
    ...

Any suggestions or insights into what might be causing the log retention issue would be highly appreciated. Has anyone encountered a similar problem or have any specific troubleshooting steps I can try?

Thank you in advance for your help!

Best regards

leandrojmp · July 26, 2023, 12:41pm

By logs you mean Elasticsearch indices or the logs from the services?

7a6b6f · July 26, 2023, 1:16pm

Thank you for your response!

By "logs" I am referring to the logs generated by my services. These logs are processed by Logstash and are stored in both Elasticsearch and a designated folder inside the Logstash container.

The folder path within the Logstash container where the logs are stored is /var/log/syslog. Additionally, I have mounted this folder with a local host folder, /tmp/devices_output_logs, so that the logs are also accessible on my CentOS 8 host.

Below is a snippet of my logstash.conf file:

input {
    // ... (input configuration)
}

output {
    elasticsearch {
        hosts => "elasticsearch:9200"
        index => "devices-logs-%{+YYYY-MM-dd}"
    }
    file {
        path => "/var/log/syslog/devices_output_logs-%{+YYYY-MM-dd}.log"
    }
}

I edited a little bit also the first post related to the code of the logstash service, added the volume settings.

system · August 23, 2023, 1:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How do you store logs persistently Elasticsearch docker	1	359	March 25, 2020
Questions about elk-docker and logs disappearing Elasticsearch	1	628	February 15, 2017
Missing logs Elasticsearch docker	7	441	July 15, 2021
Logstash docker image keeps resetting elasticsearch URL Logstash	7	2617	October 2, 2017
Proper maintenance of the Elastic Stack Elasticsearch	4	273	September 16, 2022

Log Retention Issue - Only 10 Days of Logs Kept, Need Assistance

Related Topics