I just set up Graylog + Elasticsearch for the first time. I'm trying to change the default location that ingested logs are saved to. Currently, the default filepath is on the OS drive, which will fill up in no time.
Looking at the documentation, I see that there are two filepaths to change in the config file, one for data and one for logs. However, I'm confused by the two. Are logs (/var/logs/elasticsearch) Elasticsearch's own logs, or ingested logs? Or are ingested logs considered data?
In addition to changing the filepath in the .yml file, is there anything else I need to do to make this all work? Anything in Graylog, etc?
Logs that are ingested into Elasticsearch end up in indices in Elasticsearch; that data is stored under path.data, for example /var/data/elasticsearch.
The logs that Elasticsearch generates in the course of operating are stored under path.logs, for example /var/log/elasticsearch.
You can set those two paths to whichever paths make sense for your deployment.
And of course, to complete the equation, if you want to ingest the logs generated by Elasticsearch back into Elasticsearch, you would use Filebeat and set the path it harvests the Elasticsearch logs from to wherever you pointed those logs, i.e. path.logs. We actually have a Filebeat module for that.
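As an added example (not part of the thread above, and not a Graylog or Elastic script): a small POSIX shell helper that sets path.data and path.logs in elasticsearch.yml and prepares the target directories with permissions restricted to the service account. The directories /data/elasticsearch and /data/elasticsearch-logs, and the config file location /etc/elasticsearch/elasticsearch.yml, are assumptions; the demo at the bottom works on a constructed copy of the config, not the live file.

```shell
#!/bin/sh
# Added example, not from the thread. Sets path.data / path.logs in an
# elasticsearch.yml and prepares the directories. All paths are assumptions.
set -eu

# Escape the dots in a key such as "path.data" so sed treats them literally.
key_regex() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# set_es_path FILE KEY VALUE
# Drops every existing "KEY: ..." line, including the commented-out
# "#KEY: ..." placeholders shipped in the default file, then appends the new
# setting once, so the YAML never ends up with a duplicate key.
set_es_path() {
    file=$1; key=$2; value=$3
    kre=$(key_regex "$key")
    tmp=$(mktemp)
    # sed -i is not portable; write to a temp file and move it into place.
    sed -E "/^[[:space:]]*#?[[:space:]]*${kre}:/d" "$file" > "$tmp"
    printf '%s: %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_es_path FILE KEY
# Prints the active (uncommented) value of KEY, or nothing if it is unset.
get_es_path() {
    kre=$(key_regex "$2")
    sed -nE "s|^[[:space:]]*${kre}:[[:space:]]*||p" "$1" | head -n 1
}

# prepare_dir DIR
# Creates DIR readable only by its owner and group. When run as root on a
# package install (which runs the node as the "elasticsearch" user), the
# directory is handed to that account; otherwise ownership is left alone.
prepare_dir() {
    mkdir -p "$1"
    chmod 750 "$1"
    if [ "$(id -u)" -eq 0 ] && id elasticsearch >/dev/null 2>&1; then
        chown elasticsearch:elasticsearch "$1"
    fi
}

# show_node_paths: ask a running node which paths it actually uses.
# Needs a reachable node on localhost:9200 (add credentials if security is on).
show_node_paths() {
    curl -s 'http://localhost:9200/_nodes/settings?filter_path=**.path.data,**.path.logs'
}

# Stand-alone demo on a constructed copy of the shipped config.
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
cluster.name: graylog
#path.data: /path/to/data
#path.logs: /path/to/logs
network.host: 127.0.0.1
EOF
    set_es_path "$cfg" path.data /data/elasticsearch
    set_es_path "$cfg" path.logs /data/elasticsearch-logs
    cat "$cfg"
    rm -f "$cfg"
}
demo
```

On a real box the calls are `prepare_dir /data/elasticsearch`, `prepare_dir /data/elasticsearch-logs`, then `set_es_path /etc/elasticsearch/elasticsearch.yml path.data /data/elasticsearch` (and the same for path.logs), run as root. Elasticsearch only reads the file at startup, so stop the service first, copy any existing index data to the new path.data directory before restarting, and confirm with `show_node_paths` that the node reports the new locations. The 750 mode keeps other local accounts from reading the index files, which hold the ingested log content in the clear.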