Hi everyone,
I recently experienced a DDoS attack on my Apache server. The logs are sent to Elasticsearch, so my last indices are around 70Gb/day. I have not configured ILM on my ELK stack yet but I would like to reduce the storage these "DDoS indices" take while keeping it.
I read the docs about freeze but I see two things: the "freeze index" page, where they say it has been deprecated because of improvements in heap utilization, and the "frozen data tier" page, which does not contain any deprecation warning. The way I understand it, "freeze index" concerns the button in "Stack Management > Index Management > Manage" and the freeze API, while the frozen data tier concerns ILM. But when I try to create an index policy in the Kibana UI, I can see Hot, Warm and Cold tiers but not a Frozen tier.
So, my questions are: Are those two pages two different things? Are they both deprecated? What's the difference between the two of them? How do I configure the Frozen tier for ILM if I don't see it in Kibana's UI? But most importantly, what should I use to reduce the storage taken by these indices? I am running the ELK stack on version 7.17.9, btw.
Thanks.