Rules folder location

I am using Docker ELK and I keep Elasticsearch data permanently by using the following on .yml


  • /path/to/storage:/usr/share/Elasticsearch/data

But how can i save my EQL, KQL rules in security application?
Where can i find this folder?

Do I miss something?

Thanks in advance

Hi @Dalador According to the docs, if you export your rules, you can specify a file to store them to in .ndjson format. Once exported, you'll be able to import them again at a later stage.
I'm not sure what the default folder is for Docker or if there is one but you could also configure a repository to store cluster snapshots in. Snapshots are a convenient way to backup your data in the event that your cluster goes down (ether intentionally or otherwise).
I hope that helps a bit.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.