Winlogbeat and metricbeat taking high storage space

Hi All,
I am using ELK version 8.0.0, with winlogbeat and metricbeat version 8.0.0 we are monitoring around 200 environments for event logs and metrics from winlog and metricbeat respectively. BUt not sure why the winlogbeat is taking around 70 GB space in 2-3 days and metricbeat 10 GB space daily which is a lot of space as we want to save 30 days data and also want to store SLM for 10 days due to this much space used by winlogbeat it is quite hard for us to save data for 30 days.

Can someone suggest is this space used by winlog and metricbeat is this normal or we are missing something.

We have already ILM in placed for hot, warm and cold phase.

Please someone suggest if this is what the beats usually take space.

How many hosts do you have? By 200 environments you mean 200 hosts with Winlogbeat and Metricbeat?

Both Winlogbeat and Metricbeat will generate a lot of data, I don't see nothing wrong with those volume for 200 hosts.

But if you want to reduce the storage usage you can change some configurations.

For metricbeat for example you can change the period from 10s to a higher interval, like 30s.

For winlogbeat you can limit the event_logs, providers or event ids to collect as explained in this documentation.

@leandrojmp Yes 200 hosts yes we can reduce the period but wanted to know if this is what winlog and metricbeat consume the storage space. But as you say both takes lot of data so looks like we have to reduce the ILM policy days. Thank you again.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.