Hello everyone, we have been testing a configuration for Winlogbeat for Windows event log ingestion, and with the out-of-the-box configuration on about 60 machines we have noticed that we have over 70GB of data per month. We have 3-month retention and I created an ILM policy that deletes all indexes older than 3 months, but what I have also noticed as behaviour is that once the index is deleted Winlogbeat re-ingests old data (I'm assuming that is by design), and I would just like some advice on how to approach the configuration to limit the old data being ingested.
Version used is Winlogbeat-oss-07.12
Configuration is below:
```yaml
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
  - name: Security
  - name: ForwardedEvents
    tags: [forwarded]
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

# ====================== Elasticsearch template settings =======================
setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false
setup.template.name: "winlogbeat"
setup.template.pattern: "winlogbeat-*"

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["{{ elasticsearch_server }}:9200"]
  index: "winlogbeat-%{[agent.version]}-%{+yyyy.MM}"
  # Protocol - either `http` (default) or `https`.
  protocol: "https"
```
Any assistance would be most appreciated.
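As an added example (not the poster's file), the same `event_logs` section with the `ignore_older` filter that the post applies only to Application applied to every channel, so no channel is read back further than 72 hours regardless of what bookmark state exists; the `registry_file` line shows the documented default location of Winlogbeat's saved read positions and is included only as a comment on where that state lives.

```yaml
# Added example: bound how far back each channel is read.
# The ignore_older value (72h) is carried over from the original post;
# Winlogbeat drops events older than this age for that channel.
# registry_file is the default path; it is where Winlogbeat stores the
# per-channel bookmarks it resumes from after a restart.
winlogbeat.registry_file: ${path.data}/.winlogbeat.yml

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
    ignore_older: 72h
  - name: Security
    ignore_older: 72h
  - name: ForwardedEvents
    ignore_older: 72h
    tags: [forwarded]
  - name: Windows PowerShell
    ignore_older: 72h
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    ignore_older: 72h
    event_id: 4103, 4104, 4105, 4106
```

`ignore_older` only caps the historical window a channel is read from; the steady-state monthly volume is set by what the Security and System channels log, so the `event_id` style filters already used on the PowerShell channels are the lever for that.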