A quick one about retention of indices

i4admin · July 5, 2020, 4:50am

Hi All,

We intent to keep data for a year for archive purposes.
Based on the statistics saying on average it takes half a year to discover you have been hacked. We intent therefore to keep data for a year so we are better able to respond to the GDPR needs of 72 hours report back time in case of a data breach.

Now since we only need this for arching and we intent only to look back live for 1 month. Then in order not to stress the system to much, wouldn’t it be wise to set indices rotation to P1M with a Max number of indices of 12.
That way each index would hold 1 month of data which would give us a faster search time but we will be able to go back a year if need be.

is this assumption correct?

billlee · July 6, 2020, 12:50am

Hi @i4admin,

Yes, the assumption is correct. However, you should monitor how much storage is used by the 1 month of data.

Depending on your environment setup and resources, it is recommended not to go above 40-50GB per index.

Thank you.

Regards,
Bill

system · July 20, 2020, 12:50am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Indices in Graylog Graylog Central (peer support)	8	4034	August 8, 2021
Data retention for the whole Year Graylog Central (peer support)	6	401	November 9, 2023
Log Retention Strategy Graylog Central (peer support)	5	2049	March 5, 2020
Understanding the need for archiving Graylog Central (peer support)	5	462	August 18, 2020
Configuring Indices to store logs to make search easy Graylog Central (peer support)	18	1681	December 18, 2017

A quick one about retention of indices

Related topics