Accessing old index

tatuh · February 25, 2020, 3:49pm

Hi,

I need to access older data on Graylog, is there a way to read older indexes? Currently we have only one week visible in Graylog. We have configuration for elasticsearch_max_docs_per_index = 20000000, and if I have understood correctly after this limit is reached new index is created for storing log data.

I found several files in /var/lib/elasticsearch/nodes/0/indices -folder, are these possibly the old index files, or how/where are they stored? Dates of files in /indices folder are not so clear, as files are updated on same days…)
Also how can I check the backup/rotation policy for indexes?

Graylog version: Graylog 2.3.2

Kind regards,
Tatuh

jrunu · February 26, 2020, 9:24am

Hi Tatuh,

here you can find information on the index set design, for your version. It also goes into the configuration of the retention policy.

Janosch

macko003 · March 1, 2020, 9:08pm

the graylog config file’s setting is only for the first start. Check your web UI.
if you just close the index, reopen it.
If you delete the old indexes:
Restore your data from your backup.
Before it dont forget to increase the retention period.
If you have problem with the restore, open your disaster recovery documents.
No other method to restore deleted files/logs.
If you dont have backup, and disaster recovery docs, I suggest to make good.

system · March 15, 2020, 9:21pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Adding old data from a graylog 3 to a new Graylog 3 Graylog Central (peer support)	4	689	May 12, 2020
Set graylog2 to keep log in 1 week Graylog Central (peer support)	9	5296	August 14, 2017
Old indexes have new data Graylog Central (peer support)	8	1002	October 8, 2018
Confused on why I'm not storing as much as I expected Graylog Central (peer support)	3	499	September 5, 2017
Log Retention Strategy Graylog Central (peer support)	5	1902	March 5, 2020

Accessing old index

Related topics