I got the task to configure graylog to keep log files for 2 months. Please what do i change in my System/indices web page to be able to store the logs and how do i go about it?
Thanks.
Please refer to the documentation about rotation and retention in index sets:
I read the documentation and tried a couple of things but still cant fetch for previous dates. u can view the screenshots below to check if i did anything wrong.
What exactly do you mean with “cant fetch for previous dates”?
The aim is to get logs and save logs for 2 months. so what i mean is: i still havent fulfilled what i intended. I cant search through old logs.
Please elaborate on that.
What logs are you trying to query?
What exactly are you doing to accomplish that?
What do you expect as a result?
What’s the actual result?
I am trying to query logs that are at least a day old and at most 2 weeks old.
I pasted snapshots of what i did. please go through to check whats wrong.
I expect to see result from previous date
I can only see present logs as they come in and not logs that’s past 2hrs.
Sorry, but that’s no answer to the questions…
But that was what i did to achieve what i wanted. i read what was posted in the links u sent.
Okay, going forward; what is it that am to do to achieve what i want to.
Thanks.
You could start by describing how you are querying these logs…
for example: searching for a particular destination Address, i use d syntax below:
dst_ip: xx.xx.xx.xx
The above query would fetch me logs relating to xx.xx.xx.xx address. BUT the logs it fetches wont contain a day or 2 days old logs. I hope you understand now J?
That’s insufficient.
What’s the exact query? What’s the exact time range you’ve selected?
How many and which indices were queried (printed on the result page in the sidebar on the left)?
What’s the covered time range of the indices in your Default Index Set?
dst_ip: xx.xx.xx.xx
The time range selected dosent change anything. by default, its on 5 minutes. the number of result it fetches on 5 minutes is still d same number it would fetch if i put it for a month - exactly my problem.
What was the time range for that specific query?
What’s the stored index range of the queried index (check in System / Indices in the index set details)?
Please don’t leave out the responses to some questions. They’re all important and playing ping-pong with you about details isn’t fun.
what more question haven’t i answered.
For the time range, i put 5 minutes. and i remember i said the time range didnt even make any difference as the result it brings out is the same.
You selected the last 5 minutes and the only index containing messages for the last 5 minutes was used for your search request.
As far as I see, everything is working as advertised.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.