Delete logs Graylog

ale1 · 2018-06-13 08:05:02 UTC

Hello,

I would like to delete logs in Graylog server. Because for the moment I collect many messages put I didn’t use them because it’s for test. So, I would like to delete them to avoid unnecessary loading of the hard disk before putting into production.

How long the logs are kept by default.

Thanks

jan · 2018-06-13 08:09:02 UTC

please check your index configuration over at ‘System > indices’ that will reveal your local settings. In addition you are able to change them.

ale1 · 2018-06-13 08:14:15 UTC

thanks

I’ve already see the system>indices part, but we don’t have duration. For example, stock the logs 1 week

jochen · 2018-06-13 08:25:03 UTC

You could also manually delete all indices you don’t want to keep anymore on the System/Indices page and sub-pages.

ale1 · 2018-06-13 09:01:44 UTC

yes but, it’s possible to store the logs for one week, or one year ?

jochen · 2018-06-13 09:35:40 UTC

Yes, you can configure this in the rotation and retention strategy for each index set.
http://docs.graylog.org/en/2.4/pages/configuration/index_model.html

ale1 · 2018-06-13 09:46:46 UTC

thanks, I have found the parameter for stock the log for a year.

But, don’t understand the role of the index set, because it’s possible to create many index and we don’t choose the strategy for logs

jochen · 2018-06-13 09:51:23 UTC

The relation between index sets, indices, and messages is explained in the documentation chapter I’ve linked to.

ale1 · 2018-06-13 10:02:56 UTC

yes, but it’s not clear. Because, we can’t choose a particular messages in indices.

jochen · 2018-06-13 10:05:25 UTC

Graylog doesn’t support deleting individual messages. The smallest unit is an index.

ale1 · 2018-06-13 10:15:37 UTC

yes, but I don’t understand the difference between the different indices, because we don’t have need to choose a source

jochen · 2018-06-13 10:20:45 UTC

What exactly don’t you understand? Please elaborate.

ale1 · 2018-06-13 11:46:33 UTC

I don’t understand the operation between the differents input and the differents indices. And I don’t know what is the interest to create many indices

thanks

jochen · 2018-06-13 12:09:42 UTC

All messages received by Graylog are initially routed into the “All messages” stream, which is backed by the default index set.

If you want to keep messages for a different period of time, if they have different schemas (index mappings), or if you want to filter out some messages and only allow access to a subset, you might want to route them into different streams which are backed by different index sets (with unique rotation and retention settings).

ale1 · 2018-06-13 12:25:36 UTC

thanks for information

ale1 · 2018-06-15 06:58:02 UTC

It’s possible to see the messages presents in the indices and index. Because, it’s write the number of documents and the size, but no the messages.

Thanks

jtkarvo · 2018-06-15 15:55:03 UTC

just search normally, but add an extra search term:
_index:graylog_XXX
(replace XXX with the index number you want to search from)

ale1 · 2018-06-18 09:01:32 UTC

ok thanks for informations

system · 2018-07-02 09:01:36 UTC

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.