Disk Usage on Graylog

cybernetus · 2017-03-23 14:23:01 UTC

Hello

I have today a graylog installation on tests in my structure.

And only one of our servers is generating around 9GB of daily logs.

Reading some documents about Graylog, I noticed that ElasticSearch is the element that uses the most disk.

I create a custom index mapping ( http://docs.graylog.org/en/2.1/pages/configuration/elasticsearch.html#custom-index-mappings ) removing the analysis of the full_message, but i have one question.

How to minimize the disk usage on Graylog ? The index mapping is a solution ?

Anyone have tips ?

jochen · 2017-03-23 15:09:58 UTC

What do you want to achieve exactly?

While Elasticsearch can (and by default does) compress data on disk, it will usually still take more disk space than plaintext files because of secondary data structures.

maniel · 2017-03-23 17:41:48 UTC

i managed to trim some space by removing some unneeded fields and dismissing some insignificant messages

maniel · 2017-03-23 17:42:12 UTC

do we need full_message field after data are extracted to respective fields? could it just be removed with pipeline rule?

cybernetus · 2017-03-23 18:12:37 UTC

Maniel, thanks for your reply.

I believe this is what i need. How do you remove this unneeded fields ?

cybernetus · 2017-03-23 19:22:34 UTC

Jochen, i need to trim some messages or remove some unneed fields from my index.

I believe removing some of these fields I minimize the use of the disk.

But my doubt is how i remove these fields. Using the index mapping or we have another method to do this ?

I use the tips of this repository : https://github.com/jordansissel/experiments/tree/master/elasticsearch/disk

but all of this tips are for logstash and have a low impact on my disk usage.

maniel · 2017-03-23 19:32:24 UTC

you can use a pipeline rule with remove_field function

jochen · 2017-03-24 09:05:48 UTC

This completely depends on your own requirements and use cases. Sometimes it might be viable to remove some fields for efficiency, sometimes it violates compliance requirements.

mr_m_cox · 2017-03-24 09:48:01 UTC

Could you create a rule somewhere within Graylog to automatically delete certain un-needed logs? This would certainly help with disk space and is something I have been look at how to do. For example, delete all informational event logs from graylog after 1 month?

jochen · 2017-03-24 10:24:10 UTC

That’s what index sets are for: http://docs.graylog.org/en/2.2/pages/configuration/index_model.html