I’ve just recently solved my issue for retaining messages for a year by creating another Index set. My problem is I’m getting duplicate messages now. During my controlled testing I made a failed logging attempt using the default index set only and the stream called “Linux: Failed Authentication” connected to it. Then I created the second Index set called “Failed Authentication” and edited the stream “Linux: Failed Authentication” to use the “Failed Authentication” index set. When attempting to create one failed login, I now see duplicate messages in global search.
My environment is one node with Elasticsearch 6.8.2, MongoDB v4.0.11, and Graylog Server 3.0.2+1686930.
I’m using the “default Index set”, (Shards:4, Index rotation strategy: Index Time, Rotation period: P1D, Index retention strategy: Delete, Max number of indices:30)
Then my second index set “Failed Authentication” (Shards:4, Index rotation strategy: Index Time, Index retention strategy: Delete, Max number of indices:2, Rotation period: P1Y)
By having duplicates my Histogram graph is higher than it normally should be.
I have looked through the forum and did a Google search on this. I have seen solutions to fix this, but none that seemed to help my situation, like the client(s) sending dups to the Graylog server, etc…
Any advice how to prevent this would be greatly appreciated.
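A small diagnostic, added here as an example and not part of the original post or of Graylog itself, that separates the two causes mentioned above: one message stored in two index sets (a stream-routing effect, where global search returns a copy per index) versus the same event actually being received twice (a client or relay resend). It assumes Graylog writes each message to Elasticsearch with the message UUID as the document `_id`, and it works on constructed hits in Elasticsearch search-response shape; the index names `graylog_12` and `failed_auth_0` are made-up placeholders for the default index set and the new one.

```python
from collections import defaultdict

# Constructed sample hits in Elasticsearch search-response shape (not real data).
# Assumption: Graylog uses the message UUID as the Elasticsearch document _id, so
# the same _id in two indices means one message stored in two index sets.
SAMPLE_HITS = [
    # One failed login written to both the default index set and the new one.
    {"_index": "graylog_12", "_id": "a1b2-0001",
     "_source": {"timestamp": "2019-09-01T10:00:00.000Z", "source": "host1",
                 "message": "Failed password for root from 203.0.113.5 port 2222 ssh2"}},
    {"_index": "failed_auth_0", "_id": "a1b2-0001",
     "_source": {"timestamp": "2019-09-01T10:00:00.000Z", "source": "host1",
                 "message": "Failed password for root from 203.0.113.5 port 2222 ssh2"}},
    # The same event delivered twice by the sender: two distinct message ids.
    {"_index": "graylog_12", "_id": "c3d4-0002",
     "_source": {"timestamp": "2019-09-01T10:00:05.000Z", "source": "host2",
                 "message": "Failed password for admin from 203.0.113.9 port 2223 ssh2"}},
    {"_index": "graylog_12", "_id": "c3d4-0003",
     "_source": {"timestamp": "2019-09-01T10:00:05.000Z", "source": "host2",
                 "message": "Failed password for admin from 203.0.113.9 port 2223 ssh2"}},
    # A message stored exactly once.
    {"_index": "failed_auth_0", "_id": "e5f6-0004",
     "_source": {"timestamp": "2019-09-01T10:00:09.000Z", "source": "host3",
                 "message": "Failed password for backup from 203.0.113.20 port 2224 ssh2"}},
]


def index_sets_per_message(hits):
    """Map each message id to the sorted list of indices that hold a copy of it."""
    by_id = defaultdict(set)
    for hit in hits:
        by_id[hit["_id"]].add(hit["_index"])
    return {mid: sorted(indices) for mid, indices in by_id.items()}


def classify_duplicates(hits):
    """Split duplicate hits into the two causes that need different fixes.

    'multi_index': one message id present in more than one index. The message was
        routed to more than one stream whose index sets differ, so a search across
        all index sets returns it once per index. This is a stream/index-set
        routing issue, not a sender problem.
    'resent': distinct message ids whose (timestamp, source, message) content is
        identical. Graylog received the event more than once, so the duplicate
        originates at the sender or a relay in front of Graylog.
    """
    multi_index = {mid: indices
                   for mid, indices in index_sets_per_message(hits).items()
                   if len(indices) > 1}

    by_content = defaultdict(set)
    for hit in hits:
        src = hit["_source"]
        key = (src.get("timestamp"), src.get("source"), src.get("message"))
        by_content[key].add(hit["_id"])
    resent = {key: sorted(ids) for key, ids in by_content.items() if len(ids) > 1}

    return {"multi_index": multi_index, "resent": resent}


def unique_message_count(hits):
    """Number of distinct messages, i.e. what a histogram shows once copies stored in
    several index sets are collapsed to one."""
    return len({hit["_id"] for hit in hits})


if __name__ == "__main__":
    report = classify_duplicates(SAMPLE_HITS)
    print("hits returned by search:", len(SAMPLE_HITS))
    print("distinct messages:      ", unique_message_count(SAMPLE_HITS))
    for mid, indices in report["multi_index"].items():
        print(f"stored in several index sets: {mid} -> {indices}")
    for (ts, source, _msg), ids in report["resent"].items():
        print(f"received more than once from {source} at {ts}: ids {ids}")
```

On a real node the hits can be pulled from Elasticsearch with a `_search` against the index patterns of both index sets; if every duplicate shows up under `multi_index`, the messages are being written to two index sets (for example by matching both a custom stream and the default stream) and the fix is on the stream side, whereas entries under `resent` point back at the sending host or its forwarder.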