I’m currently building a Graylog Enterprise setup.
The goal is to store logs for a long period, like 1 year. But I don’t need to frequently access logs older than 2 months. So I would like to move the logs from expensive storage to a cheap one.
I discovered the Hot/Cold architecture in this post:
But the post is old and the info seems to be outdated. Curator does not seem to be available anymore on ES 6.8.
I tried to see if I can use ES Indices Life Management, but it’s not available in the ES OSS installed with Graylog 3.3.
Any tips on how to achieve this on Graylog 3.3 Enterprise?
It is possible, you need to use the regular ES package rather than the OSS.
You need to set up I.L.M (free since ES 6.8):
Set up an ILM policy
Add another index template with the same index_pattern as the “graylog-internal” template, to map this template to the indices. In this template, link it to your ILM policy, set the routing.allocation to your “hot” nodes, set “order” to a positive integer.
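The two steps above as request bodies, in an added example that is not part of the original answer. The policy and template names, the `box_type` node attribute, the `graylog_*` pattern and the 60d/365d ages (taken from the question) are assumptions.

```python
import json
import re

# Assumed, not from the thread: nodes are tagged in elasticsearch.yml with
# node.attr.box_type: hot|cold, and Graylog uses its default "graylog_" prefix.
ATTR = "box_type"

def days(age):
    """Parse an ILM age such as '60d' into whole days."""
    m = re.fullmatch(r"(\d+)d", age)
    if not m:
        raise ValueError(f"expected an age like '60d', got {age!r}")
    return int(m.group(1))

def ilm_policy(cold_after="60d", delete_after="365d"):
    """Body for PUT _ilm/policy/<name>. No rollover action: Graylog rotates its
    own indices, so min_age counts from index creation. delete_after=None
    leaves deletion to Graylog's retention strategy."""
    phases = {"cold": {"min_age": cold_after,
                       "actions": {"allocate": {"require": {ATTR: "cold"}}}}}
    if delete_after is not None:
        if days(cold_after) >= days(delete_after):
            raise ValueError("cold phase must start before the delete phase")
        phases["delete"] = {"min_age": delete_after, "actions": {"delete": {}}}
    return {"policy": {"phases": phases}}

def overlay_template(policy_name, pattern="graylog_*", order=1):
    """Body for PUT _template/<name>; merged on top of graylog-internal."""
    if order <= 0:
        raise ValueError("order must be a positive integer to take precedence")
    return {"index_patterns": [pattern], "order": order, "settings": {
        "index.lifecycle.name": policy_name,
        f"index.routing.allocation.require.{ATTR}": "hot",
    }}

def phase_for(index_age_days, policy):
    """Where an index of this age sits: 'hot' means only the template
    routing applies, before the policy's first phase is reached."""
    current = "hot"
    for name in ("cold", "delete"):
        phase = policy["policy"]["phases"].get(name)
        if phase and index_age_days >= days(phase["min_age"]):
            current = name
    return current

if __name__ == "__main__":
    for path, body in (("_ilm/policy/graylog-hot-cold", ilm_policy()),
                       ("_template/graylog-ilm-overlay",
                        overlay_template("graylog-hot-cold"))):
        print("PUT", path)
        print(json.dumps(body, indent=2))
```

The cold phase's `allocate` action rewrites the same `index.routing.allocation.require.box_type` setting the template pins to `hot`, which is why both must use one attribute name.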