Graylog 6.0 and index retention

I am testing 6.0 on my local homelab before I roll out to production. First thoughts are that it looks nicer?

Second thought is that the index retention options are somewhat lacking (in Open) or, more accurately, hidden under “Depreciated”. It certainly appears that deletion of aged-out indices is the only option, now (at least for Open).

With this being said, has anyone had any success managing Indices through either the Opensearch API or Opensearch Dashboard? I use the latter to set snapshot policy, but have not ventured further into Index management. Ideally, I would like to have < 30 days in a hot node, then transfer indices >30 days to cold storage. But, where Index/Time Size Optimizing with deletion being the only options now, this doesn’t seem possible within Graylog. That being said, its entirely possible (in theory) using Opensearch Dashboard.

So, the question is thus: would managing the index policy via OpenSearch Dashboard as opposed to the Graylog GUI royally fudge up Graylog?

Thank you!

@accidentaladmin love that you posed the comment on how it appears nicer as a question. What were your honest initial thoughts?

I’m interested to know, has the removal of an option regarding index rotation caused your previous workflow to break?

  1. It is definitely more aesthetically pleasing. It definitely looks like more attention was given to the UI. Before it was “nice” to look at but was very utilitarian. Now it is both useful and pleasing to look at (but I happen to love blue, Lets Go City!). Further, I am not sure if the font has changed (I’m not good at picking that stuff out) but it “seems” easier to read? I am using a lot of quotes and “?” because these observations are very person-to-person in my opinion.

  2. I had previously set my index retention to “close” as opposed to “delete”. My employer needs to retain 1 years worth of records but leaving 1 years worth of records (20GB per day) in the equivalent of “hot” would absolutely destroy our hardware (and we lack the capacity, anyway). Archive is not an option because, as I am sure many here are familiar, my employer views the IT budget as an afterthought (I guess its partially my fault has I save them near $35K+ a year just by focusing on OpenSource/FOSS solutions). I love Graylog, I want Operations/Security/Enterprise, but am forced to be “creative” with the Open version because I am not given the budget to invest in the paid-for solutions :confused:

*Edit: I was using “close” as basically a placeholder until I figured a way to duct-tape together an archiving equivalent to the archive solution provided by Graylog Enterprise

Always interesting to get another perspective on this, thank you for sharing.

Gone but not forgotten.

# This configuration list limits the retention strategies available for user configuration via the UI
# The following strategies can be disabled:
#   - delete # Deletes the index completely (Default)
#   - close # Closes the index and hides it from the system. Can be re-opened later.
#   - none #  No operation is performed. The index stays open. (Not recommended)
# WARNING: At least one strategy must be enabled. Be careful when extending this list on existing installations!
disabled_retention_strategies = none,close
1 Like

Boom! That’s a start! Thank you. I suspect that where its marked as depreciated in the GUI I probably shouldn’t rely on this being available down the road.

What are your thoughts on the reworked UI?

A safe assumption to make.

I’m about it, always fun to have a palette refresh but in the end it’s not so different. The more interesting part is a “Security Perspective” interface centred around the threat detection features but it’s gated behind the security license.

I have created a couple python scripts that run nightly.

One creates a snapshot for any index that is older than a given timeframe. Scripts/ at main · danclancey/Scripts · GitHub
The second checks the snapshot repository and deletes any snapshot that is older than a given timeframe. Scripts/ at main · danclancey/Scripts · GitHub

You will have to adjust these to fit your needs but I think it might help get you in the right direction.

Also the version of these scripts are for testing in non-prod environment. Please note the security implications of having passwords in a script and take proper measures if you choose to use it these in a production environment.


Thank you! I believe OpenSearch Dashboard has some of this functionality but I will definitely review your scripts!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.