Graylog elasticsearch health red and a lot of unassigned shards

I haven't set the index retention strategy to delete yet, because I want to have a good understanding of how it works.
Fortigate

Default (winlogbeat)

Graylog 1

Graylog 2

Delete means exactly what it sounds like. Any index that exceeds the max number of indices is deleted.

If you need to retain those messages, you need to explore either index snapshots or look into the commercial version, which offers automatic archiving.

Actually, I want to close indices which have been open for 2 months.

I think we need to step back a bit. Let’s not worry about how to achieve the goal. Instead, let’s start with what exactly you need to do.

How long do you need to keep the logs?
