Graylog Retention Strategy Not Being Followed

GTownson · August 20, 2018, 9:57am

Hi All,

I have set a Graylog instance to only hold 60 indices and delete all others. I had previously closed some older indices and then noticed that Graylog was not following the retention strategy and now has 69 indices, I then opened the old indices thinking that closing them may have caused this, but Graylog still hasn’t deleted them.
I have also tried cyling the active write index and recalculating index ranges, but this helped.
I encountered this issue once before, however I found Elasticsearch to be Red in status and resolving that issue resolved the retention strategy problem. In this case Elasticsearch is healthy.

System Specs

OS: Ubuntu 16.04 LTS
Graylog: 2.4.4
Elasticsearch: 5.6.9
MongoDB: 2.6.10

Here you can see my config and also the amount of incides in the system.

Regards,

G

jan · August 20, 2018, 3:41pm

did you see any entries in the logfiles about the retention check?

Graylog should give you some ideas why it can’t run the retention checks.

GTownson · August 21, 2018, 7:38am

Hi Jan,

I looked in the logs and can’t find anything regarding retention strategies.
I have looked into another working system and found logs such as these:

2018-08-21T01:03:58.379+01:00 INFO  [AbstractIndexCountBasedRetentionStrategy] Number of indices (4) higher than limit (3). Running retention for 1 indices.
2018-08-21T01:03:59.296+01:00 INFO  [AbstractIndexCountBasedRetentionStrategy] Running retention strategy [org.graylog2.indexer.retention.strategies.DeletionRetentionStrategy] for index <graylog_381>

Both systems are configured the same, however the one that is not working is set to 60 indices instead of 4.

Cheers,

G

jan · August 21, 2018, 8:50am

you need to find the difference to solve the issue.

GTownson · August 21, 2018, 9:40am

The one that works is on 2.4.5 and the one that isn’t working is on 2.4.4, is this a known issue of 2.4.4?

We will aim to update as soon as we can but due to being in production it will have to be scheduled in.

jan · August 21, 2018, 10:04am

not that I know - so it should be something else.

GTownson · August 22, 2018, 12:18pm

I did close and reopen about ten of the indices on the system that is not working properly. That’s all I can think of, it shouldn’t have caused this.

system · September 5, 2018, 12:18pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Graylog Retention Strategy Not working Graylog Central (peer support)	3	2041	October 19, 2017
Graylog Indices with problem Graylog Central (peer support)	2	899	March 4, 2022
My graylog elasticsearch indices have been deleted for no reason Graylog Central (peer support) elastic	2	550	July 26, 2022
Confused on why I'm not storing as much as I expected Graylog Central (peer support)	3	497	September 5, 2017
Suddenly the graylog delete index configuration is not working Graylog Central (peer support)	2	421	September 23, 2022

Graylog Retention Strategy Not Being Followed

Related topics