1. Describe your incident:
Can't view old messages
2. Describe your environment:
OS Information: Debian 12
Package Version: 5.2.4
Service logs, configurations, and environment variables:
3. What steps have you already taken to try and solve the problem?
I have a problem with Graylog 5.2.4 on Debian 12. It is an installation that has been working since April. A few days ago I needed to check logs that arrive from 10 different servers, but I find that there are no messages from April to July.
I cannot understand how the indexes and their rotation work. Below is a brief summary of how the “Default index” is configured and the indexes that are created. Any help you can give me will be welcome.
The server began collecting messages in April, but now I can only view messages from July 8 to today.
The default index configuration is:
Index Time Size Optimizing
Minimum lifetime: P30D (30 days)
Maximum lifetime: P40D (40 days)
Index retention strategy: Delete
Max number of indices: 20
THE INDEX STATUS:
graylog_17 Current writable index Contains messages up to a few seconds ago (66.7MiB / 486,350 messages)
graylog_16 Contains messages from 7 days ago up to 19 hours ago (511.1MiB / 3,834,979 messages)
graylog_15 Contains messages from 17 days ago up to 7 days ago (5.2GiB / 24,855,810 messages)
graylog_14 Contains messages from a month ago up to 17 days ago (301.8MiB / 1,819,852 messages)
graylog_13 Contains messages from a month ago up to a month ago (437.6MiB / 2,617,215 messages)
With your current configuration below, you are only storing 30 days of logs; anything over 30 days is deleted. Should you wish to store more than this, drag the slider from 30 up to the number of days you want to be searchable. As an example, 91 days would be 3 months of searchable data.
Minimum lifetime: P30D (30 days)
Maximum lifetime: P40D (40 days)
Hi! Thanks for the response, but is this configuration the Graylog default? I didn’t know this when deploying the server, and there is no notification about deleting indices. We lost a lot of data because of this rotation configuration.
The default is a little heavy-handed, but the idea is that the deletion will mean you are not running out of space for as long as you haven’t implemented your own retention policy.
When storing data it’s good practice to review the requirements of your retention strategy and ensure that the system managing that data is reflecting this.
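As an added example (not part of the thread and not Graylog's own code), the following check compares an index set's lifetime settings and the oldest searchable index against a required retention period, so a shortfall is reported before the data is needed. The dictionary key names, timestamps and `NOW` are constructed assumptions; `P30D`, `P40D` and `Delete` come from the configuration posted above, and 91 days is the example figure from the reply.

```python
import re
from datetime import datetime, timedelta, timezone

def parse_period(period):
    """Parse a day-based ISO-8601 period such as 'P30D' into a timedelta."""
    match = re.fullmatch(r"P(\d+)D", period)
    if not match:
        raise ValueError(f"unsupported period: {period!r}")
    return timedelta(days=int(match.group(1)))

def retention_gaps(index_set, ranges, required_days, now):
    """List the ways retention falls short of required_days."""
    required = timedelta(days=required_days)
    findings = []
    # A lifetime shorter than the requirement only loses data if indices are deleted.
    if index_set["retention_strategy"].lower() == "delete":
        for key in ("min_lifetime", "max_lifetime"):
            if parse_period(index_set[key]) < required:
                findings.append(f"{key} {index_set[key]} < {required_days} days")
    # Oldest message still searchable = earliest 'begin' across all indices.
    begins = [datetime.fromisoformat(r["begin"]) for r in ranges]
    if begins and now - min(begins) < required:
        findings.append(f"only {(now - min(begins)).days} days searchable")
    return findings

# Constructed sample data (key names and timestamps are assumptions).
INDEX_SET = {"min_lifetime": "P30D", "max_lifetime": "P40D",
             "retention_strategy": "Delete"}
RANGES = [
    {"index_name": "graylog_13", "begin": "2024-07-08T00:00:00+00:00"},
    {"index_name": "graylog_14", "begin": "2024-07-10T00:00:00+00:00"},
    {"index_name": "graylog_17", "begin": "2024-08-11T00:00:00+00:00"},
]
NOW = datetime(2024, 8, 12, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in retention_gaps(INDEX_SET, RANGES, 91, NOW):
        print("RETENTION GAP:", finding)
```

On a deployment younger than the required period the "days searchable" finding is expected and can be ignored until the system has run that long.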