Help setting up Graylog Storage

Hello,

I am very new to Graylog and Ubuntu Linux as a whole so apologies in advance.

I have set up Graylog 5.0.6 with ES 7.10.2, where the plan is to have Windows AD send syslog event information using a third party app to graylog for long term archiving.

Some devices are already sending data to the GL so I know it’s working from a network side. So the part I’m struggling with is how I can increase the total space GL has for logs and how we can increase the retention of those to, let’s say, 6 months. The articles on Google mention node settings which, when I change them, keep “shrinking” anyway.

Also, as an extension of this project I would like to forward those logs to SIEM for further processing, as archiving on SIEM is expensive I’m hoping to use GL as a good alternative.

Any help will be appreciated, cheers!

The length of time data is stored for is governed by the index settings. An index (where the data is written in OpenSearch) has two key settings: how often it is rotated (turned from being written to, to being read-only) and retention (how many of those old versions to keep around).

Rotation can be based on multiple things, but for this use time is easiest. So if we set the rotation to every 1 day, and retain the last 90 we now have 90 days of data. There are a million advanced topics on this, but that is the basics of it.
You can read all about it here: Index model.
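A small model of the rotation-plus-retention rule described in the answer above, written as an added example (it is not Graylog's code and not part of the original thread). It assumes, as Graylog's deletion strategy does, that the retained index count includes the active write index, and it uses a constructed daily ingest volume to turn a retention target such as the 6 months asked about into a rough disk estimate:

```python
"""Model of time-based index rotation with deletion retention.

Constructed illustration, not Graylog code. Assumes the retention count
includes the active write index (how Graylog's max_number_of_indices behaves).
"""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class IndexSetPolicy:
    rotation_days: int   # time-based rotation period, e.g. 1 for daily (ISO 8601 "P1D")
    max_indices: int     # indices to keep, active write index included
    replicas: int = 0    # replica shards per primary in Elasticsearch/OpenSearch


def live_indices(policy: IndexSetPolicy, day: int) -> list[int]:
    """Index numbers that exist after `day` days of ingest (index 0 is created on day 0)."""
    if day < 0:
        raise ValueError("day must be >= 0")
    newest = day // policy.rotation_days               # the current write index
    oldest = max(0, newest - policy.max_indices + 1)   # everything older has been deleted
    return list(range(oldest, newest + 1))


def retention_window_days(policy: IndexSetPolicy) -> int:
    """Calendar days of data kept once the index set is full (newest index still filling)."""
    return policy.max_indices * policy.rotation_days


def indices_for_retention(target_days: int, rotation_days: int) -> int:
    """Smallest max_indices value that gives at least `target_days` of retention."""
    return ceil(target_days / rotation_days)


def disk_estimate_gb(policy: IndexSetPolicy, daily_ingest_gb: float, overhead: float = 1.2) -> float:
    """Rough storage need: retained days x daily volume x copies x headroom for merges and translog."""
    copies = 1 + policy.replicas
    return round(retention_window_days(policy) * daily_ingest_gb * copies * overhead, 1)


if __name__ == "__main__":
    # The answer's example: rotate daily, keep 90 -> 90 days of data.
    ninety = IndexSetPolicy(rotation_days=1, max_indices=90)
    print("day 100 keeps indices", live_indices(ninety, 100)[0], "..", live_indices(ninety, 100)[-1])
    print("retention window:", retention_window_days(ninety), "days")

    # The poster's goal: about six months, with a constructed 2 GB/day ingest and one replica.
    six_months = IndexSetPolicy(rotation_days=1,
                                max_indices=indices_for_retention(180, 1),
                                replicas=1)
    print("max_indices for 180 days:", six_months.max_indices)
    print("estimated disk:", disk_estimate_gb(six_months, daily_ingest_gb=2.0), "GB")
```

The `max_indices` value is the knob the answer calls retention; the rotation period is what keeps each index at a predictable size. Raising `max_indices` only buys more retention if the Elasticsearch/OpenSearch data volume can hold the estimate, which is why the disk calculation sits next to the policy.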
