Hi, sure thing!

Here’s the solution that solved a problem similar to yours.

Graylog

In your Graylog UI, go to “system/indices” and edit your “Default index set” to rotate every day:

Captura de Tela 2021-06-01 às 08.28.041206×291 33.6 KB

Elasticsearch

Next, in all node in yout ES Cluster, identify “who is who” in you cluster configuration with this options in your elasticsearch.yml:

node.attr.data: hot     # change here to "warm" for warm nodes or "cold" for your cold ones
node.attr.box_type: hot #

• In the node you will manage indexes with curator follow the steps below:

Create a script with the content below, I named it wire.sh:

#!/bin/bash

CURRENT_INDEX=$(curl -s -XGET "0.0.0.0:9200/_cat/indices?pretty" -H 'Content-Type: application/json' | grep 'graylog_' | awk '{print $3}' | sort -t _ -k 2 -rn | head -1)

curl -s --output /dev/null -XPUT "0.0.0.0:9200/${CURRENT_INDEX}/_settings?pretty" -H 'Content-Type: application/json' --data '
{
  "index.routing.allocation.include.data": "hot",
  "index.routing.allocation.include.box_type": "warm,cold",
  "index.routing.allocation.require.box_type": "warm,cold",
}'

This script will add some additional options to every new index created by Graylog, so you need to run it sometime after a new index is created.

• Configure your Repo:
  DEB: Install Elasticsearch with Debian Package | Elasticsearch Guide [8.11] | Elastic
  RPM: Install Elasticsearch with RPM | Elasticsearch Guide [8.11] | Elastic

• Install Curator:
  elasticsearch-curator-5.8.4-1.x86_64 (Current Version)

• Create a config file for curator:

client:
  hosts:
    - ?.?.?.? # Add here all node in your ES Cluster
    - ?.?.?.? # 
    - ?.?.?.? #
    - ?.?.?.? #
  port: 9200
  url_prefix:
  use_ssl: False
  certificate:
  client_cert:
  client_key:
  ssl_no_validate: False
  username:
  password:
  timeout: 30
  master_only: False

logging:
  loglevel: INFO
  logfile: /var/log/curator.log
  logformat: default
  blacklist: []

• Next, create a file called data-migration.yml or name it whatever you want, whit the content below:

This is the “Playbook” that tells curator what do with the indexes.
In this case it will force new indexes been migrated to hot nodes, and then migrate old nodes to warm after 1 day, cold after 30 days and delete indexes older than 60 days.
Change here according your needs.

actions:
  1:
    action: allocation
    description: "Apply shard allocation filtering rules to newest indexes"
    options:
      key: box_type
      value: hot
      allocation_type: require
      wait_for_completion: True
      max_wait: 3600
      timeout_override:
      continue_if_exception: False
      disable_action: False
      allow_ilm_indices: True
    filters:
      - filtertype: pattern
        kind: prefix
        value: graylog_
      - filtertype: age
        source: creation_date
        direction: younger
        unit: days
        unit_count: 1

  2:
    action: allocation
    description: "Apply shard allocation filtering rules to the hot log"
    options:
      key: box_type
      value: warm
      allocation_type: require
      wait_for_completion: True
      max_wait: 3600
      timeout_override:
      continue_if_exception: False
      disable_action: False
      allow_ilm_indices: True
    filters:
      - filtertype: pattern
        kind: prefix
        value: graylog_
      - filtertype: age
        source: creation_date
        direction: older
        unit: days
        unit_count: 1

  3:
    action: allocation
    description: "Apply shard allocation filtering rules to the warm log"
    options:
      key: box_type
      value: cold
      allocation_type: require
      wait_for_completion: True
      max_wait: 3600
      timeout_override:
      continue_if_exception: False
      disable_action: False
      allow_ilm_indices: True
    filters:
      - filtertype: pattern
        kind: prefix
        value: graylog_
      - filtertype: age
        source: creation_date
        direction: older
        unit: days
        unit_count: 30

  4:
    action: delete_indices
    description: "Delete index after 60 days of life"
    options:
      timeout_override: 3600
      continue_if_exception: False
      disable_action: False
    filters:
      - filtertype: pattern
        kind: prefix
        value: graylog_
      - filtertype: age
        source: creation_date
        direction: older
        unit: days
        unit_count: 60

  5:
    action: forcemerge
    description: "Perform forceMerge to 'max_num_segments' per shard"
    options:
      max_num_segments: 1
      delay:
      timeout_override: 21600
      continue_if_exception: false
      disable_action: false
    filters:
      - filtertype: pattern
        kind: prefix
        value: graylog_
      - filtertype: age
        source: creation_date
        direction: older
        unit: days
        unit_count: 3

Manual tests

Run “wire.sh” and check if it changes the ES Index Settings.

bash wire.sh
curl -s -XGET "0.0.0.0:9200/graylog_[INDEX NUMBER]/_settings?pretty"

Run curator and check if your data has been migrated:

curator --config /etc/curator/curator.yml /etc/curator/data-migration.yml
less /var/log/curator.log

CronJob

If everything worked fine, add to cron:

• create a cronjob for “wire” and curator:
  /etc/cron.d/wire

MAILTO=""
SHELL=/bin/bash
10 1 * * *       root bash wire.sh

/etc/cron.d/curator

MAILTO=""
SHELL=/bin/bash
0 1 * * *       root    curator --config /etc/curator/curator.yml /etc/curator/data-migration.yml >/dev/null 2>&1

Hope it helps, let me know if you have any other question.