Is it possible that the P1D index rotation is based on the Graylog Server timezone (in my case GMT-3), and not in GMT?
Because if I need to restore an old index to search an old document in the future from a specific day, it is annoying to restore two indexes instead of one to review a full day of documents. Additionally, the Audit Area is always going to complain about this.
To my knowledge tasks are scheduled based on creation datetime. So, P1D will apply from the moment the configuration is saved. This means that to achieve what you want through the web interface most likely you will have to click save at 00:00:00 GMT +3.
You may be able to adjust this with the Elasticsearch or Graylog APIs.
I’ve just been looking through the Graylog API as I recommended you do. I see that all of my index sets with a time-based rotation strategy have end times of approximately 00:00 GMT unless for some reason the calculation itself took some time. I don’t see any way to adjust the schedule. Even if you did, based on what I’m seeing I don’t see that the range could end at exactly 21:00:00.000 because of the way the scheduler is working.
Ok @ttsandrew, so in your understanding, what I’m asking for is not possible because of the way the scheduler is working, so it makes no sense to submit a request on GitHub?
Obviously I can configure the index rotation with another tool that “talks” with ElasticSearch (I don’t know if Graylog is going to “see” that rotation automatically), but for me, the feature of rotating an index every day at midnight in my timezone is a basic thing, which is available in every SIEM solution that uses ElasticSearch “under the hood” that I know of.
Sorry for your disappointment that you’re unable to execute an index rotation per the Graylog time zone.
It may not help right now, but maybe in the next release it might. In past years Graylog staff have been doing a really good job at implementing feature requests. I think this would be a really good idea to have implemented. Just a thought.
Don’t misunderstand me, @gsmith, I think Graylog is one of the best Log Management projects out there: the interface is nice and clear, and they are always adding things that you need, that are really helpful, like in my case, Graylog Sidecar (for me it is a big differentiator against other Log Management products).
My disappointment is only based on the idea that, at least for me, index rotation based on the local timezone is a basic feature, and a feature that I need to avoid problems with the Audit Area, only that.
Thanks for all your answers. If this feature is something that cannot be changed in the short term, I’m going to try to manage the ElasticSearch Index from “outside”.
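Added example (not from the thread or from Graylog itself) that models the behaviour described above: a P1D rotation is assumed to cut a new index every 24 hours from the moment the index set was saved (UTC), and the code counts how many indices hold the documents of one calendar day in a fixed-offset local timezone such as GMT-3. The rotation rule, the save times and the dates are constructed assumptions for illustration.

```python
from datetime import date, datetime, timedelta, timezone

PERIOD = timedelta(days=1)  # the "P1D" rotation period discussed in the thread


def rotation_ranges(created_at, until, period=PERIOD):
    """Yield successive (start, end) UTC ranges of indices rotated every `period`.

    Simplified model of the thread's description: the first index starts when the
    index set is saved and each rotation happens exactly one period later.
    """
    start = created_at
    while start < until:
        end = start + period
        yield start, end
        start = end


def indices_for_local_day(created_at_iso, local_day_iso, utc_offset_hours, period=PERIOD):
    """Return the UTC (start, end) ranges of every index that can contain a document
    timestamped within one calendar day of a fixed-offset timezone (e.g. -3 for GMT-3)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    created_at = datetime.fromisoformat(created_at_iso).replace(tzinfo=timezone.utc)
    day_start = datetime.combine(date.fromisoformat(local_day_iso), datetime.min.time(), tzinfo=tz)
    day_end = day_start + timedelta(days=1)
    # An index overlaps the local day if it starts before the day ends and ends after it starts.
    return [
        (s, e)
        for s, e in rotation_ranges(created_at, day_end + period, period)
        if s < day_end and e > day_start
    ]


def count_indices_for_local_day(created_at_iso, local_day_iso, utc_offset_hours):
    """Number of indices an auditor would need restored to review one local day."""
    return len(indices_for_local_day(created_at_iso, local_day_iso, utc_offset_hours))


if __name__ == "__main__":
    # Constructed scenario: index set saved at 00:00 UTC versus at local midnight (03:00 UTC).
    for saved in ("2022-03-01T00:00:00", "2022-03-01T03:00:00"):
        ranges = indices_for_local_day(saved, "2022-03-10", -3)
        print(f"index set saved {saved}Z -> {len(ranges)} index(es) cover 2022-03-10 in GMT-3")
        for s, e in ranges:
            print("   ", s.isoformat(), "->", e.isoformat())
```

Saving the index set at 00:00 UTC splits every GMT-3 day across two indices, while saving it at local midnight (03:00 UTC) aligns one index per local day, which is the manual timing workaround suggested above.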