Retaining logs for 6 months

Hi all,
I have a policy requirement that logs are stored and accessible for 6 months. After 6 months the oldest logs can be deleted.

How do I do this?
I found the indices tab under system, but there I can just define how many log entries before the index is deleted.

I think it's possible because I saw a post somewhere where someone suggested… I think the syntax was something like p1w for 1 week, I'm not really sure. But I have no clue where to set it and what the syntax would be for 6 months.

Any help would be greatly appreciated.

Documentation is your friend
By default you have one default index set with index rotation based on message count; this is what you see now. You can change this to rotation by index time, set the period to P1M (one month) and set it to keep 7 indices (1 current write index + number of kept indices).
If you collect logs from different systems, consider whether you need to keep all messages for so long. In our Graylog we have different rotation strategies for different logs, i.e., logs from mail servers are stored for 2 years, firewall logs for 6 months. They are routed to dedicated and accordingly configured index sets using streams; all other logs go to the default index set with the default rotation strategy.

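Why the answer above asks for 7 indices rather than 6, as an added example that is not part of the thread and is not Graylog's code: a simplified day-by-day model of time-based rotation with delete-oldest retention. It assumes rotation happens at fixed intervals from a constructed start date; all function names are hypothetical, and it also covers weekly and daily periods, which goes beyond the P1M case discussed.

```python
import calendar
import re
from datetime import date, timedelta

def shift_months(d, n):
    """Move d by n calendar months, clamping the day (31 Aug - 6 months -> 28/29 Feb)."""
    y, m0 = divmod(d.year * 12 + d.month - 1 + n, 12)
    return date(y, m0 + 1, min(d.day, calendar.monthrange(y, m0 + 1)[1]))

def next_rotation(d, period):
    """Date of the next rotation for an ISO-8601 period such as P1D, P1W or P1M."""
    m = re.fullmatch(r"P(\d+)([DWM])", period.upper())
    if not m:
        raise ValueError(f"unsupported period: {period!r}")
    n, unit = int(m.group(1)), m.group(2)
    if unit == "M":
        return shift_months(d, n)
    return d + timedelta(days=n * (7 if unit == "W" else 1))

def policy_holds(period, max_indices, months=6, start=date(2023, 1, 1), days=1461):
    """Day-by-day model: rotate every `period`, delete the oldest index once more
    than max_indices exist, and check that logs from `months` ago are still there."""
    indices = [start]                      # start date of each index on disk (constructed)
    rotate_on = next_rotation(start, period)
    for offset in range(days):             # four years, includes a leap year
        today = start + timedelta(days=offset)
        if today == rotate_on:
            indices.append(today)          # new write index
            del indices[:-max_indices]     # retention: drop the oldest extras
            rotate_on = next_rotation(today, period)
        cutoff = shift_months(today, -months)
        if cutoff >= start and indices[0] > cutoff:
            return False                   # logs the policy still needs are gone
    return True

def min_indices(period, months=6):
    """Smallest index count for which the retention policy holds on every day."""
    n = 1
    while not policy_holds(period, n, months):
        n += 1
    return n

if __name__ == "__main__":
    for p in ("P1M", "P1W", "P1D"):
        print(p, min_indices(p))
```

The extra index is needed because the write index is nearly empty right after a rotation, so at that moment only the older indices provide look-back.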

Hi Karlis,

I can’t explain why I hadn’t noticed the drop-down box “select rotation strategy”. I mean, it's right there!!

Sorry, I had looked in the documentation but I guess I must have overlooked this or stared myself blind on it 🙂
