Understanding the need for archiving

Hello, we are using the free enterprise licence but have gone over the 5GB limit. I had been told that we needed the enterprise licence to be able to define a retention policy, is that the case? I need to keep logs for 12 months then delete them.

If I set the index rotation period to P3M, select deletion as the action in the retention strategy menu, then set 4 as the maximum number of indices, won’t that keep 12 months’ worth of logs?

Thanks

Not exactly. When there are 4 full indices and a new empty index is created, the oldest one will be deleted. This means you will have only 3 previous indices, 3 months each, and 1 current index. I recommend setting a maximum of 5 indices if you want to keep at least 12 months of logs.
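The reply above, worked through as an added example (not part of the original thread and not Graylog code): a small Python model of time-based rotation with the delete retention strategy. It assumes whole-month granularity and that the active index counts toward the maximum, as the reply describes; the function names are hypothetical.

```python
def retention_window(period_months, max_indices, horizon_months=None):
    """Return (min, max) months of logs searchable once rotation is in steady state.

    Model (an assumption based on the reply above): every `period_months` a new
    empty index is created; if that pushes the count above `max_indices`, the
    oldest index is deleted immediately.
    """
    if horizon_months is None:
        horizon_months = period_months * (max_indices + 3)
    indices = [0]          # start month of each index, oldest first
    samples = []
    for month in range(1, horizon_months + 1):
        before = month - indices[0]          # coverage just before any rotation
        if month % period_months == 0:
            indices.append(month)            # rotation: new empty index
            while len(indices) > max_indices:
                indices.pop(0)               # retention: delete the oldest
        after = month - indices[0]           # coverage just after rotation
        if month > period_months * max_indices:   # ignore the initial fill-up
            samples.extend([before, after])
    return min(samples), max(samples)


def min_indices_for(required_months, period_months):
    """Smallest max-indices setting that never drops below required_months."""
    n = 1
    while retention_window(period_months, n)[0] < required_months:
        n += 1
    return n


if __name__ == "__main__":
    for n in (4, 5):
        low, high = retention_window(3, n)
        print(f"P3M, max {n} indices: between {low} and {high} months retained")
    print("indices needed for 12 months at P3M:", min_indices_for(12, 3))
```

The figure to compare against a retention requirement is the minimum, which is reached right after each rotation, when the newest index is still empty.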

Hi Karlis, thanks for the explanation. So do I need the archiving function provided by the enterprise licence in this case? It seems to me that I don’t unless I wanted to keep the log data indefinitely.

No, if your storage space is enough to keep this amount of data. Archiving allows you to keep data outside of the Graylog database, i.e. on a file server or detachable storage.

Thanks Karlis, that’s really helpful.
