Auto Log Rotation Policy

[John Carry]

Hello Wazuh Team,

Our Use-Case:

This policy enforces Wazuh index state management for OpenDistro to move indices into a cold state after 45 days and delete them after 60 days.

We have recently migrated our Wazuh environment to new instance, other functions seem to be working fine, how-ever we have noticed that the Policy creation for Log rotation method is changed from Script to UI based, I have referred below resource to replicate my earlier assigned policy as mentioned below to the newer instance but unable to find a way to Delete indexes after required number of days.

https://www.elastic.co/guide/en/elasticsearch/reference/7.17/set-up-lifecycle-policy.html#ilm-create-policy

It would be quite helpful if you could help me out to replicate below script based policy into UI (the mothed on new Wazuh instance).

The actual Policy Script:

{
    "policy_id": "Auto_Log_Rotation_Policy",
    "description": "This policy enforces Wazuh index state management for OpenDistro to move indices into a cold state after 45 days and delete them after 60 days.",
    "last_updated_time": 1662631966440,
    "schema_version": 1,
    "error_notification": null,
    "default_state": "hot",
    "states": [
        {
            "name": "hot",
            "actions": [
                {
                    "replica_count": {
                        "number_of_replicas": 1
                    }
                }
            ],
            "transitions": [
                {
                    "state_name": "cold",
                    "conditions": {
                        "min_index_age": "45d"
                    }
                }
            ]
        },
        {
            "name": "cold",
            "actions": [
                {
                    "read_only": {}
                }
            ],
            "transitions": [
                {
                    "state_name": "delete",
                    "conditions": {
                        "min_index_age": "60d"
                    }
                }
            ]
        },
        {
            "name": "delete",
            "actions": [
                {
                    "delete": {}
                }
            ],
            "transitions": []
        }
    ],
    "ism_template": null
}

The UI based method provided on our new wazuh instance:

As you can see the UI based policy menu only allowing me to apply policy on HOT, Warm and Cold but there is no option to delete those Indexes after particular number of days.

[Kasim Mustapha]

Hello John,

Apologies for the late response.

Just chipping in here.

When you enter, you will not see the Delete phase. You must press the trash can button next to "keep data in this phase forever" on the right side before the Delete phase appears.

I hope this helps. Let me know if you have further questions.

[John Carry]

Hello Kasim,
Thanks alot for the confirmation, just to conclude I need your verification that below policy settings will Move the Indexes to cold State after 45 days from Hot state , and Cold state will retain those indexes for 45 days, and finally after 60 days (45 [Hot] +15[Cold] Days) those indices will be deleted, right?

[Kasim Mustapha]

Hello John,

Apologies for not getting back to you sooner.

Yes. 

The policy you set above indicates that;

1. Indices older than 45 days would move the Cold State.
2. Indices older than 60 days (45 [Hot] + 15[Cold] Days) those indices will be deleted.

I hope this answers your questions.

let me know if you have further questions.