index deletion

[Jose Campos]

Hi all I have been trying to keep my information 90 days according to the ILM configuration, for history, however I think I am doing something wrong since it takes about 6 days and it deletes it. 

Could you support me on how I should define the policy or if I should deactivate it, I want to have as much of the history as possible in kibana. 

  This is my configuration 

Regards

[mayte...@wazuh.com]

Hi,

Did you follow the Wazuh index management blog post to configure ILM and manage your Wazuh indices over time?  (It was made for 3.x version, but it should work properly by performing some minor changes)

 

However, it is odd that the indices are deleted 6 days after its creation with that policy ¿Which indices are you trying to manage? Could you check if the desired policy is applied to that indices?

 

You can use the explain lifecycle API in order to debug the problem and check the current lifecycle status for one or more indices.

 

Also, could you perform the following request in your elasticsearch server to get some details about the current cluster health?:

curl http://localhost:9200/_cluster/health?pretty

(you may need to change http to https or add your Elasticsearch credentials)

 

Please, keep us updated to debug the issue.

 

Best regards,

Mayte Ariza.

[Jose Campos]

Hello, thanks for answering. 

Yes, in fact the blog configuration is the one I used to configure it, but I don't know if I'm correct with the filebeat.yml and the wazuh module.

It is strange because 6 days ago I applied that configuration and all the indexes were linked to politics, in fact last night I still had the 6 days and today at 00:00 hours it was gone. 

This is my cluster health

Regards,

[mayte...@wazuh.com]

Hi,

You can check the following link which contains all the steps to set up ILM: ILM for Wazuh indexes. It also configures the /etc/filebeat/wazuh-template.json and /etc/filebeat/filebeat.yml files.

In this case, rollover was also added. If you are not interested in rollover you can skip the 4th and 5th steps and also the settings related to aliases (index.lifecycle.rollover_alias in the 2nd step and setup.ilm.rollover_alias in the 3rd step). 

Following this guide will overwrite the Wazuh template in Elasticsearch (notice that setup.template.overwrite is enabled)

I would advise you to configure the policy to match your desired retention period again and review all the performed steps in case something was missing or incorrect.

Also, use the use explain lifecycle API once everything is configured to track the current lifecycle status.

I hope it helps. Keep us updated.

 

Best regards,

Mayte Ariza.