Retention for Indexer server


Terry

Aug 14, 2023, 9:12:55 AM
to Wazuh mailing list
Hello, I would like to know how to set up data retention on my server indexer. It is currently in place for server manager but it does not apply to server indexer.

Leonardo Daniel Sancho

Aug 14, 2023, 9:54:42 AM
to Wazuh mailing list
Hello Terry, thanks for choosing Wazuh!

To set up ISM retention policies you can check out this guide: Wazuh index management | Wazuh

But keep in mind that the ones provided in the guide are related to Wazuh installations with Elastic and OpenDistro. For the default Wazuh Indexer, you can go to your manager and press on the hamburger menu located on the upper left side (the three horizontal bars). Once there, go to Index Management, where you will be presented with the index management policies. By default it will be blank, allowing you to create a policy from scratch by pressing the Create Policy button. You will then be prompted to choose either a Visual editor or a JSON editor, whichever is more comfortable for you. Once in there, you can start creating your policies to fit your needs.

In the following example I've created a policy that will move the indexes to the cold state after 45 days, and will proceed with deletion after 90 days. You can use this JSON as an example or edit it to fit your needs:

{
  "policy": {
    "description": "A simple default policy that deletes after 90 days.",
    "default_state": "example_hot_state",
    "states": [
      {
        "name": "example_hot_state",
        "actions": [
          { "replica_count": { "number_of_replicas": 1 } }
        ],
        "transitions": [
          {
            "state_name": "example_cold_state",
            "conditions": { "min_index_age": "45d" }
          }
        ]
      },
      {
        "name": "example_cold_state",
        "actions": [
          { "replica_count": { "number_of_replicas": 1 } }
        ],
        "transitions": [
          {
            "state_name": "example_delete",
            "conditions": { "min_index_age": "90d" }
          }
        ]
      },
      {
        "name": "example_delete",
        "actions": [
          { "delete": {} }
        ],
        "transitions": []
      }
    ],
    "ism_template": {
      "index_patterns": [ "example-index-*" ]
    }
  }
}

You will have to replace example-index-* with the name of the index that you want this policy to manage.
More information about OpenSearch ISM policies can be found here: Policies - OpenSearch documentation
Should you have further questions, let us know!
Have a great day!
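
A retention check for a policy like the one in the reply above, as an added example that is not part of the original post or of Wazuh's tooling: it walks the states from default_state and reports the index age at which each is entered, showing that min_index_age counts from index creation (deletion at day 90, not 45 + 90). The function names, the d/h/m unit handling and following only the first transition of each state are assumptions of this example.

```python
import json
import re

# Constructed sample: same state names and ages as the policy in the reply above.
POLICY_JSON = """
{"policy": {"default_state": "example_hot_state", "states": [
  {"name": "example_hot_state", "actions": [],
   "transitions": [{"state_name": "example_cold_state", "conditions": {"min_index_age": "45d"}}]},
  {"name": "example_cold_state", "actions": [],
   "transitions": [{"state_name": "example_delete", "conditions": {"min_index_age": "90d"}}]},
  {"name": "example_delete", "actions": [{"delete": {}}], "transitions": []}],
  "ism_template": {"index_patterns": ["example-index-*"]}}}
"""

UNIT_DAYS = {"d": 1.0, "h": 1 / 24, "m": 1 / 1440}  # assumption: only these units are handled

def age_in_days(value):
    """Convert an ISM age such as '45d' or '12h' to days."""
    match = re.fullmatch(r"(\d+)([dhm])", value)
    if not match:
        raise ValueError(f"unsupported age format: {value!r}")
    return int(match.group(1)) * UNIT_DAYS[match.group(2)]

def retention_timeline(policy_doc):
    """Return ([(state, entered_at_days), ...], delete_age_in_days or None)."""
    policy = policy_doc["policy"]
    states = {s["name"]: s for s in policy["states"]}
    name, age, seen, timeline = policy["default_state"], 0.0, set(), []
    while True:
        if name not in states:
            raise ValueError(f"transition to undefined state {name!r}")
        if name in seen:
            raise ValueError(f"state loop at {name!r}")
        seen.add(name)
        timeline.append((name, age))
        state = states[name]
        if any("delete" in action for action in state.get("actions", [])):
            return timeline, age
        transitions = state.get("transitions", [])
        if not transitions:
            return timeline, None  # dead end: matching indices are never deleted
        nxt = transitions[0]  # simplification: follow only the first transition
        cond = nxt.get("conditions", {}).get("min_index_age")
        # min_index_age is measured from index creation, so ages do not add up across states
        age = max(age, age_in_days(cond)) if cond else age
        name = nxt["state_name"]

if __name__ == "__main__":
    for state, entered in retention_timeline(json.loads(POLICY_JSON))[0]:
        print(f"{state}: entered at day {entered:g}")
```

A result of None for the delete age means the policy never reaches a delete action, so indices matching the pattern would be kept indefinitely.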