Log retention in wazuh

[dung nguyen phu]

Hi Wazuh Team,

We would be applying a year retention policy to the Elasticsearch indices follow this link https://wazuh.com/blog/wazuh-index-management/

But in newest version i can't follow tutorial. How i can setup this feature on wazuh 4.3

Best Regards

NGUYEN PHU DUNG

[Anthony Faruna]

Hello Nguyen 

Thank you for using Wazuh

Please can you share the error message you encountered while using the documentation, this will assist me provide a solution 

Best Regards

[Anthony Faruna]

Hello Ngyen 

Kindly click on Index Management as shown in the image below and make use of this JSON code to set a policy for 365 days 

You can edit it the policy name and description as it meets your requirements

{ "id": "1 year retention", "seqNo": 1, "primaryTerm": 1, "policy": { "policy_id": "1 year retention", "description": "Wazuh index state management for OpenDistro to move indices into a cold state after 30 days and delete them after a year.", "last_updated_time": 1660038899614, "schema_version": 12, "error_notification": null, "default_state": "hot", "states": [ { "name": "hot", "actions": [ { "replica_count": { "number_of_replicas": 1 } } ], "transitions": [ { "state_name": "cold", "conditions": { "min_index_age": "30d" } } ] }, { "name": "cold", "actions": [ { "read_only": {} } ], "transitions": [ { "state_name": "delete", "conditions": { "min_index_age": "365d" } } ] }, { "name": "delete", "actions": [ { "delete": {} } ], "transitions": [] } ], "ism_template": [ { "index_patterns": [ "wazuh-alerts*" ], "priority": 100, "last_updated_time": 1660038899614 } ] } }

Best Regards

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/0edf56ba-ece9-44b7-985b-8fc38758e7bdn%40googlegroups.com.