'How to rotate ELK logs?

I have indexes around 250 GB all-together in 3 host i.e. 750 GB data in ELK cluster.

So how can I rotate ELK logs to keep three months data in my ELK cluster and older logs should be pushed some other place.

elastic-stackelk


Solution 1:[1]

Answer by dexter_ is correct, but as the answer is old, a better answer would be:

version 7.x of elastic stack provides a index life cycle management policies, which can be easily managed with kibana GUI and is native to elk stack. PS, you still have to manage the indices like "indexname-%{+YYYY.MM}" as suggested dexter_

elastic.co/guide/en/elasticsearch/reference/current/index-lifecycle-management.html

Solution 2:[2]

You could create your index using "indexname-%{+YYYY.MM}" naming format. This will create a distinct index every month.

You could then filter this index, based on timestamp, using a plugin like curator. The curator could help you set up a CRON job to purge those older indexes or back them up on some s3 repository.

Reference - Backup or Restore using curator

Moreover, you could even restore these backup indexes whenever needed directly from s3 repo for historical analysis.

Solution 3:[3]

It took me a while to figure out exact syntax and rules, so I'll post the final policy I used to remove old indexes (it's based on the example from https://aws.amazon.com/blogs/big-data/automating-index-state-management-for-amazon-opensearch-service-successor-to-amazon-elasticsearch-service/):

{
    "policy": {
        "description": "Removes old indexes",
        "default_state": "active",
        "states": [
            {
                "name": "active",
                "transitions": [
                    {
                        "state_name": "delete",
                        "conditions": {
                            "min_index_age": "14d"
                        }
                    }
                ]
            },
            {
                "name": "delete",
                "actions": [
                    {
                        "delete": {}
                    }
                ],
                "transitions": []
            }
        ],
        "ism_template": {
            "index_patterns": [
                "mylogs-*"
            ]
        }
    }
}

It will automatically apply the policy for any new mylogs-* indexes, but you'll need to apply it manually for existing ones (under "Index Management" -> "Indices").

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Nitesh chauhan
Solution 2 dexter_
Solution 3 Drakula2k

Related Questions

"curl: (52) Empty reply from server" / timeout when querying ElastiscSearch

Efficient way to retrieve all _ids in ElasticSearch

How to disable SSL verification for Elasticsearch RestClient v6.7.0 in Java

How to watch the logstash log?

elastic search, is it possible to update nested objects without updating the entire document?

ElasticSearch Aggregation over Top Hits

Kibana server is not ready yet

Kibana server is not ready yet

Any way(plugin) to parse kibana query syntax to elasticsearch api body?

Elastic search with Google Big Query

Can not run Elastic Search on ubuntu (Error opening log file)

Is it possible to filter records of one index from another index in elasticsearch query?

Can We Retrieve Previous _source Docs with Elastic Search Versions

Sort multi-bucket aggregation by source fields inside inner multi-bucket aggregation

How to get latest document in elastic search