
Changing Filebeat Log File Retention Policies

This document describes how to change the number of days of log data stored in the filebeat indexes in Elasticsearch. The default configuration stores 30 days' worth of data.

Note

  • For single server installations, this value can be reduced to save hard drive space.

  • For installations using Elasticsearch database redundancy, this value must be changed by accessing the configuration via both presentation servers. A change made on one server will not be automatically copied to the other server.

Steps

  1. Via the navigation, access the analytics Management UI.

    Analytics -> Events -> Administration -> Management

  2. In the list of links on the left, under Elasticsearch, click on the Index Lifecycle Policies link.

  3. In the list of policies, click on the ilm-filebeat link.

  4. Scroll down to the Delete phase section.

  5. In the box next to Timing for delete phase, change the value to the number of days' worth of data that should be kept.

    Warning

    Increasing the number of days of data to keep uses additional hard drive space. This must be taken into consideration before changing the retention value. The amount of space that will be used can be estimated by looking at the existing indices, averaging the storage sizes, then multiplying that value by the number of days.

  6. Click on the Save Policy button.
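
The estimate described in the warning under step 5, as an added example that is not part of the original documentation: it parses output in the format of the Elasticsearch `_cat/indices` API, averages the per-index sizes and multiplies by the retention value. The sample data, the daily `filebeat-YYYY.MM.DD` index naming and the function names are assumptions.

```python
"""Estimate filebeat index disk usage for a new retention value (added example)."""

# Constructed sample in the format returned by
#   GET _cat/indices/filebeat-*?h=index,store.size&bytes=b
# store.size includes replica shards, so it reflects real disk usage.
# Index names and sizes are invented; one index per day is an assumption.
SAMPLE_CAT_INDICES = """\
filebeat-2024.05.01 4200000000
filebeat-2024.05.02 3900000000
filebeat-2024.05.03 4500000000
filebeat-2024.05.04 1200000000
"""


def parse_cat_indices(text):
    """Return {index_name: size_in_bytes} from 'index store.size' lines."""
    sizes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue  # skip blank lines and indices that report no size
        sizes[parts[0]] = int(parts[1])
    return sizes


def estimate_bytes(sizes, retention_days, skip_newest=True):
    """Average index size multiplied by the number of days to keep.

    skip_newest drops the last index in name order (the newest, given
    date-based names), which is still being written to and would
    otherwise pull the average down.
    """
    names = sorted(sizes)
    if skip_newest and len(names) > 1:
        names = names[:-1]
    if not names:
        raise ValueError("no index sizes to average")
    average = sum(sizes[n] for n in names) / len(names)
    return int(average * retention_days)


def additional_bytes(sizes, current_days, new_days):
    """Extra disk space needed when raising retention from current to new."""
    return estimate_bytes(sizes, new_days) - estimate_bytes(sizes, current_days)


if __name__ == "__main__":
    sizes = parse_cat_indices(SAMPLE_CAT_INDICES)
    print("60 days:", estimate_bytes(sizes, 60), "bytes")
    print("extra over 30 days:", additional_bytes(sizes, 30, 60), "bytes")
```

On installations using Elasticsearch database redundancy, run the estimate against the sizes reported by each server before changing the value on both.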