
Graylog2 - how to configure log retention to 1 week

We are using some Graylog2 servers (graylog-server version 1.3.4). Because we receive too many log messages, it requires a lot of memory. I am trying to reduce the log retention to 1 week: every log message older than 1 week will be deleted. However, I cannot find any value in the configuration file to do that.
I used the "max_time_per_index = 7d" value, but max_time_per_index seems to just define the age of an index until it is rotated and a new index is created, not the age of the messages in that index.
So, what's the best way to set message retention to 1 week? Please help me. Thanks a lot.

This can be easily configured using the Web GUI in Graylog 2 and later.

Navigate to "System/Indices" in the Administration drop-down menu. Under "Settings", click the Update configuration button.


Configure the Index Rotation Configuration to equal "Index Time", Rotation Period = P1D (a day). You'll have to decide whether you'd like to "Delete Index" or just close it, then set the Max number of indices to "8". That should keep the current day and the last 7 days' worth of indices.


NOTE:

Graylog Enterprise edition comes with an option to "Archive" log files, which essentially compresses them and allows you to move them to another storage location (whether to tape or just to another storage location).

One way to achieve this is to rotate your index every day and keep the maximum number of indices at 8. This way you will always have a full week + the current day of logs in your Elasticsearch cluster.

elasticsearch_max_time_per_index = 1d
elasticsearch_max_number_of_indices = 8

Note that your search performance can be even better by using more indices and a shorter rotation time, thanks to the intelligent time range selection feature of Graylog. For example, this should give faster search results if you have a lot of data:

elasticsearch_max_time_per_index = 12h
elasticsearch_max_number_of_indices = 16

You can even drop your number of indices to 15 and still have a whole week of data.

The Graylog server should be configured as below:

elasticsearch_max_time_per_index = 1d
elasticsearch_max_number_of_indices = 7
rotation_strategy = time

Please note that the strategy used in this case must be time. It worked well.
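To see why the earlier answer keeps 8 daily indices (or 15 to 16 twelve-hour ones) for a full week, here is an added Python simulation of Graylog's time-based rotation with a capped number of indices. It is not code from this page or from Graylog; the hourly traffic it feeds in is constructed, and times are plain hours since the first message.

```python
"""Simulate Graylog time-based index rotation with a maximum index count.

Assumption (matching the answers above): a new index starts every
rotation period, and only the newest `max_indices` indices are kept.
"""


def index_number(t_hours, rotation_hours):
    """Index that was active at time t; a new index starts every period."""
    return t_hours // rotation_hours


def surviving_messages(message_times, rotation_hours, max_indices, now_hours):
    """Messages still searchable at `now_hours`.

    Graylog deletes (or closes) whole indices beyond the cap, so messages
    disappear one index at a time, never individually by age.
    """
    current = index_number(now_hours, rotation_hours)
    oldest_kept = current - max_indices + 1
    return [t for t in message_times
            if index_number(t, rotation_hours) >= oldest_kept]


def worst_case_retention_hours(rotation_hours, max_indices, days_of_traffic=10):
    """Age of the oldest surviving message right after a rotation.

    Just after a rotation the current index is empty, so only
    `max_indices - 1` full periods are certain to be searchable.
    """
    total_hours = days_of_traffic * 24
    if total_hours < max_indices * rotation_hours:
        raise ValueError("not enough constructed traffic to fill every index")
    # Constructed traffic: one message per hour for the whole run.
    messages = list(range(total_hours))
    # Query at the rotation boundary immediately after the last message.
    now = (total_hours // rotation_hours) * rotation_hours
    kept = surviving_messages(messages, rotation_hours, max_indices, now)
    return now - min(kept)


def guaranteed_retention_hours(rotation_hours, max_indices):
    """Closed form of the same bound: (max_indices - 1) * rotation period."""
    return (max_indices - 1) * rotation_hours


if __name__ == "__main__":
    for period, count in [(24, 8), (24, 7), (12, 16), (12, 15)]:
        hours = worst_case_retention_hours(period, count)
        print(f"rotation {period:>2}h x {count:>2} indices -> "
              f"at least {hours / 24:.1f} days of messages kept")
```

With a daily rotation, 7 indices guarantee only 6 full days, which is why 8 is the safe choice for one week.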
