Replies: 1 comment 8 replies
-
|
That is older documentation for what the index used to be called. The steps are generally all the same. Check updated directions here: https://github.com/cisagov/LME/blob/main/docs/markdown/maintenance/index-management.md 2 sections here -- one for creating a new policy to manage your wazuh logs -- and one for managing the existing policy that comes with elastic (logs that come in from elastic agents) Ultimately, it will be the same concept. You're setting or editing a policy and then in that policy to move your index to the next stage after a certain amount of time or size. Completely up to you when you want to delete indexes based on these settings. |
Beta Was this translation helpful? Give feedback.
-
|
Screenshot of Lifecycle Policies page: |
Beta Was this translation helpful? Give feedback.
-
|
I found it. I had to click the Deprecated button. Is it right that it's deprecated when LME 2 was just released? |
Beta Was this translation helpful? Give feedback.
-
|
Some things like this are managed by elastic - so if they deem it 'deprecated' they may have replaced it with something else. From what I can tell they replaced it to with the logs@lifecycle you see in your screenshot -- however, that has no linked indices to it. You certainly want to manage whichever ones actually has linked indices to it or your policy wont do anything. -- more research will be needed on this |
Beta Was this translation helpful? Give feedback.
-
|
Here's more info on this -- doesn't appear youre the only confused person: |
Beta Was this translation helpful? Give feedback.
-
|
My guess is they made this so it doesn't automatically convert in case users were upgrading from 8.11 to 8.12 it doesn't break their lifecycle policies they already setup with the other one. Keep in mind even if it says deprecated you can still use it it just means they wont make anymore updates to that lifecycle policy. You are self managing it at this point anyway though |
Beta Was this translation helpful? Give feedback.
-
I was attempting to follow the guidance on adjusting retention. I don't have the lme_ilm_policy in my index lifecycle policies. Is that a problem with my instance or is the documentation out of date?
https://github.com/cisagov/LME/blob/main/docs/markdown/logging-guidance/retention.md
Beta Was this translation helpful? Give feedback.
All reactions