Logs getting deleted after 7 days

[loganterfehr]

Any idea why my logs are getting deleted after around 7 days? I thought that I had the deleted logs set to 120 days?

Let me know if there is a different area that could be doing this and not just under ElasticSearch. Thanks ahead of time for the help!

[cm-ops]

Depending on the size of the disk, you might be running into size-based deletion - https://docs.securityonion.net/en/2.4/elasticsearch.html#size-based-index-deletion

[loganterfehr]

I thought that too, I had the percentage set to 90% right now. It seems to be clearing at around like 40-50% though. Any other ideas? Note: I did resize the disk from ~150 -> ~400GBs, could the percentage maybe have not updated?

[jaypfe]

By default elastic is set to delete indices once it reaches 50% of the total disk space available.

https://docs.securityonion.net/en/2.4/elasticsearch.html#deleting-indices

"To modify this value, first navigate to Administration -> Configuration. At the top of the page, click the Options menu and then enable the Show all configurable settings, including advanced settings. option. Then navigate to elasticsearch -> retention -> retention_pct. The change will take effect at the next 15 minute interval. If you would like to make the change immediately, you can click the SYNCHRONIZE GRID button under the Options menu at the top of the page."

[loganterfehr]

Thanks Jaypfe! I had it set to 80% for a while now, and I changed it again now to 90%. I'll see if that fixes it. But I had it set to 80% when it was clearing it out at around 50%, so not sure why it is doing that. Any other ideas?

[cm-ops]

How big are your indices, so-elasticsearch-indices-list? If you are not rolling indices due to size, when the size-based deletion occurs it will remove the datastream and the data in the index.

[loganterfehr]

That could definitely be it! How would I go about changing it?

[cm-ops]

The rollover setting is in Administration > Configuration > elasticsearch > index_settings > index_name > policy > phases > hot > actions > rollover where index_name is the name of the index, there is one for time (max_age) and size (max_primary_shard_size).

[loganterfehr]

What should I change if I wanted the logs to be stored for 90 days (assuming I have enough storage)

[cm-ops]

Administration -> Configuration -> elasticsearch -> $index -> policy -> phases -> delete -> min_age That is the time based deletion setting for ILM https://docs.securityonion.net/en/2.4/elasticsearch.html#time-based-index-deletion You would set that to 90 days for the indicies you want to store for 90 days.

[Bal33p]

Check your default retention value in Elasticsearch it is probably set to like 50% not sure wy the default is so low