|
| 1 | +--- |
| 2 | +applies_to: |
| 3 | + stack: all |
| 4 | +products: |
| 5 | + - id: observability |
| 6 | +--- |
| 7 | + |
| 8 | +# Configure logs data retention |
| 9 | + |
| 10 | +This page explains how to manage log data retention using index lifecycle management (ILM). You’ll learn about customizing the built-in `logs@lifecycle` policy, automating rollover, and inspecting and managing ILM policies. |
| 11 | + |
| 12 | +## Store logs in data streams |
| 13 | + |
| 14 | +A data stream lets you store append-only time series data across multiple indices while giving you a single named resource for requests. Data streams also provide the following benefits: |
| 15 | + |
| 16 | +- ILM out of the box to automate the management of the backing indices. |
| 17 | +- Automatic rollover to ensure backing indices stay within optimal size and performance limits. |
| 18 | +- Tiered storage (hot, warm, and cold phases) to optimize storage and performance. |
| 19 | + |
| 20 | +Refer to the [data stream](/manage-data/data-store/data-streams.md) docs for more information. |
| 21 | + |
| 22 | +## Customize the built-in `logs@lifecycle` policy |
| 23 | + |
| 24 | +The `logs@lifecycle` ILM policy is preconfigured for common logging use cases. View or duplicate the policy at **Stack Management** → **Index Lifecycle Policies** or find `Index Lifecycle Policies` in the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). |
| 25 | + |
| 26 | +The logs ILM policy provides a good foundation for your logs data streams, but you may need to tailor it to fit your specific use case. Common modifications include: |
| 27 | + |
| 28 | +- Adjust phase transitions. |
| 29 | +- Set retention durations for different phases. |
| 30 | +- Update rollover conditions. |
| 31 | + |
| 32 | +Refer to the **[Customize built-in policies tutorial](/manage-data/lifecycle/index-lifecycle-management/tutorial-customize-built-in-policies.md)** for more on modifying the logs ILM policy. |
| 33 | + |
| 34 | +% might need some more common modifications or reasons why you might want to make these modifications. |
| 35 | + |
| 36 | +## Automate rollover based on log volume |
| 37 | + |
| 38 | +When continuously indexing timestamped documents, you'll want to periodically roll over to a new index to ensure that backing indices stay within optimal size and performance limits. |
| 39 | + |
| 40 | +% any logs specific limits the user might want to set and why? |
| 41 | + |
| 42 | +Refer to the [Automate rollover tutorial](/manage-data/lifecycle/index-lifecycle-management/tutorial-automate-rollover.md) for more information. |
| 43 | + |
| 44 | +## Use the ILM API |
| 45 | + |
| 46 | +You can also review ILM policies using the `Get lifecycle policies` API. |
| 47 | + |
| 48 | +For example, running `GET /_ilm/policy/logs@lifecycle` pulls up the default logs ILM policy, and you'll see something like the following: |
| 49 | + |
| 50 | +```json |
| 51 | +{ |
| 52 | + "logs@lifecycle": { |
| 53 | + "version": 1, |
| 54 | + "modified_date": "2025-05-19T16:45:58.754Z", |
| 55 | + "policy": { |
| 56 | + "phases": { |
| 57 | + "hot": { |
| 58 | + "min_age": "0ms", |
| 59 | + "actions": { |
| 60 | + "rollover": { |
| 61 | + "max_age": "30d", |
| 62 | + "max_primary_shard_size": "50gb" |
| 63 | + } |
| 64 | + } |
| 65 | + } |
| 66 | + }, |
| 67 | + "_meta": { |
| 68 | + "description": "default policy for the logs index template installed by x-pack", |
| 69 | + "managed": true |
| 70 | + }, |
| 71 | + "deprecated": false |
| 72 | + }, |
| 73 | + "in_use_by": { |
| 74 | + "indices": [], |
| 75 | + "data_streams": [], |
| 76 | + "composable_templates": [] |
| 77 | + } |
| 78 | + } |
| 79 | +} |
| 80 | +``` |
| 81 | + |
| 82 | +Refer to the [ILM API documentation](https://www.elastic.co/docs/api/doc/elasticsearch/group/endpoint-ilm) for more information. |
0 commit comments