Index life management

Index retention

Security standards require keeping data available for audits for a minimum period of time. For data older than this retention period, you might want to delete it to save storage space.

You can define specific policies to handle deletions automatically. You might also find these policies useful for index rollovers.

Creating a retention policy

Using the Visual editor

  1. Click on the upper left menu, go to OpenSearch Plugins, and select Index Management. Choose State management policies and click Create policy. Select Visual editor and click Continue.

    State management policies
    Visual editor configuration method
  2. Enter a unique Policy ID in the Policy info section. For example, wazuh-alert-retention-policy. You can optionally describe the policy in the Description field.

    Create policy
  3. Click Add template under ISM templates and enter an index pattern such as wazuh-alerts-* to apply this policy to future alert indices automatically.

  4. Click Add state to create a state for index deletion. Enter a name such as delete_alerts.

  5. Click Add action and select Delete in the Action type. Click Add action. Then click Save state.

  6. Click Add state again to create an initial state. Enter a name, such as initial.

  7. Choose Add before from the Order tab and select delete_alerts.

  8. Click Add transition and select delete_alerts as the Destination state.

  9. Select Minimum Index Age in Condition. Enter the retention value in the Minimum Index Age field, for example, 90d for 90 days.

  10. Click Add transition. Click Save state. Click Create.

Using the JSON editor

  1. Click on the upper left menu, go to OpenSearch Plugins, and choose Index Management. Choose State management policies and click Create policy. Select JSON editor and click Continue.

    JSON editor configuration method
  2. Enter a unique Policy ID in the Policy info section. For example, wazuh-alert-retention-policy. You can optionally enter a description within your JSON policy definition.

    JSON policy definition
  3. In the Define policy section, replace the content with your JSON policy definition. Your definition should look similar to the following.

    {
        "policy": {
            "policy_id": "wazuh-alert-retention-policy",
            "description": "Wazuh alerts retention policy",
            "schema_version": 17,
            "error_notification": null,
            "default_state": "retention_state",
            "states": [
                {
                    "name": "retention_state",
                    "actions": [],
                    "transitions": [
                        {
                            "state_name": "delete_alerts",
                            "conditions": {
                                "min_index_age": "90d"
                            }
                        }
                    ]
                },
                {
                    "name": "delete_alerts",
                    "actions": [
                        {
                            "retry": {
                                "count": 3,
                                "backoff": "exponential",
                                "delay": "1m"
                            },
                            "delete": {}
                        }
                    ],
                    "transitions": []
                }
            ],
            "ism_template": [
                {
                    "index_patterns": [
                        "wazuh-alerts-*"
                    ],
                    "priority": 1
                }
            ]
        }
    }
    

    Adjust the "min_index_age" value from "90d" to your preferred minimum index retention period, expressed in days.

  4. Click Create.

Applying the retention policy to alerts index

  1. Choose Indices in Index Management.

  2. Select the index or indices to attach the policy.

  3. Click Actions > Apply policy.

    Apply policy to indices
  4. Select the policy created in the previous steps from the Policy ID menu. Click Apply.
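The following script is an added example and is not part of the Wazuh documentation or the Wazuh project code. It builds the same retention policy document shown in the JSON editor steps, checks it for the mistakes that are easy to make when hand-editing it (a default state or transition target that does not exist, a min_index_age that is not a valid duration), and then performs the two UI actions above through the OpenSearch ISM REST API: creating the policy (PUT _plugins/_ism/policies/<policy_id>) and applying it to existing indices (POST _plugins/_ism/add/<index>). The indexer URL, the credentials and the CA file path are assumptions read from environment variables.

```python
"""Build, validate and publish a Wazuh alert retention ISM policy.

Added example, not the Wazuh project's own code. The policy body matches
the JSON editor example in the documentation; INDEXER_URL, INDEXER_USER,
INDEXER_PASSWORD and INDEXER_CA are placeholder settings (assumptions).
"""
import base64
import json
import os
import re
import ssl
import urllib.request

# OpenSearch duration syntax accepted by min_index_age: a number plus a unit.
_DURATION = re.compile(r"^\d+(d|h|m|s|ms|micros|nanos)$")


def build_retention_policy(policy_id, index_pattern, retention="90d",
                           description="Wazuh alerts retention policy"):
    """Return the ISM policy body: wait in retention_state until the index is
    older than `retention`, then move to delete_alerts and delete it."""
    return {
        "policy": {
            "policy_id": policy_id,
            "description": description,
            "schema_version": 17,
            "error_notification": None,
            "default_state": "retention_state",
            "states": [
                {
                    "name": "retention_state",
                    "actions": [],
                    "transitions": [
                        {"state_name": "delete_alerts",
                         "conditions": {"min_index_age": retention}}
                    ],
                },
                {
                    "name": "delete_alerts",
                    "actions": [
                        {"retry": {"count": 3, "backoff": "exponential",
                                   "delay": "1m"},
                         "delete": {}}
                    ],
                    "transitions": [],
                },
            ],
            # Future indices matching the pattern pick this policy up automatically.
            "ism_template": [{"index_patterns": [index_pattern], "priority": 1}],
        }
    }


def validate_policy(doc):
    """Return a list of problems (empty when the policy is consistent): the
    default state must exist, every transition must point at a defined state,
    and every min_index_age must be a valid duration such as 90d."""
    problems = []
    policy = doc.get("policy", {})
    states = {s["name"] for s in policy.get("states", [])}
    if policy.get("default_state") not in states:
        problems.append("default_state %r is not a defined state"
                        % policy.get("default_state"))
    for state in policy.get("states", []):
        for tr in state.get("transitions", []):
            if tr.get("state_name") not in states:
                problems.append("state %r transitions to unknown state %r"
                                % (state["name"], tr.get("state_name")))
            age = tr.get("conditions", {}).get("min_index_age")
            if age is not None and not _DURATION.match(age):
                problems.append("state %r has invalid min_index_age %r"
                                % (state["name"], age))
    return problems


def _request(method, path, body=None):
    """Send one authenticated JSON request to the indexer (settings are assumptions)."""
    base = os.environ.get("INDEXER_URL", "https://localhost:9200")
    user = os.environ.get("INDEXER_USER", "admin")
    password = os.environ.get("INDEXER_PASSWORD", "admin")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    # Verify the indexer certificate against its CA (path from INDEXER_CA).
    ctx = ssl.create_default_context(cafile=os.environ.get("INDEXER_CA"))
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def main():
    policy_id = "wazuh-alert-retention-policy"
    doc = build_retention_policy(policy_id, "wazuh-alerts-*", "90d")
    problems = validate_policy(doc)
    if problems:
        raise SystemExit("policy rejected:\n" + "\n".join(problems))
    # Equivalent of "Create policy" in the UI (ISM Create policy API).
    print(_request("PUT", "/_plugins/_ism/policies/" + policy_id, doc))
    # Equivalent of Actions > Apply policy on the existing alert indices
    # (ISM Add policy API); new indices are covered by the ism_template.
    print(_request("POST", "/_plugins/_ism/add/wazuh-alerts-*",
                   {"policy_id": policy_id}))


if __name__ == "__main__":
    main()
```

Running the validation before the PUT matters because ISM accepts a policy whose transition targets or durations are wrong only at a later point, when the index is already managed and the policy has failed on it; catching the mistake locally keeps indices from sitting in a failed state past their intended retention.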