Skip to content

Commit

Permalink
[alerting] add user facing doc on event log ILM policy (#92736) (#95404)
Browse files Browse the repository at this point in the history 
resolves #82435

Just provided a brief description, name of the policy, mentioned
we create it but never modify it, provided the default values, and mentioned
it could be updated by customers for their environment.  Not sure we want to
provide more info than that.
  • Loading branch information
@pmuellr
pmuellr authored Mar 25, 2021
1 parent 6f863c3 commit bd86eae
Showing 1 changed file with 13 additions and 0 deletions.
13 changes: 13 additions & 0 deletions docs/user/production-considerations/alerting-production-considerations.asciidoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,3 +49,16 @@ It is difficult to predict how much throughput is needed to ensure all rules and
By counting rules as recurring tasks and actions as non-recurring tasks, a rough throughput <<task-manager-rough-throughput-estimation,can be estimated>> as a _tasks per minute_ measurement.

Predicting the buffer required to account for actions depends heavily on the rule types you use, the amount of alerts they might detect, and the number of actions you might choose to assign to action groups. With that in mind, regularly <<task-manager-health-monitoring,monitor the health>> of your Task Manager instances.

[float]
[[event-log-ilm]]
=== Event log index lifecycle managment

Alerts and actions log activity in a set of "event log" indices. These indices are configured with an index lifecycle management (ILM) policy, which you can customize. The default policy rolls over the index when it reaches 50GB, or after 30 days. Indices over 90 days old are deleted.

The name of the index policy is `kibana-event-log-policy`. {kib} creates the index policy on startup, if it doesn't already exist. The index policy can be customized for your environment, but {kib} never modifies the index policy after creating it.

Because Kibana uses the documents to display historic data, you should set the delete phase longer than you would like the historic data to be shown. For example, if you would like to see one month's worth of historic data, you should set the delete phase to at least one month.

For more information on index lifecycle management, see:
{ref}/index-lifecycle-management.html[Index Lifecycle Policies].

0 comments on commit bd86eae

Please sign in to comment.