Elasticsearch Curator helps you curate, or manage, your Elasticsearch indices and snapshots by:
- Obtaining the full list of indices (or snapshots) from the cluster as the actionable list
- Iterating through a list of user-defined filters to progressively remove indices (or snapshots) from this actionable list as needed
- Performing various actions on the items which remain in the actionable list
Curator runs as a Docker container within Security Onion. It runs every minute and is controlled by cron jobs defined in
When Curator completes an action, it logs such activity in a log file found
Curator defaults to closing indices older than 30 days. To modify this,
As your disk reaches capacity, Curator starts deleting old indices to prevent your disk from filling up. To change the limit, modify
Curator actions are stored in
Curator actions are run every minute from the cron jobs located in
If you would like to add a new action, you can certainly do so, and add another cron job in /etc/cron.d to automate the process.
For example, a new process for snapshotting would require a new action file, Elasticsearch configuration, and a cron job to automate it all:
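As an added example (not code from the Security Onion documentation), the three pieces together as a POSIX shell script: a Curator action file that snapshots day-old indices, the one-time repository registration on the Elasticsearch side, and the /etc/cron.d line that schedules the job once a day instead of every minute. The repository name and path, the index prefix, the Elasticsearch URL and the curator container command are assumptions; adjust them to your deployment.

```shell
#!/bin/sh
# Added example, not Security Onion's own code. Every name and path below
# is an assumption for illustration; set them to match your deployment.
set -eu

REPO_NAME="${REPO_NAME:-so_backup}"                     # assumed snapshot repository name
REPO_PATH="${REPO_PATH:-/nsm/backups}"                  # must also appear in path.repo in elasticsearch.yml
ES_URL="${ES_URL:-http://localhost:9200}"               # assumed Elasticsearch endpoint
CURATOR_CMD="${CURATOR_CMD:-docker exec so-curator curator}"  # assumed container name

# 1. Curator action file: snapshot indices older than one day, matched by prefix.
write_snapshot_action() {
  cat > "$1" <<EOF
actions:
  1:
    action: snapshot
    description: "Snapshot indices older than 1 day into $REPO_NAME"
    options:
      repository: $REPO_NAME
      name: so-%Y.%m.%d
      wait_for_completion: True
      max_wait: 3600
      wait_interval: 10
      ignore_empty_list: True
    filters:
    - filtertype: pattern
      kind: prefix
      value: logstash-
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: 1
EOF
}

# 2. Elasticsearch side: register a filesystem repository once (requires
#    REPO_PATH to be listed under path.repo in elasticsearch.yml and a restart).
register_repo() {
  curl -sS -X PUT "$ES_URL/_snapshot/$REPO_NAME" -H 'Content-Type: application/json' \
    -d "{\"type\":\"fs\",\"settings\":{\"location\":\"$REPO_PATH\",\"compress\":true}}"
}

# 3. Cron entry for /etc/cron.d: run the snapshot action daily at 01:00 as root.
#    Usage: cron_line ACTION_FILE CURATOR_CONFIG_FILE
cron_line() {
  printf '0 1 * * * root %s --config %s %s\n' "$CURATOR_CMD" "$2" "$1"
}
```

Write the action file with `write_snapshot_action`, call `register_repo` once, then append the output of `cron_line` to a new file under /etc/cron.d.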