Storage-based log retention strategy

Available since 2.26.0 (17.1.0 and 16.1.0)

StackLight uses a storage-based log retention strategy that optimizes storage utilization and ensures effective data retention. A proportion of available disk space is defined as 80% of disk space allocated for the OpenSearch node with the following data types:

  • 80% for system logs

  • 10% for audit logs

  • 5% for OpenStack notifications (applies only to MOSK clusters)

  • 5% for Kubernetes events

This approach ensures that storage resources are efficiently allocated based on the importance and volume of different data types.

The logging index management implies the following advantages:

  • Storage-based rollover mechanism

    The rollover mechanism for system and audit indices enforces shard size based on available storage, ensuring optimal resource utilization.

  • Consistent shard allocation

    The number of primary shards per index is dynamically set based on cluster size, which boosts search and facilitates ingestion for large clusters.

  • Minimal size of cluster state

    The logging size of the cluster state is minimal and uses static mappings, which are based on Elastic Common Schema (ESC) with slight deviations from the standard. Dynamic mapping in index templates is avoided to reduce overhead.

  • Storage compression

    The system and audit indices utilize the best_compression codec that minimizes the size of stored indices, resulting in significant storage savings of up to 50% on average.

  • No filter by logging level

    In light of non-even severity level over components in Container Cloud, logs of all severity levels are collected to prevent ignorance of important logs of low severity while debugging a cluster. Filtering by tags is still available.