weslambert edited this page Apr 12, 2018 · 5 revisions



Elasticsearch Curator helps you curate, or manage, your Elasticsearch indices and snapshots by:

  1. Obtaining the full list of indices (or snapshots) from the cluster, as the actionable list
  2. Iterate through a list of user-defined filters to progressively remove indices (or snapshots) from this actionable list as needed.
  3. Perform various actions on the items which remain in the actionable list.

Curator runs as a Docker container within Security Onion. It runs every minute and is controlled by cron jobs defined in /etc/cron.d/. When Curator completes an action, it logs such activity in a log file found in /var/log/curator/curator.log.

Curator defaults to closing indices older than 30 days. To modify this, change CURATOR_CLOSE_DAYS in /etc/nsm/securityonion.conf.

As your disk reaches capacity, Curator starts deleting old indices to prevent your disk from filling up. To change the limit, modify LOG_SIZE_LIMIT in /etc/nsm/securityonion.conf.

Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.