Depositor

TeskaLabs Depositor is a microservice responsible for storing events in Elasticsearch and for setting up the Elasticsearch artifacts (such as index templates and ILM policies) derived from event lane declarations. Depositor stores successfully parsed or correlated events, as well as other events, in the appropriate Elasticsearch indices.

Note: Depositor replaces Dispatcher.

Important notes

  • Depositor requires a specific Elasticsearch setting: node roles must be configured, see Prerequisites
  • Depositor creates its own index template and index lifecycle management (ILM) policy for each index specified in the events and others sections of the event lane declaration, see Event Lane
  • Depositor's default index template has 6 shards and 1 replica
  • The field mapping (the types of the fields) in the index template is based on the schema, which is /Schemas/ECS.yaml by default unless another schema is specified in the configuration or in the event lane, see Event Lane
  • Depositor considers all event lane files, regardless of whether they are disabled for the given tenant in the UI
  • Depositor's default lifecycle policy requires node roles to be set in Elasticsearch's configuration, see Prerequisites
  • Depositor's default lifecycle policy has a limit of 16 GB per primary shard per index (the default maximum index size is thus 6 shards * 16 GB * 2 for the replica = 192 GB)
  • Depositor's default lifecycle policy has shrinking enabled when an index enters the warm phase
  • Depositor's default lifecycle policy deletes data after 180 days
  • Depositor by default stops sending data to Elasticsearch if cluster health is below 50 %, see Configuration
  • When migrating Dispatcher to Depositor, see Migration section
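The following is an added example, not Depositor's own code, that shows what the defaults listed above look like as concrete Elasticsearch artifacts (a composable index template and an ILM policy in the shape the Elasticsearch API expects) together with the ingestion gate on cluster health. The index pattern name, the shrink target of one shard, and the reading of "cluster health" from the active_shards_percent_as_number field of GET _cluster/health are assumptions of this example, not documented Depositor behaviour; the mapping is a constructed ECS subset standing in for what Depositor derives from /Schemas/ECS.yaml.

```python
# Added example (not Depositor's own code): the Elasticsearch artifacts that the
# notes above describe, plus the cluster-health gate. Assumed, not from the page:
# the index pattern name, shrinking to one shard, and reading "cluster health"
# from the active_shards_percent_as_number field of GET _cluster/health.
import json


def build_index_template(index_pattern, ilm_policy_name, shards=6, replicas=1):
    """Composable index template with the documented defaults: 6 shards, 1 replica.
    The mapping below is a constructed ECS subset; Depositor derives the real one
    from the schema (/Schemas/ECS.yaml by default)."""
    return {
        "index_patterns": [index_pattern],
        "template": {
            "settings": {
                "index.number_of_shards": shards,
                "index.number_of_replicas": replicas,
                "index.lifecycle.name": ilm_policy_name,
            },
            "mappings": {
                "properties": {
                    "@timestamp": {"type": "date"},
                    "message": {"type": "text"},
                    "event": {"properties": {"dataset": {"type": "keyword"}}},
                }
            },
        },
    }


def build_ilm_policy(max_primary_shard_size_gb=16, shrink_to_shards=1, delete_after_days=180):
    """ILM policy with the documented defaults: roll over at 16 GB per primary
    shard, shrink on entering the warm phase, delete after 180 days."""
    return {
        "policy": {
            "phases": {
                "hot": {
                    "min_age": "0ms",
                    "actions": {
                        "rollover": {"max_primary_shard_size": f"{max_primary_shard_size_gb}gb"}
                    },
                },
                "warm": {
                    # Shrinking in the warm phase needs warm-tier node roles,
                    # which is why the node-role prerequisite exists.
                    "actions": {"shrink": {"number_of_shards": shrink_to_shards}}
                },
                "delete": {
                    "min_age": f"{delete_after_days}d",
                    "actions": {"delete": {}},
                },
            }
        }
    }


def max_index_size_gb(shards=6, replicas=1, max_primary_shard_size_gb=16):
    """Upper bound on one index's on-disk footprint before rollover:
    primaries plus every replica copy."""
    return shards * max_primary_shard_size_gb * (1 + replicas)


def ingestion_allowed(cluster_health, min_active_shards_percent=50.0):
    """Gate on a _cluster/health response. Assumption: the page's "cluster health
    below 50 %" is the active_shards_percent_as_number field. A missing or
    malformed value is treated as unhealthy so that ingestion fails closed."""
    percent = cluster_health.get("active_shards_percent_as_number")
    if not isinstance(percent, (int, float)):
        return False
    return percent >= min_active_shards_percent


# Constructed sample responses shaped like GET _cluster/health output.
HEALTHY_CLUSTER = {"status": "yellow", "active_shards_percent_as_number": 83.3}
DEGRADED_CLUSTER = {"status": "red", "active_shards_percent_as_number": 41.7}


if __name__ == "__main__":
    print(json.dumps(build_index_template("lmio-tenant-events-*", "lmio-tenant-events"), indent=2))
    print(json.dumps(build_ilm_policy(), indent=2))
    print("max index size (GB):", max_index_size_gb())
    print("ingest while healthy:", ingestion_allowed(HEALTHY_CLUSTER))
    print("ingest while degraded:", ingestion_allowed(DEGRADED_CLUSTER))
```

The two builder functions return the JSON bodies you would PUT to `_index_template/<name>` and `_ilm/policy/<name>`; the gate treats an absent health figure as a reason to stop sending, which is the safer default when the cluster cannot be assessed.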