Graylog servers interact with the Wazuh Indexer / OpenSearch API and have full read/write access to the indices.
Graylog servers do not store logs and events themselves; they write the data to indices on the Indexer nodes.
Through this API access, we can create new indices from the Graylog server's UI. Here's how:
Log on to your Graylog Server with admin credentials.
Go to System – Indices
Top right of the page, select “Create index set”
Close the pop-up window with index templates; we'll create all the settings manually.
Assign a title and description to the new index set:
NOTE: SOCFortress Standard: The screenshot above shows our normalized naming for new indices, as a reference: the tenant / company name, followed by the type of logs the new index will be storing.
The example above illustrates a new index for OPNsense firewall logs.
Move down and create the index set name. Fields explanation:
The last section defines the rotation and overall retention strategy for the hot data.
Change from Data Tiering to Legacy:
As the rotation strategy select Index Time and, as a general rule, set the rotation period to 5 days.
The max number of indices (7 in the example below), combined with the 5 days per index, defines how long the hot data in this index set remains available for querying:
5 days per index x 7 indices = 35 days ~ 1 month
Finally, click “Create Index Set”, bottom right.
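As an added example (not from this article or from Graylog's own code), the following Python builds the same index-set definition as the UI steps above, so the settings can be reviewed or submitted to Graylog's REST API (`POST /api/system/indices/index_sets`) instead of clicking through. The payload field names and the rotation/retention class names are assumed from Graylog's index-set API and should be checked against your version; the example also normalizes the tenant-logtype index prefix and computes the resulting hot-retention window.

```python
import re
from datetime import datetime, timezone

# OpenSearch index names must be lowercase with no spaces or special characters.
_PREFIX_RE = re.compile(r"^[a-z0-9][a-z0-9_-]*$")


def index_prefix(tenant: str, log_type: str) -> str:
    """Normalised '<tenant>-<logtype>' prefix, e.g. 'acme-opnsense'."""
    prefix = f"{tenant}-{log_type}".strip().lower().replace(" ", "-")
    if not _PREFIX_RE.match(prefix):
        raise ValueError(f"invalid index prefix: {prefix!r}")
    return prefix


def hot_retention_days(rotation_days: int, max_indices: int) -> int:
    """Days of hot data kept: rotation period x number of indices (5 x 7 = 35)."""
    return rotation_days * max_indices


def build_index_set(tenant: str, log_type: str, description: str,
                    rotation_days: int = 5, max_indices: int = 7,
                    shards: int = 1, replicas: int = 0) -> dict:
    """Request body for Graylog's index-set API (field names assumed; verify for your version)."""
    if rotation_days < 1 or max_indices < 1:
        raise ValueError("rotation_days and max_indices must be positive")
    return {
        "title": f"{tenant} - {log_type}",
        "description": description,
        "index_prefix": index_prefix(tenant, log_type),
        "shards": shards,
        "replicas": replicas,
        # Legacy (non data-tiering) rotation by index time; the period is ISO-8601, e.g. P5D
        "rotation_strategy_class": "org.graylog2.indexer.rotation.strategies.TimeBasedRotationStrategy",
        "rotation_strategy": {
            "type": "org.graylog2.indexer.rotation.strategies.TimeBasedRotationStrategyConfig",
            "rotation_period": f"P{rotation_days}D",
        },
        # Delete the oldest index once more than max_indices exist
        "retention_strategy_class": "org.graylog2.indexer.retention.strategies.DeletionRetentionStrategy",
        "retention_strategy": {
            "type": "org.graylog2.indexer.retention.strategies.DeletionRetentionStrategyConfig",
            "max_number_of_indices": max_indices,
        },
        "index_analyzer": "standard",
        "writable": True,
        "creation_date": datetime.now(timezone.utc).isoformat(),
    }
```

Calling `build_index_set("acme", "opnsense", "OPNsense firewall logs")` yields the 5-day / 7-index configuration from the steps above, i.e. 35 days of hot data.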