I have a need to retain a small subset of events in an index for a longer retention period. I have all the Windows Event Logs from all my servers going to an index with a 90 day retention period. But I have a few event types that I would like to retain for longer (2 to 3 years).
Is there a way to have events be copied to two indexes at index time? I want all Windows Event Logs to go into the main event log index and the special events for long term retention to go to the main event log index AND a separate long term retention event log index.
I have tried to use summary indexing as per the recommendation from other posts. But when doing that, it causes three problems.
1. The host, source, and sourcetype are all changed; I need those preserved.
2. All the field extractions are gone. I believe this is because the sourcetype is changed to stash, so if #1 is fixed, that may resolve this too.
3. The time of the events loses the time zone. I have events forwarded from multiple time zones. When the events are copied to the summary index, the times are all the raw time on the event, not the real time it was generated.
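As an added illustration of the index-time alternative the question is asking about (this is not the poster's configuration and not from any answer on the page), the fragments below use Splunk's `CLONE_SOURCETYPE` transform to make a second copy of only the matching events and route that copy to a second index with its own retention. The sourcetype name `WinEventLog:Security`, the clone sourcetype `WinEventLog:Security:longterm`, the index name `wineventlog_longterm` and the EventCode values 4720/4726 are all placeholders chosen for this example.

```ini
# props.conf -- on the indexer or heavy forwarder that parses the events
# (index-time transforms do not run on a universal forwarder).
# Assumed source sourcetype for this example: WinEventLog:Security
[WinEventLog:Security]
TRANSFORMS-clone_longterm = clone_security_longterm

# Stanza for the cloned copy. Search-time field extractions are keyed on
# sourcetype, so this new sourcetype needs its own extractions configured
# (for example by copying the EXTRACT-*/REPORT-* settings of the original).
[WinEventLog:Security:longterm]
TRANSFORMS-route_longterm = route_to_longterm_index

# transforms.conf
# Clone only events matching REGEX (placeholder: account created/deleted).
# The original event is indexed unchanged, keeping its host, source,
# sourcetype and the _time already parsed from the event; only the clone
# gets the new sourcetype.
[clone_security_longterm]
REGEX = EventCode=(4720|4726)
CLONE_SOURCETYPE = WinEventLog:Security:longterm

# Every clone is sent to the long-retention index (placeholder name).
[route_to_longterm_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = wineventlog_longterm

# indexes.conf -- retention for the second index: 3 years in seconds
# (3 * 365 * 86400), constructed to match the 2-3 year requirement above.
[wineventlog_longterm]
homePath   = $SPLUNK_DB/wineventlog_longterm/db
coldPath   = $SPLUNK_DB/wineventlog_longterm/colddb
thawedPath = $SPLUNK_DB/wineventlog_longterm/thaweddb
frozenTimePeriodInSecs = 94608000
```

After a restart, a search such as `index=wineventlog_longterm` should return only the cloned subset, while the original index still holds every event. The clone deliberately carries a different sourcetype (that is what `CLONE_SOURCETYPE` requires), so the field extractions for the clone sourcetype have to be defined explicitly; host, source and timestamp are not altered by the clone, which avoids the time zone problem described for summary indexing.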