Alter the template for system indices


We want to reduce the amount of shards that each .security_audit_log template is generating on a daily basis. At the moment it is creating 5 shards each day and we want to reduce it to 1 primary and 1 replica.

Does the process of updating templates differ from a normal index when compared to system index? Or do we just run a PUT request and replace the values that we want to set?


Yes, both are same. You can browse all index templates containing system and user teplates in Cerebro, and modify index templates.

I have to assume you are using ES <7.0.

The setting you are looking for is documented on the same page where security auditing is documented itself.

You can change the index settings like shards and replica with those settings.

Just FYI, take note that shipping those audit logs directly in an index from ES itself is no longer a thing in >=7.0
It's now audit log file per node + filebeat to ship it out to your monitoring/auditing cluster.
Just keep in mind for your upgrade to 7.

Thank you,

However, if i update the template i effectively overwrite it yes? Is there a way i can mess up the predefined settings for the existing template? I would like to keep the existing template to 95%, just that i want to change how many shards each index creates.


Hi @victor.nilsson

Please be patient in waiting for responses to your question and refrain from
pinging multiple times asking for a response. This is a community forum, it may take time for someone to reply to your question. For more information please refer to the Community Code of Conduct specifically the section "Be patient".

I'm sure someone will be able to offer some valuable feedback soon :slight_smile:

Just modify number_of_shards and keep others unchanged.

The supported option is to follow @martinr_ubi's advice above.

Set the number of shards and replicas under in your elasticsearch.yml
You can edit the template, but we cannot guarantee that your updates will be retained when you upgrade.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.