We want to reduce the amount of shards that each .security_audit_log template is generating on a daily basis. At the moment it is creating 5 shards each day and we want to reduce it to 1 primary and 1 replica.
Does the process of updating templates differ from a normal index when compared to a system index? Or do we just run a PUT request and replace the values that we want to set?
However, if I update the template I effectively overwrite it, yes? Is there a way I can mess up the predefined settings for the existing template? I would like to keep the existing template to 95%, just that I want to change how many shards each index creates.
Please be patient in waiting for responses to your question and refrain from pinging multiple times asking for a response. This is a community forum, it may take time for someone to reply to your question. For more information please refer to the Community Code of Conduct specifically the section "Be patient".
I'm sure someone will be able to offer some valuable feedback soon.
The supported option is to follow @martinr_ubi's advice above.
Set the number of shards and replicas under xpack.security.audit.index.settings in your elasticsearch.yml.
You can edit the template, but we cannot guarantee that your updates will be retained when you upgrade.
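The setting named in the answer above, written out as an elasticsearch.yml fragment. This is an added example, not part of the original thread; it assumes the index audit output is already enabled and uses the 1 primary and 1 replica asked for in the question.

```yaml
# elasticsearch.yml (added example, values taken from the question above)
# Assumption: audit events are already being written to an index on this node.
xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ index ]

# Settings applied to the audit indices instead of editing the template by hand.
xpack.security.audit.index.settings:
  index:
    number_of_shards: 1      # one primary shard per daily audit index
    number_of_replicas: 1    # one replica of that primary
```

Settings in elasticsearch.yml are read at node startup, and audit indices that already exist keep the shard count they were created with.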