I recently launched server monitoring using Winlogbeat, Packetbeat and Metricbeat. All three agents are running with default settings (except for Elasticsearch/Kibana hosts and winlog narrowed to security). Templates have been created automatically. For some reason, Elasticsearch indices are not rolled by day, which I remember happened by default in 6.7. Any idea why that might happen? Has anything changed in this regard from 6.7?
Here's today's screenshot of my indexes. The services are still running and I'm able to see fresh data in Discover, so there's definitely data from other days than 25 and 26 of April.
Starting with 7.0, Beats uses index lifecycle management by default when it connects to a cluster that supports it. You can disable this behavior if you want to use daily indices. You just need to set setup.ilm.enabled: false and reload the index template. For more information, see the Beats documentation, for example: https://www.elastic.co/guide/en/beats/packetbeat/current/ilm.html
That explains it, thank you @dedemorton
Any idea why it was redone that way? Any particular reason why the default behavior was changed like this? I'm asking out of curiosity.
Elastic strives to provide sensible defaults. Making ILM on by default makes a lot of sense for most users because it's an easier way to manage indices over time. A new index gets created based on criteria that you specify so you avoid situations where you get really big indices or lots of tiny ones. The lifecycle policy controls when indices get created, shrunk down, deleted, and so on.