Hi folks
I have the following setup: Filebeat sends logs from a Kubernetes cluster to Logstash. Logstash sends them to Elastic. These are the configurations of the important components:
Index template:
"filebeat-k8s-logs" : {
  "order" : 1,
  "index_patterns" : [
    "filebeat-k8s-logs-*"
  ],
  "settings" : {
    "index" : {
      "lifecycle" : {
        "name" : "ilm-filebeat",
        "rollover_alias" : "filebeat-k8s-logs"
      },
      "mapping" : {
        "total_fields" : {
          "limit" : "10000"
        }
      },
      "refresh_interval" : "5s",
      "number_of_shards" : "3"
    }
ILM policy:
PUT _ilm/policy/ilm-filebeat
{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": {
            "max_age": "30d",
            "max_size": "50gb"
          },
          "set_priority": {
            "priority": 100
          }
        }
      },
      "delete": {
        "min_age": "90d",
        "actions": {
          "delete": {}
        }
      }
    }
  }
}
Index:
"settings": {
  "index": {
    "lifecycle": {
      "name": "ilm-filebeat",
      "rollover_alias": "filebeat-k8s-logs",
      "indexing_complete": "true"
    },
    "mapping": {
      "total_fields": {
        "limit": "10000"
      }
    },
    "refresh_interval": "5s",
    "number_of_shards": "3",
    "provided_name": "<filebeat-k8s-logs-{now/d}-000004>"
  }
Logstash config:
input {
  beats {
    port => 5022
    ssl => true
    ssl_certificate_authorities => ["/ca.crt"]
    ssl_certificate => "/client.crt"
    ssl_key => "/client.key"
    ssl_key_passphrase => "${LOGSTASH_KEY_PASS}"
    ssl_verify_mode => "force_peer"
  }
}
output {
  elasticsearch {
    hosts => ["https://elastic.whatever:9200"]
    #index => "filebeat-k8s-logs"
    ilm_enabled => true
    ilm_rollover_alias => "filebeat-k8s-logs"
    ilm_policy => "ilm-filebeat"
    ilm_pattern => "{now/d}-000001"
    ssl => true
    ssl_certificate_verification => true
    cacert => '/ca.crt'
    user => logstash
    password => "${LOGSTASH}"
  }
}
Question:
The index does not get rolled over after 50gb automatically.
When I do:
POST filebeat-k8s-logs/_rollover
the rollover works perfectly and a new index gets created, for example:
filebeat-k8s-logs-2021.01.18-000005
How can I achieve automatic rollover? What am I doing wrong?
Many thanks!