HELP [illegal_argument_exception: index.lifecycle.rollover_alias [sonicwall-*] does not point to index [sonicwall-2020.09.28-000001]]

Akbar_Maulana · September 29, 2020, 3:03am

I use this configuration for my indices but always returned with this error

PUT _template/sonicwall?include_type_name
{
"version": 60001,
"order": 0,
"index_patterns": [
"sonicwall-"
],
"settings": {
"index": {
"lifecycle": {
"name": "logstash-policy",
"rollover_alias": "sonicwall-"
},
"max_result_window": "100000",
"refresh_interval": "5s",
"number_of_shards": "1",
"number_of_replicas": "0"
}
},
"mappings": {
"_doc": {
"_source": {
"excludes": ,
"includes": ,
"enabled": true
},
"_routing": {
"required": false
},
"dynamic": true,
"numeric_detection": false,
"date_detection": true,
"dynamic_date_formats": [
"strict_date_optional_time",
"yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z"
],
"dynamic_templates": [
{
"message_field": {
"path_match": "message",
"mapping": {
"norms": false,
"type": "text"
},
"match_mapping_type": "string"
}
},
{
"string_fields": {
"mapping": {
"norms": false,
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"match_mapping_type": "string",
"match": "*"
}
}
],
"properties": {
"@timestamp": {
"type": "date"
},
"@version": {
"type": "keyword"
},
"geoip": {
"dynamic": true,
"type": "object",
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "half_float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "half_float"
}
}
}
}
}
}
}

warkolm · September 29, 2020, 3:10am

Welcome to our community!

Check out my answer here ILM Policy - Help!>!>!>, it is the same issue.

Akbar_Maulana · October 5, 2020, 2:18am

I tried, but it's still the same

Akbar_Maulana · October 5, 2020, 2:41am

I use this request from Web UI

PUT _template/sonicwall?include_type_name
{
  "version": 60001,
  "order": 0,
  "index_patterns": [
    "sonicwall-*"
  ],
  "settings": {
    "index": {
      "lifecycle": {
        "name": "logstash-policy",
        "rollover_alias": "sonicwall-*"
      },
      "max_result_window": "100000",
      "refresh_interval": "5s",
      "number_of_shards": "1",
      "number_of_replicas": "0"
    }
  },
  "mappings": {
    "_doc": {
      "_source": {
        "excludes": [],
        "includes": [],
        "enabled": true
      },
      "_routing": {
        "required": false
      },
      "dynamic": true,
      "numeric_detection": false,
      "date_detection": true,
      "dynamic_date_formats": [
        "strict_date_optional_time",
        "yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z"
      ],
      "dynamic_templates": [
        {
          "message_field": {
            "path_match": "message",
            "mapping": {
              "norms": false,
              "type": "text"
            },
            "match_mapping_type": "string"
          }
        },
        {
          "string_fields": {
            "mapping": {
              "norms": false,
              "type": "text",
              "fields": {
                "keyword": {
                  "ignore_above": 256,
                  "type": "keyword"
                }
              }
            },
            "match_mapping_type": "string",
            "match": "*"
          }
        }
      ],
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "@version": {
          "type": "keyword"
        },
        "geoip": {
          "dynamic": true,
          "type": "object",
          "properties": {
            "ip": {
              "type": "ip"
            },
            "latitude": {
              "type": "half_float"
            },
            "location": {
              "type": "geo_point"
            },
            "longitude": {
              "type": "half_float"
            }
          }
        }
      }
    }
  }
}

And use this output in logstash conf.d

Else if [type] == "Sonicwall"{
    elasticsearch {
      hosts => [ "xxxxx" ]
      user => "xxx"
      password => "xxx"
      #index => "sonicwall-index"
      manage_template => true
      template_name => "sonicwall"
      index => "sonicwall-%{+YYYY.MM.dd}"
      #ilm_enabled => true
      #ilm_rollover_alias => "sonicwall"
      #ilm_pattern => "{now/d}-000001"
      #ilm_policy => "logstash-policy"
      ssl => true
      cacert => "/etc/logstash/certs/ca.crt"

kavierkoo · October 5, 2020, 4:00am

In your index template, it shows below which seems incorrect

rollover_alias should be example sonicwall instead of having a -* inside

Also your logstash conf.d index => should point to your rollover_alias instead of "sonicwall-%{+YYYY.MM.dd}"

If you wanted to add date to your index, you can take a look at this post or read up on date math

This document helps me alot when I'm configuring ILM

Hope this can help you!

system · November 2, 2020, 4:00am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.