HELP [illegal_argument_exception: index.lifecycle.rollover_alias [sonicwall-*] does not point to index [sonicwall-2020.09.28-000001]]

I use this configuration for my indices, but the request always returns this error:

PUT _template/sonicwall?include_type_name
{
"version": 60001,
"order": 0,
"index_patterns": [
"sonicwall-*"
],
"settings": {
"index": {
"lifecycle": {
"name": "logstash-policy",
"rollover_alias": "sonicwall-*"
},
"max_result_window": "100000",
"refresh_interval": "5s",
"number_of_shards": "1",
"number_of_replicas": "0"
}
},
"mappings": {
"_doc": {
"_source": {
"excludes": [],
"includes": [],
"enabled": true
},
"_routing": {
"required": false
},
"dynamic": true,
"numeric_detection": false,
"date_detection": true,
"dynamic_date_formats": [
"strict_date_optional_time",
"yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z"
],
"dynamic_templates": [
{
"message_field": {
"path_match": "message",
"mapping": {
"norms": false,
"type": "text"
},
"match_mapping_type": "string"
}
},
{
"string_fields": {
"mapping": {
"norms": false,
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"match_mapping_type": "string",
"match": "*"
}
}
],
"properties": {
"@timestamp": {
"type": "date"
},
"@version": {
"type": "keyword"
},
"geoip": {
"dynamic": true,
"type": "object",
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "half_float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "half_float"
}
}
}
}
}
}
}

Welcome to our community! :smiley:

Check out my answer in the topic "ILM Policy - Help!>!>!>"; it is the same issue.

I tried, but it's still the same

I send this request from the web UI:

PUT _template/sonicwall?include_type_name
{
  "version": 60001,
  "order": 0,
  "index_patterns": [
    "sonicwall-*"
  ],
  "settings": {
    "index": {
      "lifecycle": {
        "name": "logstash-policy",
        "rollover_alias": "sonicwall-*"
      },
      "max_result_window": "100000",
      "refresh_interval": "5s",
      "number_of_shards": "1",
      "number_of_replicas": "0"
    }
  },
  "mappings": {
    "_doc": {
      "_source": {
        "excludes": [],
        "includes": [],
        "enabled": true
      },
      "_routing": {
        "required": false
      },
      "dynamic": true,
      "numeric_detection": false,
      "date_detection": true,
      "dynamic_date_formats": [
        "strict_date_optional_time",
        "yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z"
      ],
      "dynamic_templates": [
        {
          "message_field": {
            "path_match": "message",
            "mapping": {
              "norms": false,
              "type": "text"
            },
            "match_mapping_type": "string"
          }
        },
        {
          "string_fields": {
            "mapping": {
              "norms": false,
              "type": "text",
              "fields": {
                "keyword": {
                  "ignore_above": 256,
                  "type": "keyword"
                }
              }
            },
            "match_mapping_type": "string",
            "match": "*"
          }
        }
      ],
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "@version": {
          "type": "keyword"
        },
        "geoip": {
          "dynamic": true,
          "type": "object",
          "properties": {
            "ip": {
              "type": "ip"
            },
            "latitude": {
              "type": "half_float"
            },
            "location": {
              "type": "geo_point"
            },
            "longitude": {
              "type": "half_float"
            }
          }
        }
      }
    }
  }
}

And I use this output in my Logstash conf.d:

# Output branch for events whose [type] is "Sonicwall": sends them to Elasticsearch.
# (Snippet as posted; the closing braces are not shown.)
Else if [type] == "Sonicwall"{
    elasticsearch {
      hosts => [ "xxxxx" ]
      # Credentials are redacted in this post.
      # NOTE(review): in a real pipeline, a Logstash keystore reference such as
      # "${ES_PWD}" (placeholder name) keeps the secret out of conf.d.
      user => "xxx"
      password => "xxx"
      #index => "sonicwall-index"
      # NOTE(review): with manage_template on, Logstash installs its own template
      # under template_name if none exists; confirm this does not conflict with
      # the "sonicwall" template created by hand via PUT _template/sonicwall.
      manage_template => true
      template_name => "sonicwall"
      # Date-stamped index name, not an alias. The "sonicwall" template sets
      # index.lifecycle.rollover_alias, so an index created under this name
      # carries that setting without being written through the alias.
      index => "sonicwall-%{+YYYY.MM.dd}"
      # The explicit ILM options below are commented out, so the plugin's
      # defaults apply to them.
      #ilm_enabled => true
      #ilm_rollover_alias => "sonicwall"
      #ilm_pattern => "{now/d}-000001"
      #ilm_policy => "logstash-policy"
      # TLS to Elasticsearch, with the server certificate checked against this CA file.
      ssl => true
      cacert => "/etc/logstash/certs/ca.crt"

In your index template, the `rollover_alias` value (`"sonicwall-*"`) seems incorrect.

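`rollover_alias` should be a plain alias name, for example `sonicwall`, without the `-*` wildcard in it. The error message is saying exactly this: the configured alias does not point to the index that ILM is trying to manage.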

Also, the `index =>` setting in your Logstash conf.d output should point to your rollover alias instead of "sonicwall-%{+YYYY.MM.dd}".

If you want to add a date to your index name, you can take a look at this post or read up on date math.

This document helped me a lot when I was configuring ILM.

Hope this can help you!
