I’m using Elasticsearch (8.15.1) for logging in my server environment, and Fleet to distribute agents across the servers.
The indices created are currently using the logs index lifecycle policy, which according to Elasticsearch is now deprecated.
What’s the recommended way to change the ILM policy for indices created through Fleet and Elastic Agent?
From what I’ve seen, there are basically two options:
1. Create an index template with a higher priority to override the existing ILM setting.
2. “Fork” the integration package, meaning:
   - Download the Exchange integration package
   - Update its manifest.yml and component templates so that index.lifecycle.name: ilm-logs-exchange
   - Install it as a custom package in Fleet
That way, Fleet would handle everything with the new policy.
Can you upgrade to 8.19.2? This is much easier to do on later versions, where you just need to add the custom ILM policy on the @custom template.
If you cannot upgrade now, you need to follow this specific documentation for 8.15.
You would need to clone the index template for every dataset in every integration that you want to change.
On later versions this step is not required, as the default templates already use a @custom component template that will be created the first time you try to edit it.
Just to clarify, is it enough if I only update the @custom component templates?
For example:
I have an ILM policy called "ilm-logs-firewall", and when I run GET _component_template it shows: