ILM policy is changing without editing it

Hello everybody,

I created an ILM policy:

PUT _ilm/policy/hot-warm-cold-delete-60days-policy
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "rollover": {
            "max_size":"20gb",
            "max_age":"30d"
          },
          "set_priority": {
            "priority": 50
          }
        }
      },
      "warm": {
        "actions": {
          "forcemerge": {
            "max_num_segments": 1
          },
          "shrink": {
            "number_of_shards": 1
          },
          "allocate": {
            "require": {
              "data": "warm"
            }
          },
          "set_priority": {
            "priority": 25
          }
        }
      },
      "cold": {
        "min_age": "30d",
        "actions": {
          "set_priority": {
            "priority": 0
          },
          "freeze": {},
          "allocate": {
            "require": {
              "data": "cold"
            }
          }
        }
      },
      "delete": {
        "min_age": "60d",
        "actions": {
          "delete": {}
        }
      }
    }
  }
}

and then I created a template:

PUT _template/packetbeat
{
  "index_patterns": ["packetbeat-*"], 
  "settings": {
    "number_of_shards": 10,
    "number_of_replicas": 1,
    "index.lifecycle.name": "hot-warm-cold-delete-60days-policy",  
    "index.lifecycle.rollover_alias": "packetbeat"
  }
}

and then created the first index:

PUT packetbeat-000001
{
  "aliases": {
    "packetbeat": {
      "is_write_index": true
    }
  }
}

It was working perfectly, but after 2 days I went to look at the policy configuration and found that the configuration had changed. It's not the first time this has happened: even when I edit it, it begins working and then after some time it changes again.

Could someone tell me what I am doing wrong, please?

Thanks for your help

Someone, or something, must be changing this.

You wouldn't happen to be running setup from any other Packetbeat instances, would you?

Thanks for your reply @warkolm

I am the only one who has access to the cluster, so we can exclude your first supposition.
Now I am running this policy just for firewall logs; for the other beats (packetbeat, winlogbeat, auditbeat), I let them use the default policy.
I run setup for the other beats after configuring the firewall policy, but they are not using the same policy, so it shouldn't be the cause, should it?

Just for information, I am using Elasticsearch and Kibana built from source code, so it's version 8.0.0.
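
One way to pin down when and how the policy is being rewritten, as an added example that is not part of the original thread: compare the body returned by `GET _ilm/policy/hot-warm-cold-delete-60days-policy` with a saved baseline, using the `version` and `modified_date` fields that response carries. The function names, the reduced baseline and the sample response are constructed for illustration; the baseline is assumed to be captured from a GET taken right after the PUT, so that any server-filled defaults are already in it.

```python
import json

MISSING = "<absent>"  # marker for a key present on only one side

def diff_policy(expected, actual, path=""):
    """Recursively compare two policy bodies; return [(path, expected, actual)]."""
    if isinstance(expected, dict) and isinstance(actual, dict):
        changes = []
        for key in sorted(set(expected) | set(actual)):
            sub = f"{path}.{key}" if path else key
            changes += diff_policy(expected.get(key, MISSING),
                                   actual.get(key, MISSING), sub)
        return changes
    return [] if expected == actual else [(path, expected, actual)]

def check_drift(name, baseline, response):
    """Compare a saved baseline with a GET _ilm/policy/<name> response body."""
    entry = response.get(name)
    if entry is None:  # policy was deleted or renamed
        return {"status": "missing", "changes": []}
    changes = diff_policy(baseline["policy"], entry["policy"])
    rewritten = entry["version"] != baseline["version"]
    # "rewritten": something re-PUT the policy, even though the content matches
    status = "drifted" if changes else ("rewritten" if rewritten else "ok")
    return {"status": status, "version": entry["version"],
            "modified_date": entry["modified_date"], "changes": changes}

NAME = "hot-warm-cold-delete-60days-policy"
# Constructed baseline: a reduced form of the policy from the first post.
BASELINE = {"version": 1, "policy": {"phases": {
    "hot": {"actions": {"rollover": {"max_size": "20gb", "max_age": "30d"},
                        "set_priority": {"priority": 50}}},
    "delete": {"min_age": "60d", "actions": {"delete": {}}}}}}
# Constructed response body, as if something had rewritten the policy.
SAMPLE_RESPONSE = json.loads("""
{"hot-warm-cold-delete-60days-policy": {
   "version": 3, "modified_date": "2019-01-01T00:00:00.000Z",
   "policy": {"phases": {
     "hot": {"actions": {"rollover": {"max_size": "50gb", "max_age": "30d"}}},
     "delete": {"min_age": "60d", "actions": {"delete": {}}}}}}}
""")

if __name__ == "__main__":
    report = check_drift(NAME, BASELINE, SAMPLE_RESPONSE)
    print(report["status"], "version", report["version"], report["modified_date"])
    for path, want, got in report["changes"]:
        print(f"  {path}: expected {want!r}, found {got!r}")
```

Run on a schedule, the reported `modified_date` gives a timestamp to line up against Beats setup runs or other clients that write to the cluster.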
