ILM using custom Logstash indices

Danilo_PC · April 5, 2021, 1:46pm

Hi,

I’m using logstash to ingest data into my elasticloud ES.

I’m using custom index names, such as “client_name-winlogbeat-2021.03.05” and “client_name-o365-2021.03.05” for windows and office 365 logs respectively.

By doing so, I’m unable to configure ILM for those indices.

An example of my logstash configuration can be seen as follow:

    input {
      syslog {
        port => 9001
        codec => cef
        type => "syslog_server"
        tags => ["office365"]

      }
    }

    output {
      if "icts-carbon-black" in [tags] {
        elasticsearch {
          hosts => ["ip:port"]
          user => "user"
          password => "pass"
          manage_template => false
          ssl => true
          ssl_certificate_verification => false
          index => "client-o365-%{+YYYY.MM.dd}"
        }
      }
    }

I’d like to ask how can I enable ILM policies for those custom indexes.

Thank you

warkolm · April 6, 2021, 1:06am

You can't use ILM and timebased indices like that;

You cannot use dynamic variable substitution when ilm_enabled is true and when using ilm_rollover_alias .

Please take a look at Elasticsearch output plugin | Logstash Reference [7.12] | Elastic

system · May 4, 2021, 1:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.