ILM using custom Logstash indices

Danilo_PC · April 5, 2021, 1:46pm

Hi,

I’m using logstash to ingest data into my elasticloud ES.

I’m using custom index names, such as “client_name-winlogbeat-2021.03.05” and “client_name-o365-2021.03.05” for windows and office 365 logs respectively.

By doing so, I’m unable to configure ILM for those indices.

An example of my logstash configuration can be seen as follow:

    input {
      syslog {
        port => 9001
        codec => cef
        type => "syslog_server"
        tags => ["office365"]

      }
    }

    output {
      if "icts-carbon-black" in [tags] {
        elasticsearch {
          hosts => ["ip:port"]
          user => "user"
          password => "pass"
          manage_template => false
          ssl => true
          ssl_certificate_verification => false
          index => "client-o365-%{+YYYY.MM.dd}"
        }
      }
    }

I’d like to ask how can I enable ILM policies for those custom indexes.

Thank you

warkolm · April 6, 2021, 1:06am

You can't use ILM and timebased indices like that;

You cannot use dynamic variable substitution when ilm_enabled is true and when using ilm_rollover_alias .

Please take a look at Elasticsearch output plugin | Logstash Reference [7.12] | Elastic

system · May 4, 2021, 1:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Does ILM work in Logstash with custom index names? Logstash	1	906	July 2, 2020
Elasticsearch custom ILM Elasticsearch ilm-index-lifecycle-management	5	1146	September 15, 2019
Workaround to Dynamic Index Names When Ussing ILM Policy Logstash ilm-index-lifecycle-management	2	544	May 25, 2021
How to enable ILM when I i have custom index name with hostname via logstash Logstash	1	502	August 2, 2019
Need help with ILM when using logstash Logstash ilm-index-lifecycle-management	2	321	August 17, 2020

ILM using custom Logstash indices

Related topics