Index.lifecycle.rollover_alias [filebeat-7.17.7] does not point to index [filebeat-7.17.7-2022.12.21]

tjay · December 23, 2022, 1:46pm

Hi,

I started using elasticsearch, kibana, logstash and filebeat and noticed that the rollover error is occurring. Can someone shed a light on this?

It looks there are two indexes and the second one (000002) is used at present.

curl -XGET localhost:9200/_cat/aliases?v=true
alias                       index                             filter routing.index routing.search is_write_index
.kibana                     .kibana_7.17.7_001                -      -             -              -
.kibana_7.17.7              .kibana_7.17.7_001                -      -             -              -
filebeat-7.17.7             filebeat-7.17.7-2022.10.30-000001 -      -             -              false
.kibana-event-log-7.17.7    .kibana-event-log-7.17.7-000002   -      -             -              true
filebeat-7.17.7             filebeat-7.17.7-2022.11.29-000002 -      -             -              true
.kibana_task_manager        .kibana_task_manager_7.17.7_001   -      -             -              -
.kibana_task_manager_7.17.7 .kibana_task_manager_7.17.7_001   -      -             -              -
.kibana-event-log-7.17.7    .kibana-event-log-7.17.7-000001   -      -             -              false

tjay · December 23, 2022, 1:51pm

curl -X GET "localhost:9200/filebeat-7.17.7/_settings?pretty"
{
  "filebeat-7.17.7-2022.10.30-000001" : {
    "settings" : {
      "index" : {
        "lifecycle" : {
          "name" : "filebeat",
          "rollover_alias" : "filebeat-7.17.7",
          "indexing_complete" : "true"
        },
        "routing" : {
          "allocation" : {
            "include" : {
              "_tier_preference" : "data_content"
            }
          }
        },
        "mapping" : {
          "total_fields" : {
            "limit" : "10000"
          }
        },
        "refresh_interval" : "5s",
        "number_of_shards" : "1",
        "provided_name" : "<filebeat-7.17.7-{now/d}-000001>",
        "max_docvalue_fields_search" : "200",
        "query" : {
          "default_field" : [
            "message",
            "tags",
            "agent.ephemeral_id",
            "agent.id",
            "agent.name",
            "agent.type",
            "agent.version",
            "as.organization.name",
            "client.address",
            "client.as.organization.name",
            "client.domain",
            "client.geo.city_name",
            "client.geo.continent_name",
            "client.geo.country_iso_code",
            "client.geo.country_name",
            "client.geo.name",
            "client.geo.region_iso_code",
            "client.geo.region_name",
            "client.mac",
            "client.registered_domain",
            "client.top_level_domain",
            "client.user.domain",
            "client.user.email",
            "client.user.full_name",
            "client.user.group.domain",
            "client.user.group.id",
            "client.user.group.name",
            "client.user.hash",
            "client.user.id",
            "client.user.name",
            "cloud.account.id",
            "cloud.availability_zone",
            "cloud.instance.id",
            "cloud.instance.name",
            "cloud.machine.type",
            "cloud.provider",
            "cloud.region",
            "container.id",
            "container.image.name",
            "container.image.tag",
            "container.name",
            "container.runtime",
            "destination.address",
            "destination.as.organization.name",
            "destination.domain",
            "destination.geo.city_name",
            "destination.geo.continent_name",
            "destination.geo.country_iso_code",
            "destination.geo.country_name",
            "destination.geo.name",
            "destination.geo.region_iso_code",
            "destination.geo.region_name",
            "destination.mac",
            "destination.registered_domain",
            "destination.top_level_domain",
            "destination.user.domain",
            "destination.user.email",
            "destination.user.full_name",
            "destination.user.group.domain",
            "destination.user.group.id",
            "destination.user.group.name",
            "destination.user.hash",
            "destination.user.id",
            "destination.user.name",
            "dns.answers.class",
            "dns.answers.data",
            "dns.answers.name",
            "dns.answers.type",
            "dns.header_flags",
            "dns.id",
            "dns.op_code",
            "dns.question.class",
            "dns.question.name",
            "dns.question.registered_domain",
            "dns.question.subdomain",
            "dns.question.top_level_domain",
            "dns.question.type",
            "dns.response_code",
            "dns.type",
            "ecs.version",
            "error.code",
            "error.id",
            "error.message",
            "error.stack_trace",
            "error.type",
            "event.action",
            "event.category",
            "event.code",
            "event.dataset",
            "event.hash",
            "event.id",
            "event.kind",
            "event.module",
            "event.outcome",
            "event.provider",
            "event.timezone",
            "event.type",
            "file.device",
            "file.directory",
            "file.extension",
            "file.gid",
            "file.group",
            "file.hash.md5",
            "file.hash.sha1",
            "file.hash.sha256",
            "file.hash.sha512",
            "file.inode",
            "file.mode",
            "file.name",
            "file.owner",
            "file.path",
            "file.target_path",
            "file.type",
            "file.uid",
... removed
            "coredns.id",
            "coredns.query.class",
            "coredns.query.name",
            "coredns.query.type",
            "coredns.response.code",
            "coredns.response.flags",
            "cef.version",
            "cef.device.vendor",
            "cef.device.product",
            "cef.device.version",
            "cef.device.event_class_id",
            "cef.severity",
            "cef.name",
            "source.service.name",
            "destination.service.name",
            "elasticsearch.component",
            "elasticsearch.cluster.uuid",
            "elasticsearch.cluster.name",
            "elasticsearch.node.id",
            "elasticsearch.node.name",
            "elasticsearch.index.name",
            "elasticsearch.index.id",
            "elasticsearch.shard.id",
            "elasticsearch.audit.layer",
            "elasticsearch.audit.event_type",
            "elasticsearch.audit.origin.type",
            "elasticsearch.audit.realm",
            "elasticsearch.audit.user.realm",
            "elasticsearch.audit.user.roles",
            "elasticsearch.audit.user.run_as.name",
            "elasticsearch.audit.user.run_as.realm",
            "elasticsearch.audit.component",
            "elasticsearch.audit.action",
            "elasticsearch.audit.url.params",
            "elasticsearch.audit.indices",
            "elasticsearch.audit.request.id",
            "elasticsearch.audit.request.name",
            "elasticsearch.audit.message",
            "elasticsearch.gc.phase.name",
            "elasticsearch.gc.tags",
            "elasticsearch.slowlog.logger",
            "elasticsearch.slowlog.took",
            "elasticsearch.slowlog.types",
            "elasticsearch.slowlog.stats",
            "elasticsearch.slowlog.search_type",
            "elasticsearch.slowlog.source_query",
            "elasticsearch.slowlog.extra_source",
            "elasticsearch.slowlog.total_hits",
            "elasticsearch.slowlog.total_shards",
            "elasticsearch.slowlog.routing",
            "elasticsearch.slowlog.id",
            "elasticsearch.slowlog.type",
            "elasticsearch.slowlog.source",
            "envoyproxy.log_type",
            "envoyproxy.response_flags",
            "envoyproxy.request_id",
            "envoyproxy.authority",
            "envoyproxy.proxy_type",
            "fortinet.file.hash.crc32",
            "gcp.destination.instance.project_id",
            "gcp.destination.instance.region",
            "gcp.destination.instance.zone",
            "gcp.destination.vpc.project_id",
            "gcp.destination.vpc.vpc_name",
            "gcp.destination.vpc.subnetwork_name",
            "gcp.source.instance.project_id",
            "gcp.source.instance.region",
            "gcp.source.instance.zone",
            "gcp.source.vpc.project_id",
            "gcp.source.vpc.vpc_name",
            "gcp.source.vpc.subnetwork_name",
            "gcp.audit.type",
            "gcp.audit.authentication_info.principal_email",
            "gcp.audit.authentication_info.authority_selector",
            "gcp.audit.method_name",
            "gcp.audit.request.proto_name",
            "gcp.audit.request.filter",
            "gcp.audit.request.name",
            "gcp.audit.request.resource_name",
            "gcp.audit.request_metadata.caller_supplied_user_agent",
            "gcp.audit.response.proto_name",
            "gcp.audit.response.details.group",
            "gcp.audit.response.details.kind",
            "gcp.audit.response.details.name",
            "gcp.audit.response.details.uid",
            "gcp.audit.response.status",
            "gcp.audit.resource_name",
            "gcp.audit.resource_location.current_locations",
            "gcp.audit.service_name",
            "gcp.audit.status.message",
            "gcp.firewall.rule_details.action",
            "gcp.firewall.rule_details.direction",
            "gcp.firewall.rule_details.reference",
            "gcp.firewall.rule_details.source_range",
            "gcp.firewall.rule_details.destination_range",
            "gcp.firewall.rule_details.source_tag",
            "gcp.firewall.rule_details.target_tag",
            "gcp.firewall.rule_details.source_service_account",
            "gcp.firewall.rule_details.target_service_account",
            "gcp.vpcflow.reporter",
            "haproxy.frontend_name",
            "haproxy.backend_name",
            "haproxy.server_name",
            "haproxy.bind_name",
            "haproxy.error_message",
            "haproxy.source",
            "haproxy.termination_state",
            "haproxy.mode",
            "haproxy.http.response.captured_cookie",
            "haproxy.http.response.captured_headers",
            "haproxy.http.request.captured_cookie",
            "haproxy.http.request.captured_headers",
            "haproxy.http.request.raw_request_line",
            "ibmmq.errorlog.installation",
            "ibmmq.errorlog.qmgr",
            "ibmmq.errorlog.arithinsert",
            "ibmmq.errorlog.commentinsert",
            "ibmmq.errorlog.errordescription",
            "ibmmq.errorlog.explanation",
            "ibmmq.errorlog.action",
            "ibmmq.errorlog.code",
            "icinga.debug.facility",
            "icinga.main.facility",
            "icinga.startup.facility",
            "iis.access.site_name",
            "iis.access.server_name",
            "iis.access.cookie",
            "iis.error.reason_phrase",
            "iis.error.queue_name",
            "iptables.fragment_flags",
            "iptables.input_device",
            "iptables.output_device",
            "iptables.tcp.flags",
            "iptables.ubiquiti.input_zone",
            "iptables.ubiquiti.output_zone",
            "iptables.ubiquiti.rule_number",
            "iptables.ubiquiti.rule_set",
            "kafka.log.component",
            "kafka.log.class",
            "kafka.log.thread",
            "kafka.log.trace.class",
            "kafka.log.trace.message",
            "kibana.session_id",
            "kibana.space_id",
            "kibana.saved_object.type",
            "kibana.saved_object.id",
            "kibana.add_to_spaces",
            "kibana.delete_from_spaces",
            "kibana.authentication_provider",
            "kibana.authentication_type",
            "kibana.authentication_realm",
            "kibana.lookup_realm",
            "kibana.log.tags",
            "kibana.log.state",
            "logstash.log.module",
            "logstash.log.thread.text",
            "logstash.log.thread",
            "logstash.log.log_event.action",
            "logstash.log.pipeline_id",
            "logstash.slowlog.module",
            "logstash.slowlog.thread.text",
            "logstash.slowlog.thread",
            "logstash.slowlog.event.text",
            "logstash.slowlog.event",
            "logstash.slowlog.plugin_name",
            "logstash.slowlog.plugin_type",
            "logstash.slowlog.plugin_params.text",
            "logstash.slowlog.plugin_params",
            "misp.attack_pattern.id",
            "misp.attack_pattern.name",
            "misp.attack_pattern.description",
            "misp.attack_pattern.kill_chain_phases",
            "misp.campaign.id",
            "misp.campaign.name",
            "misp.campaign.description",
            "misp.campaign.aliases",
            "misp.campaign.objective",
            "misp.course_of_action.id",
            "misp.course_of_action.name",
            "misp.course_of_action.description",
            "misp.identity.id",
            "misp.identity.name",
            "misp.identity.description",
            "misp.identity.identity_class",
            "misp.identity.labels",
            "misp.identity.sectors",
            "misp.identity.contact_information",
            "misp.intrusion_set.id",
            "misp.intrusion_set.name",
            "misp.intrusion_set.description",
            "misp.intrusion_set.aliases",
            "misp.intrusion_set.goals",
            "misp.intrusion_set.resource_level",
            "misp.intrusion_set.primary_motivation",
            "misp.intrusion_set.secondary_motivations",
            "misp.malware.id",
            "misp.malware.name",
            "misp.malware.description",
            "misp.malware.labels",
            "misp.malware.kill_chain_phases",
            "misp.note.id",
            "misp.note.summary",
            "misp.note.description",
            "misp.note.authors",
            "misp.note.object_refs",
            "misp.threat_indicator.labels",
            "misp.threat_indicator.id",
            "misp.threat_indicator.version",
            "misp.threat_indicator.type",
            "misp.threat_indicator.description",
            "misp.threat_indicator.feed",
            "misp.threat_indicator.severity",
            "misp.threat_indicator.confidence",
            "misp.threat_indicator.kill_chain_phases",
            "misp.threat_indicator.mitre_tactic",
            "misp.threat_indicator.mitre_technique",
            "misp.threat_indicator.attack_pattern",
            "misp.threat_indicator.attack_pattern_kql",
            "misp.threat_indicator.intrusion_set",
            "misp.threat_indicator.campaign",
            "misp.threat_indicator.threat_actor",
            "misp.observed_data.id",
            "misp.observed_data.objects",
            "misp.report.id",
            "misp.report.labels",
            "misp.report.name",
            "misp.report.description",
            "misp.report.object_refs",
            "misp.threat_actor.id",
            "misp.threat_actor.labels",
            "misp.threat_actor.name",
            "misp.threat_actor.description",
            "misp.threat_actor.aliases",
            "misp.threat_actor.roles",
            "misp.threat_actor.goals",
            "misp.threat_actor.sophistication",
            "misp.threat_actor.resource_level",
            "misp.threat_actor.primary_motivation",
            "misp.threat_actor.secondary_motivations",
            "misp.threat_actor.personal_motivations",
            "misp.tool.id",
            "misp.tool.labels",
            "misp.tool.name",
            "misp.tool.description",
            "misp.tool.tool_version",
            "misp.tool.kill_chain_phases",
            "misp.vulnerability.id",
            "misp.vulnerability.name",
            "misp.vulnerability.description",
            "mongodb.log.component",
            "mongodb.log.context",
            "mssql.log.origin",
            "mysql.slowlog.query",
            "mysql.slowlog.schema",
            "mysql.slowlog.current_user",
            "mysql.slowlog.last_errno",
            "mysql.slowlog.killed",
            "mysql.slowlog.log_slow_rate_type",
            "mysql.slowlog.log_slow_rate_limit",
            "mysql.slowlog.innodb.trx_id",
            "nats.log.msg.type",
            "nats.log.msg.subject",
            "nats.log.msg.reply_to",
            "nats.log.msg.error.message",
            "nats.log.msg.queue_group",
            "netflow.type",
            "netflow.exporter.address",
            "netflow.source_mac_address",
            "netflow.post_destination_mac_address",
            "netflow.destination_mac_address",
            "netflow.post_source_mac_address",
            "netflow.interface_name",
            "netflow.interface_description",
            "netflow.sampler_name",
            "netflow.application_description",
            "netflow.application_name",
            "netflow.class_name",
            "netflow.wlan_ssid",
            "netflow.vr_fname",
            "netflow.metro_evc_id",
            "netflow.nat_pool_name",
            "netflow.p2p_technology",
            "netflow.tunnel_technology",
            "netflow.encrypted_technology",
            "netflow.observation_domain_name",
            "netflow.selector_name",
            "netflow.information_element_description",
            "netflow.information_element_name",
            "netflow.virtual_station_interface_name",
            "netflow.virtual_station_name",
            "netflow.sta_mac_address",
            "netflow.wtp_mac_address",
            "netflow.user_name",
            "netflow.application_category_name",
            "netflow.application_sub_category_name",
            "netflow.application_group_name",
            "netflow.dot1q_customer_source_mac_address",
            "netflow.dot1q_customer_destination_mac_address",
            "netflow.mib_context_name",
            "netflow.mib_object_name",
            "netflow.mib_object_description",
            "netflow.mib_object_syntax",
            "netflow.mib_module_name",
            "netflow.mobile_imsi",
            "netflow.mobile_msisdn",
            "netflow.http_request_method",
            "netflow.http_request_host",
            "netflow.http_request_target",
            "netflow.http_message_version",
            "netflow.http_user_agent",
            "netflow.http_content_type",
            "netflow.http_reason_phrase",
            "nginx.ingress_controller.upstream_address_list",
            "nginx.ingress_controller.upstream.response.length_list",
            "nginx.ingress_controller.upstream.response.time_list",
            "nginx.ingress_controller.upstream.response.status_code_list",
            "nginx.ingress_controller.upstream.name",
            "nginx.ingress_controller.upstream.alternative_name",
            "nginx.ingress_controller.http.request.id",
            "oracle.database_audit.status",
            "oracle.database_audit.session_id",
            "oracle.database_audit.client.terminal",
            "oracle.database_audit.client.address",
            "oracle.database_audit.client.user",
            "oracle.database_audit.database.user",
            "oracle.database_audit.privilege",
            "oracle.database_audit.entry.id",
            "oracle.database_audit.database.host",
            "oracle.database_audit.action",
            "oracle.database_audit.action_number",
            "oracle.database_audit.database.id",
            "osquery.result.name",
            "osquery.result.action",
            "osquery.result.host_identifier",
            "osquery.result.calendar_time",
            "panw.panos.ruleset",
            "panw.panos.source.zone",
            "panw.panos.source.interface",
            "panw.panos.destination.zone",
            "panw.panos.destination.interface",
            "panw.panos.endreason",
            "panw.panos.network.pcap_id",
            "panw.panos.network.nat.community_id",
            "panw.panos.file.hash",
            "panw.panos.url.category",
            "panw.panos.flow_id",
            "panw.panos.threat.resource",
            "panw.panos.threat.id",
            "panw.panos.threat.name",
            "panw.panos.action",
            "panw.panos.type",
            "panw.panos.sub_type",
            "postgresql.log.timestamp",
            "postgresql.log.client_addr",
            "postgresql.log.client_port",
            "postgresql.log.session_id",
            "postgresql.log.database",
            "postgresql.log.query",
            "postgresql.log.query_step",
            "postgresql.log.query_name",
            "postgresql.log.command_tag",
            "postgresql.log.virtual_transaction_id",
            "postgresql.log.sql_state_code",
            "postgresql.log.detail",
            "postgresql.log.hint",
            "postgresql.log.internal_query",
            "postgresql.log.context",
            "postgresql.log.location",
            "postgresql.log.application_name",
            "postgresql.log.backend_type",
            "rabbitmq.log.pid",
            "redis.log.role",
            "redis.slowlog.cmd",
            "redis.slowlog.key",
            "redis.slowlog.args",
            "santa.action",
            "santa.decision",
            "santa.reason",
            "santa.mode",
            "santa.disk.volume",
            "santa.disk.bus",
            "santa.disk.serial",
            "santa.disk.bsdname",
            "santa.disk.model",
            "santa.disk.fs",
            "santa.disk.mount",
            "santa.certificate.common_name",
            "santa.certificate.sha256",
            "snyk.related.projects",
            "snyk.audit.org_id",
            "snyk.audit.project_id",
            "snyk.vulnerabilities.cvss3",
            "snyk.vulnerabilities.exploit_maturity",
            "snyk.vulnerabilities.id",
            "snyk.vulnerabilities.language",
            "snyk.vulnerabilities.package",
            "snyk.vulnerabilities.package_manager",
            "snyk.vulnerabilities.jira_issue_url",
            "snyk.vulnerabilities.reachability",
            "snyk.vulnerabilities.title",
            "snyk.vulnerabilities.type",
            "snyk.vulnerabilities.unique_severities_list",
            "snyk.vulnerabilities.version",
            "snyk.vulnerabilities.credit",
            "snyk.vulnerabilities.identifiers.alternative",
            "snyk.vulnerabilities.identifiers.cwe",
            "suricata.eve.event_type",
            "suricata.eve.app_proto_orig",
            "suricata.eve.tcp.tcp_flags",
            "suricata.eve.tcp.tcp_flags_tc",
            "suricata.eve.tcp.state",
            "suricata.eve.tcp.tcp_flags_ts",
            "suricata.eve.fileinfo.sha1",
            "suricata.eve.fileinfo.state",
            "suricata.eve.fileinfo.sha256",
            "suricata.eve.fileinfo.md5",
            "suricata.eve.dns.type",
            "suricata.eve.dns.rrtype",
            "suricata.eve.dns.rrname",
            "suricata.eve.dns.rdata",
            "suricata.eve.dns.rcode",
            "suricata.eve.flow_id",
            "suricata.eve.email.status",
            "suricata.eve.http.redirect",
            "suricata.eve.http.protocol",
            "suricata.eve.http.http_content_type",
            "suricata.eve.in_iface",
            "suricata.eve.alert.category",
            "suricata.eve.alert.signature",
            "suricata.eve.alert.protocols",
            "suricata.eve.alert.attack_target",
            "suricata.eve.alert.capec_id",
            "suricata.eve.alert.cwe_id",
            "suricata.eve.alert.malware",
            "suricata.eve.alert.cve",
            "suricata.eve.alert.cvss_v2_base",
            "suricata.eve.alert.cvss_v2_temporal",
            "suricata.eve.alert.cvss_v3_base",
            "suricata.eve.alert.cvss_v3_temporal",
            "suricata.eve.alert.priority",
            "suricata.eve.alert.hostile",
            "suricata.eve.alert.infected",
            "suricata.eve.alert.classtype",
            "suricata.eve.alert.rule_source",
            "suricata.eve.alert.sid",
            "suricata.eve.alert.affected_product",
            "suricata.eve.alert.deployment",
            "suricata.eve.alert.former_category",
            "suricata.eve.alert.mitre_tool_id",
            "suricata.eve.alert.performance_impact",
            "suricata.eve.alert.signature_severity",
            "suricata.eve.alert.tag",
            "suricata.eve.ssh.client.proto_version",
            "suricata.eve.ssh.client.software_version",
            "suricata.eve.ssh.server.proto_version",
            "suricata.eve.ssh.server.software_version",
            "suricata.eve.tls.issuerdn",
            "suricata.eve.tls.sni",
            "suricata.eve.tls.version",
            "suricata.eve.tls.fingerprint",
            "suricata.eve.tls.serial",
            "suricata.eve.tls.subject",
            "suricata.eve.app_proto_ts",
            "suricata.eve.flow.state",
            "suricata.eve.flow.reason",
            "suricata.eve.app_proto_tc",
            "suricata.eve.smtp.rcpt_to",
            "suricata.eve.smtp.mail_from",
            "suricata.eve.smtp.helo",
            "suricata.eve.app_proto_expected",
            "system.auth.ssh.method",
            "system.auth.ssh.signature",
            "system.auth.ssh.event",
            "system.auth.sudo.error",
            "system.auth.sudo.tty",
            "system.auth.sudo.pwd",
            "system.auth.sudo.user",
            "system.auth.sudo.command",
            "system.auth.useradd.home",
            "system.auth.useradd.shell",
            "traefik.access.user_identifier",
            "traefik.access.frontend_name",
            "traefik.access.backend_url",
            "zeek.session_id",
            "zeek.capture_loss.peer",
            "zeek.dns.trans_id",
            "zeek.dns.query",
            "zeek.dns.qclass_name",
            "zeek.dns.qtype_name",
            "zeek.dns.rcode_name",
            "zeek.dns.answers",
            "zeek.files.fuid",
            "zeek.files.session_ids",
            "zeek.files.source",
            "zeek.files.analyzers",
            "zeek.files.mime_type",
            "zeek.files.filename",
            "zeek.files.parent_fuid",
            "zeek.files.md5",
            "zeek.files.sha1",
            "zeek.files.sha256",
            "zeek.files.extracted",
            "zeek.http.status_msg",
            "zeek.http.info_msg",
            "zeek.http.tags",
            "zeek.http.password",
            "zeek.http.proxied",
            "zeek.http.client_header_names",
            "zeek.http.server_header_names",
            "zeek.http.orig_fuids",
            "zeek.http.orig_mime_types",
            "zeek.http.orig_filenames",
            "zeek.http.resp_fuids",
            "zeek.http.resp_mime_types",
            "zeek.http.resp_filenames",
            "zeek.notice.connection_id",
            "zeek.notice.icmp_id",
            "zeek.notice.file.id",
            "zeek.notice.file.parent_id",
            "zeek.notice.file.source",
            "zeek.notice.file.mime_type",
            "zeek.notice.fuid",
            "zeek.notice.note",
            "zeek.notice.msg",
            "zeek.notice.sub",
            "zeek.notice.peer_name",
            "zeek.notice.peer_descr",
            "zeek.notice.actions",
            "zeek.notice.email_body_sections",
            "zeek.notice.email_delay_tokens",
            "zeek.notice.identifier",
            "zookeeper.audit.session",
            "zookeeper.audit.znode",
            "zookeeper.audit.znode_type",
            "zookeeper.audit.acl",
            "zookeeper.audit.result",
            "zookeeper.audit.user",
            "fields.*"
          ]
        },
        "creation_date" : "1667129243291",
        "number_of_replicas" : "0",
        "uuid" : "Wt88CKPHT0St6Z5ya8KXnQ",
        "version" : {
          "created" : "7170799"
        }
      }
    }
  },

tjay · December 23, 2022, 1:53pm

  "filebeat-7.17.7-2022.11.29-000002" : {
    "settings" : {
      "index" : {
        "lifecycle" : {
          "name" : "filebeat",
          "rollover_alias" : "filebeat-7.17.7"
        },
        "routing" : {
          "allocation" : {
            "include" : {
              "_tier_preference" : "data_content"
            }
          }
        },
        "mapping" : {
          "total_fields" : {
            "limit" : "10000"
          }
        },
        "refresh_interval" : "5s",
        "number_of_shards" : "1",
        "provided_name" : "<filebeat-7.17.7-{now/d}-000002>",
        "max_docvalue_fields_search" : "200",
        "query" : {
          "default_field" : [
            "message",
            "tags",
            "agent.ephemeral_id",
            "agent.id",
            "agent.name",
            "agent.type",
            "agent.version",
            "as.organization.name",
            "client.address",
            "client.as.organization.name",
            "client.domain",
            "client.geo.city_name",
            "client.geo.continent_name",
            "client.geo.country_iso_code",
            "client.geo.country_name",
            "client.geo.name",
            "client.geo.region_iso_code",
            "client.geo.region_name",
            "client.mac",
            "client.registered_domain",
            "client.top_level_domain",
            "client.user.domain",
            "client.user.email",
            "client.user.full_name",
            "client.user.group.domain",
            "client.user.group.id",
            "client.user.group.name",
            "client.user.hash",
            "client.user.id",
            "client.user.name",
            "cloud.account.id",
            "cloud.availability_zone",
            "cloud.instance.id",
            "cloud.instance.name",
            "cloud.machine.type",
            "cloud.provider",
            "cloud.region",
            "container.id",
            "container.image.name",
            "container.image.tag",
            "container.name",
            "container.runtime",
            "destination.address",
            "destination.as.organization.name",
            "destination.domain",
            "destination.geo.city_name",
            "destination.geo.continent_name",
            "destination.geo.country_iso_code",
            "destination.geo.country_name",
            "destination.geo.name",
            "destination.geo.region_iso_code",
            "destination.geo.region_name",
            "destination.mac",
            "destination.registered_domain",
            "destination.top_level_domain",
            "destination.user.domain",
            "destination.user.email",
            "destination.user.full_name",
            "destination.user.group.domain",
            "destination.user.group.id",
            "destination.user.group.name",
            "destination.user.hash",
            "destination.user.id",
            "destination.user.name",
            "dns.answers.class",
            "dns.answers.data",
            "dns.answers.name",
            "dns.answers.type",
            "dns.header_flags",
            "dns.id",
            "dns.op_code",
            "dns.question.class",
            "dns.question.name",
            "dns.question.registered_domain",
            "dns.question.subdomain",
            "dns.question.top_level_domain",
            "dns.question.type",
            "dns.response_code",
            "dns.type",
            "ecs.version",
            "error.code",
            "error.id",
            "error.message",
            "error.stack_trace",
            "error.type",
            "event.action",
            "event.category",
            "event.code",
            "event.dataset",
            "event.hash",
            "event.id",
            "event.kind",
            "event.module",
            "event.outcome",
            "event.provider",
            "event.timezone",
            "event.type",
            "file.device",
            "file.directory",
            "file.extension",
            "file.gid",
            "file.group",
            "file.hash.md5",
            "file.hash.sha1",
            "file.hash.sha256",
            "file.hash.sha512",
            "file.inode",
            "file.mode",
            "file.name",
            "file.owner",
            "file.path",
            "file.target_path",
            "file.type",
            "file.uid",
... removed
            "coredns.id",
            "coredns.query.class",
            "coredns.query.name",
            "coredns.query.type",
            "coredns.response.code",
            "coredns.response.flags",
            "cef.version",
            "cef.device.vendor",
            "cef.device.product",
            "cef.device.version",
            "cef.device.event_class_id",
            "cef.severity",
            "cef.name",
            "source.service.name",
            "destination.service.name",
            "elasticsearch.component",
            "elasticsearch.cluster.uuid",
            "elasticsearch.cluster.name",
            "elasticsearch.node.id",
            "elasticsearch.node.name",
            "elasticsearch.index.name",
            "elasticsearch.index.id",
            "elasticsearch.shard.id",
            "elasticsearch.audit.layer",
            "elasticsearch.audit.event_type",
            "elasticsearch.audit.origin.type",
            "elasticsearch.audit.realm",
            "elasticsearch.audit.user.realm",
            "elasticsearch.audit.user.roles",
            "elasticsearch.audit.user.run_as.name",
            "elasticsearch.audit.user.run_as.realm",
            "elasticsearch.audit.component",
            "elasticsearch.audit.action",
            "elasticsearch.audit.url.params",
            "elasticsearch.audit.indices",
            "elasticsearch.audit.request.id",
            "elasticsearch.audit.request.name",
            "elasticsearch.audit.message",
            "elasticsearch.gc.phase.name",
            "elasticsearch.gc.tags",
            "elasticsearch.slowlog.logger",
            "elasticsearch.slowlog.took",
            "elasticsearch.slowlog.types",
            "elasticsearch.slowlog.stats",
            "elasticsearch.slowlog.search_type",
            "elasticsearch.slowlog.source_query",
            "elasticsearch.slowlog.extra_source",
            "elasticsearch.slowlog.total_hits",
            "elasticsearch.slowlog.total_shards",
            "elasticsearch.slowlog.routing",
            "elasticsearch.slowlog.id",
            "elasticsearch.slowlog.type",
            "elasticsearch.slowlog.source",
            "envoyproxy.log_type",
            "envoyproxy.response_flags",
            "envoyproxy.request_id",
            "envoyproxy.authority",
            "envoyproxy.proxy_type",
            "fortinet.file.hash.crc32",
            "gcp.destination.instance.project_id",
            "gcp.destination.instance.region",
            "gcp.destination.instance.zone",
            "gcp.destination.vpc.project_id",
            "gcp.destination.vpc.vpc_name",
            "gcp.destination.vpc.subnetwork_name",
            "gcp.source.instance.project_id",
            "gcp.source.instance.region",
            "gcp.source.instance.zone",
            "gcp.source.vpc.project_id",
            "gcp.source.vpc.vpc_name",
            "gcp.source.vpc.subnetwork_name",
            "gcp.audit.type",
            "gcp.audit.authentication_info.principal_email",
            "gcp.audit.authentication_info.authority_selector",
            "gcp.audit.method_name",
            "gcp.audit.request.proto_name",
            "gcp.audit.request.filter",
            "gcp.audit.request.name",
            "gcp.audit.request.resource_name",
            "gcp.audit.request_metadata.caller_supplied_user_agent",
            "gcp.audit.response.proto_name",
            "gcp.audit.response.details.group",
            "gcp.audit.response.details.kind",
            "gcp.audit.response.details.name",
            "gcp.audit.response.details.uid",
            "gcp.audit.response.status",
            "gcp.audit.resource_name",
            "gcp.audit.resource_location.current_locations",
            "gcp.audit.service_name",
            "gcp.audit.status.message",
            "gcp.firewall.rule_details.action",
            "gcp.firewall.rule_details.direction",
            "gcp.firewall.rule_details.reference",
            "gcp.firewall.rule_details.source_range",
            "gcp.firewall.rule_details.destination_range",
            "gcp.firewall.rule_details.source_tag",
            "gcp.firewall.rule_details.target_tag",
            "gcp.firewall.rule_details.source_service_account",
            "gcp.firewall.rule_details.target_service_account",
            "gcp.vpcflow.reporter",
            "haproxy.frontend_name",
            "haproxy.backend_name",
            "haproxy.server_name",
            "haproxy.bind_name",
            "haproxy.error_message",
            "haproxy.source",
            "haproxy.termination_state",
            "haproxy.mode",
            "haproxy.http.response.captured_cookie",
            "haproxy.http.response.captured_headers",
            "haproxy.http.request.captured_cookie",
            "haproxy.http.request.captured_headers",
            "haproxy.http.request.raw_request_line",
            "ibmmq.errorlog.installation",
            "ibmmq.errorlog.qmgr",
            "ibmmq.errorlog.arithinsert",
            "ibmmq.errorlog.commentinsert",
            "ibmmq.errorlog.errordescription",
            "ibmmq.errorlog.explanation",
            "ibmmq.errorlog.action",
            "ibmmq.errorlog.code",
            "icinga.debug.facility",
            "icinga.main.facility",
            "icinga.startup.facility",
            "iis.access.site_name",
            "iis.access.server_name",
            "iis.access.cookie",
            "iis.error.reason_phrase",
            "iis.error.queue_name",
            "iptables.fragment_flags",
            "iptables.input_device",
            "iptables.output_device",
            "iptables.tcp.flags",
            "iptables.ubiquiti.input_zone",
            "iptables.ubiquiti.output_zone",
            "iptables.ubiquiti.rule_number",
            "iptables.ubiquiti.rule_set",
            "kafka.log.component",
            "kafka.log.class",
            "kafka.log.thread",
            "kafka.log.trace.class",
            "kafka.log.trace.message",
            "kibana.session_id",
            "kibana.space_id",
            "kibana.saved_object.type",
            "kibana.saved_object.id",
            "kibana.add_to_spaces",
            "kibana.delete_from_spaces",
            "kibana.authentication_provider",
            "kibana.authentication_type",
            "kibana.authentication_realm",
            "kibana.lookup_realm",
            "kibana.log.tags",
            "kibana.log.state",
            "logstash.log.module",
            "logstash.log.thread.text",
            "logstash.log.thread",
            "logstash.log.log_event.action",
            "logstash.log.pipeline_id",
            "logstash.slowlog.module",
            "logstash.slowlog.thread.text",
            "logstash.slowlog.thread",
            "logstash.slowlog.event.text",
            "logstash.slowlog.event",
            "logstash.slowlog.plugin_name",
            "logstash.slowlog.plugin_type",
            "logstash.slowlog.plugin_params.text",
            "logstash.slowlog.plugin_params",
            "misp.attack_pattern.id",
            "misp.attack_pattern.name",
            "misp.attack_pattern.description",
            "misp.attack_pattern.kill_chain_phases",
            "misp.campaign.id",
            "misp.campaign.name",
            "misp.campaign.description",
            "misp.campaign.aliases",
            "misp.campaign.objective",
            "misp.course_of_action.id",
            "misp.course_of_action.name",
            "misp.course_of_action.description",
            "misp.identity.id",
            "misp.identity.name",
            "misp.identity.description",
            "misp.identity.identity_class",
            "misp.identity.labels",
            "misp.identity.sectors",
            "misp.identity.contact_information",
            "misp.intrusion_set.id",
            "misp.intrusion_set.name",
            "misp.intrusion_set.description",
            "misp.intrusion_set.aliases",
            "misp.intrusion_set.goals",
            "misp.intrusion_set.resource_level",
            "misp.intrusion_set.primary_motivation",
            "misp.intrusion_set.secondary_motivations",
            "misp.malware.id",
            "misp.malware.name",
            "misp.malware.description",
            "misp.malware.labels",
            "misp.malware.kill_chain_phases",
            "misp.note.id",
            "misp.note.summary",
            "misp.note.description",
            "misp.note.authors",
            "misp.note.object_refs",
            "misp.threat_indicator.labels",
            "misp.threat_indicator.id",
            "misp.threat_indicator.version",
            "misp.threat_indicator.type",
            "misp.threat_indicator.description",
            "misp.threat_indicator.feed",
            "misp.threat_indicator.severity",
            "misp.threat_indicator.confidence",
            "misp.threat_indicator.kill_chain_phases",
            "misp.threat_indicator.mitre_tactic",
            "misp.threat_indicator.mitre_technique",
            "misp.threat_indicator.attack_pattern",
            "misp.threat_indicator.attack_pattern_kql",
            "misp.threat_indicator.intrusion_set",
            "misp.threat_indicator.campaign",
            "misp.threat_indicator.threat_actor",
            "misp.observed_data.id",
            "misp.observed_data.objects",
            "misp.report.id",
            "misp.report.labels",
            "misp.report.name",
            "misp.report.description",
            "misp.report.object_refs",
            "misp.threat_actor.id",
            "misp.threat_actor.labels",
            "misp.threat_actor.name",
            "misp.threat_actor.description",
            "misp.threat_actor.aliases",
            "misp.threat_actor.roles",
            "misp.threat_actor.goals",
            "misp.threat_actor.sophistication",
            "misp.threat_actor.resource_level",
            "misp.threat_actor.primary_motivation",
            "misp.threat_actor.secondary_motivations",
            "misp.threat_actor.personal_motivations",
            "misp.tool.id",
            "misp.tool.labels",
            "misp.tool.name",
            "misp.tool.description",
            "misp.tool.tool_version",
            "misp.tool.kill_chain_phases",
            "misp.vulnerability.id",
            "misp.vulnerability.name",
            "misp.vulnerability.description",
            "mongodb.log.component",
            "mongodb.log.context",
            "mssql.log.origin",
            "mysql.slowlog.query",
            "mysql.slowlog.schema",
            "mysql.slowlog.current_user",
            "mysql.slowlog.last_errno",
            "mysql.slowlog.killed",
            "mysql.slowlog.log_slow_rate_type",
            "mysql.slowlog.log_slow_rate_limit",
            "mysql.slowlog.innodb.trx_id",
            "nats.log.msg.type",
            "nats.log.msg.subject",
            "nats.log.msg.reply_to",
            "nats.log.msg.error.message",
            "nats.log.msg.queue_group",
            "netflow.type",
            "netflow.exporter.address",
            "netflow.source_mac_address",
            "netflow.post_destination_mac_address",
            "netflow.destination_mac_address",
            "netflow.post_source_mac_address",
            "netflow.interface_name",
            "netflow.interface_description",
            "netflow.sampler_name",
            "netflow.application_description",
            "netflow.application_name",
            "netflow.class_name",
            "netflow.wlan_ssid",
            "netflow.vr_fname",
            "netflow.metro_evc_id",
            "netflow.nat_pool_name",
            "netflow.p2p_technology",
            "netflow.tunnel_technology",
            "netflow.encrypted_technology",
            "netflow.observation_domain_name",
            "netflow.selector_name",
            "netflow.information_element_description",
            "netflow.information_element_name",
            "netflow.virtual_station_interface_name",
            "netflow.virtual_station_name",
            "netflow.sta_mac_address",
            "netflow.wtp_mac_address",
            "netflow.user_name",
            "netflow.application_category_name",
            "netflow.application_sub_category_name",
            "netflow.application_group_name",
            "netflow.dot1q_customer_source_mac_address",
            "netflow.dot1q_customer_destination_mac_address",
            "netflow.mib_context_name",
            "netflow.mib_object_name",
            "netflow.mib_object_description",
            "netflow.mib_object_syntax",
            "netflow.mib_module_name",
            "netflow.mobile_imsi",
            "netflow.mobile_msisdn",
            "netflow.http_request_method",
            "netflow.http_request_host",
            "netflow.http_request_target",
            "netflow.http_message_version",
            "netflow.http_user_agent",
            "netflow.http_content_type",
            "netflow.http_reason_phrase",
            "nginx.ingress_controller.upstream_address_list",
            "nginx.ingress_controller.upstream.response.length_list",
            "nginx.ingress_controller.upstream.response.time_list",
            "nginx.ingress_controller.upstream.response.status_code_list",
            "nginx.ingress_controller.upstream.name",
            "nginx.ingress_controller.upstream.alternative_name",
            "nginx.ingress_controller.http.request.id",
            "oracle.database_audit.status",
            "oracle.database_audit.session_id",
            "oracle.database_audit.client.terminal",
            "oracle.database_audit.client.address",
            "oracle.database_audit.client.user",
            "oracle.database_audit.database.user",
            "oracle.database_audit.privilege",
            "oracle.database_audit.entry.id",
            "oracle.database_audit.database.host",
            "oracle.database_audit.action",
            "oracle.database_audit.action_number",
            "oracle.database_audit.database.id",
            "osquery.result.name",
            "osquery.result.action",
            "osquery.result.host_identifier",
            "osquery.result.calendar_time",
            "panw.panos.ruleset",
            "panw.panos.source.zone",
            "panw.panos.source.interface",
            "panw.panos.destination.zone",
            "panw.panos.destination.interface",
            "panw.panos.endreason",
            "panw.panos.network.pcap_id",
            "panw.panos.network.nat.community_id",
            "panw.panos.file.hash",
            "panw.panos.url.category",
            "panw.panos.flow_id",
            "panw.panos.threat.resource",
            "panw.panos.threat.id",
            "panw.panos.threat.name",
            "panw.panos.action",
            "panw.panos.type",
            "panw.panos.sub_type",
            "postgresql.log.timestamp",
            "postgresql.log.client_addr",
            "postgresql.log.client_port",
            "postgresql.log.session_id",
            "postgresql.log.database",
            "postgresql.log.query",
            "postgresql.log.query_step",
            "postgresql.log.query_name",
            "postgresql.log.command_tag",
            "postgresql.log.virtual_transaction_id",
            "postgresql.log.sql_state_code",
            "postgresql.log.detail",
            "postgresql.log.hint",
            "postgresql.log.internal_query",
            "postgresql.log.context",
            "postgresql.log.location",
            "postgresql.log.application_name",
            "postgresql.log.backend_type",
            "rabbitmq.log.pid",
            "redis.log.role",
            "redis.slowlog.cmd",
            "redis.slowlog.key",
            "redis.slowlog.args",
            "santa.action",
            "santa.decision",
            "santa.reason",
            "santa.mode",
            "santa.disk.volume",
            "santa.disk.bus",
            "santa.disk.serial",
            "santa.disk.bsdname",
            "santa.disk.model",
            "santa.disk.fs",
            "santa.disk.mount",
            "santa.certificate.common_name",
            "santa.certificate.sha256",
            "snyk.related.projects",
            "snyk.audit.org_id",
            "snyk.audit.project_id",
            "snyk.vulnerabilities.cvss3",
            "snyk.vulnerabilities.exploit_maturity",
            "snyk.vulnerabilities.id",
            "snyk.vulnerabilities.language",
            "snyk.vulnerabilities.package",
            "snyk.vulnerabilities.package_manager",
            "snyk.vulnerabilities.jira_issue_url",
            "snyk.vulnerabilities.reachability",
            "snyk.vulnerabilities.title",
            "snyk.vulnerabilities.type",
            "snyk.vulnerabilities.unique_severities_list",
            "snyk.vulnerabilities.version",
            "snyk.vulnerabilities.credit",
            "snyk.vulnerabilities.identifiers.alternative",
            "snyk.vulnerabilities.identifiers.cwe",
            "suricata.eve.event_type",
            "suricata.eve.app_proto_orig",
            "suricata.eve.tcp.tcp_flags",
            "suricata.eve.tcp.tcp_flags_tc",
            "suricata.eve.tcp.state",
            "suricata.eve.tcp.tcp_flags_ts",
            "suricata.eve.fileinfo.sha1",
            "suricata.eve.fileinfo.state",
            "suricata.eve.fileinfo.sha256",
            "suricata.eve.fileinfo.md5",
            "suricata.eve.dns.type",
            "suricata.eve.dns.rrtype",
            "suricata.eve.dns.rrname",
            "suricata.eve.dns.rdata",
            "suricata.eve.dns.rcode",
            "suricata.eve.flow_id",
            "suricata.eve.email.status",
            "suricata.eve.http.redirect",
            "suricata.eve.http.protocol",
            "suricata.eve.http.http_content_type",
            "suricata.eve.in_iface",
            "suricata.eve.alert.category",
            "suricata.eve.alert.signature",
            "suricata.eve.alert.protocols",
            "suricata.eve.alert.attack_target",
            "suricata.eve.alert.capec_id",
            "suricata.eve.alert.cwe_id",
            "suricata.eve.alert.malware",
            "suricata.eve.alert.cve",
            "suricata.eve.alert.cvss_v2_base",
            "suricata.eve.alert.cvss_v2_temporal",
            "suricata.eve.alert.cvss_v3_base",
            "suricata.eve.alert.cvss_v3_temporal",
            "suricata.eve.alert.priority",
            "suricata.eve.alert.hostile",
            "suricata.eve.alert.infected",
            "suricata.eve.alert.classtype",
            "suricata.eve.alert.rule_source",
            "suricata.eve.alert.sid",
            "suricata.eve.alert.affected_product",
            "suricata.eve.alert.deployment",
            "suricata.eve.alert.former_category",
            "suricata.eve.alert.mitre_tool_id",
            "suricata.eve.alert.performance_impact",
            "suricata.eve.alert.signature_severity",
            "suricata.eve.alert.tag",
            "suricata.eve.ssh.client.proto_version",
            "suricata.eve.ssh.client.software_version",
            "suricata.eve.ssh.server.proto_version",
            "suricata.eve.ssh.server.software_version",
            "suricata.eve.tls.issuerdn",
            "suricata.eve.tls.sni",
            "suricata.eve.tls.version",
            "suricata.eve.tls.fingerprint",
            "suricata.eve.tls.serial",
            "suricata.eve.tls.subject",
            "suricata.eve.app_proto_ts",
            "suricata.eve.flow.state",
            "suricata.eve.flow.reason",
            "suricata.eve.app_proto_tc",
            "suricata.eve.smtp.rcpt_to",
            "suricata.eve.smtp.mail_from",
            "suricata.eve.smtp.helo",
            "suricata.eve.app_proto_expected",
            "system.auth.ssh.method",
            "system.auth.ssh.signature",
            "system.auth.ssh.event",
            "system.auth.sudo.error",
            "system.auth.sudo.tty",
            "system.auth.sudo.pwd",
            "system.auth.sudo.user",
            "system.auth.sudo.command",
            "system.auth.useradd.home",
            "system.auth.useradd.shell",
            "traefik.access.user_identifier",
            "traefik.access.frontend_name",
            "traefik.access.backend_url",
            "zeek.session_id",
            "zeek.capture_loss.peer",
            "zeek.dns.trans_id",
            "zeek.dns.query",
            "zeek.dns.qclass_name",
            "zeek.dns.qtype_name",
            "zeek.dns.rcode_name",
            "zeek.dns.answers",
            "zeek.files.fuid",
            "zeek.files.session_ids",
            "zeek.files.source",
            "zeek.files.analyzers",
            "zeek.files.mime_type",
            "zeek.files.filename",
            "zeek.files.parent_fuid",
            "zeek.files.md5",
            "zeek.files.sha1",
            "zeek.files.sha256",
            "zeek.files.extracted",
            "zeek.http.status_msg",
            "zeek.http.info_msg",
            "zeek.http.tags",
            "zeek.http.password",
            "zeek.http.proxied",
            "zeek.http.client_header_names",
            "zeek.http.server_header_names",
            "zeek.http.orig_fuids",
            "zeek.http.orig_mime_types",
            "zeek.http.orig_filenames",
            "zeek.http.resp_fuids",
            "zeek.http.resp_mime_types",
            "zeek.http.resp_filenames",
            "zeek.notice.connection_id",
            "zeek.notice.icmp_id",
            "zeek.notice.file.id",
            "zeek.notice.file.parent_id",
            "zeek.notice.file.source",
            "zeek.notice.file.mime_type",
            "zeek.notice.fuid",
            "zeek.notice.note",
            "zeek.notice.msg",
            "zeek.notice.sub",
            "zeek.notice.peer_name",
            "zeek.notice.peer_descr",
            "zeek.notice.actions",
            "zeek.notice.email_body_sections",
            "zeek.notice.email_delay_tokens",
            "zeek.notice.identifier",
            "zookeeper.audit.session",
            "zookeeper.audit.znode",
            "zookeeper.audit.znode_type",
            "zookeeper.audit.acl",
            "zookeeper.audit.result",
            "zookeeper.audit.user",
            "fields.*"
          ]
        },
        "creation_date" : "1669721788944",
        "number_of_replicas" : "0",
        "uuid" : "AWgeot-kS5Wb9nSLksNYng",
        "version" : {
          "created" : "7170799"
        }
      }
    }
  }

Badger · December 23, 2022, 6:05pm

What error? To me it just looks like it has rolled over from the 000001 index to the 000002 index, so it is working as expected.

tjay · December 24, 2022, 9:50am

This is the stack trace. Also, the Index Management screen says there are x indices have lifecycle errors.

java.lang.IllegalArgumentException: index.lifecycle.rollover_alias [filebeat-7.17.7] does not point to index [filebeat-7.17.7-2022.12.21]
	at org.elasticsearch.xpack.core.ilm.WaitForRolloverReadyStep.evaluateCondition(WaitForRolloverReadyStep.java:156)
	at org.elasticsearch.xpack.ilm.IndexLifecycleRunner.runPeriodicStep(IndexLifecycleRunner.java:226)
	at org.elasticsearch.xpack.ilm.IndexLifecycleService.triggerPolicies(IndexLifecycleService.java:418)
	at org.elasticsearch.xpack.ilm.IndexLifecycleService.triggered(IndexLifecycleService.java:349)
	at org.elasticsearch.xpack.core.scheduler.SchedulerEngine.notifyListeners(SchedulerEngine.java:186)
	at org.elasticsearch.xpack.core.scheduler.SchedulerEngine$ActiveSchedule.run(SchedulerEngine.java:220)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:577)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
	at java.base/java.lang.Thread.run(Thread.java:1589)

Badger · December 24, 2022, 5:46pm

That is really an xpack/elasticsearch question rather than a logstash question.

stephenb · December 24, 2022, 6:12pm

Please Share your entire logstash and filebeat configurations.

tjay · December 25, 2022, 3:06am

logstash.yml

# Settings file in YAML
#
# Settings can be specified either in hierarchical form, e.g.:
#
#   pipeline:
#     batch:
#       size: 125
#       delay: 5
#
# Or as flat keys:
#
#   pipeline.batch.size: 125
#   pipeline.batch.delay: 5
#
# ------------  Node identity ------------
#
# Use a descriptive name for the node:
#
# node.name: test
#
# If omitted the node name will default to the machine's host name
#
# ------------ Data path ------------------
#
# Which directory should be used by logstash and its plugins
# for any persistent needs. Defaults to LOGSTASH_HOME/data
#
path.data: /var/lib/logstash
#
# ------------ Pipeline Settings --------------
#
# The ID of the pipeline.
#
# pipeline.id: main
#
# Set the number of workers that will, in parallel, execute the filters+outputs
# stage of the pipeline.
#
# This defaults to the number of the host's CPU cores.
#
# pipeline.workers: 2
#
# How many events to retrieve from inputs before sending to filters+workers
#
# pipeline.batch.size: 125
#
# How long to wait in milliseconds while polling for the next event
# before dispatching an undersized batch to filters+outputs
#
# pipeline.batch.delay: 50
#
# Force Logstash to exit during shutdown even if there are still inflight
# events in memory. By default, logstash will refuse to quit until all
# received events have been pushed to the outputs.
#
# WARNING: enabling this can lead to data loss during shutdown
#
# pipeline.unsafe_shutdown: false
#
# Set the pipeline event ordering. Options are "auto" (the default), "true" or "false".
# "auto" will  automatically enable ordering if the 'pipeline.workers' setting
# is also set to '1'.
# "true" will enforce ordering on the pipeline and prevent logstash from starting
# if there are multiple workers.
# "false" will disable any extra processing necessary for preserving ordering.
#
# pipeline.ordered: auto
#
# Sets the pipeline's default value for `ecs_compatibility`, a setting that is
# available to plugins that implement an ECS Compatibility mode for use with
# the Elastic Common Schema.
# Possible values are:
# - disabled (default)
# - v1
# - v8
# The default value will be `v8` in Logstash 8, making ECS on-by-default. To ensure a
# migrated pipeline continues to operate as it did before your upgrade, opt-OUT
# of ECS for the individual pipeline in its `pipelines.yml` definition. Setting
# it here will set the default for _all_ pipelines, including new ones.
#
# pipeline.ecs_compatibility: disabled
#
# ------------ Pipeline Configuration Settings --------------
#
# Where to fetch the pipeline configuration for the main pipeline
#
# path.config:
#
# Pipeline configuration string for the main pipeline
#
# config.string:
#
# At startup, test if the configuration is valid and exit (dry run)
#
# config.test_and_exit: false
#
# Periodically check if the configuration has changed and reload the pipeline
# This can also be triggered manually through the SIGHUP signal
#
# config.reload.automatic: false
#
# How often to check if the pipeline configuration has changed (in seconds)
# Note that the unit value (s) is required. Values without a qualifier (e.g. 60)
# are treated as nanoseconds.
# Setting the interval this way is not recommended and might change in later versions.
#
# config.reload.interval: 3s
#
# Show fully compiled configuration as debug log message
# NOTE: --log.level must be 'debug'
#
# config.debug: false
#
# When enabled, process escaped characters such as \n and \" in strings in the
# pipeline configuration files.
#
# config.support_escapes: false
#
# ------------ API Settings -------------
# Define settings related to the HTTP API here.
#
# The HTTP API is enabled by default. It can be disabled, but features that rely
# on it will not work as intended.
#
# api.enabled: true
#
# By default, the HTTP API is not secured and is therefore bound to only the
# host's loopback interface, ensuring that it is not accessible to the rest of
# the network.
# When secured with SSL and Basic Auth, the API is bound to _all_ interfaces
# unless configured otherwise.
#
# api.http.host: 127.0.0.1
#
# The HTTP API web server will listen on an available port from the given range.
# Values can be specified as a single port (e.g., `9600`), or an inclusive range
# of ports (e.g., `9600-9700`).
#
# api.http.port: 9600-9700
#
# The HTTP API includes a customizable "environment" value in its response,
# which can be configured here.
#
# api.environment: "production"
#
# The HTTP API can be secured with SSL (TLS). To do so, you will need to provide
# the path to a password-protected keystore in p12 or jks format, along with credentials.
#
# api.ssl.enabled: false
# api.ssl.keystore.path: /path/to/keystore.jks
# api.ssl.keystore.password: "y0uRp4$$w0rD"
#
# The HTTP API can be configured to require authentication. Acceptable values are
#  - `none`:  no auth is required (default)
#  - `basic`: clients must authenticate with HTTP Basic auth, as configured
#             with `api.auth.basic.*` options below
# api.auth.type: none
#
# When configured with `api.auth.type` `basic`, you must provide the credentials
# that requests will be validated against. Usage of Environment or Keystore
# variable replacements is encouraged (such as the value `"${HTTP_PASS}"`, which
# resolves to the value stored in the keystore's `HTTP_PASS` variable if present
# or the same variable from the environment)
#
# api.auth.basic.username: "logstash-user"
# api.auth.basic.password: "s3cUreP4$$w0rD"
#
# ------------ Module Settings ---------------
# Define modules here.  Modules definitions must be defined as an array.
# The simple way to see this is to prepend each `name` with a `-`, and keep
# all associated variables under the `name` they are associated with, and
# above the next, like this:
#
# modules:
#   - name: MODULE_NAME
#     var.PLUGINTYPE1.PLUGINNAME1.KEY1: VALUE
#     var.PLUGINTYPE1.PLUGINNAME1.KEY2: VALUE
#     var.PLUGINTYPE2.PLUGINNAME1.KEY1: VALUE
#     var.PLUGINTYPE3.PLUGINNAME3.KEY1: VALUE
#
# Module variable names must be in the format of
#
# var.PLUGIN_TYPE.PLUGIN_NAME.KEY
#
# modules:
#
# ------------ Cloud Settings ---------------
# Define Elastic Cloud settings here.
# Format of cloud.id is a base64 value e.g. dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRub3RhcmVhbCRpZGVudGlmaWVy
# and it may have an label prefix e.g. staging:dXMtZ...
# This will overwrite 'var.elasticsearch.hosts' and 'var.kibana.host'
# cloud.id: <identifier>
#
# Format of cloud.auth is: <user>:<pass>
# This is optional
# If supplied this will overwrite 'var.elasticsearch.username' and 'var.elasticsearch.password'
# If supplied this will overwrite 'var.kibana.username' and 'var.kibana.password'
# cloud.auth: elastic:<password>
#
# ------------ Queuing Settings --------------
#
# Internal queuing model, "memory" for legacy in-memory based queuing and
# "persisted" for disk-based acked queueing. Defaults is memory
#
# queue.type: memory
#
# If using queue.type: persisted, the directory path where the data files will be stored.
# Default is path.data/queue
#
# path.queue:
#
# If using queue.type: persisted, the page data files size. The queue data consists of
# append-only data files separated into pages. Default is 64mb
#
# queue.page_capacity: 64mb
#
# If using queue.type: persisted, the maximum number of unread events in the queue.
# Default is 0 (unlimited)
#
# queue.max_events: 0
#
# If using queue.type: persisted, the total capacity of the queue in number of bytes.
# If you would like more unacked events to be buffered in Logstash, you can increase the
# capacity using this setting. Please make sure your disk drive has capacity greater than
# the size specified here. If both max_bytes and max_events are specified, Logstash will pick
# whichever criteria is reached first
# Default is 1024mb or 1gb
#
# queue.max_bytes: 1024mb
#
# If using queue.type: persisted, the maximum number of acked events before forcing a checkpoint
# Default is 1024, 0 for unlimited
#
# queue.checkpoint.acks: 1024
#
# If using queue.type: persisted, the maximum number of written events before forcing a checkpoint
# Default is 1024, 0 for unlimited
#
# queue.checkpoint.writes: 1024
#
# If using queue.type: persisted, the interval in milliseconds when a checkpoint is forced on the head page
# Default is 1000, 0 for no periodic checkpoint.
#
# queue.checkpoint.interval: 1000
#
# ------------ Dead-Letter Queue Settings --------------
# Flag to turn on dead-letter queue.
#
# dead_letter_queue.enable: false

# If using dead_letter_queue.enable: true, the maximum size of each dead letter queue. Entries
# will be dropped if they would increase the size of the dead letter queue beyond this setting.
# Default is 1024mb
# dead_letter_queue.max_bytes: 1024mb

# If using dead_letter_queue.enable: true, the interval in milliseconds where if no further events eligible for the DLQ
# have been created, a dead letter queue file will be written. A low value here will mean that more, smaller, queue files
# may be written, while a larger value will introduce more latency between items being "written" to the dead letter queue, and
# being available to be read by the dead_letter_queue input when items are are written infrequently.
# Default is 5000.
#
# dead_letter_queue.flush_interval: 5000

# If using dead_letter_queue.enable: true, the directory path where the data files will be stored.
# Default is path.data/dead_letter_queue
#
# path.dead_letter_queue:
#
# ------------ Debugging Settings --------------
#
# Options for log.level:
#   * fatal
#   * error
#   * warn
#   * info (default)
#   * debug
#   * trace
#
# log.level: info
path.logs: /var/log/logstash
#
# ------------ Other Settings --------------
#
# Where to find custom plugins
# path.plugins: []
#
# Flag to output log lines of each pipeline in its separate log file. Each log filename contains the pipeline.name
# Default is false
# ------------ Other Settings --------------
#
# Where to find custom plugins
# path.plugins: []
#
# Flag to output log lines of each pipeline in its separate log file. Each log filename contains the pipeline.name
# Default is false
# pipeline.separate_logs: false
#
# ------------ X-Pack Settings (not applicable for OSS build)--------------
#
# X-Pack Monitoring
# https://www.elastic.co/guide/en/logstash/current/monitoring-logstash.html
#xpack.monitoring.enabled: false
#xpack.monitoring.elasticsearch.username: logstash_system
#xpack.monitoring.elasticsearch.password: password
#xpack.monitoring.elasticsearch.proxy: ["http://proxy:port"]
#xpack.monitoring.elasticsearch.hosts: ["https://es1:9200", "https://es2:9200"]
# an alternative to hosts + username/password settings is to use cloud_id/cloud_auth
#xpack.monitoring.elasticsearch.cloud_id: monitoring_cluster_id:xxxxxxxxxx
#xpack.monitoring.elasticsearch.cloud_auth: logstash_system:password
# another authentication alternative is to use an Elasticsearch API key
#xpack.monitoring.elasticsearch.api_key: "id:api_key"
#xpack.monitoring.elasticsearch.ssl.certificate_authority: [ "/path/to/ca.crt" ]
#xpack.monitoring.elasticsearch.ssl.truststore.path: path/to/file
#xpack.monitoring.elasticsearch.ssl.truststore.password: password
#xpack.monitoring.elasticsearch.ssl.keystore.path: /path/to/file
#xpack.monitoring.elasticsearch.ssl.keystore.password: password
#xpack.monitoring.elasticsearch.ssl.verification_mode: certificate
#xpack.monitoring.elasticsearch.sniffing: false
#xpack.monitoring.collection.interval: 10s
#xpack.monitoring.collection.pipeline.details.enabled: true
#
# X-Pack Management
# https://www.elastic.co/guide/en/logstash/current/logstash-centralized-pipeline-management.html
#xpack.management.enabled: false
#xpack.management.pipeline.id: ["main", "apache_logs"]
#xpack.management.elasticsearch.username: logstash_admin_user
#xpack.management.elasticsearch.password: password
#xpack.management.elasticsearch.proxy: ["http://proxy:port"]
#xpack.management.elasticsearch.hosts: ["https://es1:9200", "https://es2:9200"]
# an alternative to hosts + username/password settings is to use cloud_id/cloud_auth
#xpack.management.elasticsearch.cloud_id: management_cluster_id:xxxxxxxxxx
#xpack.management.elasticsearch.cloud_auth: logstash_admin_user:password
# another authentication alternative is to use an Elasticsearch API key
#xpack.management.elasticsearch.api_key: "id:api_key"
#xpack.management.elasticsearch.ssl.certificate_authority: [ "/path/to/ca.crt" ]
#xpack.management.elasticsearch.ssl.truststore.path: /path/to/file
#xpack.management.elasticsearch.ssl.truststore.password: password
#xpack.management.elasticsearch.ssl.keystore.path: /path/to/file
#xpack.management.elasticsearch.ssl.keystore.password: password
#xpack.management.elasticsearch.ssl.verification_mode: certificate
#xpack.management.elasticsearch.sniffing: false
#xpack.management.logstash.poll_interval: 5s

# X-Pack GeoIP plugin
# https://www.elastic.co/guide/en/logstash/current/plugins-filters-geoip.html#plugins-filters-geoip-manage_update
#xpack.geoip.download.endpoint: "https://geoip.elastic.co/v1/database"

tjay · December 25, 2022, 3:08am

elasticsearch.yml

# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
#cluster.name: my-application
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
network.host: localhost
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
network.host: localhost
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
#cluster.initial_master_nodes: ["node-1", "node-2"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
#
# ---------------------------------- Security ----------------------------------
#
#                                 *** WARNING ***
#
# Elasticsearch security features are not enabled by default.
# These features are free, but require configuration changes to enable them.
# This means that users don’t have to provide credentials and can get full access
# to the cluster. Network connections are also not encrypted.
#
# To protect your data, we strongly encourage you to enable the Elasticsearch security features.
# Refer to the following documentation for instructions.
#
# https://www.elastic.co/guide/en/elasticsearch/reference/7.16/configuring-stack-security.html

stephenb · December 25, 2022, 4:17am

Apologies I meant filebeat configuration and logstash pipeline configuration so.we can see what you are trying to write too...

Also how did you get started / setup?

Perhaps look at these two...I have other write ups on using

Filebeat -> Logstash -> Elasticsearch

Or

And this ..

tjay · December 25, 2022, 12:00pm

Here are the logstash pipeline configurations.

conf.d/02-beats-input.conf

input {
  beats {
    port => 5044
  }
}

conf.d/30-elasticsearch-output.conf

output {
  if [@metadata][pipeline] {
        elasticsearch {
        hosts => ["localhost:9200"]
        manage_template => false
        index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
        pipeline => "%{[@metadata][pipeline]}"
        }
  } else {
        elasticsearch {
        hosts => ["localhost:9200"]
        manage_template => false
        index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
        }
  }
}

tjay · December 25, 2022, 12:03pm

filebeat.yml

###################### Filebeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html

# For more available modules and options, please see the filebeat.reference.yml sample
# configuration file.

# ============================== Filebeat inputs ===============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

# filestream is an input for collecting log messages from files.
- type: filestream

  # Unique ID among all inputs, an ID is required.
  id: my-filestream-id

  # Change to true to enable this input configuration.
  enabled: false

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  #include_lines: ['^ERR', '^WARN']

  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
  # are matching any regular expression from the list. By default, no files are dropped.
  #prospector.scanner.exclude_files: ['.gz$']

  # Optional additional fields. These fields can be freely picked
  # to add additional information to the crawled log files for filtering
  #fields:
  #  level: debug
  #  review: 1

# ============================== Filebeat modules ==============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

# ======================= Elasticsearch template setting =======================
setup.template.settings:
  index.number_of_shards: 1
  index.number_of_replicas: 0
  #index.codec: best_compression
  #_source.enabled: false


# ================================== General ===================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

# ================================= Dashboards =================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  #host: "localhost:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

# =============================== Elastic Cloud ================================

# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

# ================================== Outputs ===================================
# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

# ================================== Logging ===================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publisher", "service".
#logging.selectors: ["*"]

# ============================= X-Pack Monitoring ==============================
# Filebeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: false

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:

# ============================== Instrumentation ===============================

# Instrumentation support for the filebeat.
#instrumentation:
    # Set to true to enable instrumentation of filebeat.
    #enabled: false

    # Environment in which filebeat is running on (eg: staging, production, etc.)
    #environment: ""

    # APM Server hosts to report instrumentation results to.
    #hosts:
    #  - http://localhost:8200

    # API Key for the APM Server(s).
    # If api_key is set then secret_token will be ignored.
    #api_key:

    # Secret token for the APM Server(s).
    #secret_token:


# ================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

tjay · December 25, 2022, 12:08pm

I used this page to set up as a base. Installed apache2 module instead of system.

stephenb · December 25, 2022, 4:01pm

First in general It's always hard to help when users use third party articles to set up, but I think I found your issue.

Your issue is your output section I would follow the link I gave you above as I know it works and you can see it's been used by many other people

This is the correct version. Notice that it does not have the date portion on the index.

Correct Write alias

filebeat-7.17.7

What your log stash is trying to write to you
filebeat-7.17.7-2022.12.21

That is because the write alias does not have to date portion on the index name which is also correct...

And although it's a little hard to understand, that's exactly what your error message is saying you're writing to something that's not the rollover alias.

If you run filebeat setup it will create the alias without the date part and then it should work.

You may need to clean up and run filebeat setup -e again when you have filebeat configured the point to elasticsearch.

BTW our docs also have this wrong if you are using ILM which most folks do..

Below is correct

Note no date portion on the index

output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => "http://localhost:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      pipeline => "%{[@metadata][pipeline]}" 
      user => "elastic"
      password => "secret"
    }
  } else {
    elasticsearch {
      hosts => "http://localhost:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      user => "elastic"
      password => "secret"
    }
  }
}

tjay · December 26, 2022, 11:40am

Hi Stephen,

Thank you for your reply pointing out the root cause.

I'll clean it up and seee how it goes.

Much appreciated.

system · January 23, 2023, 11:40am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Rollover not working, Filebeat default index does not have an alias Elasticsearch	9	205	February 11, 2024
Metricbeat - INDEX LIFECYCLE ERROR Kibana	2	253	May 13, 2023
Illegal_argument_exception: index.lifecycle.rollover_alias does not point to index Kibana ilm-index-lifecycle-management	1	138	March 20, 2024
Facing issues with ILM on auto indexes Elasticsearch ilm-index-lifecycle-management	3	272	February 8, 2023
Index management error: "Index is not the write index for alias" Elasticsearch ilm-index-lifecycle-management	4	25772	July 1, 2019

Index.lifecycle.rollover_alias [filebeat-7.17.7] does not point to index [filebeat-7.17.7-2022.12.21]

Related Topics