Hi
I have recently been working on a new data source for Threat Intel data to make use of the Indicator Match detection. My plan was to ingest the TI data into an index and then roll that index over every 12 hrs into a delete phase as it expires.
This works: I run a cron job to download TI data every 12 hours. This is ingested by the Elastic Agent monitoring a 'Custom Log', which has Filebeat monitor my directory for new TI data.
All of this is working and I have an index template and Ingest pipeline configured.
The problem is the ILM policy is not working as I would expect. It is set to have a Hot phase with a maximum duration of 12hrs. The Delete phase then activates and is supposed to Delete 1min from rollover.
I now have an index reporting a status of open but it is in the delete phase.
I don't understand how it can be in a delete phase but not delete?
I ran a query on the ILM status on the index as shown below:
GET .ds-logs-threat_intel-default-000001/_ilm/explain
{
  "indices" : {
    ".ds-logs-threat_intel-default-000001" : {
      "index" : ".ds-logs-threat_intel-default-000001",
      "managed" : true,
      "policy" : "threat-intel",
      "lifecycle_date_millis" : 1605756732243,
      "age" : "17.83h",
      "phase" : "delete",
      "phase_time_millis" : 1605757332389,
      "action" : "complete",
      "action_time_millis" : 1605756732744,
      "step" : "complete",
      "step_time_millis" : 1605757332389,
      "phase_execution" : {
        "policy" : "threat-intel",
        "phase_definition" : {
          "min_age" : "1h",
          "actions" : { }
        },
        "version" : 3,
        "modified_date_in_millis" : 1605802413374
      }
    }
  }
}
This confirms that my ILM policy is being applied. Below is the configuration of the ILM policy, named threat-intel.
PUT _ilm/policy/threat-intel
{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": {
            "max_size": "1gb",
            "max_age": "12h"
          },
          "set_priority": {
            "priority": 100
          }
        }
      },
      "delete": {
        "min_age": "1h",
        "actions": {}
      }
    }
  }
}
I would appreciate any ideas as to what I can check to determine why an index would be in the delete phase but not actually delete? Could there be something holding it open for some reason?
I can't see any errors in the elasticsearch.log file; the last log entry relating to this index reports it moving to the delete phase but nothing more.
[2020-11-19T03:42:12,389][INFO ][o.e.x.i.IndexLifecycleTransition] [itl101400.comm.ad.roke.co.uk] moving index [.ds-logs-threat_intel-default-000001] from [{"phase":"hot","action":"complete","name":"complete"}] to [{"phase":"delete","action":"complete","name":"complete"}] in policy [threat-intel]
Any guidance appreciated.
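The policy and explain output quoted in the post show the cause directly: the delete phase is declared with `"actions": {}`, so ILM enters the phase, runs nothing, marks the phase `complete` and leaves the index open. A delete phase only removes an index when it contains the `delete` action. The script below is an added example (not code from the post or from Elastic); it keeps a constructed copy of the posted policy and explain response inline, flags the empty delete phase, and builds the corrected policy body. The function names `policy_problems` and `explain_stuck_indices` are assumptions made for this example.

```python
"""Lint an ILM policy body and an _ilm/explain response for a delete phase
that can never delete anything, and produce the corrected policy.

Added example; the policy and explain dicts are constructed copies of what the
post shows, trimmed to the fields the checks need.
"""
from __future__ import annotations

import json

# Constructed copy of the posted policy (PUT _ilm/policy/threat-intel).
BROKEN_POLICY = {
    "policy": {
        "phases": {
            "hot": {
                "min_age": "0ms",
                "actions": {
                    "rollover": {"max_size": "1gb", "max_age": "12h"},
                    "set_priority": {"priority": 100},
                },
            },
            # Empty action list: ILM has nothing to execute here.
            "delete": {"min_age": "1h", "actions": {}},
        }
    }
}

# Corrected policy: identical timings, but the delete phase now carries the
# "delete" action, which is what actually removes the backing index.
FIXED_POLICY = json.loads(json.dumps(BROKEN_POLICY))
FIXED_POLICY["policy"]["phases"]["delete"]["actions"] = {"delete": {}}

# Constructed, trimmed copy of the posted _ilm/explain response.
EXPLAIN = {
    "indices": {
        ".ds-logs-threat_intel-default-000001": {
            "managed": True,
            "policy": "threat-intel",
            "phase": "delete",
            "action": "complete",
            "step": "complete",
            "phase_execution": {
                "policy": "threat-intel",
                "phase_definition": {"min_age": "1h", "actions": {}},
                "version": 3,
            },
        }
    }
}


def policy_problems(policy: dict) -> list[str]:
    """Return the reasons this policy will never remove an index (empty if none)."""
    phases = policy["policy"]["phases"]
    delete = phases.get("delete")
    if delete is None:
        return ["no delete phase defined; indices are kept forever"]
    problems = []
    if "delete" not in (delete.get("actions") or {}):
        problems.append(
            'delete phase has no "delete" action; ILM enters the phase, '
            "marks it complete and leaves the index open"
        )
    if "rollover" not in phases.get("hot", {}).get("actions", {}):
        problems.append(
            "hot phase has no rollover; delete min_age then counts from "
            "index creation rather than from rollover"
        )
    return problems


def explain_stuck_indices(explain: dict) -> dict[str, str]:
    """Map index name -> reason for managed indices parked in an empty delete phase."""
    stuck = {}
    for name, info in explain["indices"].items():
        if not info.get("managed"):
            continue
        execution = info.get("phase_execution", {})
        phase_def = execution.get("phase_definition", {})
        if info.get("phase") == "delete" and not phase_def.get("actions"):
            stuck[name] = (
                f'in delete phase of policy {info["policy"]} (version '
                f'{execution.get("version")}) with an empty action list; step '
                f'"{info.get("step")}" is terminal, so nothing will delete it'
            )
    return stuck


if __name__ == "__main__":
    print("broken policy:", policy_problems(BROKEN_POLICY))
    print("fixed policy :", policy_problems(FIXED_POLICY))
    print("stuck indices:", explain_stuck_indices(EXPLAIN))
    # Body to send with PUT _ilm/policy/threat-intel
    print(json.dumps(FIXED_POLICY, indent=2))
```

Two practical notes when applying the corrected body. First, because the index is a data stream backing index (`.ds-` prefix), ILM will not delete it while it is still the stream's write index; it must have been rolled over first, which the 12h rollover in the hot phase takes care of. Second, an index that has already reached the terminal `complete` step of the old delete phase may not pick up the new action on its own, so re-run `_ilm/explain` after the update and, if it still shows an empty `phase_definition.actions`, clear that backing index by hand or move it with the `_ilm/move-to-step` API.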