Index template setting overwrite

Hi Team,

I have a problem with the Elasticsearch index template setting. Below is a custom config I have updated in the index template setting to keep the index in hot nodes:

"routing": {
  "allocation": {
    "require": {
      "data": "hot"
    }
  }
}

But the problem is, this setting is getting removed automatically after some time. I guess it's some client Winlogbeat which is running the setup that may be overwriting this.

Please help me with how I can block this and how to find out which client is overwriting the index template settings.

Screenshot attached

What is the output from _cat/templates?v?

Are you creating a new template, or updating an existing one?

Hi Mark,

I am updating an existing template which is winlogbeat-7.9.0

Please find the output below.

name                             index_patterns                     order      version composed_of
.management-beats                [.management-beats]                0          70000   
.lists-default                   [.lists-default-*]                 0                  
winlogbeat-7.9.0                 [winlogbeat-7.9.0-*]               1                  
.ml-notifications-000001         [.ml-notifications-000001]         0          7090099 
.transform-notifications-000002  [.transform-notifications-*]       0          7090099 
.ml-anomalies-                   [.ml-anomalies-*]                  0          7090099 
ilm-history                      [ilm-history-2*]                   2147483647 2       
.ml-state                        [.ml-state*]                       0          7090099 
.kibana-event-log-7.9.0-template [.kibana-event-log-7.9.0-*]        0                  
.ml-meta                         [.ml-meta]                         0          7090099 
filebeat-7.9.1                   [filebeat-7.9.1-*]                 1                  
.ml-stats                        [.ml-stats-*]                      0          7090099 
.transform-internal-005          [.transform-internal-005]          0          7090099 
.watch-history-11                [.watcher-history-11*]             2147483647 11      
.monitoring-logstash             [.monitoring-logstash-7-*]         0          7000199 
auditbeat-7.9.0                  [auditbeat-7.9.0-*]                1                  
.logstash-management             [.logstash]                        0                  
.monitoring-beats                [.monitoring-beats-7-*]            0          7000199 
.monitoring-kibana               [.monitoring-kibana-7-*]           0          7000199 
cisco-dc                         [cisco-dc-*]                       1                  
oracle                           [oracle-*]                         0          60001   
auditbeat-7.7.1                  [auditbeat-7.7.1-*]                1                  
.watches                         [.watches*]                        2147483647 11      
.items-default                   [.items-default-*]                 0                  
logstash                         [logstash-*]                       0          60001   
.slm-history                     [.slm-history-2*]                  2147483647 2       
.ml-config                       [.ml-config]                       0          7090099 
cisco-dc-flow                    [cisco-dc-flow-*]                  1                  
.triggered_watches               [.triggered_watches*]              2147483647 11      
.ml-inference-000002             [.ml-inference-000002]             0          7090099 
.siem-signals-default            [.siem-signals-default-*]          0          1       
.monitoring-es                   [.monitoring-es-7-*]               0          7000199 
.monitoring-alerts-7             [.monitoring-alerts-7]             0          7000199 
metrics-system.process           [metrics-system.process-*]         200                []
metrics-system.fsstat            [metrics-system.fsstat-*]          200                []
metrics-system.memory            [metrics-system.memory-*]          200                []
metrics-endpoint.metadata        [metrics-endpoint.metadata-*]      200                [metrics-endpoint.metadata-mappings]
metrics-system.socket_summary    [metrics-system.socket_summary-*]  200                []
metrics-endpoint.metrics         [metrics-endpoint.metrics-*]       200                [metrics-endpoint.metrics-mappings]
metrics-system.load              [metrics-system.load-*]            200                []
metrics-system.core              [metrics-system.core-*]            200                []
logs-endpoint.events.security    [logs-endpoint.events.security-*]  200                [logs-endpoint.events.security-mappings]
logs-endpoint.events.registry    [logs-endpoint.events.registry-*]  200                [logs-endpoint.events.registry-mappings]
logs                             [logs-*-*]                         100        0       [logs-mappings, logs-settings]
metrics-system.uptime            [metrics-system.uptime-*]          200                []
metrics-system.network_summary   [metrics-system.network_summary-*] 200                []
logs-endpoint.events.network     [logs-endpoint.events.network-*]   200                [logs-endpoint.events.network-mappings]
metrics-system.cpu               [metrics-system.cpu-*]             200                []
logs-endpoint.events.process     [logs-endpoint.events.process-*]   200                [logs-endpoint.events.process-mappings]
metrics-system.diskio            [metrics-system.diskio-*]          200                []
metrics-system.process_summary   [metrics-system.process_summary-*] 200                []
logs-system.auth                 [logs-system.auth-*]               200                []
metrics-endpoint.policy          [metrics-endpoint.policy-*]        200                [metrics-endpoint.policy-mappings]
metrics-system.entropy           [metrics-system.entropy-*]         200                []
metrics-system.socket            [metrics-system.socket-*]          200                []
metrics-system.service           [metrics-system.service-*]         200                []
logs-endpoint.events.library     [logs-endpoint.events.library-*]   200                [logs-endpoint.events.library-mappings]
metrics-system.users             [metrics-system.users-*]           200                []
metrics-system.raid              [metrics-system.raid-*]            200                []
metrics-system.network           [metrics-system.network-*]         200                []
metrics-system.filesystem        [metrics-system.filesystem-*]      200                []
logs-system.syslog               [logs-system.syslog-*]             200                []
metrics                          [metrics-*-*]                      100        0       [metrics-mappings, metrics-settings]
logs-endpoint.alerts             [logs-endpoint.alerts-*]           200                [logs-endpoint.alerts-mappings]
logs-endpoint.events.file        [logs-endpoint.events.file-*]      200                [logs-endpoint.events.file-mappings]

Hi Mark,

Is there any way I can enable auditing on the index template and find out the hostname of the device which is overwriting the default template? We have 800+ clients sending data to Elasticsearch. Please help.

Thanks,
Jijo John
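
One way to answer the "which client" question from the audit trail, as an added example that is not part of the original thread: the Python below scans Elasticsearch JSON audit-log lines for template writes and groups them by source address and user. It assumes security audit logging is enabled (`xpack.security.audit.enabled: true`) and that REST or `access_granted` events are being logged; the log lines, addresses, users and request ids are constructed.

```python
import json
from collections import Counter

# Constructed sample in the Elasticsearch 7.x JSON audit-log layout; the
# addresses (documentation range), users and request ids are made up.
SAMPLE_AUDIT_LOG = """\
{"type":"audit","event.type":"rest","event.action":"authentication_success","user.name":"beats_writer","origin.address":"192.0.2.17:51544","url.path":"/_template/winlogbeat-7.9.0","request.method":"PUT","request.id":"r1"}
{"type":"audit","event.type":"transport","event.action":"access_granted","user.name":"beats_writer","origin.address":"192.0.2.17:51544","action":"indices:admin/template/put","request.id":"r1"}
{"type":"audit","event.type":"rest","event.action":"authentication_success","user.name":"beats_writer","origin.address":"192.0.2.18:40210","url.path":"/_template/winlogbeat-7.9.0","request.method":"HEAD","request.id":"r2"}
{"type":"audit","event.type":"rest","event.action":"authentication_success","user.name":"beats_writer","origin.address":"192.0.2.18:40210","url.path":"/_bulk","request.method":"POST","request.id":"r3"}
{"type":"audit","event.type":"rest","url.path":"/_template/winlo
{"type":"audit","event.type":"rest","event.action":"authentication_success","user.name":"beats_writer","origin.address":"192.0.2.17:51602","url.path":"/_template/winlogbeat-7.9.0","request.method":"PUT","request.id":"r4"}
{"type":"audit","event.type":"rest","event.action":"authentication_success","user.name":"ops_admin","origin.address":"192.0.2.200:60011","url.path":"/_template/winlogbeat-7.9.0","request.method":"PUT","request.id":"r5"}
"""

def template_writers(lines, name_prefix="winlogbeat-"):
    """Return [((source_host, user), count), ...] for template write requests."""
    hits, seen = Counter(), set()
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line
        if not isinstance(ev, dict):
            continue
        # REST event: a write to /_template/<name>; HEAD/GET only read it.
        rest_put = (ev.get("request.method") in ("PUT", "POST")
                    and ev.get("url.path", "").startswith("/_template/" + name_prefix))
        # Transport event: carries the action name but not the template name,
        # so it is counted regardless of name_prefix.
        transport_put = ev.get("action") == "indices:admin/template/put"
        if not (rest_put or transport_put):
            continue
        rid = ev.get("request.id")
        if rid is not None:
            if rid in seen:
                continue  # same request already counted from its other event
            seen.add(rid)
        host = ev.get("origin.address", "unknown").rsplit(":", 1)[0]  # drop port
        hits[(host, ev.get("user.name", "unknown"))] += 1
    return hits.most_common()

if __name__ == "__main__":
    for (host, user), n in template_writers(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"{host}\t{user}\t{n} template write(s)")
```

With 800+ shippers, giving each client or client group its own credentials makes the `user.name` column as useful as the address.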

Hi Mark,

I cloned the existing index template with merge order as 2 and pattern as winlogbeat-* and added my custom routing allocation policy. Now it looks fine.
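
Why the separate template holds up, as an added example that is not part of the thread: a small Python model of how legacy templates are merged by `order` when an index is created, assuming (as the poster suspects) that a client reloads `winlogbeat-7.9.0`. The template name `winlogbeat-hot`, the stand-in Beats settings and the index name are assumptions for illustration.

```python
from fnmatch import fnmatch

def deep_merge(base, override):
    """Recursively merge two settings dicts; values in override win."""
    out = dict(base)
    for key, val in override.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], val)
        else:
            out[key] = val
    return out

def effective_settings(templates, index_name):
    """Apply every matching legacy template, lowest order first."""
    matching = [t for t in templates.values()
                if any(fnmatch(index_name, p) for p in t["index_patterns"])]
    merged = {}
    for tmpl in sorted(matching, key=lambda t: t["order"]):
        merged = deep_merge(merged, tmpl["settings"])
    return merged

HOT = {"index": {"routing": {"allocation": {"require": {"data": "hot"}}}}}

def beats_default():
    # Stand-in for the template body a Beats client loads (assumed settings).
    return {"index_patterns": ["winlogbeat-7.9.0-*"], "order": 1,
            "settings": {"index": {"refresh_interval": "5s"}}}

def routing_after_overwrite(use_separate_template):
    templates = {"winlogbeat-7.9.0": beats_default()}
    if use_separate_template:
        # The fix from the thread: own template, order 2, broader pattern.
        templates["winlogbeat-hot"] = {"index_patterns": ["winlogbeat-*"],
                                       "order": 2, "settings": HOT}
    else:
        # The original approach: edit the Beats-managed template in place.
        tmpl = templates["winlogbeat-7.9.0"]
        tmpl["settings"] = deep_merge(tmpl["settings"], HOT)
    # A client reloads its template and replaces the body wholesale.
    templates["winlogbeat-7.9.0"] = beats_default()
    eff = effective_settings(templates, "winlogbeat-7.9.0-2020.09.21-000001")
    return (eff.get("index", {}).get("routing", {})
               .get("allocation", {}).get("require", {}).get("data"))

if __name__ == "__main__":
    print("edited in place :", routing_after_overwrite(False))
    print("separate order 2:", routing_after_overwrite(True))
```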