jijo.john
(Jijo John)
September 30, 2020, 3:01pm
1
Hi Team,
I have a problem with the Elasticsearch index template setting. Below is a custom config I have updated in the index template setting to keep the index on hot nodes:

    "routing": {
      "allocation": {
        "require": {
          "data": "hot"
        }
      }
    }

But the problem is that this setting is getting removed automatically after some time. I guess some client (winlogbeat, which is running the setup) may be overwriting this.
Please help me with how I can block this and how to find out which client is overwriting the index template settings.
Screenshot attached
warkolm
(Mark Walkom)
September 30, 2020, 9:20pm
2
What is the output from _cat/templates?v ?
Are you creating a new template, or updating an existing one?
jijo.john
(Jijo John)
October 1, 2020, 4:24am
3
Hi Mark,
I am updating an existing template, which is winlogbeat-7.9.0.
Please find the output below.
name index_patterns order version composed_of
.management-beats [.management-beats] 0 70000
.lists-default [.lists-default-*] 0
winlogbeat-7.9.0 [winlogbeat-7.9.0-*] 1
.ml-notifications-000001 [.ml-notifications-000001] 0 7090099
.transform-notifications-000002 [.transform-notifications-*] 0 7090099
.ml-anomalies- [.ml-anomalies-*] 0 7090099
ilm-history [ilm-history-2*] 2147483647 2
.ml-state [.ml-state*] 0 7090099
.kibana-event-log-7.9.0-template [.kibana-event-log-7.9.0-*] 0
.ml-meta [.ml-meta] 0 7090099
filebeat-7.9.1 [filebeat-7.9.1-*] 1
.ml-stats [.ml-stats-*] 0 7090099
.transform-internal-005 [.transform-internal-005] 0 7090099
.watch-history-11 [.watcher-history-11*] 2147483647 11
.monitoring-logstash [.monitoring-logstash-7-*] 0 7000199
auditbeat-7.9.0 [auditbeat-7.9.0-*] 1
.logstash-management [.logstash] 0
.monitoring-beats [.monitoring-beats-7-*] 0 7000199
.monitoring-kibana [.monitoring-kibana-7-*] 0 7000199
cisco-dc [cisco-dc-*] 1
oracle [oracle-*] 0 60001
auditbeat-7.7.1 [auditbeat-7.7.1-*] 1
.watches [.watches*] 2147483647 11
.items-default [.items-default-*] 0
logstash [logstash-*] 0 60001
.slm-history [.slm-history-2*] 2147483647 2
.ml-config [.ml-config] 0 7090099
cisco-dc-flow [cisco-dc-flow-*] 1
.triggered_watches [.triggered_watches*] 2147483647 11
.ml-inference-000002 [.ml-inference-000002] 0 7090099
.siem-signals-default [.siem-signals-default-*] 0 1
.monitoring-es [.monitoring-es-7-*] 0 7000199
.monitoring-alerts-7 [.monitoring-alerts-7] 0 7000199
metrics-system.process [metrics-system.process-*] 200 []
metrics-system.fsstat [metrics-system.fsstat-*] 200 []
metrics-system.memory [metrics-system.memory-*] 200 []
metrics-endpoint.metadata [metrics-endpoint.metadata-*] 200 [metrics-endpoint.metadata-mappings]
metrics-system.socket_summary [metrics-system.socket_summary-*] 200 []
metrics-endpoint.metrics [metrics-endpoint.metrics-*] 200 [metrics-endpoint.metrics-mappings]
metrics-system.load [metrics-system.load-*] 200 []
metrics-system.core [metrics-system.core-*] 200 []
logs-endpoint.events.security [logs-endpoint.events.security-*] 200 [logs-endpoint.events.security-mappings]
logs-endpoint.events.registry [logs-endpoint.events.registry-*] 200 [logs-endpoint.events.registry-mappings]
logs [logs-*-*] 100 0 [logs-mappings, logs-settings]
metrics-system.uptime [metrics-system.uptime-*] 200 []
metrics-system.network_summary [metrics-system.network_summary-*] 200 []
logs-endpoint.events.network [logs-endpoint.events.network-*] 200 [logs-endpoint.events.network-mappings]
metrics-system.cpu [metrics-system.cpu-*] 200 []
logs-endpoint.events.process [logs-endpoint.events.process-*] 200 [logs-endpoint.events.process-mappings]
metrics-system.diskio [metrics-system.diskio-*] 200 []
metrics-system.process_summary [metrics-system.process_summary-*] 200 []
logs-system.auth [logs-system.auth-*] 200 []
metrics-endpoint.policy [metrics-endpoint.policy-*] 200 [metrics-endpoint.policy-mappings]
metrics-system.entropy [metrics-system.entropy-*] 200 []
metrics-system.socket [metrics-system.socket-*] 200 []
metrics-system.service [metrics-system.service-*] 200 []
logs-endpoint.events.library [logs-endpoint.events.library-*] 200 [logs-endpoint.events.library-mappings]
metrics-system.users [metrics-system.users-*] 200 []
metrics-system.raid [metrics-system.raid-*] 200 []
metrics-system.network [metrics-system.network-*] 200 []
metrics-system.filesystem [metrics-system.filesystem-*] 200 []
logs-system.syslog [logs-system.syslog-*] 200 []
metrics [metrics-*-*] 100 0 [metrics-mappings, metrics-settings]
logs-endpoint.alerts [logs-endpoint.alerts-*] 200 [logs-endpoint.alerts-mappings]
logs-endpoint.events.file [logs-endpoint.events.file-*] 200 [logs-endpoint.events.file-mappings]
jijo.john
(Jijo John)
October 3, 2020, 7:33am
4
Hi Mark,
Is there any way I can enable auditing on index templates and find out the hostname of the device which is overwriting the default template? We have 800+ clients sending data to Elasticsearch. Please help.
Thanks,
Jijo John
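The question above (which of 800+ clients is re-writing the template) is what the Elasticsearch audit log answers once it is switched on with the security features (xpack.security.audit.enabled: true in elasticsearch.yml): every authenticated request is logged as one JSON object per line with the transport action name, the user and the client address. The script below is an added example, not from the thread or from Elastic; it scans such a log for granted template writes and counts them per source host. The action names (indices:admin/template/put for PUT _template, indices:admin/index_template/put for PUT _index_template) are real, the field names follow the 7.x JSON audit event format, and the log lines themselves are constructed for the example.

```python
import json
from collections import Counter

# Transport action names Elasticsearch uses for template writes. The first is the
# legacy PUT _template/<name> (what winlogbeat 7.9 uses), the second PUT _index_template/<name>.
TEMPLATE_WRITE_ACTIONS = {
    "indices:admin/template/put",
    "indices:admin/index_template/put",
}

# Constructed sample events in the shape of the 7.x JSON audit log (one object per line).
# Hosts, users and timestamps are made up for this example.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(ev) for ev in [
    {"type": "audit", "timestamp": "2020-10-03T07:10:01,001+0000", "event.type": "transport",
     "event.action": "access_granted", "user.name": "beats_writer", "origin.type": "rest",
     "origin.address": "10.20.30.41:51234", "action": "indices:admin/template/put",
     "request.name": "PutIndexTemplateRequest"},
    {"type": "audit", "timestamp": "2020-10-03T07:10:02,002+0000", "event.type": "transport",
     "event.action": "access_granted", "user.name": "beats_writer", "origin.type": "rest",
     "origin.address": "10.20.30.41:51235", "action": "indices:data/write/bulk",
     "request.name": "BulkRequest"},
    {"type": "audit", "timestamp": "2020-10-03T07:12:30,003+0000", "event.type": "transport",
     "event.action": "access_granted", "user.name": "beats_writer", "origin.type": "rest",
     "origin.address": "10.20.30.77:49001", "action": "indices:admin/template/put",
     "request.name": "PutIndexTemplateRequest"},
    {"type": "audit", "timestamp": "2020-10-03T07:15:00,004+0000", "event.type": "transport",
     "event.action": "access_denied", "user.name": "readonly", "origin.type": "rest",
     "origin.address": "10.20.30.99:40000", "action": "indices:admin/template/put",
     "request.name": "PutIndexTemplateRequest"},
    {"type": "audit", "timestamp": "2020-10-03T07:20:00,005+0000", "event.type": "transport",
     "event.action": "access_granted", "user.name": "beats_writer", "origin.type": "rest",
     "origin.address": "10.20.30.41:51300", "action": "indices:admin/template/put",
     "request.name": "PutIndexTemplateRequest"},
])


def template_writes(audit_text):
    """Return (timestamp, user, source host, action) for every *granted* template write.

    Denied attempts are skipped because they did not change anything; malformed lines
    are skipped rather than aborting the scan of a large log.
    """
    hits = []
    for raw in audit_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if ev.get("event.action") != "access_granted":
            continue
        if ev.get("action") not in TEMPLATE_WRITE_ACTIONS:
            continue
        origin = ev.get("origin.address", "")
        host = origin.rsplit(":", 1)[0] if ":" in origin else origin  # drop the ephemeral port
        hits.append((ev.get("timestamp"), ev.get("user.name"), host, ev.get("action")))
    return hits


def writes_by_host(audit_text):
    """Count granted template writes per source host; the top entries are the clients to inspect."""
    return Counter(host for _, _, host, _ in template_writes(audit_text))


if __name__ == "__main__":
    for host, n in writes_by_host(SAMPLE_AUDIT_LOG).most_common():
        print(f"{host}\t{n} template write(s)")
```

On the hosts this points at, the beat-side knob to check is setup.template.overwrite in the winlogbeat configuration: with it set to true the beat re-PUTs its template on every start, which replaces the whole template body, including settings added by hand.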
jijo.john
(Jijo John)
October 4, 2020, 5:44pm
5
Hi Mark,
I cloned the existing index template with merge order 2 and pattern winlogbeat-*, and added my custom routing allocation policy. Now it looks fine.
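Why the separate template survives while the edited one did not comes down to how legacy index templates are resolved: every template whose pattern matches a new index is merged in ascending order, so a higher-order template overrides the keys of a lower-order one, while a beat's setup only replaces the template that carries its own name. The script below is an added example, not from the thread or from Elastic, that models both behaviours on the templates listed in the _cat/templates output above. The override template's name (winlogbeat-hot) and the settings bodies of the beat templates are assumptions; settings are kept as flat dotted keys for simplicity, and composable index templates (which take precedence over all legacy templates when one matches) are left out because none in the listing match winlogbeat-*.

```python
import copy
import fnmatch

HOT_ROUTING = {"index.routing.allocation.require.data": "hot"}

# Body of winlogbeat's own template as the beat would (re)load it. Settings content is assumed.
BEAT_TEMPLATE = {
    "index_patterns": ["winlogbeat-7.9.0-*"],
    "order": 1,
    "settings": {"index.number_of_shards": "1", "index.refresh_interval": "5s"},
}

# The override template from the final post: wider pattern, higher order (merged last, so it wins).
OVERRIDE_TEMPLATE = {
    "index_patterns": ["winlogbeat-*"],
    "order": 2,
    "settings": dict(HOT_ROUTING),
}

TEMPLATES = {
    "winlogbeat-7.9.0": copy.deepcopy(BEAT_TEMPLATE),
    "winlogbeat-hot": copy.deepcopy(OVERRIDE_TEMPLATE),          # assumed name
    "filebeat-7.9.1": {"index_patterns": ["filebeat-7.9.1-*"], "order": 1,
                       "settings": {"index.number_of_shards": "1"}},  # assumed content
}


def effective_settings(templates, index_name):
    """Legacy-template resolution: all templates whose pattern matches the new index are
    merged in ascending `order`; a later (higher-order) template overrides keys set earlier."""
    matching = [
        (name, t) for name, t in templates.items()
        if any(fnmatch.fnmatchcase(index_name, p) for p in t["index_patterns"])
    ]
    merged = {}
    for _, t in sorted(matching, key=lambda nt: nt[1]["order"]):
        merged.update(t["settings"])
    return merged


def beat_setup_overwrites(templates):
    """Model what `winlogbeat setup` (or a beat with setup.template.overwrite: true) does:
    it PUTs its template by *name*, replacing the whole body. Other templates are untouched."""
    updated = copy.deepcopy(templates)
    updated["winlogbeat-7.9.0"] = copy.deepcopy(BEAT_TEMPLATE)
    return updated


def edit_beat_template_in_place(templates):
    """The first approach from the thread: add the routing to winlogbeat-7.9.0 itself."""
    updated = copy.deepcopy(templates)
    updated.pop("winlogbeat-hot", None)
    updated["winlogbeat-7.9.0"]["settings"].update(HOT_ROUTING)
    return updated


def put_template_body():
    """Request body for `PUT _template/winlogbeat-hot`, the second approach from the thread."""
    return {
        "index_patterns": OVERRIDE_TEMPLATE["index_patterns"],
        "order": OVERRIDE_TEMPLATE["order"],
        "settings": {"index": {"routing": {"allocation": {"require": {"data": "hot"}}}}},
    }


if __name__ == "__main__":
    idx = "winlogbeat-7.9.0-2020.10.04"
    print("override template, after beat setup:",
          effective_settings(beat_setup_overwrites(TEMPLATES), idx))
    print("edited beat template, after beat setup:",
          effective_settings(beat_setup_overwrites(edit_beat_template_in_place(TEMPLATES)), idx))
```

Running it shows the routing requirement present in the first case and gone in the second, which is exactly the symptom reported at the top of the thread. The same order rule also means a future winlogbeat-7.9.1 template (order 1) will still be overridden by the order-2 winlogbeat-* template, so the hot-node requirement does not have to be re-added per beat version.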
system
(system)
Closed
November 1, 2020, 7:44pm
6
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.