Internal monitoring and log indices have "live forever" ILM policies

I was investigating an issue with too much retained data in our ES cloud cluster and realized that a lot of it comes from the internal monitoring and log indices. Specifically, the following indices with corresponding ILM policies:

  • .ds-metricbeat-* indices --> "metricbeat" ILM policy

  • .ds-elastic-cloud-logs-* --> "elastic-cloud-logs" ILM policy

Here is one of the policies - the other one is the same:

  "elastic-cloud-logs": {
    "version": 1,
    "modified_date": "2022-11-08T16:39:52.102Z",
    "policy": {
      "phases": {
        "hot": {
          "min_age": "0ms",
          "actions": {
            "rollover": {
              "max_primary_shard_size": "50gb",
              "max_age": "30d"
    "in_use_by": {
      "indices": [
      "data_streams": [
      "composable_templates": [

I know I can change them manually (or add to our automation) however I like, but:
a few questions:

  1. is this OK/advisable to change internal ES ILM policies?
  2. and if I do that - would they be, potentially ,updated when the managed ES cluster is updated? (for example, reverted back tot he default version)?
  3. and related to above - DO ES cluster upgrade automatically for minor versions? or is it a manually "kicked off" process only?

Thank you!

Hi @ppine7

Great, thank you, @stephenb !

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.