I'm looking for guidance on how to keep ILM working when sending logs via Logstash to a custom index.
I do the classic setup with Winlogbeat->Logstash->ES.
Logstash output config:
output {
  if "CUSTOMTAG" in [tags] {
    elasticsearch {
      ssl => true
      cacert => '/etc/logstash/certs/ca.crt'
      #manage_template => true
      hosts => ["ES1fqdn:9200", "ES2.fqdn:9200", "ES2.fqdn:9200"]
      index => "COMPANYNAME-%{[@metadata][beat]}-%{[@metadata][version]}"
      user => "logstash_writer"
      password => "PASSWORD"
    }
  }
}
I read on some blog that I maybe should add the following lines to the output:
template => "/myconfig/template.json"
template_name => "myindex"
template_overwrite => "true"
template.json is the Winlogbeat index template that I exported from Winlogbeat.
I'm basically looking for daily indexes following the pattern "COMPANYNAME-Winlogbeat-YY-MM-DD",
using ILM rollover to create extra indexes suffixed 00001, 00002, etc. if it needs to create multiple indices that day.
Am I confusing the older way to manage index rollover with ILM, or am I totally on the wrong path?
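
The setup asked about above, written with the ILM options of the Logstash elasticsearch output plugin. This is an added example, not part of the original post. The alias name, the policy name and the keystore key ES_PWD are assumptions chosen for illustration; the hosts, paths and user are taken from the post.

```logstash
output {
  if "CUSTOMTAG" in [tags] {
    elasticsearch {
      hosts  => ["ES1fqdn:9200", "ES2.fqdn:9200"]
      ssl    => true
      cacert => '/etc/logstash/certs/ca.crt'
      user   => "logstash_writer"
      # Assumption: the secret is stored in the Logstash keystore under the
      # key ES_PWD, so it does not sit in the pipeline file in clear text.
      password => "${ES_PWD}"

      # With ILM enabled the plugin writes through the rollover alias and
      # the 'index' option is ignored.
      ilm_enabled => true
      # Assumed alias name. It must be a literal string: field references
      # such as %{[@metadata][beat]} are not expanded in this option.
      # Index names must be lowercase.
      ilm_rollover_alias => "companyname-winlogbeat"
      # Plugin default pattern. Backing indices are named
      # <alias>-<date>-000001, -000002, ... The date is resolved when a
      # rollover happens, so a new dated index appears only when the
      # policy's rollover conditions (for example max_age of one day) fire.
      ilm_pattern => "{now/d}-000001"
      # Assumed policy name. A custom policy must already exist in
      # Elasticsearch before Logstash starts.
      ilm_policy => "companyname-winlogbeat-policy"

      # Exported Winlogbeat template from the post. Its index pattern must
      # cover companyname-winlogbeat-* for the mappings to apply.
      template           => "/myconfig/template.json"
      template_name      => "companyname-winlogbeat"
      template_overwrite => true
    }
  }
}
```

The logstash_writer role needs the manage_ilm cluster privilege plus the manage and manage_ilm index privileges on the alias pattern for the plugin to create the alias and first index; scope the index privileges to companyname-winlogbeat-* rather than to all indices.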