Keep index template and ILM when using Logstash

I'm looking for guidance on how to keep ILM working when sending logs via Logstash to a custom index.

I do the classic setup with Winlogbeat->Logstash->ES.
Logstash output config:

output {
  if "CUSTOMTAG" in [tags] {
    elasticsearch {
      ssl => true
      cacert => '/etc/logstash/certs/ca.crt'
      #manage_template => true
      hosts => ["ES1fqdn:9200", "ES2.fqdn:9200", "ES2.fqdn:9200"]
      index => "COMPANYNAME-%{[@metadata][beat]}-%{[@metadata][version]}"
      user => "logstash_writer"
      password => "PASSWORD"
    }
  }
}

I read on some blog that I maybe should add the following lines to the output:
template => "/myconfig/template.json"
template_name => "myindex"
template_overwrite => "true"

template.json is the Winlogbeat index template that I exported from Winlogbeat.

I'm basically looking for daily indexes following the pattern "COMPANYNAME-Winlogbeat-YY-MM-DD",
using ILM rollover to create extra indexes suffixed 00001, 00002 etc. if it needs to create multiple indices that day.

Am I confusing the older way to manage index rollover with ILM, or am I totally on the wrong path?
