Keep index template and ILM when using logstash

sref · July 3, 2020, 6:31am

Im looking for guidance on how to keep ILM working, when sending logs via Logstash to a custom index.

I do the classic setup with Winlogbeat->Logstash->ES.
Logstash output config:

output {
  if "CUSTOMTAG" in [tags] {
    elasticsearch {
      ssl => true
      cacert => '/etc/logstash/certs/ca.crt'
      #manage_template => true
      hosts => ["ES1fqdn:9200", "ES2.fqdn:9200", "ES2.fqdn:9200"]
      index => "COMPANYNAME-%{[@metadata][beat]}-%{[@metadata][version]}"
      user => "logstash_writer"
      password => "PASSWORD"
    }
  }

I read on some blog that i maybe should add the following lines to output:
template => "/myconfig/template.json"
template_name => "myindex"
template_overwrite => "true"

template.json is the winlogbeat index template that i exported from winlogbeat

Im basically looking for daily indexes following the pattern "COMPANYNAME-Winlogbeat-YY-MM-DD
Using ILM rollover to create extra indexes suffixed 00001, 00002 etc if it needs to create multiple indices that day

Am i confusing the older way to manage index rollover with ILM, or am i totally on the wrong path?

system · July 31, 2020, 6:31am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need help with ILM when using logstash Logstash ilm-index-lifecycle-management	2	321	August 17, 2020
How to import Winlogbeat index template when using ILM and Logstash? Elasticsearch	1	334	March 6, 2020
Elasticsearch custom ILM Elasticsearch ilm-index-lifecycle-management	5	1146	September 15, 2019
Need help with importing Winlogbeat index template when using ILM and Logstash Beats winlogbeat	1	329	March 4, 2020
ILM template and index pattern Kibana ilm-index-lifecycle-management	6	329	September 22, 2021

Keep index template and ILM when using logstash

Related topics