Good day,
I'm trying to establish an Index Lifecycle Management for my indices by using the elasticsearch output in Logstash.
This is the elasticsearch output plugin config:
output {
  if "tomcat" in [type] {
    elasticsearch {
      hosts => ["https://elasticsearch:9200"]
      index => "filebeat-tomcat-7.10.0"
      user => "elastic"
      password => "<pw>"
      ssl => true
      cacert => "<path-to>-ca.crt"
      ilm_rollover_alias => "filebeat-tomcat"
      ilm_pattern => "000001"
      ilm_policy => "logs"
    }
  } else if "apache_access" in [type] {
    elasticsearch {
      hosts => ["https://elasticsearch:9200"]
      index => "filebeat-apache_access-7.10.0"
      user => "elastic"
      password => "<pw>"
      ssl => true
      cacert => "<path-to>-ca.crt"
      ilm_rollover_alias => "filebeat-apache_access"
      ilm_pattern => "000001"
      ilm_policy => "logs"
    }
  } else if "apache_error" in [type] {
    elasticsearch {
      hosts => ["https://elasticsearch:9200"]
      index => "filebeat-apache_error-7.10.0"
      user => "elastic"
      password => "<pw>"
      ssl => true
      cacert => "<path-to>-ca.crt"
      ilm_rollover_alias => "filebeat-apache_error"
      ilm_pattern => "000001"
      ilm_policy => "logs"
    }
  } else {
    elasticsearch {
      hosts => ["https://elasticsearch:9200"]
      index => "%{[@metadata][beat]}-%{[type]}-%{[@metadata][version]}"
      user => "elastic"
      password => "<pw>"
      ssl => true
      cacert => "<path-to>-ca.crt"
    }
  }
}
The indices are created with the index name, e.g. filebeat-tomcat-000001.
But in Kibana I get the error:
Index lifecycle error
illegal_argument_exception: setting [index.lifecycle.rollover_alias] for index [filebeat-apache_access-000001] is empty or not defined
And indeed a look at the filebeat-tomcat-000001 settings tells me:
"defaults": {
  "index": {
    ...
    "lifecycle": {
      "parse_origination_date": "false",
      "indexing_complete": "false",
      "rollover_alias": "",
      "origination_date": "-1"
    },
    ....
Did I configure the elasticsearch output plugin wrongly or can I add the rollover_alias through the Rollover Index API?
Any help would be very much appreciated. TIA!