Logstash ILM

Hi, I'm setting up a test environment where I want Winlogbeat and Packetbeat to send Windows event logs to Elasticsearch through Logstash.

I need to know where I am supposed to enable ILM: on the Beats side or in Logstash?
I've loaded the templates by enabling elasticsearch output in beats configuration.

When I set the output to Logstash, the index it creates for Winlogbeat doesn't end with an incremental number and eventually fails to roll over by policy.

Please suggest.

###################### Logstash Configuration 7.3.0 ########################
input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["https://xxxxxxxx:9800"]
    user => "elastic"
    password => "xxxx"
    ssl => true
    ssl_certificate_verification => true
    cacert => "path_to_cer"
    ilm_enabled => true
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

###################### Winlogbeat Configuration 7.3.0 ########################
winlogbeat.event_logs:
  - name: Security
    ignore_older: 1h
    tags: ["dc"]
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

output.logstash:
  hosts: ["xxxxxxxxxx:5044"]

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

setup.template.settings:
  index.number_of_shards: 15
  index.codec: best_compression

See here: https://www.elastic.co/guide/en/elasticsearch/reference/current/getting-started-index-lifecycle-management.html#ilm-gs-apply-policy

Drop down to the "Bootstrapping our first index" section. Before starting Logstash, this step creates the first index, with the alias set to is_write_index.
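As an added example (not part of this thread and not Elastic's code), the Python script below shows what that bootstrap step sends to Elasticsearch and audits an index/alias listing for the symptoms described above: an index without the alias, a daily-named index that rollover cannot increment, a concrete index that has taken the alias's name, or an alias with zero or several write indices. It does not contact a cluster; the listings are constructed by hand in the shape of `GET _alias` output, and the alias name `winlogbeat-7.3.0` is taken from the thread.

```python
# Added example, not from the thread or from Elastic. Builds the bootstrap
# request the linked guide describes and audits a hand-built index/alias
# listing for the misconfigurations discussed in this thread. No network I/O.
import json
import re

# Rollover can only increment a name that ends in "-<digits>"
# (e.g. winlogbeat-7.3.0-000001); a date-suffixed name is never rolled.
ROLLOVER_NAME = re.compile(r"^(?P<base>.+)-(?P<seq>\d+)$")


def bootstrap_request(alias: str, seq: int = 1) -> tuple[str, str, dict]:
    """Method, path and JSON body that create the first ILM-managed index.

    The index is named <alias>-000001 and the alias is attached with
    is_write_index so that Logstash (ilm_rollover_alias) and ILM rollover
    share a single write target.
    """
    index = f"{alias}-{seq:06d}"
    body = {"aliases": {alias: {"is_write_index": True}}}
    return "PUT", f"/{index}", body


def audit_alias(alias: str, indices: dict) -> list[str]:
    """Return the problems found for `alias`; an empty list means it is ready.

    `indices` mirrors GET _alias output: {index_name: {"aliases": {name: {...}}}}.
    """
    problems = []
    # A concrete index with the alias's name blocks creating the alias itself.
    if alias in indices:
        problems.append(
            f"an index named '{alias}' exists, so the alias cannot be created; "
            "delete or reindex it first")
    aliased = {
        name: meta.get("aliases", {})[alias]
        for name, meta in indices.items()
        if alias in meta.get("aliases", {})
    }
    if not aliased:
        problems.append(
            f"no index carries alias '{alias}'; bootstrap it before starting Logstash")
    writers = [n for n, a in aliased.items() if a.get("is_write_index")]
    if aliased and len(writers) != 1:
        problems.append(
            f"alias '{alias}' needs exactly one is_write_index index, found {len(writers)}")
    # Any index that belongs to this alias family must be rollover-friendly.
    for name in indices:
        if (name in aliased or name.startswith(alias + "-")) and not ROLLOVER_NAME.match(name):
            problems.append(
                f"'{name}' does not end in -<number>, so rollover cannot derive the next name")
    return problems


# Constructed listing matching the thread's first attempt: Logstash wrote a
# date-suffixed index straight to Elasticsearch and attached no alias.
LISTING_BEFORE = {
    "winlogbeat-7.3.0-2019.08.20": {"aliases": {}},
}

# Constructed listing after the bootstrap step from the guide.
LISTING_AFTER = {
    "winlogbeat-7.3.0-000001": {
        "aliases": {"winlogbeat-7.3.0": {"is_write_index": True}},
    },
}

if __name__ == "__main__":
    method, path, body = bootstrap_request("winlogbeat-7.3.0")
    print(f"{method} {path}\n{json.dumps(body, indent=2)}")
    for label, listing in (("before", LISTING_BEFORE), ("after", LISTING_AFTER)):
        print(f"{label}: {audit_alias('winlogbeat-7.3.0', listing) or 'OK'}")
```

Run it as-is to see the request body for the bootstrap index and the two audit results; to check a real cluster, feed `audit_alias` the parsed JSON of `GET _alias` (or `GET <alias>-*`) and run it before the first Logstash start.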

Thanks for your reply @rugenl
Is there a way to get the first index created automatically?

Configuration is quite confusing actually. With the above config that I pasted before, the index gets created in ES but it doesn't have any aliases associated.

No, there doesn't seem to be a way (in Elasticsearch anyway) to create the initial index. This is similar to a case/discussion I had with Elastic :)

Depending on your environment and depth of devops structure, things might be possible. Say you were automating deployment of beats, you could possibly automate the template and bootstrap index creation.

Yes, it is confusing. I had a lot of problems with date math in index names. Yes, if you don't bootstrap the index, the initial index is a single index, neither old- nor new-style rollover. And it probably duplicates the is_write_alias you want, so it's in the way of creating the bootstrap index.

ILM came out after we had planned our stack; it was too much of a crunch to learn it in order to implement it. 60-90 days into our stack, we were creating over 60 indices a day, which isn't good. It took about a month to mostly convert to ILM, with a few bumps along the way.

Thanks @rugenl
I was able to create ILM-supported indexes in ES through Logstash using the following config. So far it's working fine.

Beats:
While the Beat service was stopped, I added the following to the config, enabled the ES output for setting up dashboards / index management, and removed / reverted the output to LS when done.

setup.template.overwrite: true
setup.template.settings:
  index.number_of_shards: 15
  index.codec: best_compression

./Winlogbeat setup
Modified ILM policies manually in the GUI as per the requirement.
Deleted any indexes with old policies if they exist.

Logstash:
Configured LS as per below and started the service. It created new indexes with the right configuration in ES.

output {
  elasticsearch {
    hosts => ["xxx:yyyy"]
    user => "xxx"
    password => "xxx"
    ssl => true
    ssl_certificate_verification => true
    cacert => "path_to_cer"
    ilm_enabled => true
    ilm_rollover_alias => "winlogbeat-7.3.0"
    ilm_policy => "winlogbeat-7.3.0"
  }
}

Finally started the Beat service to use the indexes created by LS.