I got logs from Winlogbeat, and I want to store them in custom indexes.
So I need a rollover policy for these indexes.
Here is part of the Logstash config file (output):
output {
  if [type] == "winlogbeat" {
    elasticsearch {
      hosts => ["https://10.101.8.48:9200"]
      user => "elastic"
      password => "*******"
      ssl => true
      ssl_certificate_verification => false
      cacert => "/etc/logstash/elasticsearch-ca.pem"
      index => "%{[@metadata][beat]}-%{+yyyyMMdd}"
      #ilm_rollover_alias => "winlogbeat"
      ilm_pattern => "000001"
      ilm_policy => "winlogbeat-policy"
    }
  }
  if [type] == "netflow" {
    elasticsearch {
      hosts => ["https://10.101.8.48:9200"]
      user => "elastic"
      password => "********"
      ssl => true
      ssl_certificate_verification => false
      cacert => "/etc/logstash/elasticsearch-ca.pem"
      index => "netflow-%{+yyyyMMdd}"
      #ilm_rollover_alias => "netflow"
      ilm_pattern => "000001"
      ilm_policy => "netflow-policy"
    }
  }
  if [type] == "json" {
    elasticsearch {
      hosts => ["https://10.101.8.48:9200"]
      user => "elastic"
      password => "*******"
      ssl => true
      ssl_certificate_verification => false
      cacert => "/etc/logstash/elasticsearch-ca.pem"
    }
  }
  if [type] == "syslog" {
    elasticsearch {
      hosts => ["https://10.101.8.48:9200"]
      user => "elastic"
      password => "****"
      ssl => true
      ssl_certificate_verification => false
      cacert => "/etc/logstash/elasticsearch-ca.pem"
    }
    #stdout { codec => rubydebug }
  }
}
Here are the index template settings:
{
  "index": {
    "lifecycle": {
      "name": "winlogbeat-policy",
      "rollover_alias": "winlogbeat"
    },
    "number_of_shards": "1",
    "refresh_interval": "5s"
  }
}
So this is how the indices look now:
Can someone help to set up index templates with a rollover policy?
Elastic - v 7.15.2