Stop logstash from automatically creating an index on elastic


Is there a way to stop logstash from automatically creating an index in Elasticsearch. even if the conf file does not contain any configuration regarding the index.

Logstash logs:

logstash    | [WARN ] 2022-06-07 09:21:17.045 [[main]>worker6] elasticsearch - Could not index event to Elasticsearch. {:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-cisco_asa.log", :routing=>nil}, 

The index now is closed because I cannot delete it:

Logstash conf file

Output {
  else if [type] == "syslog" {

        elasticsearch {
                 hosts => ["https://X.X.X.X:9200","https://X.X.X.X:9200","https://X.X.X.X:9200"]
                 cacert => 'XXXXXXX’
                 user => "XXX"
                 password => “xxxx"
                 data_stream => true
                 data_stream_type => "logs"
                 data_stream_dataset => "asa"
                 data_stream_namespace => "prod"

the logs-cisco_asa.log index is automatically being created even if after the output configuration is changed.

the purpose was to move syslog from legacy index to datastream.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.