Stop logstash from automatically creating an index on elastic

Elie_Sbat · June 7, 2022, 11:16am

Hello,

Is there a way to stop logstash from automatically creating an index in Elasticsearch. even if the conf file does not contain any configuration regarding the index.

Logstash logs:

logstash    | [WARN ] 2022-06-07 09:21:17.045 [[main]>worker6] elasticsearch - Could not index event to Elasticsearch. {:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-cisco_asa.log", :routing=>nil},

The index now is closed because I cannot delete it:

Logstash conf file


Output {
  else if [type] == "syslog" {

        elasticsearch {
                 hosts => ["https://X.X.X.X:9200","https://X.X.X.X:9200","https://X.X.X.X:9200"]
                 cacert => 'XXXXXXX’
                 user => "XXX"
                 password => “xxxx"
                 data_stream => true
                 data_stream_type => "logs"
                 data_stream_dataset => "asa"
                 data_stream_namespace => "prod"
        }
  }
}

Elie_Sbat · June 7, 2022, 11:19am

the logs-cisco_asa.log index is automatically being created even if after the output configuration is changed.

the purpose was to move syslog from legacy index to datastream.

system · July 5, 2022, 11:20am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.