stephenb
(Stephen Brown)
October 27, 2022, 9:21pm
5
Apologies, not sure what's going on. I'm not getting the full thread until I reply... 7.17.
Try adding
setup.ilm.enabled: false
I think I went through a couple different methods of this and why the certain settings work here
As explained in the post I linked, you have a module enabled in your configuration, whether it is important now or not... It overrides the output settings in some cases, but let's put that aside; there are other issues...
Also from the docs here ... which is your key issue...
When index lifecycle management (ILM) is enabled, the default index is "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}-%{index_num}", for example, "filebeat-7.12.1-2022-07-28-000001". Custom index settings are ignored when…
so I think you need
setup.ilm.enabled: false
setup.template:
  enabled: true
  name: "suricata"
  pattern: "suricata-*"
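
A small lint for the conflict described above, as an added example that is not part of the original post or of Filebeat itself. The `output.elasticsearch` block (hosts and index value) is constructed for illustration, the helper names are hypothetical, and the parser only handles the nested-map YAML subset used here.

```python
from fnmatch import fnmatchcase

def flatten_yaml(text):
    """Flatten a small YAML subset (nested maps of scalars) into dotted keys."""
    flat, stack = {}, []  # stack holds (indent, key) for each open parent map
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close maps that ended at this indentation
        path = ".".join([k for _, k in stack] + [key.strip()])
        value = value.strip().strip("\"'")
        if value:
            flat[path] = value
        else:
            stack.append((indent, key.strip()))
    return flat

def check_custom_index(flat):
    """Return findings that stop a custom Elasticsearch index from taking effect."""
    findings = []
    index = flat.get("output.elasticsearch.index")
    if index is None:
        return findings  # default index in use, nothing to check
    # An unset value is treated as "auto", under which the custom index is ignored.
    if flat.get("setup.ilm.enabled", "auto").lower() != "false":
        findings.append("ILM is not disabled: custom index setting is ignored")
    name = flat.get("setup.template.name")
    pattern = flat.get("setup.template.pattern")
    if not name or not pattern:
        findings.append("setup.template.name and setup.template.pattern are required")
    elif not fnmatchcase(index, pattern):  # sanity check: template must cover the index
        findings.append(f"template pattern {pattern!r} does not match index {index!r}")
    return findings

# Constructed sample configs: a custom index alone, then with the settings from the post.
BEFORE = """
output.elasticsearch:
  hosts: ["localhost:9200"]
  index: "suricata-%{+yyyy.MM.dd}"
"""
AFTER = BEFORE + """setup.ilm.enabled: false
setup.template:
  enabled: true
  name: "suricata"
  pattern: "suricata-*"
"""
for label, cfg in (("before", BEFORE), ("after", AFTER)):
    print(label, check_custom_index(flatten_yaml(cfg)) or "ok")
```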