I am having two ILM errors for different indexes.
My primary error was (and is for the indices where I have not carried our steps mentioned below).
illegal_argument_exception: index.lifecycle.rollover_alias "indice name" does not point to index "rollover indice name"
For these indices I could see that there was no aliases.
Hence I created an aliases using:
POST /_aliases
{
"actions" : [
{ "add" : { "index" : "auditbeat-7.13.0-*", "alias" : "auditbeat-7.13.0" }
}
]
}
However on indexes where Aliases is present, I get the error: (secondary error)
illegal_argument_exception: rollover target [auditbeat-7.13.1] does not point to a write index
I am using logstash to collect and forward the logs to Elasticsearch. Here is the output portion of the configuration from Logstash's beats.conf
output {
elasticsearch {
hosts => ["ES_IP_1:9200","ES_IP_2:9200"]
ssl => true
user => 'redacted'
password => 'redacted'
cacert => '/etc/logstash/elasticsearch-ca.pem'
ssl_certificate_verification => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
ilm_enabled => auto
}
}
I can see following logs in /var/log/syslog
(status=400): {"type":"illegal_argument_exception","reason":"no write index is defined for alias [auditbeat-7.13.1]. The write index may be explicitly disabled using is_write_index=false or the alias points to multiple indices without one being designated as a write index"}
I have tried adding parameter is_write_index : true but that hasn't solved the problem.
I have created new ILM policies too but same problem continues (Tutorial: Automate rollover with ILM | Elasticsearch Guide [7.13] | Elastic)
Where am I going wrong and how do I fix this?
PS: There is something weird wherein at times there are no indices with ILM error but I reckon that can be ignored until I fix the problem 