Wazuh template ILM policy resets to blank post-upgrade to 4.4.4

Nightingale_John · August 7, 2023, 10:48am

Hi,

I use Wazuh with Elastic, and recently I performed an update of wazuh to 4.4.4. Since the upgrade the ILM policy on the Wazuh template reset to null and therefore indexes didn't roll over.

I thought i fixed the index template:

PUT _template/wazuh
{
  "index_patterns": ["wazuh-alerts-4.x-*"],
  "settings": {
    "index.lifecycle.name": "wazuh",
    "index.lifecycle.rollover_alias" : "wazuh-alerts-4.x"
  }
}

This managed to fix it temporarily, but then the index didnt roll over again, and checking the index template the ILM policy is blank again. Putting it back using the above code worked, but then i saw within 10 mins the policy was reset to blank again.

Any ideas?

leandrojmp · August 7, 2023, 2:35pm

You need to edit the source json template file for wazuh, if you are using filebeat it will overwrite the template you have.

Nightingale_John · August 7, 2023, 2:39pm

Ah thanks Leandro!

system · September 4, 2023, 2:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
ILM elasticsearch not working Elasticsearch ilm-index-lifecycle-management	3	286	December 4, 2022
Correct understanding of "aliases" in elasticsearch Elasticsearch ilm-index-lifecycle-management	4	628	November 6, 2022
Index not rolling over Elasticsearch ilm-index-lifecycle-management	16	6185	March 24, 2021
Mapping error for rollover Logstash ilm-index-lifecycle-management	0	112	April 23, 2024
Index rollover due to policy does not copy mapping Elasticsearch ilm-index-lifecycle-management , rollups	16	298	January 6, 2024

Wazuh template ILM policy resets to blank post-upgrade to 4.4.4

Related Topics