Wazuh template ILM policy resets to blank post-upgrade to 4.4.4

Nightingale_John · August 7, 2023, 10:48am

Hi,

I use Wazuh with Elastic, and recently I performed an update of wazuh to 4.4.4. Since the upgrade the ILM policy on the Wazuh template reset to null and therefore indexes didn't roll over.

I thought i fixed the index template:

PUT _template/wazuh
{
  "index_patterns": ["wazuh-alerts-4.x-*"],
  "settings": {
    "index.lifecycle.name": "wazuh",
    "index.lifecycle.rollover_alias" : "wazuh-alerts-4.x"
  }
}

This managed to fix it temporarily, but then the index didnt roll over again, and checking the index template the ILM policy is blank again. Putting it back using the above code worked, but then i saw within 10 mins the policy was reset to blank again.

Any ideas?

leandrojmp · August 7, 2023, 2:35pm

You need to edit the source json template file for wazuh, if you are using filebeat it will overwrite the template you have.

Nightingale_John · August 7, 2023, 2:39pm

Ah thanks Leandro!

system · September 4, 2023, 2:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
ILM elasticsearch not working Elasticsearch ilm-index-lifecycle-management	3	286	December 4, 2022
ILM failing for rollover for Wazuh module / data Elasticsearch ilm-index-lifecycle-management	39	2712	February 4, 2022
Elastic index template and ilm policy configuracion reset by no reason Elasticsearch docker , ilm-index-lifecycle-management	1	250	February 17, 2023
ILM policy not kicking in for index template Elasticsearch ilm-index-lifecycle-management	1	244	July 26, 2022
Correct understanding of "aliases" in elasticsearch Elasticsearch ilm-index-lifecycle-management	4	641	November 6, 2022

Wazuh template ILM policy resets to blank post-upgrade to 4.4.4

Related topics