I am trying to ingest data from a Zeek sensor directly into Elasticsearch, and when I do, ES creates index templates and system indices for each Zeek log but no usable indices. This is from a clean instance, but this result occurs regardless of whether I have pipelines installed. This is a basic single-node setup with a pretty low data rate.
The template indices all list the appropriate index alias. I.e. bro-conn-1343215431254 has an alias bro-conn.
The reason why I'm trying to go directly to ES vice using Logstash is because when I use ingest pipelines with Logstash my resource usage is unsustainable - though it works.
I have searched around and am not seeing this issue anywhere so thanks for your help.