This functionality is experimental and may be changed or removed completely in a future release. Elastic will take a best effort approach to fix any issues, but experimental features are not subject to the support SLA of official GA features.
NOTE: You are looking at documentation for an older release. For the latest information, see the current release documentation.
Set up index lifecycle management
This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
You can use the index lifecycle management feature in Elasticsearch to manage your Journalbeat indices as they age. For example, instead of having Journalbeat create daily indices where index size can vary based on the number of Beats and number of events sent, you can use an index lifecycle policy that automates a rollover to a new index when the existing index reaches a specified size or age.
Journalbeat provides a default policy that you can load when you set up Journalbeat. The default policy is applied to any new indices created by Journalbeat. You can edit the policy to modify the lifecycle of both new and existing indices.
To use index lifecycle management on Journalbeat indices:
- Enable index lifecycle management by setting ilm.enabled: true in the Elasticsearch output configuration. For example:

      output.elasticsearch:
        hosts: ["localhost:9200"]
        ilm.enabled: true

  This configuration overwrites your index settings and adjusts the Journalbeat template to use the correct settings for index lifecycle management.

  If you’ve previously loaded the index template for this version into Elasticsearch, you must overwrite the template by setting setup.template.overwrite: true.

  The rollover alias is set to journalbeat-{beat.version} by default. You can change the prefix used in the alias by setting ilm.rollover_alias, but you can’t remove {beat.version} from the rollover alias name. The default pattern used for the rollover index is %{now/d}-000001. You can change the pattern by setting ilm.pattern. For example:

      output.elasticsearch:
        hosts: ["localhost"]
        ilm.enabled: true
        ilm.rollover_alias: "journalbeat"
        ilm.pattern: "{now/d}-000001"

  Date math is supported here. For more information, see Using date math with the rollover API.

  If you modify the rollover_alias or pattern settings after loading the index template, you must overwrite the template to apply the changes.

- Load the default policy into Elasticsearch. You can either use the setup command to load the policy without modifying it, or modify the policy and load it manually.

  To use the setup command, run:

      journalbeat setup --ilm-policy

  After loading the default policy, you can edit it in the Index lifecycle policies UI in Kibana. For more information about working with the UI, see Index lifecycle policies.

  To modify the default policy before loading it, run journalbeat export ilm-policy to print the policy to stdout. Modify the policy, then use the Create lifecycle policy API to load it into Elasticsearch.
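The modify-then-load path from the last step, as an added example (not Elastic's code): it adjusts the rollover thresholds of an exported policy, adds a delete phase to bound retention, and builds the Create lifecycle policy API request without sending it. The sample policy body, the thresholds and the localhost URL are constructed assumptions; beats-default-policy is the policy name used elsewhere on this page.

```python
import json
import urllib.request

# Constructed sample of what `journalbeat export ilm-policy` prints (assumed shape).
EXPORTED_POLICY = """
{"policy": {"phases": {"hot": {"actions":
  {"rollover": {"max_size": "50gb", "max_age": "30d"}}}}}}
"""

def tighten_policy(exported, max_size, max_age, delete_after=None):
    """Return the exported policy with new rollover thresholds and,
    optionally, a delete phase that removes indices after delete_after."""
    policy = json.loads(exported)
    phases = policy["policy"]["phases"]
    rollover = phases["hot"]["actions"].get("rollover")
    if rollover is None:
        raise ValueError("exported policy has no hot-phase rollover action")
    rollover["max_size"] = max_size
    rollover["max_age"] = max_age
    if delete_after is not None:
        phases["delete"] = {"min_age": delete_after, "actions": {"delete": {}}}
    return policy

def build_put_request(base_url, policy_name, policy):
    """Build (but do not send) the PUT _ilm/policy/<name> request."""
    return urllib.request.Request(
        url=f"{base_url.rstrip('/')}/_ilm/policy/{policy_name}",
        data=json.dumps(policy).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="PUT",
    )

if __name__ == "__main__":
    policy = tighten_policy(EXPORTED_POLICY, "10gb", "7d", delete_after="90d")
    req = build_put_request("http://localhost:9200", "beats-default-policy", policy)
    print(req.get_method(), req.full_url)
    print(json.dumps(policy, indent=2))
    # Review the body, then send it with urllib.request.urlopen(req).
```
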
Advanced ILM settings
We recommend that you avoid modifying these settings unless you know what you’re doing.
The default index lifecycle management settings work best for common use cases that work with the automated alias setup described earlier. It is possible to use multiple write aliases with dynamic index patterns, but this requires manual setup. This section describes the configuration options you need to change.
Let’s assume you have the index pattern customname-%{event.module} where event.module can have the values system and apache. First you must set up a rollover index for customname-system and customname-apache. For details on how to do this, see Rollover Index.
Next, set the index pattern in the Elasticsearch output. For example:
If you change the index name, you must also set the template name, template pattern, rollover alias, and lifecycle name. The best way to set these is through an Elasticsearch template. It’s possible to disable the template loading in Journalbeat and specify these settings in your own template. Or you can use the following config options in Journalbeat:

    setup.template.name: "customname"
    setup.template.pattern: "customname-*"
    setup.template.settings.index.lifecycle.rollover_alias: "customname"
    setup.template.settings.index.lifecycle.name: "beats-default-policy"

If you set the options manually as shown in this example, do not set ilm.enabled, or the settings specified in the configuration file will be overwritten.
This configuration results in a managed index named something like customname-2025-01-10-000001 and the following index settings:

    "aliases" : {
      "customname" : {
        "is_write_index" : true
      }
    },
    ...
    "index" : {
      "lifecycle" : {
        "name" : "beats-default-policy",
        "rollover_alias" : "customname"
      },
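A lint for the rules stated in the setup steps and in the advanced section, as an added example (not part of Journalbeat): it flags ilm.enabled combined with manual lifecycle template settings, a custom index missing any of the four template options, and a changed alias or pattern without setup.template.overwrite. The config is assumed to be already parsed into a mapping, and the function names are hypothetical.

```python
# Options the page says must accompany a custom index name.
REQUIRED_MANUAL = (
    "setup.template.name",
    "setup.template.pattern",
    "setup.template.settings.index.lifecycle.rollover_alias",
    "setup.template.settings.index.lifecycle.name",
)
ES = "output.elasticsearch."

def flatten(cfg, prefix=""):
    """Collapse nested mappings into dotted keys (Beats accepts both forms)."""
    flat = {}
    for key, value in cfg.items():
        if isinstance(value, dict):
            flat.update(flatten(value, f"{prefix}{key}."))
        else:
            flat[f"{prefix}{key}"] = value
    return flat

def lint_ilm(cfg):
    """Return findings for a parsed Journalbeat config (hypothetical helper)."""
    flat = flatten(cfg)
    ilm_on = flat.get(ES + "ilm.enabled") is True
    manual = [k for k in REQUIRED_MANUAL if k in flat]
    findings = []
    if ilm_on and manual:
        findings.append("ilm.enabled will overwrite: " + ", ".join(manual))
    if ES + "index" in flat and not ilm_on:
        missing = [k for k in REQUIRED_MANUAL if k not in flat]
        if missing:
            findings.append("custom index is missing: " + ", ".join(missing))
    # Only matters if the template was loaded before the change; the lint cannot tell.
    changed = [k for k in ("ilm.rollover_alias", "ilm.pattern") if ES + k in flat]
    if ilm_on and changed and flat.get("setup.template.overwrite") is not True:
        findings.append("set setup.template.overwrite: true to apply: " + ", ".join(changed))
    return findings

# Constructed sample: the page's manual template options plus ilm.enabled.
SAMPLE = {
    "output.elasticsearch": {"hosts": ["localhost:9200"], "ilm.enabled": True,
                             "index": "customname-%{event.module}"},
    "setup.template.name": "customname",
    "setup.template.pattern": "customname-*",
    "setup.template.settings.index.lifecycle.rollover_alias": "customname",
    "setup.template.settings.index.lifecycle.name": "beats-default-policy",
}

if __name__ == "__main__":
    for finding in lint_ilm(SAMPLE):
        print("WARN:", finding)
```
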