The index templates are not used
127 views
Skip to first unread message
Zoltán Beck
Feb 13, 2025, 6:56:40 AM2/13/25
to Wazuh | Mailing List
Hi,
I have created custom index templates for the wazuh-statistics-*, wazuh-monitoring-* and wazuh-alerts-* indexes. I deleted the existing indexes and restarted the indexer service. In contrast, only wazuh-alerts-* uses the template among the new indexes, the others do not.
Each index should contain 6 primary and 1 replica shard. What am I messing up?
Kind Regards,
Zoltan
Kevin Ledesma
Feb 13, 2025, 9:28:42 AM2/13/25
to Wazuh | Mailing List
Hello!
Have you followed the custom index process from the official user manual page?
The wazuh-monitoring-* index template can be modified on the Dashboard Configuration, you can create a new template and configure the dashboard to use it there.
Please, if possible, share the steps you have followed to do this customization.
Zoltán Beck
Feb 17, 2025, 5:21:28 AM2/17/25
to Wazuh | Mailing List
Hi Kevin,
I think we have misunderstood each other, as a first step I just want to get these data: wazuh-statistics-*, wazuh-monitoring-* and wazuh-alerts-* to use 6 shards and 1 replica.
In the meantime, I noticed that there are also basic templates for these indexes, each with priority 0. And I notice that even if I create a template with a higher priority for the same indexes, the template with priority 0 always applies.
So as a last test I tried to change the template with priority 0 to 6 shard and 1 replica setting via API. But even after restarting these settings are not valid, I also tried deleting all indexes to recreate them, but they are still not created with the correct settings.
GET /_template/wazuh-statistics
{
"wazuh-statistics": {
"order": 0,
"index_patterns": [
"wazuh-statistics-*"
],
"settings": {
"index": {
"refresh_interval": "5s"
}
},
Kind Regards,
I think we have misunderstood each other, as a first step I just want to get these data: wazuh-statistics-*, wazuh-monitoring-* and wazuh-alerts-* to use 6 shards and 1 replica.
In the meantime, I noticed that there are also basic templates for these indexes, each with priority 0. And I notice that even if I create a template with a higher priority for the same indexes, the template with priority 0 always applies.
So as a last test I tried to change the template with priority 0 to 6 shard and 1 replica setting via API. But even after restarting these settings are not valid, I also tried deleting all indexes to recreate them, but they are still not created with the correct settings.
GET /_cat/templates
wazuh [wazuh-alerts-4.x-*, wazuh-archives-4.x-*] 0 1
wazuh-agent [wazuh-monitoring-*] 0
wazuh-statistics [wazuh-statistics-*] 0
wazuh-states-vulnerabilities-wazuh_cluster_template [wazuh-states-vulnerabilities-*] 1 []
tenant_template [.kibana_-*_*, .kibana_0*_*, .kibana_1*_*, .kibana_2*_*, .kibana_3*_*, .kibana_4*_*, .kibana_5*_*, .kibana_6*_*, .kibana_7*_*, .kibana_8*_*, .kibana_9*_*] 2147483647 []
GET /_template/wazuh-agent
wazuh [wazuh-alerts-4.x-*, wazuh-archives-4.x-*] 0 1
wazuh-agent [wazuh-monitoring-*] 0
wazuh-statistics [wazuh-statistics-*] 0
wazuh-states-vulnerabilities-wazuh_cluster_template [wazuh-states-vulnerabilities-*] 1 []
tenant_template [.kibana_-*_*, .kibana_0*_*, .kibana_1*_*, .kibana_2*_*, .kibana_3*_*, .kibana_4*_*, .kibana_5*_*, .kibana_6*_*, .kibana_7*_*, .kibana_8*_*, .kibana_9*_*] 2147483647 []
GET /_template/wazuh-agent
{
"wazuh-agent": {
"order": 0,
"index_patterns": [
"wazuh-monitoring-*"
],
"settings": {
"index": {
"refresh_interval": "5s"
}
},
"wazuh-agent": {
"order": 0,
"index_patterns": [
"wazuh-monitoring-*"
],
"settings": {
"index": {
"refresh_interval": "5s"
}
},
...
GET /_template/wazuh-statistics
{
"wazuh-statistics": {
"order": 0,
"index_patterns": [
"wazuh-statistics-*"
],
"settings": {
"index": {
"refresh_interval": "5s"
}
},
...
Kind Regards,
Zoltan
Alejandro Ruiz Becerra
Feb 18, 2025, 10:31:23 AM2/18/25
to Wazuh | Mailing List
Hello Zoltan
You are right on your assumption. You can create multiple index templates for your indexes. If the index name matches more than one template, OpenSearch takes the mappings and settings from the template with the highest priority and applies it to the index.
You would not need to remove the existing index templates, just create custom ones modifying the sharding and the priority (order). In the example below, I modified the index template for the wazuh-monitoring indexes, and then created a new index to check it was created using the custom index template.
I hope it helps.
Regards,
You are right on your assumption. You can create multiple index templates for your indexes. If the index name matches more than one template, OpenSearch takes the mappings and settings from the template with the highest priority and applies it to the index.
You would not need to remove the existing index templates, just create custom ones modifying the sharding and the priority (order). In the example below, I modified the index template for the wazuh-monitoring indexes, and then created a new index to check it was created using the custom index template.
- First, I list the existing index templates.
- Second, we obtain the specific index template we want to modify, using the index template name from step 1.
- Upload the index template, changing the order and the number of shards.
- Newly created indices will use the index template with higher order. In this case, our custom index template.
I hope it helps.
Regards,
Alex
Reply all
Reply to author
Forward
0 new messages