Question about ILM

[Maria Juárez]

I would like to ask what is an ILM? and is it related to Legacy templates? Is possible to assign an ILM to a Legacy template?

[Julio Gasco]

HI Maju,

ILM ( Index Lifecycle Management) Defines the lifecycle of your indices, You can set up policies that move your indices across different states.

For Example you can set indices in Hot State for 30 days, then move them to cold state where they can have a smaller amount of replicas, and after 60 days you Delete them.

This can be set In the index Management menu:

With setting an ILM policy you avoid your indices from filling up your wazuh-indexer server.

Rememeber that indices have the data visible in Wazuh-Dashboard, but the alerts history is retained also in the wazuh-manager (if required) so deleting the indeces does not mean loosing the data forever. It just won´t be available for visualization in Wazuh-dashboard.

You can apply ILM policies both to legacy teamplates as to compaund templates.

In the following documentation you will find some policies examples

https://docs.openstack.org/infra/ci-log-processing/opensearch-configuration.html#create-ilm-index-lifecycle-management

You can always use the graphical editor when creating a new ILM instead of creating the full JSON manually.

Additionally you can find more information on ILM in the below link:

https://www.elastic.co/guide/en/elasticsearch/reference/7.10/index-lifecycle-management.html

Let me know if this helps,

Regards!