Use logstash index pattern #43
Comments
|
Hi @ict-one-nl, thank you for raising the issue. Could you please give some more details on why having logstash- prefix is useful? Links to ELK docs or some other trusted sources would be perfect as well. |
|
A of people will prefix the indexes with logstash because they will have security roles enabled that enable logstash to write data to logstash-*. To KISS it's more efficient not having to create extra roles / or index patters for each individual log flow. Opensearch does this by default as well. |
|
I got what you are saying. It makes sense to me. Do you mind sharing a link to a documentation that gives similar recommendation? |
|
Well it's more like common sense, but you can see it referenced here: https://www.elastic.co/guide/en/kibana/6.8/tutorial-define-index.html#:~:text=An%20index%20pattern%20can%20match,DD%20. Also, in opensearch it's the default config. |
|
Could you please also share a link to security rules you mentioned in the first comment? |
|
Already linked the elastic docs, config example from opensearch as well: https://github.com/opensearch-project/security/blob/main/securityconfig/roles_mapping.yml |
|
Let's stick to elastic for now. Is there a doc for elastic on default security rules you've mentioned in the very first comment? |
|
I already linked the elastic docs and this is common practice. |
The default index pattern is "waf-logs-%{+YYY.MM.dd}". It's using logstash, usually logstash indexes are prefixed with logstash-*. This also helps with the default security rules. Please use logstash- at the beginning of the string.
Also WAF is a bit generic, maybe also f5 in the index name to be able to distinguish from other sources.
The text was updated successfully, but these errors were encountered: