Support v2 templates in ES indexing calls

[ycombinator]

Elasticsearch is introducing v2 of index templates. To understand the motivation for this change and it's details, see: elastic/elasticsearch#53101.

In 7.x (once elastic/elasticsearch#55411 is merged), Elasticsearch indexing APIs will accept an optional query string parameter: prefer_v2_templates. In 7.x, the default value for this parameter will be false, indicating that v1 templates should be used. In 8.0, the default value will change to true, indicating that v2 templates should be used.

This issue is to track changes needed in Beats to work with v2 templates. Concretely:

• For 7.x Beats:

  • If the Beat is operating standalone (i.e. not managed via Fleet + Agent), it is responsible for creating the index template (v1) in Elasticsearch. As such, indexing calls from such Beats should pass prefer_v2_templates=false in indexing requests to Elasticsearch.
  • If the Beat is being managed by Fleet, then the Beat is not responsible for creating the index template in Elasticsearch. It assumes (maybe checks?) the index template has been created before indexing it's events. Further, Fleet will create v2 index templates. So such Beats should pass prefer_v2_templates=true in indexing requests to Elasticsearch.

• Starting 8.0.0, Beats will use v2 index templates, either ones they create on their own (in standalone mode) or because Fleet created them beforehand. So such Beats should pass prefer_v2_templates=true in indexing requests to Elasticsearch.

Related: #17829

[elasticmachine]

Pinging @elastic/ingest-management (Team:Ingest Management)

[elasticmachine]

Pinging @elastic/integrations (Team:Integrations)

[urso]

If the Beat is operating standalone (i.e. not managed via Fleet + Agent), it is responsible for creating the index template (v1) in Elasticsearch. As such, indexing calls from such Beats should pass prefer_v2_templates=false in indexing requests to Elasticsearch.

In case the generated templates are the same from Beats POV, I would opt to not send a prefer_v2_templates flag at all, no matter which ES version is used. Instead we should only use prefer_v2_templates=true, iff the Beat is managed by Fleet + Elasticsearch is < 8.0. WDYT?

[ycombinator]

Agreed on both points, assuming Beats does not need to do any v1->v2 migration work (which seems quite likely to be the case, but will know for sure after #17829) .

[ph]

@urso @ycombinator what would be the best way to enable that? Are you planning to have an option in the output that we can just set?

[ycombinator]

@ph Yes, that could be one way: an option in the elasticsearch output that Agent can set. We can leave this option undocumented if we don't want end-users to use it. Alternatively, we could add a new class of settings to Beats under a fleet.* namespace if we expect there to be more "internal API" settings that only make sense between Fleet and Beats.