Support for ILM in Beats

[ruflin]

With elastic/elasticsearch#29823 (comment) index lifecycle management is added to Elasticsearch. ILM is especially useful in the case of Beats to automate rollover. This will ensure all indices have a similar size instead of having daily indices where size can vary based on how many Beats and the number of events sent.

This is a description of the possible implementation in Beats. It still might change during implementation.

Technical Implementation

The basic implementation if ILM is enabled in Beats will look as following:

The Beat template will contain the ILM policy which should be used:

PUT _template/filebeat-6.5.0
{
  "index_patterns": ["filebeat-6.5.0-*"],
  "settings": {
    "index.lifecycle.name": "filebeat-policy",
    "index.lifecycle.rollover_alias": "filebeat-6.5.0"
  },
  "mappings": {
    "_doc": {
      ...
    }
  }
}

This can already configured today through the following settings in Beats:

setup.template.settings.index.lifecycle.name: "filebeat-policy"
setup.template.settings.index.lifecycle.rollover_alias: "filebeat-6.5.0"

With ILM enabled these settings will be written automatically.

As soon as the template is loaded, the Beat will check for the existance of the write alias:

HEAD filebeat-6.5.0

In case the write alias does not exist yet, it will be created:

PUT filebeat-6.5.0-000001
{
  "aliases": {
      "filebeat-6.5.0":{
            "is_write_index": true
     }
  }
}

From here on all data is sent to the filebeat-6.5.0 alias and things work like usual.

Configuration

The configuration of ILM belongs to the Elasticsearch output and could look as following.

elasticsearch.output.ilm:
  enable: true
  write_alias: filebeat
  index: filebeat # Do we even want the version to be configurable? -> ES only and a lot of people break things with it
  pattern: 000001
  policy: filebeat-policy # What if the policy is also set in the settings?

The special part in the above is that the Beat version was left out. A common issue in Beats is that the version number is sometimes remove from the index which can cause issues on migration. To prevent this issue for ILM the version is automatically added to the write alias, index names and the template. We could add an additional config like automatic_version: false to disable this feature if we want.

Question:

• Should ILM config be it's own top level entry instead of part of elasticsearch ouptut?

Example Policy

An example policy could look as following.

PUT _ilm/filebeat-policy
{
   "policy": {
     "type": "timeseries",
     "phases": {
       "hot": {
         "after": "0s",
         "actions": {
          "rollover": {
            "max_docs": "20"
          }
         }
       }
     }
   }
}

This will create a new alias every 20 documents. In a real world example larger numbers and other rollover criterias can be used.

The policy is expected to be loaded with filebeat setup ilm-policy. A policy can be loaded at any time and is not required on template generation or data ingestion.

Questions

• Do we provide a default policy?
• If yes, what is our default policy? Do we have different phases? Is it different per Beat?
• What if Beats is started against an ES instance without ILM and ILM is configured? It should not start an error out.

Notes for testing

ILM policies are triggered every 10m by default. This can be changed as a cluster setting:

PUT /_cluster/settings
{
    "persistent" : {
        "indices.lifecycle.poll_interval": "5s"
    }
}

The above means policies are triggered every 5s.

[ruflin]

For anyone that wants to play around with ILM, here is a working copy / paste example:

PUT /_cluster/settings
{
    "persistent" : {
        "indices.lifecycle.poll_interval": "5s"
    }
}

PUT _template/filebeat-6.5.0
{
  "index_patterns": ["filebeat-6.5.0-*"],
  "settings": {
    "index.lifecycle.name": "filebeat-policy",
    "index.lifecycle.rollover_alias": "filebeat-6.5.0"
  }
}

PUT filebeat-6.5.0-000001
{
  "aliases": {
      "filebeat-6.5.0":{
            "is_write_index": true
     }
  }
}

HEAD filebeat-6.5.0

PUT _ilm/filebeat-policy
{
  "policy": {
    "type": "timeseries",
    "phases": {
      "hot": {
        "actions": {
          "rollover": {
            "max_docs": "3"
          }
        }
      }
    }
  }
}

POST filebeat-6.5.0/_doc/
{
    "hello" : "world"
}

The last POST request must be execute at least 4 times to trigger a rollover.

[yaronp68]

@ruflin for version 6.x I suggest the following, in order to avoid a breaking change for unaware users:

• Policy will not be defined by a beat by default. The user will have to explicitly configure beat via start flag to define the policy
• The policy will use 1 day rollover and not size of data as currently a date pattern is used in index names to create new index daily
  Since users can change the ILM policy using API or GUI, users who won't like the rollover definition or need more definitions such as warm, cold indices or deletion of aged data, will be able to use the update policy wizard

[acchen97]

@ruflin thanks for drafting this up. Comments below...

index: filebeat # Do we even want the version to be configurable? -> ES only and a lot of people break things with it

If we strongly recommend having the version, then let's include it by default. +1 on having a flag to turn it off. For descriptiveness, perhaps it makes sense to name it index_version?

Should ILM config be it's own top level entry instead of part of elasticsearch ouptut?

Within the ES output feels like it makes sense given its an ES specific feature.

The policy is expected to be loaded with filebeat setup ilm-policy. A policy can be loaded at any time and is not required on template generation or data ingestion.

This is under the "Example Policy" section. I think it'd be worthwhile for us to recommend conducting this policy mgmt workflow completely in the ILM UI when possible. With the ILM UI in Basic, recommending the centralized and visual approach feels like a better user experience. If a user wants to use custom policies, they can create the policy in the UI and then reference it from the Beats side.

Regardless, I'd agree this filebeat setup ilm-policy feature is still of value for users who currently rely on third party config / change mgmt tools.

Do we provide a default policy?

I think we should include a default policy, especially for the getting started experience.

If yes, what is our default policy? Do we have different phases? Is it different per Beat?

We can probably start simple with one default policy with a 1d rollover, similar to the existing behavior. Additionally, we could also consider another default policy optimized for metrics (i.e. metricbeat, heartbeat, packetbeat) since they will naturally have a different storage profile. Thoughts? If needed, we'll have another opportunity at 7.0 to tweak these further after we get some customer feedback.

What if Beats is started against an ES instance without ILM and ILM is configured? It should not start an error out.

+1 on failing startup and showing a descriptive error msg. If the ILM feature isn't available in ES, configuring it in Beats would effectively be an invalid configuration.

[ruflin]

• ILM will be disable by default in 6.x as otherwise it would be a breaking change.
• For the policy: The main benefit of having ILM is that we get away from the daily indices which can lead to very uneven index sizes or too large / too small indices. So I think our default policy should not be daily indices as otherwise we would just have the same we have now but with ILM.
• index_version: I kind of like the suggestion, will play around with a few names
• If we ship with a default policy for Beats (I assume in Kibana), would it always be there by default or would the user have to trigger it? Agree that the setup command should be there in any case.
• I was thinking more about the default policy and I think our criteria should be size, something like "max_size": "25gb". The 6.x cycles allows us to play around with these params to understand what is best for 7.0. For users with more complex use cases there is going to be the wizard. The nice thing about ILM is that the policy can be adjusted at any time and will apply to all new data.

[colings86]

Can we please not have a default policy with a 1 day rollover. One of the reasons that ILM will be great for beats is that it will get rid of the daily indices idea and get users to "fill" their indices more so they avoid having 1000s of tiny indices. I think the default policy should focus on the size of the index rather than the age, at least for 7.0 onwards.

[acchen97]

If we ship with a default policy for Beats (I assume in Kibana), would it always be there by default or would the user have to trigger it? Agree that the setup command should be there in any case.

I think the default policy can be stored on either Beats or ES/KB side, but I'd agree it feels like it would make sense to have it bundled by default in ES/KB. @yaronp68 @colings86 thoughts on this?

I was thinking more about the default policy and I think our criteria should be size, something like "max_size": "25gb". The 6.x cycles allows us to play around with these params to understand what is best for 7.0. For users with more complex use cases there is going to be the wizard. The nice thing about ILM is that the policy can be adjusted at any time and will apply to all new data.

@ruflin I'm good with having just one default policy and having it based on size. 25GB sounds reasonable to start with. I'm not sure there will be a perfect value here, but curious whether there's any science behind that suggested value? Thanks @colings86 for your input on this as well.

[ruflin]

@acchen97 For the size: It's a bit smaller then 32 GB. No exact science here. Would be interesting to get feedback on this value from the field.

For the loading of the policy: I think it would be great if it would be bundled with Kibana and a user could install it with 1 click: Add Beats Policy. The policy would be the same that is loaded through metricbeat setup policy. So far I would version the policy in Beats an copy it over to Kibana. We can still figure out an automated way to keep the two in sync later.

Note: Having Kibana being able loading the policy I see as a user improvement and could still happen after 6.5.

[colings86]

@acchen97 My justification for the 25GB size is that its a bit smaller than what we tell users is the maximum size of a shard that they should aim for (which is 30GB). The reason I suggested it be a little lower than this is to give a little leeway given the rollover is run periodically so we may be slightly over the max size by the time the rollover is actually done.

[simitt]

As a starting point, you could have a look at how APM dashboards and index pattern are now bundled with Kibana and can be loaded within the APM Setup instructions (cc @sqren and @nreese).
As we still have the dashboards and index patterns within the APM Server code, we set up an automated test to check that those files are in sync. Sounds like a similar setup.