[Rule Registry] Default index settings and ILM policy for all indices #111152
Comments
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-solution (Team: SecuritySolution)
cc @weltenwort
ℹ️ I'm implementing the removal of the
Hey everyone, I removed this ticket from the backlog of the Detection Rules area. We (@elastic/security-detections-response-rules) are not the owners anymore (however, feel free to still ping us if you have any tech questions about the ticket). Ownership of this ticket and other tickets related to rule_registry (like #101016) now goes to the Detection Alerts area (
Transferring again to @elastic/response-ops as they now own the rule registry implementation.
Linking with #141146 for researching.
Closing as default index settings and ILM policy already exist for RAC indices.
Parent ticket: #101016
Summary
We never really talked about which index settings and ILM policy would be best for all RAC indices by default. What we have in the code is more like a draft and an issue was found with the default policy: #111029
kibana/x-pack/plugins/rule_registry/common/assets/lifecycle_policies/default_lifecycle_policy.ts
Lines 8 to 26 in 1205ba4
Index settings are minimalistic and defined in the technical component template:
kibana/x-pack/plugins/rule_registry/common/assets/component_templates/technical_component_template.ts
Lines 14 to 16 in 0d55d30
Ideas for the policy
We could use the `.siem-signals` policy as a base because it was in production for some time:
`30d` and `50gb` are the recommended defaults, and `max_size` is deprecated in favour of `max_primary_shard_size`:
So it could be
Some default policies also include a `_meta` object with `managed: true` and a description. Any other settings that would make sense? Data tiers, priorities, etc.?
Ideas for the settings
I was thinking about something like that:
`auto_expand_replicas: '0-1'` can be useful in simple 1-node setups (otherwise indices won't be healthy); it's used in the `event_log` plugin, for example.
`'mapping.total_fields.limit': 10000` is used in Security Solution for `.siem-signals` indices.
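The policy and settings sketched in this issue, written out as an added example (this is illustrative code, not the rule_registry plugin's own `default_lifecycle_policy.ts` or `technical_component_template.ts`). It builds an ILM policy with the `30d` / `50gb` rollover defaults, `max_primary_shard_size` instead of the deprecated `max_size`, and a `_meta` block with `managed: true`; the `defaultIndexSettings` object carries `auto_expand_replicas: '0-1'` and `mapping.total_fields.limit: 10000`. Two helpers are assumptions of this example only: `auditPolicy` flags the issues the thread mentions (deprecated `max_size`, missing rollover, unmanaged policy), and `expandedReplicas` models how Elasticsearch clamps an `auto_expand_replicas` range to the number of data nodes, which is why a single-node cluster stays green with `0-1` and yellow with a fixed `number_of_replicas: 1`.

```typescript
// Added example for this issue; not the Kibana rule_registry plugin's assets.

type RolloverAction = {
  max_age?: string;
  max_primary_shard_size?: string;
  /** Deprecated in Elasticsearch in favour of max_primary_shard_size. */
  max_size?: string;
};

interface IlmPolicy {
  policy: {
    _meta?: { managed?: boolean; description?: string };
    phases: Record<string, { min_age?: string; actions: Record<string, unknown> }>;
  };
}

// Default lifecycle policy built from the values discussed in the issue.
const defaultLifecyclePolicy: IlmPolicy = {
  policy: {
    _meta: {
      managed: true,
      description: 'Default policy for RAC alerts-as-data indices (example)',
    },
    phases: {
      hot: {
        min_age: '0ms',
        actions: {
          rollover: {
            max_age: '30d',
            max_primary_shard_size: '50gb',
          } as RolloverAction,
        },
      },
    },
  },
};

// Index settings for a technical component template, as suggested above.
const defaultIndexSettings = {
  index: {
    auto_expand_replicas: '0-1',
    'mapping.total_fields.limit': 10000,
  },
};

// Hypothetical lint helper: returns the problems the thread calls out.
function auditPolicy(p: IlmPolicy): string[] {
  const findings: string[] = [];
  const hot = p.policy.phases.hot;
  const rollover = hot?.actions.rollover as RolloverAction | undefined;
  if (!rollover) {
    findings.push('hot phase has no rollover action');
  } else {
    if (rollover.max_size !== undefined) {
      findings.push('rollover uses deprecated max_size; use max_primary_shard_size');
    }
    if (rollover.max_age === undefined && rollover.max_primary_shard_size === undefined) {
      findings.push('rollover has neither max_age nor max_primary_shard_size');
    }
  }
  if (p.policy._meta?.managed !== true) {
    findings.push('_meta.managed is not true');
  }
  return findings;
}

// Simplified model (assumption of this example, ignores allocation filtering)
// of how Elasticsearch resolves an auto_expand_replicas range such as "0-1"
// or "0-all": the replica count is nodes - 1, clamped into [min, max]. With
// one data node and "0-1" the index gets 0 replicas and is green; a fixed
// number_of_replicas of 1 would leave an unassignable replica (yellow).
function expandedReplicas(range: string, dataNodes: number): number {
  const m = /^(\d+)-(\d+|all)$/.exec(range);
  if (!m) throw new Error(`invalid auto_expand_replicas value: ${range}`);
  const min = Number(m[1]);
  const max = m[2] === 'all' ? Number.MAX_SAFE_INTEGER : Number(m[2]);
  const available = Math.max(dataNodes - 1, 0);
  return Math.max(min, Math.min(max, available));
}
```

Running `auditPolicy` over a copy of the old `.siem-signals`-style policy that still uses `max_size` and carries no `_meta` produces two findings; the policy above produces none.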