Skip to content

Spike - Viability analysis of creating ISM policies within a plugin #435

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
4 tasks done
Tracked by #425
, #22887
...
AlexRuiz7 opened this issue Dec 11, 2024 · 16 comments · May be fixed by #269
Closed
4 tasks done
Tracked by #425
, #22887
...

Spike - Viability analysis of creating ISM policies within a plugin #435

AlexRuiz7 opened this issue Dec 11, 2024 · 16 comments · May be fixed by #269
Assignees
@f-galland
Labels
level/task Task issue phase/spike type/enhancement Enhancement issue type/research Research issue

Comments

@AlexRuiz7
Copy link
Member

AlexRuiz7 commented Dec 11, 2024
edited
Loading

Description

Related issues:

One of the main requirements of the Indexer initialization plugin project is to include aliases and rollover policies to stream indices by default, as Index Management related features.

For Wazuh 5, we have identified 2 stream indices:

  • wazuh-alerts data stream.
  • wazuh-archives data stream.

The setup plugin (see #9) generates indices for both data streams at startup, wazuh-alerts-5.x-0001 and wazuh-archives-5.x-0001 respectively.

On this issue, we are going to create aliases and rollover policies for both data streams, defining the rollover criteria.

We have not yet found a simple way of interacting with the OpenSearch's Indexer Management plugin, which is responsible for these things. As part of this issue, we will investigate how to implement these features within our setup plugin.

Functional requirements

  • The wazuh-alerts data stream is associated to an alias.
  • The wazuh-alerts data stream is managed by an active rollover policy.
  • The wazuh-archives data stream is associated to an alias.
  • The wazuh-archives data stream is managed by an active rollover policy.
  • Aliases and rollover policies are generated automatically.

Implementation restrictions

  • The initialization of the index aliases and the rollover policies are the responsibility of the setup plugin.

Plan

  • Spike. Investigate how the IM plugin persists such data.
  • Spike. Reproduce the IM creation of policies.
  • Define aliases names.
  • Define rollover policies.
@AlexRuiz7 AlexRuiz7 added level/task Task issue type/enhancement Enhancement issue labels Dec 11, 2024
@AlexRuiz7 AlexRuiz7 mentioned this issue Dec 11, 2024
Open
29 tasks
@wazuhci wazuhci moved this to Backlog in XDR+SIEM/Release 6.0.0 Dec 11, 2024
@wazuhci wazuhci moved this from Backlog to In progress in XDR+SIEM/Release 6.0.0 Jan 14, 2025
@AlexRuiz7 AlexRuiz7 mentioned this issue Jan 15, 2025
Closed
5 tasks
@mcasas993
Copy link
Contributor

mcasas993 commented Jan 16, 2025
edited
Loading

Investigation of how the ISM plugin persists such data

export enum INDEX {
  OPENDISTRO_ISM_CONFIG = ".opendistro-ism-config",
}

  • This class document and control the mapping of policy schema in ISM Plugin.

  • Effectivily, after create a policy, I can search it in the .opendistro-ism-config index:

Image

GET /.opendistro-ism-config/_search 

{
  "took": 2,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 1,
      "relation": "eq"
    },
    "max_score": 1,
    "hits": [
      {
        "_index": ".opendistro-ism-config",
        "_id": "first_test",
        "_score": 1,
        "_source": {
          "policy": {
            "policy_id": "first_test",
            "description": "A first test of creation of an policy",
            "last_updated_time": 1736967823609,
            "schema_version": 21,
            "error_notification": null,
            "default_state": "pre_alias_removed",
            "states": [
              {
                "name": "pre_alias_removed",
                "actions": [
                  {
                    "retry": {
                      "count": 3,
                      "backoff": "exponential",
                      "delay": "1h"
                    },
                    "alias": {
                      "actions": [
                        {
                          "remove": {
                            "aliases": [
                              "commands"
                            ]
                          }
                        }
                      ]
                    }
                  }
                ],
                "transitions": []
              }
            ],
            "ism_template": [],
            "user": {
              "name": "admin",
              "backend_roles": [
                "admin"
              ],
              "roles": [
                "own_index",
                "all_access"
              ],
              "custom_attribute_names": [],
              "user_requested_tenant": null
            }
          }
        }
      }
    ]
  }
}

UPDATE

  • The alias to do the rollover is applied in the settings of index that we want to manage with the policy
PUT /our_index/_settings
{
  "index": {
    "plugins": {
      "index_state_management": {
        "rollover_alias": "name_of_alias_to_rollover"
      }
    }
  }
}

@mcasas993
Copy link
Contributor

mcasas993 commented Jan 21, 2025
edited
Loading

Complete test of policy to rollover

1. Test in dashboard ### 1. Test in dashboard

Policy created to rollover alias

Image

GET /.opendistro-ism-config/_search/
{
  "query": {
    "match": {
      "_id":"policy_rollover_6"
    }
  }
}

{
  "took": 1,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 1,
      "relation": "eq"
    },
    "max_score": 1,
    "hits": [
      {
        "_index": ".opendistro-ism-config",
        "_id": "policy_rollover_6",
        "_score": 1,
        "_source": {
          "policy": {
            "policy_id": "policy_rollover_6",
            "description": "Created first the policy",
            "last_updated_time": 1737399485357,
            "schema_version": 21,
            "error_notification": null,
            "default_state": "created",
            "states": [
              {
                "name": "created",
                "actions": [
                  {
                    "retry": {
                      "count": 3,
                      "backoff": "exponential",
                      "delay": "1m"
                    },
                    "rollover": {
                      "min_doc_count": 3,
                      "copy_alias": true
                    }
                  }
                ],
                "transitions": [
                  {
                    "state_name": "rollovered",
                    "conditions": {
                      "min_doc_count": 3
                    }
                  }
                ]
              },
              {
                "name": "rollovered",
                "actions": [],
                "transitions": []
              }
            ],
            "ism_template": [
              {
                "index_patterns": [
                  "another-*"
                ],
                "priority": 1,
                "last_updated_time": 1737382578280
              }
            ],
            "user": {
              "name": "admin",
              "backend_roles": [
                "admin"
              ],
              "roles": [
                "own_index",
                "all_access"
              ],
              "custom_attribute_names": [],
              "user_requested_tenant": null
            }
          }
        }
      }
    ]
  }
}

Index created and with an alias associated

Image

Policy applied with the alias specified

Image
GET /another-rollover/_settings 

{
  "another-rollover-index-00001": {
    "settings": {
      "index": {
        "replication": {
          "type": "DOCUMENT"
        },
        "refresh_interval": "1s",
        "number_of_shards": "1",
        "plugins": {
          "index_state_management": {
            "rollover_alias": "another-rollover",
            "auto_manage": "false"
          }
        },
        "provided_name": "another-rollover-index-00001",
        "creation_date": "1737399216111",
        "number_of_replicas": "0",
        "uuid": "WSeQeDH7S7a9LQTs0qqTSw",
        "version": {
          "created": "136347827"
        }
      }
    }
  }
}

Create documents in the test index

Create five documents like this:

POST /another-rollover/_doc
{
  "name": "Another Example",
  "price": 19.99,
  "description": "We are such stuff as dreams are made on"
}

Results of the policy run

Image

Result in another-rollover-index-00001 index

Image

Result in another-rollover-index-00002 index

Image

2. Test in manually in DevOp

2. Test in manually in DevOp

Policy created to rollover alias

POST .opendistro-ism-config/_doc/manual_policy_rollover_3
     {
      "policy": {
          "description": "Created third manual rollover the policy",
          "last_updated_time": 1737399485357,
          "schema_version": 21,
          "error_notification": null,
          "default_state": "Initial",
          "states": [
            {
              "name": "Initial",
              "actions": [
                {
                  "retry": {
                    "count": 3,
                    "backoff": "exponential",
                    "delay": "1m"
                  },
                  "rollover": {
                    "min_doc_count": 3,
                    "copy_alias": true
                  }
                }
              ],
              "transitions": [
                {
                  "state_name": "Rollovered",
                  "conditions": {
                    "min_doc_count": 3
                  }
                }
              ]
            },
            {
              "name": "Rollovered",
              "actions": [],
              "transitions": []
            }
          ],
          "ism_template": [
            {
              "index_patterns": [
                "manual-*"
              ],
              "priority": 1,
              "last_updated_time": 1737382578280
            }
          ],
          "user": {
            "name": "admin",
            "backend_roles": [
              "admin"
            ],
            "roles": [
              "own_index",
              "all_access"
            ],
            "custom_attribute_names": [],
            "user_requested_tenant": null
          }
        }
      }

Index created and with an alias associated

Image

Policy applied with the alias specified

PUT /manual-0001/_settings
{
  "index": {
    "plugins": {
      "index_state_management": {
        "rollover_alias": "manual"
      }
    }
  }
}

Policy applied with the alias specified

POST .opendistro-ism-config/_doc/
{
    "managed_index": {
      "name": "manual-0001",
      "enabled": false,
      "index": "manual-0001",
      "index_uuid": "OG3zRya0RoiKpjbxyJTbbA",
      "schedule": {
        "interval": {
          "start_time": 1737494828282,
          "period": 5,
          "unit": "Minutes"
        }
      },
      "last_updated_time": 1737496659085,
      "enabled_time": null,
      "policy_id": "manual_policy_rollover_3",
      "policy_seq_no": 2510,
      "policy_primary_term": 3,
      "policy": {
            "description": "Created third manual rollover the policy",
            "last_updated_time": 1737399485357,
            "schema_version": 21,
            "error_notification": null,
            "default_state": "Initial",
            "states": [
              {
                "name": "Initial",
                "actions": [
                  {
                    "retry": {
                      "count": 3,
                      "backoff": "exponential",
                      "delay": "1m"
                    },
                    "rollover": {
                      "min_doc_count": 3,
                      "copy_alias": true
                    }
                  }
                ],
                "transitions": [
                  {
                    "state_name": "Rollovered",
                    "conditions": {
                      "min_doc_count": 3
                    }
                  }
                ]
              },
              {
                "name": "Rollovered",
                "actions": [],
                "transitions": []
              }
            ],
            "ism_template": [
              {
                "index_patterns": [
                  "manual-*"
                ],
                "priority": 1,
                "last_updated_time": 1737382578280
              }
            ],
            "user": {
              "name": "admin",
              "backend_roles": [
                "admin"
              ],
              "roles": [
                "own_index",
                "all_access"
              ],
              "custom_attribute_names": [],
              "user_requested_tenant": null
            }
          },
      "change_policy": null,
      "jitter": 0.6
    }
}

Results of the policy run

Image

Results of the policy run in manual-0001

Image

@mcasas993
Copy link
Contributor

mcasas993 commented Jan 22, 2025
edited
Loading

Complete test of policy to rollover based on the previous issue

Test the issue steps

Test the issue steps

Applied an ISM policy for rollover as follows:

  1. Template modification

  • Edit /etc/filebeat/wazuh-template.json and add the following line inside the settings block:

    ```json
"index.plugins.index_state_management.rollover_alias": "test"
```

  • Restart wazuh-manager

    systemctl restart wazuh-manager.service
  1. ISM rollover and alias policy

    • Push ISM policy to the Wazuh indexer cluster:

      "min_size": "250mb" for testing purposes only

curl -XPOST  -k -u admin:$admin_pass "https://127.0.0.1:9200/.opendistro-ism-config/_doc/MANUAL_wazuh_rollover_policy" -H 'Content-Type: application/json' -d'
{
    "policy": {
      "policy_id": "MANUAL_wazuh_rollover_policy",
      "description": "Wazuh rollover and alias policy created directly on index .opendistro-ism-config",
      "last_updated_time": 1737572429671,
      "schema_version": 21,
      "error_notification": null,
      "default_state": "active",
      "states": [
        {
          "name": "active",
          "actions": [
            {
              "retry": {
                "count": 3,
                "backoff": "exponential",
                "delay": "1m"
              },
              "rollover": {
                "min_size": "250mb",
                "copy_alias": false
              }
            }
          ],
          "transitions": []
        }
      ],
      "ism_template": [
        {
          "index_patterns": [
            "wazuh-alerts-*"
          ],
          "priority": 50,
          "last_updated_time": 1737572429671
        }
      ],
      "user": {
        "name": "admin",
        "backend_roles": [
          "admin"
        ],
        "roles": [
          "own_index",
          "all_access"
        ],
        "custom_attribute_names": [],
        "user_requested_tenant": null
      }
    }
}'
* Create initial index and quick-start the rolling process:
```bash
curl -k -u admin:$admin_pass -X PUT "https://127.0.0.1:9200/%3Ctest-1.x-%7Bnow%2Fd%7D-000001%3E?pretty" -H 'Content-Type: application/json' -d'

{
"aliases": {
"test": {
"is_write_index": true
}
}
}'

**RESULT**
Error: ""message": "Missing rollover_alias index setting [index=test-1.x-2025.01.22-000001]""

![Image](https://github.com/user-attachments/assets/3656f2b7-477a-49a9-88b7-05473217eaac)

3. Try with a the template to the index
   * Create a template to the index
    ![Image](https://github.com/user-attachments/assets/f731e246-fe23-4b65-8b86-31639e0d027f)
   
   *Delete the manage of the policy in the index
    ![Image](https://github.com/user-attachments/assets/dcaf651d-3970-4190-8c9d-2564b24eda91)

   *Delete the index
    In Dev Tools: DELETE /test-1.x-2025.01.22-000001

    * Create initial index and quick-start the rolling process:
    ```bash
    curl -k -u admin:$admin_pass -X PUT "https://127.0.0.1:9200/%3Ctest-1.x-%7Bnow%2Fd%7D-000001%3E?pretty" -H 'Content-Type: application/json' -d'
{
  "aliases": {
    "test": {
      "is_write_index": true
    }
  }
}'

RESULT
Error: ""message": "Missing rollover_alias index setting [index=test-1.x-2025.01.22-000001]""

Image

  1. Put the settiing in the index
PUT /test/_settings
{
  "index": {
    "plugins": {
      "index_state_management": {
        "rollover_alias": "test"
      }
    }
  }
}

RESULT
Error: ""message": "{
"cause": "Rollover alias [test] can point to multiple indices, found duplicated alias [[test]] in index template [test]",
"message": "Failed to rollover index [index=test-1.x-2025.01.22-000001]"
}""

Image

@AlexRuiz7 AlexRuiz7 mentioned this issue Jan 23, 2025
Closed
4 tasks
@wazuhci wazuhci moved this from In progress to On hold in XDR+SIEM/Release 6.0.0 Jan 23, 2025
@AlexRuiz7 AlexRuiz7 self-assigned this Jan 24, 2025
@wazuhci wazuhci moved this from On hold to In progress in XDR+SIEM/Release 6.0.0 Jan 24, 2025
@AlexRuiz7
Copy link
Member Author

AlexRuiz7 commented Jan 24, 2025
edited
Loading

Simple ISM configuration

Below there is a simple ISM configuration to automatically roll over the wazuh-commands indices.

PUT _template/wazuh-commands
{
  "index_patterns": [
    "wazuh-commands*"
  ],
  "mappings": {
    "date_detection": false,
    "dynamic": "true",
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "agent": {
        "properties": {
          "groups": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "command": {
        "properties": {
          "action": {
            "properties": {
              "args": {
                "type": "object"
              },
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "version": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "order_id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "request_id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "result": {
            "properties": {
              "code": {
                "type": "short"
              },
              "data": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "message": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "source": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "status": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "target": {
            "properties": {
              "id": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "type": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "timeout": {
            "type": "short"
          },
          "user": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "delivery_timestamp": {
        "type": "date"
      }
    }
  },
  "order": 1,
  "settings": {
    "index": {
      "number_of_replicas": "0",
      "number_of_shards": "1",
      "query.default_field": [
        "command.source",
        "command.target.type",
        "command.status",
        "command.action.name"
      ],
      "refresh_interval": "5s",
      "plugins.index_state_management.rollover_alias": "wazuh-commands"
    }
  },
  "version": 500
}
PUT _plugins/_ism/policies/wazuh_rollover_policy
{
  "policy": {
    "description": "Wazuh rollover and alias policy",
    "default_state": "active",
    "states": [
      {
        "name": "active",
        "actions": [
          {
            "rollover": {
              "min_index_age": "5m"
            }
          }
        ]
      }
    ],
    "ism_template": {
      "index_patterns": ["wazuh-commands*"],
      "priority": "50"
    }
  }
}
PUT wazuh-commands-0001
{
  "aliases": {
    "wazuh-commands": {
      "is_write_index": true
    }
  }
}

Image

@AlexRuiz7 AlexRuiz7 removed their assignment Jan 24, 2025
@wazuhci wazuhci moved this from In progress to On hold in XDR+SIEM/Release 6.0.0 Jan 24, 2025
@wazuhci wazuhci moved this from On hold to In progress in XDR+SIEM/Release 6.0.0 Jan 27, 2025
@wazuhci wazuhci moved this from In progress to On hold in XDR+SIEM/Release 6.0.0 Jan 29, 2025
@wazuhci wazuhci moved this from On hold to In progress in XDR+SIEM/Release 6.0.0 Jan 30, 2025
@mcasas993
Copy link
Contributor

mcasas993 commented Jan 30, 2025
edited by AlexRuiz7
Loading

Test ISM rollover configuration by creating the policy directly on the index .opendistro-ism-config

  1. Add index template for the indices with the setting "plugins.index_state_management.rollover_alias": "<alias>".

    Upload template 
    PUT _template/wazuh-commands
{
  "index_patterns": [
    "wazuh-commands*"
  ],
  "mappings": {
    "date_detection": false,
    "dynamic": "true",
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "agent": {
        "properties": {
          "groups": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "command": {
        "properties": {
          "action": {
            "properties": {
              "args": {
                "type": "object"
              },
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "version": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "order_id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "request_id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "result": {
            "properties": {
              "code": {
                "type": "short"
              },
              "data": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "message": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "source": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "status": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "target": {
            "properties": {
              "id": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "type": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "timeout": {
            "type": "short"
          },
          "user": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "delivery_timestamp": {
        "type": "date"
      }
    }
  },
  "order": 1,
  "settings": {
    "index": {
      "number_of_replicas": "0",
      "number_of_shards": "1",
      "query.default_field": [
        "command.source",
        "command.target.type",
        "command.status",
        "command.action.name"
      ],
      "refresh_interval": "5s",
      "plugins.index_state_management.rollover_alias": "wazuh-commands"
    }
  },
  "version": 500
}

  1. Index policy

    Index policy in `.opendistro-ism-config` 
    POST .opendistro-ism-config/_doc/wazuh_rollover_policy
{
          "policy": {
            "policy_id": "wazuh_rollover_policy",
            "description": "Wazuh rollover and alias policy",
            "last_updated_time": 1738255639727,
            "schema_version": 21,
            "error_notification": null,
            "default_state": "active",
            "states": [
              {
                "name": "active",
                "actions": [
                  {
                    "retry": {
                      "count": 3,
                      "backoff": "exponential",
                      "delay": "1m"
                    },
                    "rollover": {
                      "min_index_age": "5m",
                      "copy_alias": false
                    }
                  }
                ],
                "transitions": []
              }
            ],
            "ism_template": [
              {
                "index_patterns": [
                  "wazuh-commands*"
                ],
                "priority": 50,
                "last_updated_time": 1738255639727
              }
            ],
            "user": {
              "name": "admin",
              "backend_roles": [
                "admin"
              ],
              "roles": [
                "own_index",
                "all_access"
              ],
              "custom_attribute_names": [],
              "user_requested_tenant": null
            }
          }
      }

  2. Create initial index with alias

    Create index alias 
    PUT wazuh-commands-0001
{
  "aliases": {
    "wazuh-commands": {
      "is_write_index": true
    }
  }
}

RESULTS

Policy created

Image

Policy managed indexes

Image

Index created

Image

Configuration of active index with alias set

Image

@mcasas993
Copy link
Contributor

mcasas993 commented Jan 30, 2025
edited
Loading

Define aliases name

The best options to the alias are the name for the index without any aggregation of number, date or anything:

  • wazuh-alerts
  • wazuh-commands

Because the prefix "wazuh" indicates that these are indexes generated for Wazuh automatically.

@mcasas993
Copy link
Contributor

mcasas993 commented Jan 31, 2025
edited by AlexRuiz7
Loading

Define rollover policies

After careful consideration and analysis of the requirements from both the previous issues and industry best practices, I think the best options to implement a rollover policy for Wazuh data streams are the following conditions:

  1. Maximum Document Count: 20,000,000,000 documents
  2. Maximum Shard Size: 25 GB per shard
  3. Maximum Index Age: 7 days

Justification:

  • Maximum Document Count: Setting a maximum document count of 20 billion ensures we adhere to the limitations of OpenSearch while accommodating hyper-scaling scenarios.

  • Maximum Shard Size: A maximum shard size of 25 GB aligns with best practices for performance. Shard sizes in this range (between 10-50 GB) help balance the need for efficient metadata management while allowing for effective data distribution across the cluster. This approach mitigates issues related to excessive small shards, which could lead to exhausting JVM memory.

  • Maximum Index Age: Limiting the index age to 7 days prevents the cluster from being cluttered with indices that do not, in fact, enhance performance. If the shard size limit or document count limit has not been reached, there is not much benefit in generating numerous indexes just because of their age.

Policies

Policy for wazuh-commands*

"policy": {
    "policy_id": "wazuh-command_rollover_policy",
    "description": "Wazuh-command rollover and alias policy",
    "last_updated_time": XXXXX,
    "schema_version": XXXX,
    "error_notification": null,
    "default_state": "active",
    "states": [
      {
        "name": "active",
        "actions": [
          {
            "retry": {
              "count": 3,
              "backoff": "exponential",
              "delay": "1m"
            },
            "rollover": {
              "min_doc_count": 200000000,
              "min_index_age": "7d",
              "min_primary_shard_size": "25gb",
              "copy_alias": false
            }
          }
        ],
        "transitions": []
      }
    ],
    "ism_template": [
      {
        "index_patterns": [
          "wazuh-commands*"
        ],
        "priority": 50,
        "last_updated_time": XXXXX
      }
    ]
  }

Policy for wazuh-alerts*

"policy": {
    "policy_id": "wazuh-alerts_rollover_policy",
    "description": "Wazuh-alerts rollover and alias policy",
    "last_updated_time": XXXXX,
    "schema_version": XXXX,
    "error_notification": null,
    "default_state": "active",
    "states": [
      {
        "name": "active",
        "actions": [
          {
            "retry": {
              "count": 3,
              "backoff": "exponential",
              "delay": "1m"
            },
            "rollover": {
              "min_doc_count": 200000000,
              "min_index_age": "7d",
              "min_primary_shard_size": "25gb",
              "copy_alias": false
            }
          }
        ],
        "transitions": []
      }
    ],
    "ism_template": [
      {
        "index_patterns": [
          "wazuh-alerts*"
        ],
        "priority": 50,
        "last_updated_time": XXXXX
      }
    ]
  }

@wazuhci wazuhci moved this from In progress to Pending review in XDR+SIEM/Release 6.0.0 Jan 31, 2025
@wazuhci wazuhci moved this from Pending review to In review in XDR+SIEM/Release 6.0.0 Feb 6, 2025
@wazuhci wazuhci moved this from In review to In progress in XDR+SIEM/Release 6.0.0 Feb 6, 2025
@f-galland f-galland mentioned this issue Feb 7, 2025
Draft
@f-galland f-galland linked a pull request Feb 7, 2025 that will close this issue
Add a rollover policy to the setup plugin #269
Draft
@f-galland
Copy link
Member

We were able to get the policy to be applied from our setup plugin:

Comments in the PR explain how to try that out.

@f-galland f-galland self-assigned this Apr 4, 2025
@wazuhci wazuhci moved this from On hold to In progress in XDR+SIEM/Release 6.0.0 Apr 4, 2025
@wazuhci wazuhci moved this from In progress to On hold in XDR+SIEM/Release 6.0.0 Apr 10, 2025
@wazuhci wazuhci moved this from On hold to Backlog in XDR+SIEM/Release 6.0.0 May 9, 2025
@wazuhci wazuhci moved this to Backlog in XDR+SIEM/Release 6.0.0 May 12, 2025
@f-galland f-galland changed the title Rollover and alias for stream indices Spike - Viability analysis of creating ISM policies within a plugin May 21, 2025
@f-galland f-galland mentioned this issue May 21, 2025
Open
11 tasks
@f-galland f-galland transferred this issue from wazuh/wazuh-indexer May 21, 2025
@wazuhci wazuhci moved this to Backlog in XDR+SIEM/Release 5.0.0 May 21, 2025
@f-galland f-galland self-assigned this May 26, 2025
@wazuhci wazuhci moved this from Backlog to In progress in XDR+SIEM/Release 5.0.0 May 26, 2025
@f-galland
Copy link
Member

A viable approach has been demonstrated on the PoC in the linked PR.

However, a new official OpenSearch plugin was released in the meantime which may cover our needs:

I'm running a quick PoC to test whether this can be used to load an ISM policy on startup.

@f-galland
Copy link
Member

Upon closer inspection, the opensearch-system-templates plugin, seems to be geared towards setting up so-called Index Contexts, which are a set of customized settings and mappings to improve performance of indices.

As of today, the code of the plugin still looks somewhat minimal:

I don't think this will be useful at all to load our own ISM policies, since the policies themselves are documents.

@wazuhci wazuhci moved this from In progress to On hold in XDR+SIEM/Release 5.0.0 May 27, 2025
@wazuhci wazuhci moved this from On hold to In progress in XDR+SIEM/Release 5.0.0 May 28, 2025
@AlexRuiz7 AlexRuiz7 mentioned this issue May 29, 2025
Open
4 tasks
@f-galland
Copy link
Member

I've been trying to use the opensearch-index-management spi to try to avoid us the hassle of loading the template and creating the index .opendistro-ism-config, but the jar is not separately available as in the case of the job-scheduler.
We will resort to doing these things manually from our plugin for now, though we might revisit the issue later.

@wazuhci wazuhci moved this from In progress to Done in XDR+SIEM/Release 5.0.0 May 29, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@f-galland f-galland

Labels
level/task Task issue phase/spike type/enhancement Enhancement issue type/research Research issue
Projects
XDR+SIEM/Release 5.0.0
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add a rollover policy to the setup plugin wazuh/wazuh-indexer-plugins
3 participants
@AlexRuiz7 @mcasas993 @f-galland