GET /cowrie-*/_ilm/explain - Step 1 Load this template in Index Templates - Step 2 Create a Index Lifecycle Policy (5GB and 30 days -> Shrink with 1 primary shard and no priority) - Ensure Logstash ILM is configured in the script (see below) PUT _ilm/policy/cowrie { "policy": { "phases": { "hot": { "actions": { "rollover": { "max_primary_shard_size": "5GB", "max_age": "30d" } } }, "warm": { "min_age": "30d", "actions": { "set_priority": { "priority": 50 }, "allocate": { "number_of_replicas": 1 }, "shrink": { "number_of_shards": 1 }, "forcemerge": { "max_num_segments": 1 } } }, "cold": { "min_age": "30d", "actions": { "set_priority": { "priority": 0 } } } } } } #---------------------------- PUT _index_template/cowrie { "index_patterns": ["cowrie-*"], "template": { "settings": { "number_of_shards": 1, "number_of_replicas": 1, "max_docvalue_fields_search" : "200", "index": { "refresh_interval": "5s", "lifecycle": { "name": "cowrie", "rollover_alias": "cowrie" } } }, "mappings" : { "numeric_detection": true, "_meta" : { "beat" : "cowrie" }, "dynamic_templates": [ { "strings_as_keyword": { "match_mapping_type" : "string", "mapping": { "ignore_above" : 1024, "type": "keyword" } } }, { "strings_as_ip": { "match_mapping_type": "string", "match": "ip*", "runtime": { "type": "ip" } } } ], "properties": { "@timestamp" : { "type" : "date" }, "tags": { "ignore_above" : 1024, "type": "keyword" }, "id": { "ignore_above" : 1024, "type": "keyword" }, "name": { "ignore_above" : 1024, "type": "keyword" }, "hostname": { "ignore_above" : 1024, "type": "keyword" }, "version": { "ignore_above" : 1024, "type": "keyword" }, "type": { "ignore_above" : 1024, "type": "keyword" }, "host": { "properties": { "ip": { "type": "ip" } } }, "ecs": { "properties": { "version": { "ignore_above" : 1024, "type": "keyword" } } }, "agent": { "properties": { "ephemeral_id": { "ignore_above" : 1024, "type": "keyword" } } }, "log": { "properties": { "file": { "properties": { "path": { "ignore_above" : 1024, "type": "keyword" } } } } }, "process": { "properties": { "name": { "ignore_above" : 1024, "type": "keyword" }, "pid": { "type": "long" }, "start": { "type": "date" }, "end": { "type": "date" }, "exit_code": { "type": "long" }, "args_count":{ "type": "long" }, "uptime": { "type": "long" } } }, "event": { "properties": { "category": { "ignore_above" : 1024, "type": "keyword" }, "start": { "type": "date" }, "end": { "type": "date" }, "dataset": { "ignore_above" : 1024, "type": "keyword" }, "duration": { "type": "long" }, "id": { "ignore_above" : 1024, "type": "keyword" }, "hash": { "ignore_above" : 1024, "type": "keyword" }, "kind": { "ignore_above" : 1024, "type": "keyword" }, "type": { "ignore_above" : 1024, "type": "keyword" }, "risk_score": { "type": "float" }, "risk_score_norm": { "type": "float" }, "severity": { "type": "long" }, "original": { "type": "keyword" }, "outcome": { "type": "keyword" }, "code": { "type": "keyword" } } }, "source": { "properties": { "ip": { "type": "ip" }, "domain": { "ignore_above": 1024, "type": "keyword" }, "bytes": { "type": "long" }, "packets": { "type": "long" }, "port": { "type": "long" }, "address": { "ignore_above" : 1024, "type": "keyword" }, "geo": { "properties": { "city_name": { "type": "keyword" }, "continent_code": { "type": "keyword" }, "continent_name": { "type": "keyword" }, "country_iso_code": { "type": "keyword" }, "location": { "type": "geo_point" }, "country_name": { "type": "keyword" }, "name": { "type": "keyword" }, "postal_code": { "type": "keyword" }, "region_iso_code": { "type": "keyword" }, "region_name": { "type": "keyword" }, "timezone": { "type": "keyword" } } } } }, "dns": { "properties": { "resolved_ip": { "type": "ip" }, "answer": { "properties": { "ttl": { "type": "long" } } } } }, "destination": { "properties": { "ip": { "type": "ip" }, "port": { "type": "long" }, "address": { "ignore_above" : 1024, "type": "keyword" }, "geo": { "properties": { "city_name": { "type": "keyword" }, "continent_code": { "type": "keyword" }, "continent_name": { "type": "keyword" }, "country_iso_code": { "type": "keyword" }, "location": { "type": "geo_point" }, "country_name": { "type": "keyword" }, "name": { "type": "keyword" }, "postal_code": { "type": "keyword" }, "region_iso_code": { "type": "keyword" }, "region_name": { "type": "keyword" }, "timezone": { "type": "keyword" } } } } }, "related": { "properties": { "ip": { "type": "ip" }, "hosts": { "ignore_above" : 1024, "type": "keyword" }, "hash": { "ignore_above" : 1024, "type": "keyword" }, "user": { "ignore_above" : 1024, "type": "keyword" } } }, "user": { "properties": { "name": { "ignore_above" : 1024, "type": "keyword" }, "password": { "ignore_above" : 1024, "type": "keyword" }, "email": { "ignore_above" : 1024, "type": "keyword" }, "full_name" : { "ignore_above": 1024, "type": "keyword" }, "hash" : { "ignore_above" : 1024, "type": "keyword" }, "id": { "ignore_above" : 1024, "type": "keyword" }, "roles": { "ignore_above" : 1024, "type": "keyword" } } }, "interface": { "properties": { "alias": { "ignore_above": 1024, "type": "keyword" }, "id": { "ignore_above" : 1024, "type": "keyword" }, "name": { "ignore_above": 1024, "type": "keyword" } } }, "network": { "properties": { "name": { "ignore_above" : 1024, "type": "keyword" }, "protocol": { "ignore_above" : 1024, "type": "keyword" }, "transport": { "ignore_above" : 1024, "type": "keyword" }, "type": { "ignore_above" : 1024, "type": "keyword" }, "direction": { "ignore_above" : 1024, "type": "keyword" }, "application": { "ignore_above" : 1024, "type": "keyword" } } } } } } }