wazuh-packages
wazuh-packages copied to clipboard
Published
20 hours ago •
wazuh
wazuh
Wazuh Indexer ISM: The existent index does not updates the policy modification
| Wazuh version | Install type | Action performed | Platform |
|---|---|---|---|
| 4.3.0-rc6 | Indexer | Install | Any |
Rationale
When editing an existing ISM policy, the changes are not applied to the managed indices.
Steps to reproduce
1. Create Policy
- The policy is applied to the
wazuh-alerts-*index pattern, so every new index should be managed by this policy.
- The policy was created for 30 days in hot storage, 365 days in cold storage, then delete the index.
2. Apply the policy to the current indices
3. Check the managed indices
4. Edit the Policy
- Configured in 1d for hot and 2d for cold in order to check soon about the transitions
5. Check the index state transition
-
We can see the newer index was created with the policy applied, but it seems the index from the previous day is still in
hot, and should be incoldstate. -
Checking the index date
The first index (an already existent index) failed to apply the transitions after the policy modification:
Expected results
After modifying the ISM policy, the transitions for the existent indices (not only for the newly created ones) should be applied as expected, but it seems it is not, it still conserves the previous configuration.
Thank you in advance!
