Logstash can generate indices continuously, which can quietly consume disk space and degrade search performance as shard counts grow. Applying an Elasticsearch Index Lifecycle Management (ILM) policy to Logstash indices enables automated rollovers plus retention, keeping storage predictable without manual index cleanup.
Elasticsearch ILM assigns lifecycle actions through a named policy that is applied by an index template, with rollovers performed through a stable write alias. Logstash can write through that rollover alias so the first index (for example logs-000001) is created with the right template settings, keeping subsequent rollovers enrolled in the same policy.
The index template must match the actual index naming pattern produced by Logstash and must set index.lifecycle.name plus index.lifecycle.rollover_alias to values that exactly match the Logstash output configuration. Secured clusters commonly require https and authentication for both Logstash and curl API checks, and ILM is applied automatically only to indices created after the template is present.
Steps to apply an Elasticsearch ILM policy to Logstash indices:
- Pick an ILM policy name and rollover alias for the Logstash indices.
Example values: ILM policy logstash-hot-warm with rollover alias logstash-ilm.
- Create the ILM policy in Elasticsearch.
- Create an index template that matches the Logstash index pattern and sets the ILM policy name plus rollover alias.
    {
      "index_patterns": ["logstash-ilm-*"],
      "template": {
        "settings": {
          "index.lifecycle.name": "logstash-hot-warm",
          "index.lifecycle.rollover_alias": "logstash-ilm"
        }
      }
    }
A template that does not match the Logstash index names leaves indices unmanaged by ILM.
- Update the Logstash pipeline configuration under /etc/logstash/conf.d to enable ILM in the elasticsearch output.
    input {
      file {
        path => "/var/lib/logstash/examples/ilm.log"
        start_position => "beginning"
        sincedb_path => "/var/lib/logstash/sincedb-ilm"
      }
    }
    output {
      if [log][file][path] == "/var/lib/logstash/examples/ilm.log" {
        elasticsearch {
          hosts => ["http://elasticsearch.example.net:9200"]
          ilm_enabled => true
          ilm_policy => "logstash-hot-warm"
          ilm_rollover_alias => "logstash-ilm"
          ilm_pattern => "000001"
          manage_template => false
        }
      }
    }
Setting index in the same output can bypass the rollover alias and prevent ILM rollover.
- Test the Logstash pipeline configuration.
    $ sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash --path.data /tmp/logstash-configtest --config.test_and_exit
    Configuration OK
- Restart the Logstash service to apply the ILM settings.
    $ sudo systemctl restart logstash
- Check the Logstash service status for an active state.
    $ sudo systemctl status logstash --no-pager -l
    ● logstash.service - logstash
         Loaded: loaded (/usr/lib/systemd/system/logstash.service; enabled; preset: enabled)
         Active: active (running) since Wed 2026-01-07 22:47:02 UTC; 3s ago
       Main PID: 39961 (java)
          Tasks: 31 (limit: 28486)
         Memory: 421.1M (peak: 421.1M)
            CPU: 12.196s
    ##### snipped #####
- Verify the rollover alias exists in Elasticsearch.
    $ curl -s "http://elasticsearch.example.net:9200/_alias/logstash-ilm?pretty"
    {
      "logstash-ilm-000001" : {
        "aliases" : {
          "logstash-ilm" : {
            "is_write_index" : true
          }
        }
      }
    }
Secured clusters typically require adding authentication (for example -u user:pass) and using https://host:9200.
- Verify the Logstash index is managed by the intended ILM policy.
    $ curl -s "http://elasticsearch.example.net:9200/logstash-ilm-000001/_ilm/explain?pretty"
    {
      "indices" : {
        "logstash-ilm-000001" : {
          "index" : "logstash-ilm-000001",
          "managed" : true,
          "policy" : "logstash-hot-warm",
          "index_creation_date_millis" : 1767825981053,
          "time_since_index_creation" : "58.53s",
          "lifecycle_date_millis" : 1767825981053,
          "age" : "58.53s",
          "phase" : "hot",
          "phase_time_millis" : 1767825981125,
          "action" : "rollover",
          "action_time_millis" : 1767825981125,
          "step" : "check-rollover-ready",
          "step_time_millis" : 1767825981125,
          "phase_execution" : {
            "policy" : "logstash-hot-warm",
            "phase_definition" : {
              "min_age" : "0ms",
              "actions" : {
                "rollover" : {
                  "max_age" : "1d",
                  "max_primary_shard_size" : "25gb"
                }
              }
            },
            "version" : 1,
            "modified_date_in_millis" : 1767825923346
          }
        }
      }
    }
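The two verification steps above can be combined into one repeatable check, so that a write index that silently falls out of ILM (and therefore out of log retention) is caught early. This is an added example, not part of the original guide: the function name and the sample responses are assumptions, constructed from the response shapes shown above, and it expects the parsed JSON bodies of the _alias and _ilm/explain calls.

```python
import re

def check_ilm_enrollment(alias_resp, explain_resp, policy, alias):
    """Return a list of problems; an empty list means the write index is enrolled."""
    # Indices that the alias response marks as the write index for `alias`.
    # A 404 body ({"error": ..., "status": 404}) holds no dict values and yields none.
    writers = [name for name, body in alias_resp.items()
               if isinstance(body, dict)
               and body.get("aliases", {}).get(alias, {}).get("is_write_index")]
    if len(writers) != 1:
        return [f"alias {alias!r} has {len(writers)} write indices, expected 1"]
    index, problems = writers[0], []
    # Rollover requires an index name that ends in -<number>.
    if not re.fullmatch(r".*-\d+", index):
        problems.append(f"{index}: name does not end in -<number>")
    info = explain_resp.get("indices", {}).get(index)
    if not info or not info.get("managed"):
        return problems + [f"{index}: not managed by ILM"]
    if info.get("policy") != policy:
        problems.append(f"{index}: policy is {info.get('policy')!r}, expected {policy!r}")
    # ILM reports a stalled lifecycle as step "ERROR" plus the step that failed.
    if info.get("step") == "ERROR":
        problems.append(f"{index}: ILM stopped at step {info.get('failed_step')!r}")
    return problems

# Constructed sample responses, trimmed from the shapes shown on this page.
ALIAS_OK = {"logstash-ilm-000001": {"aliases": {"logstash-ilm": {"is_write_index": True}}}}
EXPLAIN_OK = {"indices": {"logstash-ilm-000001": {
    "index": "logstash-ilm-000001", "managed": True, "policy": "logstash-hot-warm",
    "phase": "hot", "action": "rollover", "step": "check-rollover-ready"}}}
# Constructed failure cases: alias absent (404 body) and an index the template missed.
ALIAS_MISSING = {"error": "alias [logstash-ilm] missing", "status": 404}
EXPLAIN_UNMANAGED = {"indices": {"logstash-ilm-000001": {
    "index": "logstash-ilm-000001", "managed": False}}}

if __name__ == "__main__":
    for name, a, e in [("ok", ALIAS_OK, EXPLAIN_OK),
                       ("alias missing", ALIAS_MISSING, EXPLAIN_OK),
                       ("unmanaged", ALIAS_OK, EXPLAIN_UNMANAGED)]:
        print(name, check_ilm_enrollment(a, e, "logstash-hot-warm", "logstash-ilm"))
```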
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
