At first it's seem to be easy task since the config for creating this index is in /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json
{
"date_index_name": {
"field": "timestamp",
"date_rounding": "d",
"index_name_prefix": "{{fields.index_prefix}}",
"index_name_format": "yyyy.mm.dd",
"ignore_failure": false
}
},
But changing the index_name_format to 'xxxx.ww' and restart filebeat, it still write to old index format. Anyone know if I need to do anything else to let filebeat recognizes new pipeline config?
OK, so problem resolved after digging into Wazuh documentation.
First, the format for weekly index should be 'YYYY.ww'
Second, turned out that pipeline.json is cached into elasticsearch, and need to be purged by:
DELETE _ingest/pipeline/filebeat-7.10.2-wazuh-alerts-pipeline