Commit 50d3ee8

Merge branch 'main' into esql-multi-values-controls
2 parents 0d971de + 382ea0d commit 50d3ee8

19 files changed: +455 -373 lines changed
deploy-manage/monitor/orchestrators/ece-monitoring-ece-set-retention.md

Lines changed: 3 additions & 3 deletions
@@ -20,7 +20,7 @@ You might need to adjust the retention period for one of the following reasons:
2020
To customize the retention period, set up a custom lifecycle policy for logs and metrics indices:
2121

2222
1. [Create a new index lifecycle management (ILM) policy](../../../manage-data/lifecycle/index-lifecycle-management/configure-lifecycle-policy.md) in the logging and metrics cluster.
23-
2. Create a new, legacy-style, index template that matches the data view (formerly *index pattern*) that you want to customize the lifecycle for.
24-
3. Specify a lifecycle policy in the index template settings.
25-
4. Choose a higher `order` for the template so the specified lifecycle policy will be used instead of the default.
23+
2. Create a new composable index template that matches the data view (formerly *index pattern*) for the data stream you want to customize the lifecycle for.
24+
3. Specify a custom lifecycle policy in the index template settings.
25+
4. Choose a higher `priority` for the template so the specified lifecycle policy will be used instead of the default.
2626
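
Review bot: Steps 2 to 4 (new lines 23-25) carry over the legacy-template assumption that a higher-ranked template only overrides the lifecycle setting. Composable index templates are not merged with each other: the matching template with the highest `priority` is used on its own, so a new template that sets only the lifecycle policy would lose the mappings, settings and component templates of the default one. Suggest telling the reader to build the new template from a copy of the default template, or to reference the same component templates through `composed_of`. Step 2 also still says the template "matches the data view (formerly *index pattern*)"; templates match on index patterns and data view is the Kibana term, so "matches the index pattern of the data stream" would be more accurate.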

deploy-manage/tools/snapshot-and-restore/ece-restore-snapshots-into-new-deployment.md

Lines changed: 4 additions & 0 deletions
@@ -16,6 +16,10 @@ products:
1616
1. First, [create a new deployment](../../deploy/cloud-enterprise/create-deployment.md) and select **Restore snapshot data**. Select the deployment that you want to restore a snapshot *from*. If you don’t know the exact name, you can enter a few characters and then select from the list of matching deployments.
1717
2. Select the snapshot that you want to restore from. If none is chosen, the latest successful snapshot from the cluster you selected is restored on the new cluster when you create it.
1818

19+
:::{important}
20+
Note that only snapshots from the `found-snapshots` repository are accepted. Snapshots from a custom repository are not allowed.
21+
:::
22+
1923
![Restoring from a snapshot](/deploy-manage/images/cloud-enterprise-restore-from-snapshot.png "")
2024

2125
3. Manually recreate users using the X-Pack security features or using Shield on the new cluster. User information is not included when you restore across clusters.
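
Review bot: The new admonition at lines 19-21 opens with "Note that", which is redundant inside an `important` block, and it says custom-repository snapshots "are not allowed" without telling the reader what to do instead. Suggest "Only snapshots from the `found-snapshots` repository are accepted." followed by a pointer to the procedure for restoring from a custom repository, if one exists. Because the block sits between list items 2 and 3, check in the rendered page that the numbering still continues at 3.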

manage-data/ingest/ingesting-data-from-applications/ingest-logs-from-nodejs-web-application-using-filebeat.md

Lines changed: 277 additions & 343 deletions
Large diffs are not rendered by default.

manage-data/lifecycle/index-lifecycle-management.md

Lines changed: 1 addition & 1 deletion
@@ -78,7 +78,7 @@ You can create and manage index lifecycle policies through {{kib}}'s [Index Mana
7878
* [View the lifecycle status of an index or datastream](/manage-data/lifecycle/index-lifecycle-management/policy-view-status.md)
7979
* [Update or switch a lifecycle policy](/manage-data/lifecycle/index-lifecycle-management/policy-updates.md)
8080
* [Restore a managed data stream or index](/manage-data/lifecycle/index-lifecycle-management/restore-managed-data-stream-index.md)
81-
* [Customize built-in policies](/manage-data/lifecycle/index-lifecycle-management/tutorial-customize-built-in-policies.md)
81+
* [](/manage-data/lifecycle/index-lifecycle-management/tutorial-customize-built-in-policies.md)
8282

8383
Default {{ilm}} policies are created automatically when you install an [Elastic Integration](integration-docs://reference/index.md), or when you use {{agent}}, {{beats}}, or the {{ls}} {{es}} output plugin to send data to the {{stack}}.
8484
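
Review bot: The replacement at line 81 leaves the link text empty, while the three list items above it keep explicit text. If the build fills empty link text from the target page title, this bullet will now read "Customize duplicates of built-in {{ilm-init}} policies", the heading introduced in this same commit; confirm that it renders with the substitution resolved. If the build does not fill it, the bullet renders blank and the explicit text should stay.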

manage-data/lifecycle/index-lifecycle-management/configure-lifecycle-policy.md

Lines changed: 1 addition & 1 deletion
@@ -220,7 +220,7 @@ The name of the index must match the pattern defined in the index template and e
220220
This step is required only when you're planning to use {{ilm-init}} with rolling indices. It is not required when you're using data streams, where the initial managed index is created automatically.
221221

222222
::::{important}
223-
When you enable {{ilm}} for {{beats}}, {{agent}}, or for the {{agent}} or {{ls}} {{es}} output plugins, the necessary policies and configuration changes are applied automatically. If you'd like to create a specialized ILM policy for any data stream, refer to our tutorial [Customize built-in policies](/manage-data/lifecycle/index-lifecycle-management/tutorial-customize-built-in-policies.md).
223+
When you enable {{ilm}} for {{beats}}, {{agent}}, or for the {{agent}} or {{ls}} {{es}} output plugins, the necessary policies and configuration changes are applied automatically. If you'd like to create a specialized ILM policy for any data stream, refer to our tutorial [](/manage-data/lifecycle/index-lifecycle-management/tutorial-customize-built-in-policies.md).
224224
::::
225225

226226
::::{tab-set}
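
Review bot: The rewritten sentence at line 223 still spells out "ILM policy" while the other files touched in this commit switch to `{{ilm-init}}`; use the substitution here as well. The sentence also promises a tutorial for creating "a specialized ILM policy for any data stream", but the retitled target is about customizing a duplicate of a built-in policy, so the lead-in wording should be brought in line with the new title.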

manage-data/lifecycle/index-lifecycle-management/manage-lifecycle-integrations-data.md

Lines changed: 1 addition & 1 deletion
@@ -61,5 +61,5 @@ For any data stream that you're interested in, you can [view its current lifecyc
6161

6262
After you've identified one or more data streams for which you'd like to customize how the data is managed over time, refer to our tutorials:
6363

64-
* For a general guide about configuring a custom ILM policy for any managed data stream, try out our [Customize built-in policies](/manage-data/lifecycle/index-lifecycle-management/tutorial-customize-built-in-policies.md) tutorial in the data lifecycle documentation.
64+
* For steps to customize an {{ilm-init}} policy for a data stream, try out the [](/manage-data/lifecycle/index-lifecycle-management/tutorial-customize-built-in-policies.md) tutorial in the data lifecycle documentation.
6565
* For the steps to customize an ILM policy for a set of data streams, such as all logs or metrics data streams across all namespaces, across only a selected namespace, and others, check the set of tutorials in [Customize data retention policies](/reference/fleet/data-streams-ilm-tutorial.md) in the {{fleet}} and {{agent}} reference documentation.
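
Review bot: The new bullet at line 64 reads "For steps to customize an {{ilm-init}} policy" while the unchanged bullet at line 65 reads "For the steps to customize an ILM policy", so the two adjacent items now differ in both article and term. Align them by using "For the steps" and `{{ilm-init}}` in both. The new wording also drops the fact that the tutorial works on a duplicate of a built-in policy; "customize a copy of a built-in {{ilm-init}} policy" would match the retitled page.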

manage-data/lifecycle/index-lifecycle-management/policy-view-status.md

Lines changed: 1 addition & 1 deletion
@@ -36,7 +36,7 @@ If you're investigating an {{ilm-init}}-related problem, refer to [Troubleshoot
3636
:::{tip}
3737
{{es}} comes with many built-in ILM policies. For standard Observability or Security use cases, you will have two {{ilm-init}} policies configured automatically: `logs@lifecycle` for logs and `metrics@lifecycle` for metrics.
3838

39-
To learn how to create a specialized ILM policy for any data stream, such as those created when you install an Elastic Integration, refer to our tutorial [Customize built-in policies](/manage-data/lifecycle/index-lifecycle-management/tutorial-customize-built-in-policies.md).
39+
To learn how to create and adjust copies of built-in {{ilm-init}} policies for managed data streams, such as those created when you install an Elastic Integration, refer to our tutorial [](/manage-data/lifecycle/index-lifecycle-management/tutorial-customize-built-in-policies.md).
4040
:::
4141

4242
**To view the current lifecycle status for a datastream:**
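
Review bot: Line 39 now uses `{{ilm-init}}`, but line 37 of the same tip, left unchanged, still says "built-in ILM policies"; switch it to the substitution so the tip is consistent. The tip says "copies" where the tutorial's new title says "duplicates"; settle on one word across the pages touched here.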

manage-data/lifecycle/index-lifecycle-management/tutorial-customize-built-in-policies.md

Lines changed: 11 additions & 5 deletions
@@ -7,13 +7,13 @@ products:
77
- id: elasticsearch
88
---
99

10-
# Customize built-in policies
10+
# Customize duplicates of built-in {{ilm-init}} policies
1111

12-
{{es}} includes a set of built-in {{ilm-init}} policies that govern how managed indices transition as they age. This guide demonstrates how you can customize the lifecycle of a managed index, to adjust how the index transitions across [data tiers](/manage-data/lifecycle/data-tiers.md) and what [actions](/manage-data/lifecycle/index-lifecycle-management/index-lifecycle.md#ilm-phase-actions), such as downsampling or shrinking, are performed on the index during each lifecycle phase.
12+
{{es}} includes a set of built-in {{ilm-init}} policies that define how managed indices transition across [data tiers](/manage-data/lifecycle/data-tiers.md) and what [actions](/manage-data/lifecycle/index-lifecycle-management/index-lifecycle.md#ilm-phase-actions), such as rollover, downsampling, or shrinking, are performed at each phase.
1313

14-
Setting a custom {{ilm-init}} policy is useful when you have a specific set of indices, for example a set of Kubernetes logs which can grow to be quite large in volume, for which you don't want to use the default data retention duration and other {{ilm-init}} settings.
14+
This tutorial demonstrates how to create a customized copy of a built-in {{ilm-init}} policy to better fit your data retention, performance, or storage requirements. You should never edit managed policies directly, because updates to {{es}} or Elastic integrations might overwrite those changes. Instead, you can duplicate a built-in policy, modify the duplicate, and assign it to your index or component templates.
1515

16-
[{{agent}}](/reference/fleet/index.md) uses the following set of built-in {{ilm-init}} policies to manage backing indices for its data streams:
16+
While this tutorial uses [{{agent}}](/reference/fleet/index.md) and its built-in `logs@lifecycle` policy as an example, the same process can be applied to any built-in policies. Common examples include:
1717

1818
* `logs@lifecycle`
1919
* `logs-otel@lifecycle`
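
Review bot: In the new intro at line 16, "the same process can be applied to any built-in policies" should read "any built-in policy". Lines 10 to 14 use "duplicates", "customized copy" and "duplicate" for the same thing; pick one term. The H1 at line 10 now contains `{{ilm-init}}`, and this title is what the empty-text links added elsewhere in the commit will display, so verify that the substitution resolves both in the heading and in link titles.
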
@@ -23,11 +23,17 @@ Setting a custom {{ilm-init}} policy is useful when you have a specific set of i
2323
* `traces@lifecycle`
2424
* `traces-otel@lifecycle`
2525

26-
This tutorial covers customizing the way ingested logging data is managed. Rather than use the default lifecycle settings from the built-in `logs@lifecycle` {{ilm-init}} policy, you can use the **Index Lifecycle Policies** feature in {{kib}} to tailor a new policy based on your application’s specific performance, resilience, and retention requirements. This involves three main steps:
26+
Customizing an {{ilm-init}} policy is useful when you have specific data retention or rollover requirements. For example, large log or metrics data streams might need different retention periods than the built-in defaults.
27+
28+
This tutorial covers customizing the way ingested logging data is managed. Rather than use the default lifecycle settings from the built-in `logs@lifecycle` {{ilm-init}} policy, you can use the **Index Lifecycle Policies** feature in {{kib}} to tailor a new policy based on your application’s specific performance, resilience, and retention requirements. You can adapt the same steps for any policy that manages your data streams.
29+
30+
The process involves three main steps:
2731
1. [Create a duplicate of the `logs@lifecycle` policy](#example-using-index-lifecycle-policy-duplicate-ilm-policy).
2832
2. [Modify the new policy to suit your requirements](#ilm-ex-modify-policy).
2933
3. [Apply the new policy to your log data using a `logs@custom` component template](#example-using-index-lifecycle-policy-apply-policy).
3034

35+
Once applied, your customized policy will govern any new indices created after the change. Existing indices will continue to use their current lifecycle policy until they roll over. If you want the policy to take effect immediately, you can manually [roll over](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-rollover) the data stream.
36+
3137
:::{tip}
3238
* If you're using [Elastic integrations](https://docs.elastic.co/en/integrations) and are not yet familiar with which data streams are associated with them, refer to [Manage the lifecycle policy for integrations data](/manage-data/lifecycle/index-lifecycle-management/manage-lifecycle-integrations-data.md).
3339
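
Review bot: The paragraph added at line 35 says existing indices "continue to use their current lifecycle policy until they roll over", which suggests an existing index picks up the new policy at rollover. The policy is assigned to an index when it is created from the template, so a rollover creates a new backing index with the new policy while older backing indices keep the old one. Suggest: "Existing backing indices keep their current policy; only indices created after the change, including the one created by the next rollover, use the new policy." Lines 26 and 28 also state the motivation (retention requirements) in two consecutive paragraphs and could be merged.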

reference/fleet/migrate-auditbeat-to-agent.md

Lines changed: 1 addition & 1 deletion
@@ -34,7 +34,7 @@ The following table describes the integrations you can use instead of {{auditbea
3434
| {{fleet}} [system](integration-docs://reference/system/index.md) integration | Collect login events for Windows through the [Security event log](integration-docs://reference/system/index.md#security). |
3535
| [System.package](beats://reference/auditbeat/auditbeat-dataset-system-package.md) dataset | [System Audit](integration-docs://reference/system_audit/index.md) integration | This integration is a direct replacement of the System Package dataset. Starting in {{stack}} 8.7, you can port rules and configuration settings to this integration. This integration currently schedules collection of information such as:<br><br>* [rpm_packages](https://www.osquery.io/schema/5.1.0/#rpm_packages)<br>* [deb_packages](https://www.osquery.io/schema/5.1.0/#deb_packages)<br>* [homebrew_packages](https://www.osquery.io/schema/5.1.0/#homebrew_packages)<br> |
3636
| [Osquery](integration-docs://reference/osquery/index.md) or [Osquery Manager](integration-docs://reference/osquery_manager/index.md) integration | Schedule collection of information like:<br><br>* [rpm_packages](https://www.osquery.io/schema/5.1.0/#rpm_packages)<br>* [deb_packages](https://www.osquery.io/schema/5.1.0/#deb_packages)<br>* [homebrew_packages](https://www.osquery.io/schema/5.1.0/#homebrew_packages)<br>* [apps](https://www.osquery.io/schema/5.1.0/#apps) (MacOS)<br>* [programs](https://www.osquery.io/schema/5.1.0/#programs) (Windows)<br>* [npm_packages](https://www.osquery.io/schema/5.1.0/#npm_packages)<br>* [atom_packages](https://www.osquery.io/schema/5.1.0/#atom_packages)<br>* [chocolatey_packages](https://www.osquery.io/schema/5.1.0/#chocolatey_packages)<br>* [portage_packages](https://www.osquery.io/schema/5.1.0/#portage_packages)<br>* [python_packages](https://www.osquery.io/schema/5.1.0/#python_packages)<br> |
37-
| [System.process](beats://reference/auditbeat/auditbeat-dataset-system-process.md) dataset | [Endpoint](/solutions/security/configure-elastic-defend/install-elastic-defend.md) | Best replacement because out of the box it reports events forevery process in [ECS](integration-docs://reference/index.md) format and has excellentintegration in [Kibana](/get-started/the-stack.md). |
37+
| [System.process](beats://reference/auditbeat/auditbeat-dataset-system-process.md) dataset | [Endpoint](/solutions/security/configure-elastic-defend/install-elastic-defend.md) | Best replacement because out of the box it reports events forevery process in [ECS](integration-docs://reference/index.md) format and has excellent integration in {{kib}}. |
3838
| [Custom Windows event log](integration-docs://reference/winlog/index.md) and [Sysmon](integration-docs://reference/sysmon_linux/index.md) integrations | Provide process data. |
3939
| [Osquery](integration-docs://reference/osquery/index.md) or[Osquery Manager](integration-docs://reference/osquery_manager/index.md) integration | Collect data from the [process](https://www.osquery.io/schema/5.1.0/#process) table on some OSeswithout polling. |
4040
| [System.socket](beats://reference/auditbeat/auditbeat-dataset-system-socket.md) dataset | [Endpoint](/solutions/security/configure-elastic-defend/install-elastic-defend.md) | Best replacement because it supports monitoring network connections on Linux,Windows, and MacOS. Includes process and user metadata. Currently does notdo flow accounting (byte and packet counts) or domain name enrichment (but doescollect DNS queries separately). |
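
Review bot: The edited cell at line 37 fixes "excellentintegration" but leaves "forevery" in the same sentence; change it to "for every" while the line is being touched. Replacing `[Kibana](/get-started/the-stack.md)` with `{{kib}}` also drops the link, so confirm that is intended. The neighbouring rows at lines 39-40 have the same missing-space defects ("or[Osquery Manager]", "OSeswithout", "Linux,Windows", "notdo", "doescollect") and could be fixed in the same pass.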

release-notes/elastic-cloud-serverless/known-issues.md

Lines changed: 6 additions & 2 deletions
@@ -62,6 +62,8 @@ Set the alert delay value to 1 or turn on **Alert flapping detection**.
6262

6363
::::
6464

65+
## Resolved
66+
6567
:::{dropdown} In {{sec-serverless}}, the entity risk score feature may stop persisting risk score documents
6668

6769
On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was previously turned on. This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-<space_name>` ingest pipeline (which is set as a default pipeline for the risk scoring index in an earlier {{serverless-short}} release) from being created when {{kib}} starts up.
@@ -93,9 +95,11 @@ PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipelin
9395

9496
After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the **Entity risk score** page, where you can also manually run the risk score by clicking **Run Engine**.
9597

96-
:::
98+
**Resolved**
9799

98-
## Resolved
100+
This was resolved on June 17, 2025.
101+
102+
:::
99103

100104
:::{dropdown} Installing the {{elastic-defend}} integration or a new agent policy in {{sec-serverless}} forces an upgrade of prebuilt rules
101105
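
Review bot: Moving `## Resolved` above this dropdown (line 65 in the first hunk) and adding a bold "**Resolved**" label inside it (line 98) marks the issue as resolved twice; if the other entries under the heading do not carry the in-dropdown label, drop one of the two. "This was resolved on June 17, 2025." gives the date but does not say whether the workaround above (creating the ingest pipeline) is still needed for projects that already hit the issue; state that explicitly.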
