|
| 1 | +--- |
| 2 | +navigation_title: Default `logs` index template |
| 3 | +description: Learn what the default component templates and ingest pipeline hooks for logs do. |
| 4 | +applies_to: |
| 5 | + stack: all |
| 6 | + serverless: all |
| 7 | +products: |
| 8 | + - id: observability |
| 9 | +--- |
| 10 | + |
| 11 | +# Default `logs` index template |
| 12 | + |
| 13 | +Elastic applies a managed index template to data streams that follow the `logs-*-*` index pattern. This index template references a set of reusable component templates and an optional `@custom` ingest pipeline that standardizes how log data streams are mapped, indexed, and preprocessed. |
| 14 | + |
| 15 | +The managed `logs` index template has a priority of `100` and is automatically applied to any data stream following the `logs-*-*` index pattern, unless you override it with your own higher-priority index template. |
| 16 | + |
| 17 | +By default, this index template also enables [LogsDB index mode](../../..//manage-data/data-store/data-streams/logs-data-stream.md), which optimizes storage and query performance for log data streams. |
| 18 | + |
| 19 | +Depending on your deployment, the `logs` index template applies one of the following data retention policies by default: |
| 20 | + |
| 21 | +* In {{stack}} (self-managed and {{ecloud}}): lifecycle is managed by [Index Lifecycle Management (ILM)](../../../manage-data/lifecycle/index-lifecycle-management.md). By default, rollover occurs when the primary shard reaches 50 GB or the index age reaches 30 days. |
| 22 | +* In {{serverless-full}}: lifecycle is managed by [Data Stream Lifecycle (DSL)](../../../manage-data/lifecycle/data-stream.md). By default, logs are retained for 30 days. |
| 23 | + |
| 24 | +Refer to [Logs index template reference](logs-index-template-reference.md) for instructions on how to view or edit the logs index template in {{kib}}. |
| 25 | + |
| 26 | +## Component templates |
| 27 | + |
| 28 | +The managed `logs` index template is composed of the following component templates: |
| 29 | + |
| 30 | +### `logs@mappings` |
| 31 | + |
| 32 | +Provides general mappings for logs data streams: |
| 33 | + |
| 34 | +* Disables automatic date detection for string fields to avoid mis-parsing. |
| 35 | +* Defines ECS `data_stream.*` fields: |
| 36 | + * [`data_stream.type`](ecs://reference/ecs-data_stream.md#field-data-stream-type): constant_keyword, value `logs` |
| 37 | + * [`data_stream.dataset`](ecs://reference/ecs-data_stream.md#field-data-stream-dataset): constant_keyword, for example `nginx.access` (must be ≤ 100 characters, no `-`) |
| 38 | + * [`data_stream.namespace`](ecs://reference/ecs-data_stream.md#field-data-stream-namespace): constant_keyword, for example `production` (must be ≤ 100 characters, no `-`) |
| 39 | + |
| 40 | +### `logs@settings` |
| 41 | + |
| 42 | +Configures default index settings for logs data streams: |
| 43 | + |
| 44 | + * References the managed ingest pipeline `logs@default-pipeline`, which: |
| 45 | + * Sets `@timestamp` to the ingest time if it is missing. |
| 46 | + * Contains a hook to the optional [`logs@custom`](#customize-preprocessing-with-logscustom) pipeline. |
| 47 | + * Sets `ignore_malformed` to `true` globally. With this setting, documents with malformed fields can be indexed without causing ingestion failures. Refer to [ignore_malformed](elasticsearch://reference/elasticsearch/mapping-reference/ignore-malformed.md) for a list of supported fields. |
| 48 | + * Sets `ignore_dynamic_beyond_limit` to `true`, which allows dynamically mapped fields to be added even when the total field limit is exceeded. Extra fields are ignored instead of causing ingestion to fail. Refer to [Mapping limit settings](elasticsearch://reference/elasticsearch/index-settings/mapping-limit.md) for more information. |
| 49 | + |
| 50 | +### `ecs@mappings` |
| 51 | + |
| 52 | +* Adds dynamic templates that automatically align fields with [Elastic Common Schema (ECS)](ecs://reference/index.md). |
| 53 | + |
| 54 | +Alignment with ECS helps ensure that dashboards, queries, and ML jobs can work consistently across different log sources. |
| 55 | + |
| 56 | + |
| 57 | +## Customize preprocessing with `logs@custom` |
| 58 | + |
| 59 | +Each logs data stream runs through the default ingest pipeline. However, you can use the `logs@custom` component template to customize your {{es}} indices. The `logs@custom` component template is not installed by default, but you can create a component template named `logs@custom` to override and extend default mappings or settings. Refer to [Edit the `logs` index template](../logs/logs-index-template-reference.md#custom-logs-template-edit) for more information. |
| 60 | + |
| 61 | + |
| 62 | + |
| 63 | +## Using logs templates without naming conventions |
| 64 | + |
| 65 | +If your logs data streams do not follow the `logs-*-*` naming scheme, the managed logs index template will not apply automatically. |
| 66 | + |
| 67 | +You can still use the default component templates by adding them to your own index template. For example: |
| 68 | + |
| 69 | +```json |
| 70 | +PUT _index_template/my-logs-template |
| 71 | +{ |
| 72 | + "index_patterns": ["my-logs-template"], |
| 73 | + "composed_of": ["ecs@mappings", "logs@mappings", "logs@settings"], |
| 74 | + "priority": 200 |
| 75 | +} |
| 76 | +``` |
| 77 | + |
| 78 | +::::{warning} |
| 79 | +Avoid bypassing the `logs-*-*` naming scheme unless you have a specific need. Many {{kib}} features (such as Discover views and Logs ML jobs) expect the managed logs template. |
| 80 | +:::: |
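Review bot: The example request at lines 70-75 uses `"index_patterns": ["my-logs-template"]` (line 72), which repeats the template name and has no wildcard, so it only matches a data stream or index named exactly `my-logs-template`. Use a real pattern such as `my-logs-*`, and add `"data_stream": {}` to the body, since the section is about data streams and an index template without that object creates regular indices. Separately, the section "Customize preprocessing with `logs@custom`" (lines 57-59) describes a `logs@custom` component template for mappings and settings, while line 46 links the optional `logs@custom` pipeline hook to that same anchor; say which of the two the section covers, or document both. Two smaller points: the LogsDB link on line 17 has a doubled slash (`../../..//manage-data/...`), and line 48 says fields are "added even when the total field limit is exceeded" and then that extra fields are ignored, which reads as contradictory; reword it so it is clear that fields beyond the limit are not mapped.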