I am playing around with the Security Analytics plugin. I have indexes named like this: wazuh-archives-%{+YYYY.MM.dd} (a separate index for every day).
I have read many times that for indexes like this I need to specify an index alias which includes all my indexes.
So I have added an index alias to my index template, and all newly created indexes are added to that alias.
Now my first question:
When creating/editing the detector I can choose different aliases with the same alias name but different indexes in braces. So each alias includes only a single index, right? How can I configure my detector to automatically use my newly created indexes?
Second question:
After switching to a newly created index/index alias, all field mappings are gone.
I have tried to build a composable template with an alias and a keyword definition for each field mapping needed by my rules.
But that always ended up in an error like the one described here:
So, how should field mappings be handled correctly so that they are accessible in every newly created index?
I am working with an index template. Right now I have tried to add an associated component template to that index template. The component template defined, for each field mapping, a keyword definition and an alias for the (rule) field name and the mapping to my existing field. Shouldn't that end up with the same result?
Anyway, I will now try the alias definition directly in the index template and see what happens.
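Both posts describe the same setup: a composable index template for the daily wazuh-archives-* indexes that attaches one index alias to every new index and carries the keyword fields plus the `alias`-typed fields a rule expects. The script below is an added example, not code from this thread or from OpenSearch/Wazuh. It builds that template body, checks the one constraint an `alias` field always has (its `path` must name a concrete, non-alias field declared in the same mappings, which is a common reason such templates are rejected), and prepares the PUT request without sending it. The rule and document field names are constructed samples and the cluster URL is an assumption.

```python
"""Composable index template for daily wazuh-archives-* indexes: one alias that
every new index joins, plus keyword fields and `alias`-typed fields that map a
rule's field name onto the concrete Wazuh field.

Added example, not code from the forum thread or from OpenSearch/Wazuh.
Field names are constructed samples; the cluster URL is an assumption.
"""
import json
import urllib.request

INDEX_PATTERN = "wazuh-archives-*"
ALIAS_NAME = "wazuh-archives"          # assumed alias name covering all daily indexes

# rule field name (as used by detection rules) -> concrete field in the document
# (constructed sample values)
RULE_FIELD_MAP = {
    "winlog.event_data.CommandLine": "data.win.eventdata.commandLine",
    "winlog.event_data.Image": "data.win.eventdata.image",
}


def build_template(rule_field_map=RULE_FIELD_MAP, alias=ALIAS_NAME,
                   pattern=INDEX_PATTERN, priority=100):
    """Return the body for PUT _index_template/<name>.

    Every index matching `pattern` is created with `alias` attached and with
    both the concrete keyword field and an `alias`-typed field whose `path`
    points at it, so a new daily index needs no manual field mapping.
    """
    properties = {}
    for rule_field, concrete_field in rule_field_map.items():
        properties[concrete_field] = {"type": "keyword"}
        properties[rule_field] = {"type": "alias", "path": concrete_field}
    return {
        "index_patterns": [pattern],
        "priority": priority,
        "template": {
            "aliases": {alias: {}},
            "mappings": {"properties": properties},
        },
    }


def validate_template(template):
    """Return a list of problems found in the template body.

    An `alias` field is only valid when its `path` names a concrete field
    declared in the same mappings, and an alias may not point at another alias.
    """
    props = template["template"]["mappings"]["properties"]
    problems = []
    for name, spec in props.items():
        if spec.get("type") != "alias":
            continue
        target = spec.get("path")
        if target not in props:
            problems.append(f"{name}: path {target!r} is not declared")
        elif props[target].get("type") == "alias":
            problems.append(f"{name}: path {target!r} is itself an alias")
    if not template["template"].get("aliases"):
        problems.append("template declares no index alias")
    return problems


def template_request(name, template, base_url="https://localhost:9200"):
    """Build (but do not send) the PUT request; base_url is an assumption."""
    body = json.dumps(template).encode()
    return urllib.request.Request(
        f"{base_url}/_index_template/{name}", data=body, method="PUT",
        headers={"Content-Type": "application/json"})


if __name__ == "__main__":
    tmpl = build_template()
    print(json.dumps(tmpl, indent=2))
    print("problems:", validate_template(tmpl) or "none")
    # To apply against a real cluster (credentials/TLS setup omitted):
    # urllib.request.urlopen(template_request("wazuh-archives", tmpl))
```

Run the validator before every template change: a rejected template silently leaves the next day's index without the alias mappings, which is exactly the "all field mappings are gone" symptom after the daily rollover.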