After upgrading to version 3.1, two new index sets and 2 new streams were created by default. These new features are great and I would like to thank the Graylog team for them.
I realize Graylog 3.1 is a very recent release; however, I would like to point out what I consider to be a bad practice.
So far I have not found any documentation regarding the specific configuration of these streams and index sets; they just appear with a default prefix (gl-system-events_*) that cannot be configured by an administrator in the Graylog config file.
In a stack that runs a dedicated ES cluster, this is not a breaking change; however, in our case this can impact production, since our ES restricts index usage based on prefix, meaning that Graylog cannot create new indices with a prefix not explicitly authorized.
Also, should an ES cluster be shared by more than one Graylog cluster, both Graylogs would attempt to write to the same indices.
More importantly, rebuilding these index sets and streams manually to conform to a standard prefix nomenclature does not solve this problem; in fact, after restarting a Graylog 3.1 cluster, Graylog will rebuild these index sets and streams again, regardless of the index set names already existing.
With this in mind, I would like to request this behaviour be patched, and an option for prefixing these index sets be introduced or that they be created with the elasticsearch_index_prefix in order to maintain predictability, and that configuration options regarding the behaviour of these new features be introduced.