TL;DR The default settings for Logstash index rotation are bad and will break your cluster after a few months unless you change the rotation strategy. If you’re anything like me, you probably read somebody’s cool blog about how awesome ELK stack is and just had to have a piece of it. So you went through the quick start guide, googled your way through getting it up and running, then BAM you had an awesome logging system with all the bells and whistles!
With the move from sysvinit to systemd, there were lots of small but important changes to the Linux ecosystem. One of them was the move from traditional syslog daemons to Systemd Journald. Now I’m not going to say this is a good or bad thing, as it entirely depends on your old habits and new optimism. What it does mean is a move to a faster and more flexible system log format but at the cost of some added complexity.