Missing step to apply shards configuration

[juliamagan]

Description

During the tests carried out in wazuh/wazuh#21365, it was found that a step is missing in the documentation to apply the shards configuration. In this part of the documentation it is indicated that shards should be modified for single node:

A few steps later it checks it:

However, the configuration is not applied if the following command is not executed:

filebeat setup --index-management

[davidjiglesias]

I think we should also review Sources installation

[AlexRuiz7]

Although it looks like a simple change in the documentation, it's slightly complex as we need to think about it together with the ISM rollover + alias feature added also in version 4.8.0.

I believe it does not interfere, but depending on the sequence of steps given to the user during installation, the changes won't take effect until new indices are created, in other words, until the ISM policy rotates the indices.

Let's take a brief look at the installation process:

1. wazuh-indexer installation: the initialization script uploads the wazuh-template.json (as present in wazuh/wazuh) along with other indices templates and ISM configuration. As a result, 2 initial indices are created, configured and aliased, so Filebeat can write to them straightaway (wazuh-alerts and wazuh-archives).
2. wazuh-server and Filebeat installation: as the wazuh-template.json is being uploaded by the wazuh-indexer initialization script, it's not needed to upload it using Filebeat anymore. It was decided with the CTO not to remove these steps from the documentation yet to avoid confusing the users. As a result, the wazuh-template.json is uploaded twice, with identical content. In case of modifying the Filebeat's template, the changes won't take effect until running the command filebeat setup --index-management AND new indices are created (remember that the initialization of wazuh-indexer creates the initial indices).

The modification of the number of shards is only indicated in the offline installation. Neither in the step-by-step nor in the assisted installation is it indicated to modify the template. Moreover, as the command filebeat setup --index-management has been missing, this step has never been effective: it has never worked.

Having said so, the best solution in my opinion would be to migrate this step to the wazuh-indexer installation process, so the initial indices and the wazuh-template are created properly from the very beginning, but, as we plan to update the documentation in the future to remove the upload of the template using Filebeat, it would be better to simply wait until then (in other words, tag this issue as a known bug), or remove this step from the offline installation.

[davidjiglesias]

Please remove the step from the offline installation if it is causing problems. We still support it.