
[Request] Add instructions for disabling logsdb by default #6409

Open

marshallmain opened this issue Jan 9, 2025 · 3 comments

Labels: Effort: Medium (Issues that take moderate but not substantial time to complete); Priority: High (Issues that are time-sensitive and/or are of high customer importance); Team: Detections/Response (Detections and Response); v8.18.0; v9.0.0

Comments

@marshallmain (Contributor)

Description

In https://www.elastic.co/guide/en/security/current/detections-logsdb-index-mode-impact.html, we describe the impact of using logsdb with Elastic Security and recommend that users do not enable logsdb at this time. In 9.0, logsdb will be enabled by default for logs indices, and in the upgrade assistant we will be recommending that existing users opt out of logsdb by default. We need to document the process for opting out of logsdb.

To opt out, users need to set cluster.logsdb.enabled: false in their cluster settings. The Dev Tools request to do this is:

PUT _cluster/settings
{
   "persistent": {
       "cluster.logsdb.enabled": false
   }
}

Background & resources

Which documentation set does this change impact?

ESS only

ESS release

8.18 and 9.0

Serverless release

n/a

Feature differences

Opting out is only recommended for ESS

API docs impact

No API changes

Prerequisites, privileges, feature flags

Users must have the manage cluster privilege to update the cluster settings (https://www.elastic.co/guide/en/elasticsearch/reference/current/cluster-update-settings.html)
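The request above only takes effect if nothing with higher precedence still says true. The cluster settings API resolves a key as transient > persistent > defaults, so a transient override would silently shadow the persistent false, and a cluster that predates the setting would not have it at all. The following script is an added example (not code from this issue or from Elastic) that reads the output of GET _cluster/settings?include_defaults=true, reports where the effective value comes from, and builds the PUT body needed to opt out, resetting a transient override in the same request when one exists. The function names, the sample settings documents, and the ApiKey placeholder are all constructed for the example.

```python
"""Check the effective value of cluster.logsdb.enabled and build the opt-out request.

Added example, not code from the issue or from Elastic. It assumes the documented
behaviour of GET/PUT _cluster/settings: settings come back in three buckets
(transient, persistent, defaults) and, when a key appears in more than one,
precedence is transient > persistent > defaults. Setting a key to null resets it.
"""
import json
from urllib.request import Request, urlopen

SETTING = "cluster.logsdb.enabled"

# Constructed sample of GET _cluster/settings?include_defaults=true&flat_settings=true
# on a 9.0 cluster where logsdb is on by default and nobody has overridden it.
SAMPLE_DEFAULT_ON = {
    "persistent": {},
    "transient": {},
    "defaults": {SETTING: "true"},
}


def _lookup(bucket, dotted):
    """Find a dotted key in one settings bucket, whether the response used
    flat_settings=true (flat keys) or the default nested objects."""
    if dotted in bucket:
        return bucket[dotted]
    node = bucket
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _as_bool(value):
    """Elasticsearch returns setting values as strings; normalise to bool."""
    if isinstance(value, bool):
        return value
    return str(value).lower() == "true"


def effective_logsdb_enabled(settings):
    """Return (value, bucket) for cluster.logsdb.enabled honouring precedence
    transient > persistent > defaults. (None, None) means the key is absent:
    either the cluster predates the setting or include_defaults was omitted."""
    for bucket in ("transient", "persistent", "defaults"):
        value = _lookup(settings.get(bucket, {}), SETTING)
        if value is not None:
            return _as_bool(value), bucket
    return None, None


def plan_optout(settings):
    """Build the PUT _cluster/settings body that turns logsdb off, or None if the
    effective value is already false. Persistent is used so the choice survives a
    full cluster restart; a transient override is reset (null) in the same
    request, otherwise it would keep shadowing the persistent false."""
    value, bucket = effective_logsdb_enabled(settings)
    if value is False:
        return None
    body = {"persistent": {SETTING: False}}
    if bucket == "transient":
        body["transient"] = {SETTING: None}
    return body


def fetch_settings(base_url, headers):
    """GET the cluster settings including defaults (requires the manage privilege)."""
    req = Request(
        f"{base_url.rstrip('/')}/_cluster/settings?include_defaults=true&flat_settings=true",
        headers=headers,
    )
    with urlopen(req) as resp:
        return json.load(resp)


def apply_optout(base_url, headers):
    """Fetch, plan, and PUT. Returns the API response, or None if nothing to do."""
    body = plan_optout(fetch_settings(base_url, headers))
    if body is None:
        return None
    req = Request(
        f"{base_url.rstrip('/')}/_cluster/settings",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Content-Type": "application/json", **headers},
    )
    with urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline dry run on the constructed sample; swap in a real URL and API key to apply.
    print("effective:", effective_logsdb_enabled(SAMPLE_DEFAULT_ON))
    print("request body:", json.dumps(plan_optout(SAMPLE_DEFAULT_ON)))
    # apply_optout("https://es.example.internal:9200",
    #              {"Authorization": "ApiKey <PLACEHOLDER_API_KEY>"})
```

After applying, run the same GET again and confirm that effective_logsdb_enabled reports (False, "persistent"); if it still reports "transient", the reset did not go through. Note that this flips the cluster-wide default only; indices already created in logsdb mode keep that mode and have to be handled separately.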

@nicpenning

Curious as to why this is being forced as a default if it's not ready? This sounds like a recipe for disaster.

@tylerperk

Hi @nicpenning, appreciate your concern. We are still evaluating whether it makes sense to enable logsdb by default in 9.0 or if it might be too disruptive at this time.

@nicpenning

Thank you!

If anything, at least automating the disablement for Security with a notification would be an interesting concept. You may need to consider people who may have this enabled already if they are using it in some capacity. We are not yet, but have been excited to track its capabilities over time.

@jmikell821 jmikell821 added Team: Detections/Response Detections and Response v8.18.0 v9.0.0 Priority: High Issues that are time-sensitive and/or are of high customer importance Effort: Medium Issues that take moderate but not substantial time to complete labels Jan 22, 2025