Ok. It's just strange to see that going from 2.4 where I see all the index names to 5.6 where it's random.

I guess my next problem is this, though it might be best on the Logstash side: Logstash is throwing an error per event saying it cannot query Elasticsearch for previous events in the index.

    {:timestamp=>"2018-02-13T15:11:54.391000-0500", :message=>"Failed to query elasticsearch for previous event", :index=>"firewall-%{+YYYY.MM.dd}"

and at the end of every entry is this...

    @metadata_accessors=#<LogStash::Util::Accessors:0x70ccbbea @store={}, @lut={}>, @cancelled=false>, :error=>#<Faraday::ConnectionFailed>, :level=>:warn}

Every one of these events contains the entire string of data in the log being sent. I had Logstash running for about 20 seconds and it has one of these types of errors in the log. As you can guess, the log file filled up rather quickly.

I am not sure if this is normal for having ES on 5.6 while Logstash is still on 2.4. I am just stating some observations from my experience of the upgrade process.