I am facing a recurring issue in my Graylog setup where the deflector alias (e.g., graylog_deflector, gl-events_deflector) becomes an index instead of an alias. This causes logs to stop flowing, and queries fail with the error:
Elasticsearch exception [type=index_not_found_exception, reason=no such index ]
Observations:
Running curl -X GET âhttp://10.13.10.20:9200/_cat/aliases?vâ shows:
alias index filter routing.index routing.search is_write_index
gl-events_deflector gl-events_0 - - - -
graylog_deflector gl-events_0 - - - -
gl-system-events_deflector gl-system-events_0 - - - -
The deflector should be an alias but sometimes turns into an index.
Running curl -X GET âhttp://10.13.10.20:9200/_cat/indices?vâ shows only these indices:
pgsql
Copy
Edit
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open .geoip_databases Trcn78hNRquTZMd3ztâOg 1 1 37 9 77.9mb 38.9mb
green open read_me cSygCrtEQG2t68yNSuFodQ 1 1 1 0 8.8kb 4.4kb
green open gl-events_0 1IY_fxpSSAagbooCywP2cQ 4 0 0 0 904b 904b
green open gl-system-events_0 a4AH-3MoScO2PX8pjeTYZw 4 0 0 0 904b 904b
However, the issue arises when Graylog rotates the index.
Steps I Tried to Fix It:
Manually deleting and recreating the deflector alias
curl -X POST âhttp://10.13.10.20:9200/_aliasesâ -H âContent-Type: application/jsonâ -d â
{
âactionsâ: [
{ âaddâ: { âindexâ: âgl-events_0â, âaliasâ: âgraylog_deflectorâ } }
]
}â
This temporarily fixes the issue, but it happens again after 2-3 days.
Manually rotating the index in Graylog UI under:
System â Indices â Rotate Active Write Index
This also works temporarily.
Restarting Graylog (systemctl restart graylog-server) to refresh the index mapping.
Issue Persists:
Even after deleting the incorrect deflector index, Graylog automatically recreates it incorrectly after 2-3 days.