Elasticsearch service is running but the Cluster is Red on the Web interface

You can set up the X-Pack extension or some other monitoring tool for Elasticsearch. They will show where the problem lies.

It seems like you have only one shard? You could start by trying to set up the Graylog index retention settings so that the shard size would be about 20-40G. This post explains some ES settings, including a rule of thumb for how much RAM you need: https://www.elastic.co/blog/how-many-shards-should-i-have-in-my-elasticsearch-cluster

Other than that the documents are pretty scattered. The monitoring tools are the best bet.

And, to your last question: if the data is corrupt, as it seems according to the result, delete the index:

  1. If you do not have an index `graylog_1` already, go to the Graylog UI and manually rotate the index.
  2. Delete the index `graylog_0` from the Graylog UI.
     (If step 2 does not work, you can run `curl -XDELETE http://ip:9200/graylog_0`.)
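Before deleting anything it is worth confirming which index actually holds the unassigned primary, since only an unassigned primary turns the cluster red (missing replicas on a single node only make it yellow). The following is an added example, not code from the thread or from Graylog: it parses constructed sample output of `GET _cat/shards?h=index,shard,prirep,state,unassigned.reason` and `GET _cluster/health`, lists the red indices with their unassigned reasons, and applies the rule from the reply above (another `graylog_*` index must exist before the corrupt one is deleted). The `http://ip:9200` host is the placeholder used in the reply, and the sample shard listing is made up.

```python
"""Diagnose a red Elasticsearch cluster from _cat/shards and _cluster/health
output, and check the precondition the reply gives before deleting an index."""
import json

# Constructed sample output (not from the poster's cluster) of:
#   GET _cat/shards?h=index,shard,prirep,state,unassigned.reason
# Without "v" there is no header line; STARTED shards have no reason column.
SAMPLE_CAT_SHARDS = """\
graylog_0 0 p UNASSIGNED ALLOCATION_FAILED
graylog_0 0 r UNASSIGNED REPLICA_ADDED
graylog_1 0 p STARTED
graylog_1 0 r UNASSIGNED INDEX_CREATED
.kibana   0 p STARTED
"""

# Constructed sample of GET _cluster/health (only the fields used here).
SAMPLE_CLUSTER_HEALTH = json.dumps({
    "cluster_name": "graylog", "status": "red", "number_of_nodes": 1,
    "active_primary_shards": 2, "unassigned_shards": 3,
})


def parse_cat_shards(text):
    """Turn the whitespace-separated _cat/shards listing into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or truncated line
        index, shard, prirep, state = parts[:4]
        reason = parts[4] if len(parts) > 4 else ""
        rows.append({"index": index, "shard": int(shard), "prirep": prirep,
                     "state": state, "reason": reason})
    return rows


def red_indices(rows):
    """Indices with at least one UNASSIGNED primary: these make the cluster red."""
    return sorted({r["index"] for r in rows
                   if r["prirep"] == "p" and r["state"] == "UNASSIGNED"})


def yellow_only_indices(rows):
    """Indices where only replicas are unassigned (yellow, no data loss)."""
    red = set(red_indices(rows))
    return sorted({r["index"] for r in rows
                   if r["prirep"] == "r" and r["state"] == "UNASSIGNED"} - red)


def safe_to_delete(rows, doomed, prefix="graylog_"):
    """Mirror the reply's rule: only delete the corrupt index if another index
    of the same Graylog index set exists for the deflector to write into."""
    others = {r["index"] for r in rows
              if r["index"].startswith(prefix) and r["index"] != doomed}
    return bool(others)


def delete_command(index, host="http://ip:9200"):
    """The same curl the reply gives, assembled from the diagnosed index name."""
    return f"curl -XDELETE {host}/{index}"


def diagnose(cat_shards_text, health_json):
    """Summarise cluster state: status, red/yellow indices, unassigned reasons."""
    health = json.loads(health_json)
    rows = parse_cat_shards(cat_shards_text)
    return {
        "status": health["status"],
        "unassigned_shards": health["unassigned_shards"],
        "red_indices": red_indices(rows),
        "yellow_indices": yellow_only_indices(rows),
        "unassigned_reasons": sorted({r["reason"] for r in rows
                                      if r["state"] == "UNASSIGNED"}),
    }


if __name__ == "__main__":
    rows = parse_cat_shards(SAMPLE_CAT_SHARDS)
    report = diagnose(SAMPLE_CAT_SHARDS, SAMPLE_CLUSTER_HEALTH)
    print(json.dumps(report, indent=2))
    for idx in report["red_indices"]:
        if safe_to_delete(rows, idx):
            print("unassigned primary, another graylog index exists:",
                  delete_command(idx))
        else:
            print("rotate the index in the Graylog UI first, then delete", idx)
```

Run it as-is to see the report for the constructed sample; on a real cluster, paste the output of the two GET requests into the two constants (or read them from files) and the report tells you whether the red status is really down to `graylog_0` and whether rotating first is required.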

Thank you jtkarvo for the help and guidance. I will research and learn some more about each of the components to have a better understanding and then implement the server. Thank you for the help :smile:
