I have read through numerous posts on this issue, but between the fixes being somewhat vague, and my lack of knowledge in the graylog, and ubuntu world, have been unable to resolve the issue.
I have tried (possibly incorrectly) to add the action.auto_create_index: false to the elasticsearch.yml file. I have removed the deflector indice, but it repopulates within a minute or so. I am sure others will need some more info to help me diagnose the issue, and if you are willing to point me in the direction of what is needed, and how to get it, I will gladly acquire such info.
What I do know is I am running this on a VM with Ubuntu 16.04.5 LTS. I followed the instructions on docs.graylog.org/en/2.4/pages/installation/os/ubuntu.html I should be running some vesion of 2.4 for GL, and 5.X for elastic search. Mongo DB should be up to date.
(OPTIONAL) If you want to keep the already ingested messages, reindex them into the Elasticsearch index with the greatest number, e. g. graylog_23 if you want to fix the deflector graylog_deflector, via the Elasticsearch Reindex API.
Delete the graylog_deflector index via the Elasticsearch Delete Index API.
Add action.auto_create_index: false to the configuration files of all Elasticsearch nodes in your cluster and restart these Elasticsearch nodes
Start the Graylog master node.
Manually rotate the active write index of the index set on the System / Indices / Index Set page in the Maintenance dropdown menu.
(OPTIONAL) Start all remaining Graylog slave nodes.
Steps I took when attempting this, in case someone sees an issue. I only have one node.
When logged into my server directly. #1 sudo systemctl stop graylog-server.service #2 curl -XDELETE http://localhost:9200/graylog_deflector #3 curl http://localhost:9200/_cat/indices to verify deletion #4 sudo nano /etc/elasticsearch/elasticsearch.yml #5 add “action.auto_create_index: false”, save file, and exit file. as seen in image below #6 sudo systemctl restart graylog-server.service #7 From browser-System/Indices/GraylogDeflector/Maintenance/Rotate Active Write Index
No other nodes to start, so done.
After a reboot this appears to be holding. I now however, have Index failures stacking up for graylog_deflector. Are these something i can ignore, or do I need to address this?
After a reboot this appears to be holding. I now however, have Index failures stacking up for graylog_deflector. Are these something i can ignore, or do I need to address this?
without a verification that this is not something new - maybe.
