According to Graylog installation guide we need to customize /etc/elasticsearch/elasticsearch.yml “additionally you need to uncomment (remove the # as first character) the line, and add action.auto_create_index: false to the configuration file”
What’s the meaning and impact of this setting?
Recently I updated ES to 6.6.1 and it failed to start with error
java.lang.IllegalArgumentException: the [action.auto_create_index] setting value [false] is too restrictive. disable [action.auto_create_index] or set it to [.watches,.triggered_watches,.watcher-history-*]
So set it to action.auto_create_index: .watches,.triggered_watches,.watcher-history-* and that should solve it all. What that setting controls is whether or not indices are automatically created if you index something to an index that doesn’t exist. Graylog wants to be in control of creating indices so it can set up the deflector aliases properly, so if you have disabled that setting at some point a message will be indexed to the deflector alias, which may not exist yet, and Elasticsearch will create it as an index which will stop the index rotation cold.
Thanks a lot for pointing that, @jan, I got this installation from previous engineer and it really uses different repo *(baseurl=https://artifacts.elastic.co/packages/6.x/yum)
In the same time I shall note that documentation’s approach “explain what to do but don’t explain why to do it” sometimes can be confusing so meaning of the setting for Graylog(not for ES) is not really clear.
@benvanstaveren, could you please advise which one of these options is the closest to the recommended configuration?
