So the only index template is the gl_failures
I was actually going to say about the security plugin. When you disabled it, I assumed you restarted the service for OpenSearch & Graylog?
The cluster health screenshot tells me that Graylog doesn't have permissions for ES/OS. It seems like a connection issue between those two.
I have a couple of suggestions for troubleshooting, and one relates to the following HTTPS setting:
elasticsearch_hosts = https://user:password@<node-4-fqdn>:9200,https://user:password@<node-5-fqdn>:9200,https://user:password@<node-6-fqdn>:9200
#### External Graylog URI
#
# The public URI of Graylog which will be used by the Graylog web interface to communicate with the Graylog REST API.
#
# The external Graylog URI usually has to be specified, if Graylog is running behind a reverse proxy or load-balancer
# and it will be used to generate URLs addressing entities in the Graylog REST API (see $http_bind_address).
#
# When using Graylog Collector, this URI will be used to receive heartbeat messages and must be accessible for all collectors.
#
# This setting can be overriden on a per-request basis with the "X-Graylog-Server-URL" HTTP request header.
#
# Default: $http_publish_uri
#http_external_uri =
Noticed it talks about
in the Graylog REST API (see $http_bind_address).
So here is mine, I also use certs.
[root@graylog graylog_user]# cat /etc/graylog/server/server.conf | egrep -v "^\s*(#|$)"
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = epOqmLi7r7CdZxl76QOQxr8bRSKlKXjMQG9ojc0bn22EBUJgbD
root_password_sha2 = 5e884898da28047151d0e5ef721d1542d8
root_email = "greg.smith@domain.com"
root_timezone = America/Chicago
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address = graylog.enseva-labs.net:9000
http_publish_uri = https://graylog.enseva-labs.net:9000/
http_enable_cors = true
http_enable_tls = true
http_tls_cert_file = /etc/ssl/certs/graylog/graylog-certificate.pem
http_tls_key_file = /etc/ssl/certs/graylog/graylog-key.pem
http_tls_key_password = secret
elasticsearch_hosts = http://192.168.1.100:9200,http://192.168.1.102:9200,http://192.168.1.103:9200
rotation_strategy = count
I think one of the reasons why the Graylog configuration only shows HTTP
# Default: http://127.0.0.1:9200
#elasticsearch_hosts = http://node1:9200,http://user:password@node2:19200
Because there is not a configuration for HTTPS, hence why the documentation states "Disable the Security" plugin on OpenSearch.
So if this was mine, I would adjust the following settings, along with the proper restarts, as follows.
## Just set publish_uri & comment out *http_external_uri*
http_publish_uri = https://<node-1-fqdn>:9000/
### set URI HTTP
elasticsearch_hosts = http://<node-4-fqdn>:9200,http://<node-5-fqdn>:9200,http://<node-6-fqdn>:9200
Then disable the Security plugin as shown in the docs.
Restart services.
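An added example, not part of the original post: a small check over `server.conf` text that flags inconsistent `elasticsearch_hosts` entries (mixed schemes, credentials on only some nodes, credentials over plain http) and renders the active settings with secrets masked before the file is shared. The hostnames and values in the sample are constructed; the setting names are the ones shown in the post.

```python
import re
from urllib.parse import urlsplit

# Settings whose values should be masked before a config is shared.
SECRET_KEYS = {"password_secret", "root_password_sha2", "http_tls_key_password"}

def active_settings(conf_text):
    """Return uncommented key = value pairs (comments and blanks dropped)."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def check_hosts(settings):
    """Flag inconsistencies across the elasticsearch_hosts URLs."""
    raw = settings.get("elasticsearch_hosts", "")
    urls = [urlsplit(u.strip()) for u in raw.split(",") if u.strip()]
    findings = []
    if len({u.scheme for u in urls}) > 1:
        findings.append("mixed http/https schemes across nodes")
    if len({u.username is not None for u in urls}) > 1:
        findings.append("credentials set on some nodes only")
    for u in urls:
        if u.username is not None and u.scheme == "http":
            findings.append(f"{u.hostname}: credentials sent over plain http")
    return findings

def redact(settings):
    """Render settings with secret values and URL userinfo masked."""
    out = []
    for key, value in settings.items():
        if key in SECRET_KEYS:
            value = "<redacted>"
        elif key == "elasticsearch_hosts":
            value = re.sub(r"://[^/@,]+@", "://<redacted>@", value)
        out.append(f"{key} = {value}")
    return "\n".join(out)

# Constructed sample, not taken from the post.
SAMPLE = """\
# comment line
password_secret = constructed-sample-value
http_tls_key_password = constructed
elasticsearch_hosts = https://svc:pw@os1.example.internal:9200,http://os2.example.internal:9200,http://svc:pw@os3.example.internal:9200
"""

if __name__ == "__main__":
    conf = active_settings(SAMPLE)
    print("\n".join(check_hosts(conf)) or "no findings")
    print(redact(conf))
```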