i have a problem with the elastic indices after i upgrade from 4.2 to 4.3.
after the update elastic won’t be start because:
the files of elastic journal was corrupt. so i did repair with fsck.
the elastic- service started again but the state- files (state-x.st) couldn’t be read by elastic.
i did a flush but i didn’ t help:
curl -X POST “localhost:9200/some_index/_flush”
so i moved all state-files and elastic/ graylog works.
Is their a solution to get the old logs in graylog again?
If you removed/deleted the indices then your logs are gone.
If the journal was corrupted you could have just flush the journal out a different way & restarted service, BUT then again those logs are also gone. This might be from the method of the upgrade executed but I don’t know for sure.
I haven’t heard of Elasticsearch Journal, But Graylog Journal yes. Not sure how familiar you are with journal segments but that where your message are stored before they get ingested to Elasticsearch.
As stated above, if you deleted Graylog Journal or Elasticsearch indices without having backups, I’m sorry for you lose man.
Yes a snap shot would be best for index redundancy for sure. Then you can also migrate it or store it on a different partition if need be. I have took snap shot of all my indices and migrated them to a completed different node and upload them into Elasticsearch.
The best backup you can have, is making a backup of your Virtual machine incase things go bad you can restore the whole node in seconds.
