Elasticsearch indices are managed by both the so-elasticsearch-indices-delete utility and Index Lifecycle Management (ILM). so-elasticsearch-indices-delete is primarily designed for single-node deployments like EVAL and STANDALONE configurations. Running it on a multi-node deployment with one or more search nodes has the possibility of getting into a corner case state where more data is deleted than intended. Because of this, we will disable this script on multi-node deployments in the upcoming 2.4.150 release.
In the meantime, if you have a multi-node deployment then we HIGHLY recommend that you go ahead and manually disable this script. You can find this setting at Administration –> Configuration –> elasticsearch –> index_clean. You will also need to ensure that ILM is configured properly to delete indices before disk usage reaches the Elasticsearch watermark setting. Otherwise, Elasticsearch may stop ingesting new data.
For more information, please see:
https://docs.securityonion.net/en/2.4/elasticsearch.html#index-management
No comments:
Post a Comment