Elasticsearch deletes my index out of nowhere

I have an Elasticsearch server on AWS, and every now and then my Elasticsearch index is somehow deleted without me doing anything.

Below are the logs from my Elasticsearch server.

    [2021-04-19T01:30:00,001][INFO ][o.e.x.s.SnapshotRetentionTask] [ip-10-0-0-94] starting SLM retention snapshot cleanup task
    [2021-04-19T01:30:00,009][INFO ][o.e.x.s.SnapshotRetentionTask] [ip-10-0-0-94] there are no repositories to fetch, SLM retention snapshot cleanup task complete
    [2021-04-19T02:27:00,000][INFO ][o.e.x.m.MlDailyMaintenanceService] [ip-10-0-0-94] triggering scheduled [ML] maintenance tasks
    [2021-04-19T02:27:00,000][INFO ][o.e.x.m.a.TransportDeleteExpiredDataAction] [ip-10-0-0-94] Deleting expired data
    [2021-04-19T02:27:00,002][INFO ][o.e.x.m.j.r.UnusedStatsRemover] [ip-10-0-0-94] Successfully deleted [0] unused stats documents
    [2021-04-19T02:27:00,002][INFO ][o.e.x.m.a.TransportDeleteExpiredDataAction] [ip-10-0-0-94] Completed deletion of expired ML data
    [2021-04-19T02:27:00,002][INFO ][o.e.x.m.MlDailyMaintenanceService] [ip-10-0-0-94] Successfully completed [ML] maintenance task: triggerDeleteExpiredDataTask
    [2021-04-19T02:58:46,088][INFO ][o.e.c.m.MetadataDeleteIndexService] [ip-10-0-0-94] [read__me/xc6mW05hTV-Xn1TTqX_FEA] deleting index
    [2021-04-19T02:58:46,641][INFO ][o.e.c.m.MetadataDeleteIndexService] [ip-10-0-0-94] [superhero/PHe6S6kSRoSamCaaiPBSFg] deleting index
    [2021-04-19T02:58:47,212][INFO ][o.e.c.m.MetadataCreateIndexService] [ip-10-0-0-94] [read__me] creating index, cause [api], templates [], shards [1]/[1]
    [2021-04-19T02:58:47,823][INFO ][o.e.c.m.MetadataMappingService] [ip-10-0-0-94] [read__me/ODzWqR5FTeeiBhOBG-EMzA] create_mapping [_doc]
    [2021-04-19T07:17:10,800][INFO ][o.e.c.m.MetadataCreateIndexService] [ip-10-0-0-94] [superhero] creating index, cause [api], templates [], shards [1]/[0]

My question is - how do I prevent Elasticsearch from deleting my index?

Welcome!

Elasticsearch does not delete existing indices unless they are internal indices or you have configured something.

The only thing we can tell here:

    [2021-04-19T02:58:46,088][INFO ][o.e.c.m.MetadataDeleteIndexService] [ip-10-0-0-94] [read__me/xc6mW05hTV-Xn1TTqX_FEA] deleting index
    [2021-04-19T02:58:46,641][INFO ][o.e.c.m.MetadataDeleteIndexService] [ip-10-0-0-94] [superhero/PHe6S6kSRoSamCaaiPBSFg] deleting index

is that "something" called the Delete Index API at 2021-04-19T02:58:46 and removed indices read__me and superhero.

Is there any chance that you exposed your Elasticsearch cluster on the internet?
If not, are you running any other tool which can connect to the Elasticsearch node?
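The log reading done in the answer above, as an added Python example that is not part of the original thread: it pulls index deletions and API-driven index creations out of an Elasticsearch server log and groups deletions into bursts. The 5-second burst gap, the 60-second follow window and the function names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the index-related lines from the log posted in the question.
SAMPLE_LOG = """\
[2021-04-19T02:27:00,002][INFO ][o.e.x.m.a.TransportDeleteExpiredDataAction] [ip-10-0-0-94] Completed deletion of expired ML data
[2021-04-19T02:58:46,088][INFO ][o.e.c.m.MetadataDeleteIndexService] [ip-10-0-0-94] [read__me/xc6mW05hTV-Xn1TTqX_FEA] deleting index
[2021-04-19T02:58:46,641][INFO ][o.e.c.m.MetadataDeleteIndexService] [ip-10-0-0-94] [superhero/PHe6S6kSRoSamCaaiPBSFg] deleting index
[2021-04-19T02:58:47,212][INFO ][o.e.c.m.MetadataCreateIndexService] [ip-10-0-0-94] [read__me] creating index, cause [api], templates [], shards [1]/[1]
[2021-04-19T07:17:10,800][INFO ][o.e.c.m.MetadataCreateIndexService] [ip-10-0-0-94] [superhero] creating index, cause [api], templates [], shards [1]/[0]
"""

# Layout: [timestamp][LEVEL][logger] [node] message
LINE = re.compile(r"^\s*\[(?P<ts>[^\]]+)\]\[\w+\s*\]\[(?P<logger>[^\]]+)\]\s+\[[^\]]+\]\s+(?P<msg>.*)$")
DELETE = re.compile(r"^\[(?P<name>[^/\]]+)/[^\]]+\] deleting index")
CREATE = re.compile(r"^\[(?P<name>[^\]]+)\] creating index, cause \[(?P<cause>[^\]]+)\]")

def index_events(log_text):
    """Yield (timestamp, kind, index_name) for index deletes and API-driven creates."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S,%f")
        if m["logger"].endswith("MetadataDeleteIndexService") and (d := DELETE.match(m["msg"])):
            yield ts, "delete", d["name"]
        elif (m["logger"].endswith("MetadataCreateIndexService")
              and (c := CREATE.match(m["msg"])) and c["cause"] == "api"):
            yield ts, "create", c["name"]

def delete_bursts(log_text, gap=timedelta(seconds=5), follow=timedelta(seconds=60)):
    """Group deletes at most `gap` apart and attach API creates seen within
    `follow` of the burst's end (both thresholds are assumptions of this example)."""
    events = sorted(index_events(log_text))
    bursts = []
    for ts, kind, name in events:
        if kind != "delete":
            continue
        if bursts and ts - bursts[-1]["end"] <= gap:
            bursts[-1]["deleted"].append(name)
            bursts[-1]["end"] = ts
        else:
            bursts.append({"start": ts, "end": ts, "deleted": [name], "created_after": []})
    for b in bursts:
        b["created_after"] = [n for ts, k, n in events
                              if k == "create" and b["end"] <= ts <= b["end"] + follow]
    return bursts

if __name__ == "__main__":
    for b in delete_bursts(SAMPLE_LOG):
        print(b["start"].isoformat(), "deleted:", b["deleted"], "created right after:", b["created_after"])
```

On the posted log this reports a single burst that deletes read__me and superhero, with read__me recreated through the API less than a second later; the superhero creation at 07:17 falls outside the window.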

Yes, both Elasticsearch and Kibana are exposed on the Internet.

I just restricted access to Elasticsearch only from my home IP address and internal AWS network and I restricted access to Kibana only from my home IP address. Hopefully this helps and my index won't be deleted again.

Thanks!

You should definitely read this.

BTW did you look at Cloud by Elastic, also available if needed from AWS Marketplace, Azure Marketplace and Google Cloud Marketplace?

Cloud by Elastic is one way to have access to all features, all managed by us. Think about what is there already, like Security, Monitoring, Reporting, SQL, Canvas, Maps UI, Alerting and built-in solutions named Observability, Security, Enterprise Search, and what is coming next 🙂 ...

Thanks, I will definitely read this article!
