Index 404 error in logstash

mkain · July 5, 2017, 3:53am

I have started getting following error in logstash. I had installed x-pack on on 3 ELK components and it was working fine for a while. but after few hours I started getting following error.

I have even tried to remove x-pack from all 3 ELK components and restarted ELK but I still see this error. can someone please guide me to resolve it ?

[2017-07-05T09:20:10,609][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>404, :action=>["index", {:_id=>nil, :_index=>"logstash-2017.07.05", :_type=>"syslog", :_routing=>nil}, 2017-07-05T03:50:10.577Z 10.91.142.103 <179>Jul 5 09:20:10 10.91.126.1 TMNX: 45006214 Base PORT-MINOR-etherAlarmSet-2017 [Port 5/2/4]: Alarm Remote Fault Set], :response=>{"index"=>{"_index"=>"logstash-2017.07.05", "_type"=>"syslog", "_id"=>nil, "status"=>404, "error"=>{"type"=>"index_not_found_exception", "reason"=>"no such index and [action.auto_create_index] ([.security,.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*]) doesn't match", "index_uuid"=>"na", "index"=>"logstash-2017.07.05"}}}}
[2017-07-05T09:20:10,610][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>404, :action=>["index", {:_id=>nil, :_index=>"logstash-2017.07.05", :_type=>"syslog", :_routing=>nil}, 2017-07-05T03:50:10.579Z 10.91.142.103 <179>Jul 5 09:20:10 10.91.126.1 TMNX: 45006215 Base PORT-MINOR-etherAlarmClear-2018 [Port 5/2/4]: Alarm Local Fault Cleared], :response=>{"index"=>{"_index"=>"logstash-2017.07.05", "_type"=>"syslog", "_id"=>nil, "status"=>404, "error"=>{"type"=>"index_not_found_exception", "reason"=>"no such index and [action.auto_create_index] ([.security,.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*]) doesn't match", "index_uuid"=>"na", "index"=>"logstash-2017.07.05"}}}}

TimV · July 5, 2017, 5:15am

The most likely cause is that your action.auto_create_index setting is too restrictive.

Does your elasticsearch.yml contain a value for that setting?

See: https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html#index-creation

The X-Pack install instructions advise to set that value If you have disabled automatic index creation. Generally speaking, you're better off leaving at the default value which enables all indices to be automatically created.

mkain · July 5, 2017, 5:41am

Hi Tim,

yes, I had added "action.auto_create_index:
.security,.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*"
after installing x-pack plugin. So is this creating the problem ?

Regards,
-Manish

TimV · July 5, 2017, 6:37am

Yes. Try removing that setting entirely.

system · August 2, 2017, 6:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.