Indices deleted as a result of unauthorised access – how to restore?

As a result of compromised security, my ES server was accessed by a third party that deleted all the indices. While I can easily recreate and repopulate my own indices, there are a few that I don't know how to deal with. Here is the data from my ES log:

[.elastichq/uxLuaj6oS0ySf0ofXovsqw] deleting index
[.security-7/-SZSk_LDQcq-b3DB9SL30g] deleting index
[service/Q-HEaeMGTxabmotQ2OJrOw] deleting index
[api/Av2IvqEeRxaMt2mSRtCVXQ] deleting index

Could you explain whether the lack of these indices affects the operation of my ES and what I should do in these conditions?

From this list, only the .security-7 index is a system index; it is where the information about the built-in users is stored.

If this index is deleted, I think you will need to recreate your users and passwords.

The other indices are not part of the stack and are custom indices created by someone or some tool with access to your cluster.


Do you have a snapshot of your data?
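To make the two replies above concrete (which of the deleted indices belonged to the stack itself, and whether a snapshot can bring the others back), here is an added example that is not part of the original thread or of Elasticsearch's own tooling. It parses the "deleting index" log lines, classifies each index by name, checks a snapshot repository listing and emits a per-index plan. The timestamp/logger prefix on the fourth log line, the extra health line, the repository name `backups`, its snapshot listing and the `STACK_MANAGED_PREFIXES` list are all constructed assumptions; the restore request shape (`POST _snapshot/<repo>/<snapshot>/_restore` with an `indices` / `include_global_state` body) is the standard Elasticsearch snapshot restore API.

```python
import json
import re

# Elasticsearch logs each index deletion as "[<index>/<uuid>] deleting index"
# (the cluster-state lines quoted in the question).
DELETE_RE = re.compile(r"\[(?P<name>[^/\]]+)/(?P<uuid>[^\]]+)\]\s+deleting index")

# Name prefixes of indices the Elastic stack itself creates and manages.
# Assumption: an illustrative list, not the authoritative one for your version.
STACK_MANAGED_PREFIXES = (
    ".security", ".kibana", ".apm-", ".ml-", ".monitoring-", ".watches",
    ".triggered_watches", ".async-search", ".tasks", ".transform-",
)

# Constructed sample log: the four lines from the question, the last of them
# given a typical timestamp/logger/node prefix, plus one unrelated line.
SAMPLE_LOG = [
    "[.elastichq/uxLuaj6oS0ySf0ofXovsqw] deleting index",
    "[.security-7/-SZSk_LDQcq-b3DB9SL30g] deleting index",
    "[service/Q-HEaeMGTxabmotQ2OJrOw] deleting index",
    "[2021-05-03T02:14:07,118][INFO ][o.e.c.m.MetadataDeleteIndexService] "
    "[node-1] [api/Av2IvqEeRxaMt2mSRtCVXQ] deleting index",
    "[2021-05-03T02:14:07,200][INFO ][o.e.c.r.a.AllocationService] [node-1] "
    "current.health='GREEN' message='Cluster health status changed'",
]

# Constructed stand-in for the JSON body of GET _snapshot/backups/_all.
# The FAILED snapshot must be ignored even though it lists .elastichq.
SAMPLE_SNAPSHOT_LISTING = {
    "snapshots": [
        {"snapshot": "nightly-2021-05-01", "state": "SUCCESS",
         "start_time_in_millis": 1619827200000, "indices": ["service"]},
        {"snapshot": "nightly-2021-05-02", "state": "SUCCESS",
         "start_time_in_millis": 1619913600000, "indices": ["service", "api"]},
        {"snapshot": "nightly-2021-05-03", "state": "FAILED",
         "start_time_in_millis": 1620000000000,
         "indices": ["service", "api", ".elastichq"]},
    ]
}


def parse_deletions(log_lines):
    """Return {index_name: uuid} for every 'deleting index' line in the log."""
    deleted = {}
    for line in log_lines:
        match = DELETE_RE.search(line)
        if match:
            deleted[match.group("name")] = match.group("uuid")
    return deleted


def classify(name):
    """Coarse ownership class derived from the index name alone."""
    if name.startswith(STACK_MANAGED_PREFIXES):
        return "stack-managed"
    if name.startswith("."):
        # Dot-prefixed but not a stack index: typically created by a third-party tool.
        return "hidden-tool-created"
    return "user-data"


def newest_successful_snapshot_with(index, listing):
    """Name of the most recent SUCCESS snapshot that contains `index`, or None."""
    candidates = [
        snap for snap in listing.get("snapshots", [])
        if snap.get("state") == "SUCCESS" and index in snap.get("indices", [])
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda snap: snap["start_time_in_millis"])["snapshot"]


def restore_plan(deleted, listing, repo):
    """Decide, per deleted index, between a snapshot restore and manual recreation."""
    plan = {}
    for name in deleted:
        kind = classify(name)
        snapshot = newest_successful_snapshot_with(name, listing)
        if snapshot is not None:
            plan[name] = {
                "kind": kind,
                "action": "restore",
                # Restore only this index, never the global cluster state, so
                # unrelated settings from the backup are not replayed.
                "request": f"POST _snapshot/{repo}/{snapshot}/_restore",
                "body": {"indices": name, "include_global_state": False},
            }
        elif name.startswith(".security"):
            # Users, roles and API keys lived here; with no backup they have to
            # be set up again with the version's password-setup tooling.
            plan[name] = {"kind": kind, "action": "reset-builtin-users"}
        elif kind == "stack-managed":
            plan[name] = {"kind": kind, "action": "recreated-by-stack-on-demand"}
        else:
            plan[name] = {"kind": kind, "action": "recreate-from-source"}
    return plan


if __name__ == "__main__":
    deleted = parse_deletions(SAMPLE_LOG)
    print(json.dumps(restore_plan(deleted, SAMPLE_SNAPSHOT_LISTING, "backups"), indent=2))
```

Feed it your node log and the real output of GET _snapshot/<repo>/_all instead of the constructed samples. If a snapshot does contain .security-*, restoring it replaces every user, role and API key with the backed-up ones, so only use a snapshot taken before the intrusion.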
