Recommended approach to detach a data node

parthmaniar · June 6, 2020, 12:05pm

My ELK deployment is in a distributed format.

An always on VM on a NAS that is ingesting data via elasticsearch.
A Raspberry Pi running logstash with 5 pipelines.
9 log sources sending data to the 5 pipelines.
A laptop which has Kibana and Elasticsearch. On this laptop I have secondary node of elastic which I need for me college as I cannot always VPN into to show my teacher my research. More details are here and the diagram is as below (except that now logstash is on RPi)

I wanted to know the recommended approach to detach and remove the mobile datanode (on my laptop.) As of now I put following commands before detaching, do I need to do something else?

Secondly, what configuration is needed to make the laptop as primary node for compute whenever I am using Kibana?

Shutdown process

    https://IP OF PRIMARY ELASTICSEARCH NODE:9200/_cluster/settings
    {
      "transient" : {
        "cluster.routing.allocation.exclude._ip" : "IP of LAPTOP NODE"
      }
    }

and

    PUT: https://P OF PRIMARY ELASTICSEARCH NODE:9200/_cluster/settings
  {
  "persistent": {
    "cluster.routing.allocation.enable": "none"
  }

I still get following error right after I detach the mobile data node when querying for health of the cluster:

{
    "error": {
        "root_cause": [
            {
                "type": "master_not_discovered_exception",
                "reason": null
            }
        ],
        "type": "master_not_discovered_exception",
        "reason": null
    },
    "status": 503
}

Also, this is the final failure of the cluster before I have to restore the VM. I lose important logs as part of my final year studies due to this process. I cannot afford to restore the VM and lose logs.

{
    "error": {
        "root_cause": [
            {
                "type": "security_exception",
                "reason": "failed to authenticate user [elastic]",
                "header": {
                    "WWW-Authenticate": [
                        "Bearer realm=\"security\"",
                        "ApiKey",
                        "Basic realm=\"security\" charset=\"UTF-8\""
                    ]
                }
            }
        ],
        "type": "security_exception",
        "reason": "failed to authenticate user [elastic]",
        "header": {
            "WWW-Authenticate": [
                "Bearer realm=\"security\"",
                "ApiKey",
                "Basic realm=\"security\" charset=\"UTF-8\""
            ]
        }
    },
    "status": 401
}

Do I need to any other steps to make sure my indices do not fail when I restart the mobile elastic node?

Thank you.

magnalite · June 6, 2020, 4:18pm

If I understand correctly, this sounds like a good scenario to use a remote cluster / cross-cluster replication. https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-remote-clusters.html

parthmaniar · June 10, 2020, 11:45am

I will test this and get back to you, thank you very much for your suggestion.