Strange indexes

Hi there!
I have an ES cluster, and every day strange indexes are being created. It looks like

In the logs I see the following:

root@logstashm:~# cat /var/log/elasticsearch/cloud.log | grep awgasv1.html
[2015-09-29 08:13:36,632][DEBUG][action.search.type       ] [master] [awgasv1.html][0], node[NC2z-jpoSh6uGbllA4fGcQ], [R], s[STARTED]: Failed to execute [org.elasticsearch.action.search.SearchRequest@10555f9c] lastShard [true]
Caused by: org.elasticsearch.search.SearchParseException: [awgasv1.html][0]: query[ConstantScore(*:*)],from[-1],size[1]: Parse Failure [Failed to parse source [{
[2015-09-29 08:13:36,634][DEBUG][action.search.type       ] [master] [awgasv1.html][3], node[U0CUUzB8SwKlfzatrCsdFg], [P], s[STARTED]: Failed to execute [org.elasticsearch.action.search.SearchRequest@10555f9c] lastShard [true]
Caused by: org.elasticsearch.search.SearchParseException: [awgasv1.html][3]: query[ConstantScore(*:*)],from[-1],size[1]: Parse Failure [Failed to parse source [{
[2015-09-29 08:13:36,636][DEBUG][action.search.type       ] [master] [awgasv1.html][1], node[N9Z7j6TbQjaSdIkBIHoSgw], [R], s[STARTED]: Failed to execute [org.elasticsearch.action.search.SearchRequest@10555f9c] lastShard [true]
Caused by: org.elasticsearch.search.SearchParseException: [awgasv1.html][1]: query[ConstantScore(*:*)],from[-1],size[1]: Parse Failure [Failed to parse source [{
[2015-09-29 08:13:36,643][DEBUG][action.search.type       ] [master] [awgasv1.html][2], node[mHZaE0aCSQ2lOLzV0AEn-w], [P], s[STARTED]: Failed to execute [org.elasticsearch.action.search.SearchRequest@10555f9c] lastShard [true]
Caused by: org.elasticsearch.search.SearchParseException: [awgasv1.html][2]: query[ConstantScore(*:*)],from[-1],size[1]: Parse Failure [Failed to parse source [{
[2015-09-29 08:13:36,646][DEBUG][action.search.type       ] [master] [awgasv1.html][4], node[N9Z7j6TbQjaSdIkBIHoSgw], [P], s[STARTED]: Failed to execute [org.elasticsearch.action.search.SearchRequest@10555f9c] lastShard [true]
Caused by: org.elasticsearch.search.SearchParseException: [awgasv1.html][4]: query[ConstantScore(*:*)],from[-1],size[1]: Parse Failure [Failed to parse source [{

Please give me some advice.

Is your ES instance open to the internet? It looks like someone is trying to exploit vulnerabilities in other programs.

What do you mean, the world wide internet?
This cluster is in my LAN and is used only in my network.

Someone is making requests to your cluster that end up with these being created.
You can disable auto creation of indices if you want - action.auto_create_index: false in elasticsearch.yml.

I need the logstash index to be auto-created every day;
will this option disable it?

No because you are leveraging a template for Logstash.

Thanks, I will try!

I didn't have time to set up this option yesterday, and today in the logs I see

[2015-09-30 08:14:24,651][INFO ][cluster.metadata         ] [master] [perl] creating index, cause [api], templates [], shards [5]/[1], mappings []
[2015-09-30 08:14:31,222][INFO ][cluster.metadata         ] [master] [spipe] creating index, cause [api], templates [], shards [5]/[1], mappings []
[2015-09-30 08:14:41,712][INFO ][cluster.metadata         ] [master] [webui] creating index, cause [auto(index api)], templates [], shards [5]/[1], mappings [apps]
[2015-09-30 08:15:04,150][INFO ][cluster.metadata         ] [master] [flex2gateway] creating index, cause [auto(index api)], templates [], shards [5]/[1], mappings [http]
[2015-09-30 08:15:05,062][INFO ][cluster.metadata         ] [master] [messagebroker] creating index, cause [auto(index api)], templates [], shards [5]/[1], mappings [http]
[2015-09-30 08:15:05,720][INFO ][cluster.metadata         ] [master] [blazeds] creating index, cause [auto(index api)], templates [], shards [5]/[1], mappings [messagebroker]
[2015-09-30 08:15:06,719][INFO ][cluster.metadata         ] [master] [lcds] creating index, cause [auto(index api)], templates [], shards [5]/[1], mappings [messagebroker]
[2015-09-30 08:15:07,206][INFO ][cluster.metadata         ] [master] [asvnpo1.html] creating index, cause [api], templates [], shards [5]/[1], mappings []
[2015-09-30 08:15:08,015][INFO ][cluster.metadata         ] [master] [phppath] creating index, cause [auto(index api)], templates [], shards [5]/[1], mappings [php]

So as I understand it, they are created via the index API? How can I prevent it?
Thanks
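As an added example (not code from the thread or from Elasticsearch), the following script parses cluster.metadata "creating index" lines like the ones above and flags any index whose name does not match the patterns the cluster is expected to create, grouped by the cause ES reported. The allowed pattern logstash-* and the sample log block are assumptions/constructed for the demo.

```python
import re
from fnmatch import fnmatch

# Shape of the cluster.metadata "creating index" lines quoted in the thread (ES 1.x log format).
CREATE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]\[cluster\.metadata\s*\] "
    r"\[(?P<node>[^\]]+)\] \[(?P<index>[^\]]+)\] creating index, "
    r"cause \[(?P<cause>[^\]]+)\], templates \[(?P<templates>[^\]]*)\], "
    r"shards \[(?P<shards>\d+)\]/\[(?P<replicas>\d+)\], mappings \[(?P<mappings>[^\]]*)\]$"
)

# Assumption: the only indices this cluster should create on its own are the daily logstash-* ones.
ALLOWED_PATTERNS = ("logstash-*",)


def parse_create_line(line):
    """Return a dict of fields for a 'creating index' line, or None for any other log line."""
    m = CREATE_RE.match(line.strip())
    return m.groupdict() if m else None


def unexpected_creations(lines, allowed=ALLOWED_PATTERNS):
    """Creation events whose index name matches none of the allowed glob patterns."""
    events = (parse_create_line(line) for line in lines)
    return [ev for ev in events
            if ev and not any(fnmatch(ev["index"], pat) for pat in allowed)]


def by_cause(findings):
    """Group unexpected index names by the creation cause ES reported ([api] vs [auto(index api)])."""
    groups = {}
    for ev in findings:
        groups.setdefault(ev["cause"], []).append(ev["index"])
    return groups


# Constructed sample: three lines from the thread, one expected logstash index, one unrelated DEBUG line.
SAMPLE_LOG = """
[2015-09-30 00:00:03,101][INFO ][cluster.metadata         ] [master] [logstash-2015.09.30] creating index, cause [auto(bulk api)], templates [logstash], shards [5]/[1], mappings [_default_]
[2015-09-30 08:14:24,651][INFO ][cluster.metadata         ] [master] [perl] creating index, cause [api], templates [], shards [5]/[1], mappings []
[2015-09-30 08:14:41,712][INFO ][cluster.metadata         ] [master] [webui] creating index, cause [auto(index api)], templates [], shards [5]/[1], mappings [apps]
[2015-09-30 08:15:07,206][INFO ][cluster.metadata         ] [master] [asvnpo1.html] creating index, cause [api], templates [], shards [5]/[1], mappings []
[2015-09-30 08:13:36,632][DEBUG][action.search.type       ] [master] [awgasv1.html][0], node[NC2z-jpoSh6uGbllA4fGcQ], [R], s[STARTED]: Failed to execute
"""

if __name__ == "__main__":
    for cause, names in by_cause(unexpected_creations(SAMPLE_LOG.splitlines())).items():
        print("%-16s %s" % (cause, ", ".join(names)))
```

Pointing the script at /var/log/elasticsearch/cloud.log instead of SAMPLE_LOG gives a daily list of index names nobody in the pipeline should have created, which is the signal to correlate with scanner or client activity on the network.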

It sounds to me like your injector is misconfigured or a colleague is sending you some PUT requests.

Looks like you are creating an index instead of documents.

What is your elasticsearch logstash config?

elasticsearch.yml http://pastebin.com/3t29HKfv
logstash.conf http://pastebin.com/cRJqQHnV

So it's not logstash, as logstash with this configuration will only write events to logstash-* indices. Definitely someone on your network is sending some PUT requests to your elasticsearch instance.

Thanks for explaining.
Can I trace it somehow?

You can probably install the Shield plugin and activate auditing.

Hi it2,

I also found these strange indexes in my ES cluster,
such as flex2gateway, spipe, arneav1.html etc.
And I found the reason!

Have you ever used a vulnerability scanner such as Nessus to scan the LAN of your ES cluster?

I found these strange indexes and deleted them; after a while I checked and there were no strange indexes in my ES cluster.
Then I scanned the ES cluster via Nessus and these strange indexes had been created again!

So I think it is Nessus doing this.


Oh. I have Nessus in my LAN...
I will exclude the cluster from scanning!
THANKS!

Interesting thread. I also see exactly the same index names in my cluster. However, I am not sure whether any scans are happening on it. It could be possible.
index
ngnrge1.html
lcds
ngpsvw1.html
perl
pvwvpp1.html
webui
spipe
messagebroker
blazeds
phppath
evrers1.html
flex2gateway

The answer is above - NESSUS.
Check your network for scanner activity.
