Unable to Configure SLM

Greetings. I run the Graylog Open edition that uses Elasticsearch under the hood. Unfortunately, the archive feature is behind a paywall. Nonetheless, I need to back up my data, and snapshots are the best way.

I have been following the instructions found here: Create a snapshot | Elasticsearch Guide [8.3] | Elastic (and the links contained therein) but have run into the following error when attempting to set the SLM policy:

```
curl -X PUT "localhost:9200/_slm/policy/daily-snapshots?pretty" -H 'Content-Type: application/json' -d @elastic_SLM_policy
```

Here is my @elastic_SLM_policy:

```
{
  "schedule": "0 */12 * * * ?",
  "name": "<every12h-snap-{now/d}>",
  "repository": "my_fs_backup",
  "config": {
    "indices": "*",
    "include_global_state": true
  },
  "retention": {
    "expire_after": "90d",
    "min_count": 5,
    "max_count": 180
  }
}
```

And I receive the following error:

```
{
  "error" : {
    "root_cause" : [
      {
        "type" : "index_not_found_exception",
        "reason" : "no such index [_slm]",
        "resource.type" : "index_expression",
        "resource.id" : "_slm",
        "index_uuid" : "_na_",
        "index" : "_slm"
      }
    ],
    "type" : "index_not_found_exception",
    "reason" : "no such index [_slm]",
    "resource.type" : "index_expression",
    "resource.id" : "_slm",
    "index_uuid" : "_na_",
    "index" : "_slm"
  },
  "status" : 404
}
```

Thank you for all your help!

What version of Elasticsearch is backing your Graylog? My guess is that it is a version that predates SLM?

I had not even thought about that:

```
{
  "name" : "graylog",
  "cluster_name" : "graylog",
  "cluster_uuid" : "<redacted>",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "oss",
    "build_type" : "deb",
    "build_hash" : "<redacted>",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
```

The critical part is the `oss`. SLM is / was part of X-Pack, meaning you have to use the default distribution; SLM is not in the oss distribution.

My suggestion is to upgrade both versions to something newer like 7.17 and use the Basic / Free Forever license (there is no actual OSS distro after 7.10).

Ah, that makes sense. The ironic part is that Graylog is not tested against anything higher than 7.10 (that I am aware of) but nonetheless recommends using the snapshot API in Elasticsearch: Backup - Configuring Graylog

Thank you for all your help!
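The plain snapshot API, unlike `_slm`, is present in the `oss` flavor, so the `retention` block of the policy posted above can be approximated from a scheduled script. The following is an added example, not code from the thread, Elastic or Graylog: the helper names and sample snapshots are constructed, and the keep/delete rules are an approximation of SLM retention rather than its exact behaviour.

```python
from datetime import datetime, timedelta, timezone

# Values copied from the "retention" block of the policy posted in the thread.
RETENTION = {"expire_after_days": 90, "min_count": 5, "max_count": 180}

def create_request(repository, now):
    """(method, path, body) for one snapshot; mirrors the policy's "config" block."""
    name = f"every12h-snap-{now:%Y.%m.%d-%H%M}"  # snapshot names must be lowercase
    body = {"indices": "*", "include_global_state": True}
    return ("PUT", f"/_snapshot/{repository}/{name}?wait_for_completion=true", body)

def snapshots_to_delete(snapshots, now, retention=RETENTION):
    """Names to delete, oldest first.

    `snapshots` is the "snapshots" array from GET /_snapshot/<repo>/_all.
    Only SUCCESS snapshots are counted or deleted, so a failed run never
    pushes a good backup out of the retained set.
    """
    good = sorted((s for s in snapshots if s.get("state") == "SUCCESS"),
                  key=lambda s: s["start_time_in_millis"], reverse=True)
    cutoff = now - timedelta(days=retention["expire_after_days"])
    cutoff_ms = cutoff.timestamp() * 1000
    doomed = []
    for position, snap in enumerate(good):  # position 0 is the newest
        if position < retention["min_count"]:
            continue  # always keep the newest min_count, even if expired
        over_cap = position >= retention["max_count"]
        expired = snap["start_time_in_millis"] < cutoff_ms
        if over_cap or expired:
            doomed.append(snap["snapshot"])
    return doomed[::-1]

def delete_requests(repository, names):
    """(method, path) pairs for the plain snapshot API."""
    return [("DELETE", f"/_snapshot/{repository}/{n}") for n in names]

def constructed_snapshot(name, age_days, now, state="SUCCESS"):
    """Constructed sample entry shaped like one item of the API response."""
    started = now - timedelta(days=age_days)
    return {"snapshot": name, "state": state,
            "start_time_in_millis": int(started.timestamp() * 1000)}

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    sample = [constructed_snapshot(f"snap-{d}d", d, now) for d in (1, 2, 3, 4, 100, 120, 200)]
    print(create_request("my_fs_backup", now))
    print(delete_requests("my_fs_backup", snapshots_to_delete(sample, now)))
```

Run it from cron or a systemd timer on the Graylog host, and send the returned requests with whatever HTTP client and credentials the cluster already uses.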
