Curator not deleting old indices
Daniel Sullivan
LOG_SIZE_LIMIT=600
CURATOR_ENABLED="yes"
CURATOR_CLOSE_DAYS=10
------
Elastic is well over the limit:
> du /nsm/elasticsearch -h -s
1.5T /nsm/elasticsearch
---------
Here is a sample from /var/log/curator/curator.log:
2018-09-05 14:11:01,586 INFO Preparing Action ID: 1, "delete_indices"
2018-09-05 14:11:01,587 INFO Preparing Action ID: 1, "close"
2018-09-05 14:11:01,592 INFO Trying Action ID: 1, "delete_indices": Delete indices when $disk_space value (in GB) is exceeded.
2018-09-05 14:11:01,594 INFO Trying Action ID: 1, "close": Close indices older than 10 days (based on index name), for logstash- prefixed indices.
2018-09-05 14:11:02,928 INFO Skipping action "delete_indices" due to empty list: <class 'curator.exceptions.NoIndices'>
2018-09-05 14:11:02,928 INFO Action ID: 1, "delete_indices" completed.
2018-09-05 14:11:02,928 INFO Job completed.
2018-09-05 14:11:02,948 INFO Closing selected indices: [u'logstash-syslog-2018.08.23', u'logstash-syslog-2018.08.22', u'logstash-syslog-2018.08.26', u'logstash-syslog-2018.08.25', u'logstash-syslog-2018.08.24', u'logstash-beats-2018.08.24', u'logstash-beats-2018.08.25', u'logstash-beats-2018.08.26', u'logstash-beats-2018.08.22', u'logstash-beats-2018.08.23', u'logstash-bro-2018.08.22', u'logstash-bro-2018.08.23', u'logstash-bro-2018.08.26', u'logstash-bro-2018.08.24', u'logstash-bro-2018.08.25', u'logstash-ids-2018.08.23', u'logstash-ids-2018.08.22', u'logstash-ids-2018.08.25', u'logstash-ids-2018.08.24', u'logstash-ids-2018.08.26']
2018-09-05 14:11:02,953 ERROR Failed to complete action: close. <class 'curator.exceptions.FailedExecution'>: Exception encountered. Rerun with loglevel DEBUG and/or check Elasticsearch logs for more information. Exception: TransportError(403, u'cluster_block_exception', u'blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];')
I have the same issues prior to a complete reinstall a few months ago.
Any ideas on this?
Wes Lambert
--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.
Daniel Sullivan
disk_space: 600
Wes Lambert
Daniel Sullivan
I do not know how many GB/TB/day, but I can tell you that I have been watching this for weeks as it has been creeping up. I don't believe anything has been deleting since 6/21, so it isn't much.
Ran the following and sorted the output: curl 'localhost:9200/_cat/indices?v'
https://pastebin.com/4Mm9xmty
Wes Lambert
Daniel Sullivan
Removed a large number of old indicies and have the volume down to 573GB, which is under the 600GB threshold. Root problem may still exist, though.
"read_only_allow_delete" is true on all open indices. Ran to correct:
curl -XPUT -H 'Content-Type: application/json' localhost:9200/logstash-beats-2018.09.04 -d'{"index.blocks.read_only_allow_delete": null}'
Result:
{"error":{"root_cause":[{"type":"cluster_block_exception","reason":"blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];"}],"type":"cluster_block_exception","reason":"blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];"},"status":403}
Wes Lambert
Wes Lambert
Daniel Sullivan
Verified that "read_only_allow_delete" no longer exists after running that revised cmd. Applied successfully to all open indices.
Another look at /var/log/curator/curator.log:
2018-09-06 15:20:02,360 INFO Preparing Action ID: 1, "close"
2018-09-06 15:20:02,367 INFO Trying Action ID: 1, "close": Close indices older than 10 days (based on index name), for logstash- prefixed indices.
2018-09-06 15:20:02,412 INFO Preparing Action ID: 1, "delete_indices"
2018-09-06 15:20:02,420 INFO Trying Action ID: 1, "delete_indices": Delete indices when $disk_space value (in GB) is exceeded.
2018-09-06 15:20:02,986 INFO Skipping action "delete_indices" due to empty list: <class 'curator.exceptions.NoIndices'>
2018-09-06 15:20:02,986 INFO Action ID: 1, "delete_indices" completed.
2018-09-06 15:20:02,987 INFO Job completed.
2018-09-06 15:20:02,989 INFO Skipping action "close" due to empty list: <class 'curator.exceptions.NoIndices'>
2018-09-06 15:20:02,989 INFO Action ID: 1, "close" completed.
2018-09-06 15:20:02,989 INFO Job completed.
Another look at indices shows that they are within limits (I manually deleted only until 2018.08.01, so I know that something automated got in there): https://pastebin.com/YfYQw6r1
This is just a guess on the root cause: The Curator job was dying from being unable to close the open indices. The job then never got to deleting old closed indices when space used is over the 600GB limit?
If that is the case, how do we ensure that "read_only_allow_delete":"True" is not causing this issue again?
Appreciate your help!
Daniel Sullivan
Question still stands: Why was this happening to begin with and how do we ensure it doesn't ?
Erwin
we do have the exact same issue:
https://groups.google.com/forum/#!topic/security-onion/r8o0W6NM1KY
Did you change something?
We also see that older indicies get to Read Only and the curator is not able to delete the old logs. after some period of time, the disk is full and elastic stops working...
Regards,
Erwin
Daniel Sullivan
Tony Butt
> Nothing that I am aware of has been changed other than Ubuntu being upgraded to 16.04 months prior. Haven't checked the state of the indicies in a while. Will do so in a day or so, but can't imagine the issue going away.
We had the same problem, and I found for some reason the cron jobs to run the curator process were not present.
I manually ran the curator-delete task, and copied in the files from the git repos, now seems OK
Francois Lachance
Are you saying that there was no file "curator-delete" in the /etc/cron.d directory?
Tony Butt
That is correct. The cron job is there now, and curator is running, but the indexes are still not being deleted. I'm in the process of working through the other suggestions in this topic.
So far, I have been able to manually delete old indexes, so we are still working OK.
Tony
Francois Lachance
Wes Lambert
--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.