I am having a problem with my Search Guard node (it is a single-node-only instance) where my audit logs are being created with what looks like an attempt to write duplicate data to my node, creating unassigned nodes and dropping my ES node to a yellow state. How can I fix this?
Below is the output of the following command:
curl -XGET 'https://127.0.0.1:9200/_cat/shards?h=index,shard,prirep,state,unassigned.reason' | grep UNASSIGNED
{
  "index" : "sg6-auditlog-2018.06.04",
  "shard" : 3,
  "primary" : false,
  "current_state" : "unassigned",
  "unassigned_info" : {
    "reason" : "INDEX_CREATED",
    "at" : "2018-06-04T13:19:11.824Z",
    "last_allocation_status" : "no_attempt"
  },
  "can_allocate" : "no",
  "allocate_explanation" : "cannot allocate because allocation is not permitted to any of the nodes",
  "node_allocation_decisions" : [
    {
      "node_id" : "UokknJlMSYeJcwcJIA8oNQ",
      "node_name" : "UokknJl",
      "transport_address" : "127.0.0.1:9300",
      "node_decision" : "no",
      "weight_ranking" : 1,
      "deciders" : [
        {
          "decider" : "same_shard",
          "decision" : "NO",
          "explanation" : "the shard cannot be allocated to the same node on which a copy of the shard already exists [[sg6-auditlog-2018.06.04][3], node[UokknJlMSYeJcwcJIA8oNQ], [P], s[STARTED], a[id=UZ7zsqsxRoGEEqqKBtLQOg]]"
        }
      ]
    }
  ]
}
sg6-auditlog-2018.06.04 3 r UNASSIGNED INDEX_CREATED
sg6-auditlog-2018.06.04 4 r UNASSIGNED INDEX_CREATED
sg6-auditlog-2018.06.04 1 r UNASSIGNED INDEX_CREATED
sg6-auditlog-2018.06.04 2 r UNASSIGNED INDEX_CREATED
sg6-auditlog-2018.06.04 0 r UNASSIGNED INDEX_CREATED
curl -H 'Content-Type: application/json' -XPUT 'https://127.0.0.1:9200/sg6-auditlog-*/_settings' -d '{"number_of_replicas":0}'
curl -XDELETE 'https://127.0.0.1:9200/sg6-auditlog*'
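The check implied by the output above, as an added example that is not part of the original post: it parses `_cat/shards` text and one allocation-explain response to confirm that the only unassigned shards are replicas refused by the `same_shard` decider, which is the case `number_of_replicas: 0` resolves on a single node. The sample input is constructed from the post's output, the function names are hypothetical, and one explain response is assumed to be representative of every listed index.

```python
import json
from collections import defaultdict

# Constructed sample input, modelled on the output shown in the post.
CAT_SHARDS = """\
sg6-auditlog-2018.06.04 3 p STARTED
sg6-auditlog-2018.06.04 3 r UNASSIGNED INDEX_CREATED
sg6-auditlog-2018.06.04 4 p STARTED
sg6-auditlog-2018.06.04 4 r UNASSIGNED INDEX_CREATED
"""

EXPLAIN = json.loads("""{
  "index": "sg6-auditlog-2018.06.04", "shard": 3, "primary": false,
  "current_state": "unassigned", "can_allocate": "no",
  "node_allocation_decisions": [
    {"node_name": "node-1", "node_decision": "no",
     "deciders": [{"decider": "same_shard", "decision": "NO"}]}
  ]
}""")


def unassigned_by_index(cat_output):
    """Parse `h=index,shard,prirep,state,unassigned.reason` rows into {index: {"p": [], "r": []}}."""
    result = defaultdict(lambda: {"p": [], "r": []})
    for line in cat_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "UNASSIGNED" and fields[2] in ("p", "r"):
            result[fields[0]][fields[2]].append(int(fields[1]))
    return dict(result)


def blocked_only_by_same_shard(explain):
    """True when a replica is refused by every node solely because that node holds a copy."""
    nodes = explain.get("node_allocation_decisions", [])
    if explain.get("primary") or not nodes:
        return False
    for node in nodes:
        vetoes = [d["decider"] for d in node.get("deciders", []) if d["decision"] == "NO"]
        if vetoes != ["same_shard"]:
            return False
    return True


def indices_needing_zero_replicas(cat_output, explain):
    """Indices whose unassigned shards are all replicas that no node can accept."""
    if not blocked_only_by_same_shard(explain):
        return []
    shards = unassigned_by_index(cat_output)
    return sorted(name for name, s in shards.items() if s["r"] and not s["p"])
```

Setting `number_of_replicas` to 0 keeps the audit events already indexed, while the `-XDELETE` command removes them.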