I have been running Security Onion 2.3.130 for a while now without any issues. Two days ago I stopped getting alerts. I checked disk space on the Storage node and it was fairly full, so I made some space, but that didn't help. Checking logs, I saw that the Logstash log is saying that the maximum number of shards has been reached and that the action would require the addition of 1 shard: "Validation Failed: 1: this action would add [1] shards, but this cluster currently has [1000]/[1000] maximum normal shards open"

I have looked into whether this is my issue and, if so, how to fix it, but have come up empty on both. There have been no changes to any configuration and, as stated, this has been working without issues for over a year. Any insight and assistance would be greatly appreciated.
Replies: 1 comment 2 replies
You need to close older indices. https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-close.html You most likely need to reduce the number of days you are keeping.
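As an added example (not part of the original thread, and not Security Onion's own tooling), the sketch below plans which indices to close from the JSON output of Elasticsearch's `_cat/indices` API, oldest first, until the open shard count drops below the limit with some headroom. The index names, dates and the small limit are constructed for illustration; `load`, `open_shards` and `plan_closures` are hypothetical helper names.

```python
import json

# Constructed sample of:
#   GET _cat/indices?format=json&h=index,status,pri,rep,creation.date
# Index names and timestamps are made up; rows are deliberately unsorted.
SAMPLE_JSON = """[
 {"index": "logs-2022.05.04", "status": "open",  "pri": "2", "rep": "1", "creation.date": "1651622400000"},
 {"index": ".kibana_1",       "status": "open",  "pri": "1", "rep": "0", "creation.date": "1640995200000"},
 {"index": "logs-2022.05.02", "status": "open",  "pri": "1", "rep": "1", "creation.date": "1651449600000"},
 {"index": "logs-2022.05.03", "status": "close", "pri": "1", "rep": "1", "creation.date": "1651536000000"},
 {"index": "logs-2022.05.01", "status": "open",  "pri": "1", "rep": "1", "creation.date": "1651363200000"},
 {"index": "logs-2022.05.05", "status": "open",  "pri": "1", "rep": "0", "creation.date": "1651708800000"}
]"""

def load(text):
    """Parse the JSON body returned by _cat/indices?format=json."""
    return json.loads(text)

def shards_of(row):
    """Primaries plus all replica copies for one index."""
    return int(row["pri"]) * (1 + int(row["rep"]))

def open_shards(rows):
    """Only open indices count toward the 'maximum normal shards open' limit."""
    return sum(shards_of(r) for r in rows if r["status"] == "open")

def plan_closures(rows, limit, headroom):
    """Pick the oldest open, non-system indices until usage <= limit - headroom."""
    used = open_shards(rows)
    candidates = sorted(
        (r for r in rows if r["status"] == "open" and not r["index"].startswith(".")),
        key=lambda r: int(r["creation.date"]),
    )
    to_close = []
    for row in candidates:
        if used <= limit - headroom:
            break
        used -= shards_of(row)
        to_close.append(row["index"])
    return to_close, used

if __name__ == "__main__":
    # limit=10 stands in for the cluster's real limit (1000 in the error above).
    names, remaining = plan_closures(load(SAMPLE_JSON), limit=10, headroom=3)
    for name in names:
        print(f"POST /{name}/_close")
    print(f"open shards after closing: {remaining}")
```

Closing only frees shard slots; the data stays on disk until the index is deleted, so a full Storage node still needs retention reduced.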