Decomission Search Node?

[ben-sec]

Hello!

Is it possible to decomission one of two search nodes (not in full cluster mode) in my distributed deployment? I want to remove the server from my 2.3 grid and use it for a new 2.4 grid. In other words, how can I prevent that new logs are written to search node B? Everything should go to search node A, but I still want to be able to query all logs from both servers.

Bonus question: Is there a way to move the stored data to the remaining search node (provided that the search node has enough disk space to hold all the data ...)? How? Is there a documentation around regarding the necessary steps? Or should I rather wait until all the old data has been removed by curator?

Cheers, Ben

[cm-ops]

If you want to continue to search that node, easiest way is to disable Logstash on that node until the data is purged. Then remove it from the cluster settings on the manager https://docs.securityonion.net/en/2.3/removing-a-node.html?#cross-cluster-search

If you wanted to move data from node A to node B, you could try to reindex from remote https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html#reindex-from-remote

[ben-sec]

Thanks, sounds good. But how do I disable Logstash permanently, without Salt restarting it again (I think that's what gonna happen ...)? Or is so-logstash-stop sufficient?

[cm-ops]

If you stop the container the minion will start it again when it checks in. You would want to go into that minion's pillar file and add the below:

logstash:
  enabled: False

Then if you reboot, the node will come up with Logstash showing as "missing" and if you try to start it you will see a state not allowed message.

[ben-sec]

Disabled. Thanks!