Elasticsearch Curator

Elasticsearch Curator helps curate, or manage, Elasticsearch indices and snapshots. It fetches the full list of indices (or snapshots) from the cluster as an actionable list, narrows that list with user-defined filters, and then performs an action on whatever remains.

Standard operations on indices and snapshots include

  • Add or remove indices from an alias
  • Change shard routing allocation
  • Close indices
  • Create index
  • Delete indices
  • Delete snapshots
  • Open closed indices
  • forceMerge indices
  • reindex indices, including from remote clusters
  • Change the number of replicas per shard for indices
  • rollover indices
  • Take a snapshot (backup) of indices
  • Restore snapshots

Curator installation on CentOS 7 using yum

Elastic signs all of its packages with the PGP key D88E42B4 (Elastic's Signing Key), fingerprint 4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4. The key is available from http://pgp.mit.edu as well as from Elastic's package server. Compare the fingerprint of the key you download against this value before importing it: gpgcheck=1 in the repository file verifies packages against whatever key sits in the RPM database, so the check is only as trustworthy as that import.

Download and install the public signing key:

rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

Create a curator.repo file in /etc/yum.repos.d/. Both URLs are given here as https: gpgcheck=1 verifies each package's signature, but the repository metadata and the key fetch should not travel in the clear either.

[root@myhost ~]# cd /etc/yum.repos.d/
[root@myhost yum.repos.d]#

[root@myhost yum.repos.d]# vim curator.repo
[curator-5]
name=CentOS/RHEL 7 repository for Elasticsearch Curator 5.x packages
baseurl=https://packages.elastic.co/curator/5/centos/7
gpgcheck=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1

Install Curator using the following command

[root@myhost yum.repos.d]# yum install elasticsearch-curator
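As an added example (not from the original post or from Elastic), the three steps above as one script that refuses to import the key unless its fingerprint matches the value quoted earlier. It assumes curl, gpg, rpm and yum on the host; the gpg call without a command is the legacy listing form that CentOS 7's gpg 2.0 accepts.

```shell
#!/bin/sh
# Added example (not from the original post or from Elastic): import Elastic's
# signing key only after checking its fingerprint, then add the repo and
# install Curator. Usage: sh install-curator.sh install
set -eu

EXPECTED_FP='4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4'
KEY_URL='https://packages.elastic.co/GPG-KEY-elasticsearch'
REPO_FILE='/etc/yum.repos.d/curator.repo'

# Drop spaces and upper-case the hex so fingerprints printed by different
# tools compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# 0 when both arguments name the same key, 1 otherwise.
same_fp() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Fingerprint of the first key in an ASCII-armoured key file. Running gpg on
# a file with no command is the legacy listing form that gpg 2.0 (CentOS 7)
# understands; newer releases print a warning but emit the same fpr record.
key_fingerprint() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Repository definition with https for both the metadata and the key URL.
write_repo_file() {
    cat > "$1" <<'EOF'
[curator-5]
name=CentOS/RHEL 7 repository for Elasticsearch Curator 5.x packages
baseurl=https://packages.elastic.co/curator/5/centos/7
gpgcheck=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
EOF
}

main() {
    key=$(mktemp)
    trap 'rm -f "$key"' EXIT
    curl -fsSL -o "$key" "$KEY_URL"
    actual=$(key_fingerprint "$key")
    if ! same_fp "$EXPECTED_FP" "$actual"; then
        echo "refusing to import: fingerprint '$actual' does not match the expected key" >&2
        exit 1
    fi
    rpm --import "$key"
    write_repo_file "$REPO_FILE"
    yum -y install elasticsearch-curator
}

# Only act when asked, so the functions above can also be sourced and tested.
if [ "${1:-}" = "install" ]; then
    main
fi
```

The fingerprint is pinned in the script rather than read from the key server, so a swapped key on the download path fails the comparison instead of silently becoming the trust anchor for every later yum install from this repository.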

Modify the Curator config files

[root@myhost yum.repos.d]# cd /usr/share/curator/
[root@myhost curator]# ls
action_file.yml curator.yml

The Elasticsearch host and port are defined in curator.yml. The configuration below talks to a local node over plain HTTP with no credentials, which is only acceptable when Elasticsearch listens on 127.0.0.1 and has no security enabled; if the cluster is remote or protected, set use_ssl, certificate and http_auth, and leave ssl_no_validate at False. Remember that the account Curator uses can delete every index it can see, so give it the narrowest privileges the actions need.

[root@myhost curator]# vim curator.yml
---
client:
  hosts:
    - 127.0.0.1
  port: 9200
  url_prefix:
  use_ssl: False
  certificate:
  client_cert:
  client_key:
  aws_key:
  aws_secret_key:
  aws_region:
  ssl_no_validate: False
  http_auth:
  timeout: 30
  master_only: False
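As an added example (not from the original post or from Elastic), the hardened counterpart of the file above: TLS with the server certificate verified against a CA, HTTP basic auth, and a logfile so scheduled runs leave a record. Because the file then carries a password it is written mode 0600. The host name, CA path, user name and log path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): write a curator.yml that reaches
# Elasticsearch over TLS with the certificate verified against a CA and logs in
# with HTTP basic auth, kept mode 0600 because it holds the password. The host
# name, CA path, user name and log path are placeholders.
set -eu

# Write the client configuration to $1 for host $2 as user $3. The password
# comes from the CURATOR_PASSWORD environment variable rather than an argument,
# so it does not land in shell history or the process list. The body runs in a
# subshell so the umask change does not leak to the caller.
write_curator_config() (
    path=$1; host=$2; user=$3
    password=${CURATOR_PASSWORD:?set CURATOR_PASSWORD before calling}
    umask 077                     # a new file is created 0600
    cat > "$path" <<EOF
---
client:
  hosts:
    - ${host}
  port: 9200
  url_prefix:
  use_ssl: True
  certificate: /etc/curator/ca.crt     # CA that issued the Elasticsearch certificate (placeholder)
  client_cert:
  client_key:
  ssl_no_validate: False               # leave False: True switches certificate checking off
  http_auth: ${user}:${password}
  timeout: 30
  master_only: False

logging:
  loglevel: INFO
  logfile: /var/log/curator/curator.log   # placeholder path; a logged run beats cron mail
  logformat: default
  blacklist: ['elasticsearch', 'urllib3']
EOF
    chmod 600 "$path"             # also covers a file that already existed with a wider mode
)

# 0 when the file is readable and writable by its owner only.
is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

if [ "${1:-}" = "write" ]; then
    write_curator_config /etc/curator/curator.yml es.example.internal curator
    is_private /etc/curator/curator.yml && echo "curator.yml written with mode 0600"
fi
```

Run it as `CURATOR_PASSWORD=... sh write-curator-config.sh write`. The aws_* keys from the original file are omitted because they only apply to Amazon's hosted Elasticsearch; everything else keeps the same key names Curator 5 reads.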

The action file defines one action per index pattern: syslog-* indices older than 7 days and winlogbeat-* indices older than 15 days are deleted, with the age taken from the date in the index name rather than from the index's creation time.

[root@myhost curator]# vim action_file.yml
actions:
  1:
    action: delete_indices
    description: >-
      Delete indices older than 7 days (based on index name), for syslog-
      prefixed indices.
    options:
      ignore_empty_list: True
      timeout_override:
      continue_if_exception: False
      disable_action: False
    filters:
    - filtertype: pattern
      kind: prefix
      value: syslog-
      exclude:
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: 7
      exclude:
  2:
    action: delete_indices
    description: >-
      Delete indices older than 15 days (based on index name), for winlogbeat-
      prefixed indices.
    options:
      ignore_empty_list: True
      timeout_override:
      continue_if_exception: False
      disable_action: False
    filters:
    - filtertype: pattern
      kind: prefix
      value: winlogbeat-
      exclude:
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: 15
      exclude:

Run curator --help to see the usage and the available options:

[root@myhost curator]# curator --help
Usage: curator [OPTIONS] ACTION_FILE

Curator for Elasticsearch indices.

See http://elastic.co/guide/en/elasticsearch/client/curator/current

Options:
--config PATH Path to configuration file. Default: ~/.curator/curator.yml
--dry-run Do not perform any changes.
--version Show the version and exit.
--help Show this message and exit.

Run Curator by pointing it at the client configuration and the action file. Add --dry-run on the first run: Curator then logs which indices each action would touch without changing anything, which is the check to make before a delete action goes anywhere near production data.

[root@myhost curator]# /usr/bin/curator --config /usr/share/curator/curator.yml /usr/share/curator/action_file.yml

Add a crontab entry to run Curator on a schedule:

[root@myhost curator]# crontab -e

0 8 * * * /usr/bin/curator --config /usr/share/curator/curator.yml /usr/share/curator/action_file.yml

This runs Curator at 08:00 every day. Because the entry lives in root's crontab, Curator runs as root; a dedicated unprivileged user with read access to the two YAML files is enough. Output from cron jobs is mailed to the crontab's owner rather than written to a log, so set a logfile in curator.yml or redirect the command's output, otherwise a failing run goes unnoticed until the disk fills.

Crontab entry format

A crontab line has five time fields followed by the command to run; there is no year field, and the day-of-week range starts at 0 (Sunday), not at 1 (Monday).

* * * * * command
| | | | |
| | | | +---- Day of the week (range: 0-7; both 0 and 7 mean Sunday)
| | | +------ Month of the year (range: 1-12)
| | +-------- Day of the month (range: 1-31)
| +---------- Hour (range: 0-23)
+------------ Minute (range: 0-59)

Elasticsearch log entries written during the run; these lines are the audit trail of what Curator deleted:

[root@myhost elasticsearch]# tail -f MY-SIEM.log
[2018-04-23T08:03:15,516][INFO ][o.e.c.m.MetaDataDeleteIndexService] [0Wtoamx] [winlogbeat-2018.02.23/NvGVXFlxReCMg-iVEodMfw] deleting index
[2018-04-23T08:03:15,516][INFO ][o.e.c.m.MetaDataDeleteIndexService] [0Wtoamx] [winlogbeat-2018.02.08/57YPi-xETL2an-HaAQ1qRg] deleting index
[2018-04-23T08:03:15,516][INFO ][o.e.c.m.MetaDataDeleteIndexService] [0Wtoamx] [winlogbeat-2018.04.14/WvSpP8C6TzWvbHVPqhoJBg] deleting index
[2018-04-23T08:03:15,517][INFO ][o.e.c.m.MetaDataDeleteIndexService] [0Wtoamx] [winlogbeat-2018.03.17/Ibd1SNvsScaERqfxjOuj3g] deleting index
[2018-04-23T08:03:15,517][INFO ][o.e.c.m.MetaDataDeleteIndexService] [0Wtoamx] [winlogbeat-2018.02.07/qDOP9Eh9RbmABhhfpPGvWg] deleting index
[2018-04-23T08:03:15,517][INFO ][o.e.c.m.MetaDataDeleteIndexService] [0Wtoamx] [winlogbeat-2018.02.05/0EctcN7nTW6Pl1to8bdG-Q] deleting index
[2018-04-23T08:03:15,517][INFO ][o.e.c.m.MetaDataDeleteIndexService] [0Wtoamx] [winlogbeat-2018.04.02/PAW6MtANQviwZluhCacq8Q] deleting index
[2018-04-23T08:03:15,517][INFO ][o.e.c.m.MetaDataDeleteIndexService] [0Wtoamx] [winlogbeat-2018.01.28/lLEH0ST_QCS1MpqaBLPwwA] deleting index
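As an added example (not from the original post or from Curator), one script that serves two passages above: it reproduces the selection the action file makes (prefix pattern, then age from the %Y.%m.%d date in the name) in plain sh, and it reads "deleting index" log lines like the ones just shown and checks each deletion against that same retention. Note what the check finds on the page's own data: with unit_count 15 for winlogbeat- in the action file, winlogbeat-2018.04.14 was only 9 days old on 2018-04-23, so the audit reports it, which is exactly the kind of mismatch between the configured policy and what actually ran that a SIEM owner wants to hear about. Index names and log lines are taken from the post; the .kibana_1 log line is constructed to show a deletion no action explains; "now" is fixed to the log's date.

```shell
#!/bin/sh
# Added example (not from the original post). Part 1 mirrors the action file's
# selection; part 2 audits Elasticsearch "deleting index" log lines against the
# same retention. Index names and log lines come from the post; the .kibana_1
# line is constructed; "now" is fixed to 2018-04-23, the date in the log.
set -eu

# Days since 1970-01-01 for a Gregorian date (Howard Hinnant's days_from_civil,
# years >= 0 only). Leading zeros are stripped so "08" is not read as octal.
days_from_civil() {   # $1 year, $2 month, $3 day
    y=$1; m=${2#0}; d=${3#0}
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# Day number of the date an index name ends with (syslog-2018.04.16 -> 17637),
# or nothing when the name carries no %Y.%m.%d date, which is what makes
# Curator's age filter skip it.
index_day() {
    case $1 in
        *[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]) ;;
        *) return 0 ;;
    esac
    stamp=${1#"${1%??????????}"}        # last 10 characters: 2018.04.16
    y=${stamp%%.*}; rest=${stamp#*.}; m=${rest%%.*}; d=${rest#*.}
    days_from_civil "$y" "$m" "$d"
}

# What one delete_indices action selects: names on stdin that start with
# prefix $1 and are dated $2 or more days before day number $3. Curator
# compares epoch seconds, so an index dated exactly unit_count days ago is
# selected once the run happens after midnight; ">= count" models that.
select_for_deletion() {
    prefix=$1; count=$2; now=$3
    while IFS= read -r name; do
        case $name in "$prefix"*) ;; *) continue ;; esac
        day=$(index_day "$name")
        [ -n "$day" ] || continue
        if [ $((now - day)) -ge "$count" ]; then echo "$name"; fi
    done
}

# Retention the action file gives each prefix; empty for anything else.
retention_days() {
    case $1 in
        syslog-*)     echo 7 ;;
        winlogbeat-*) echo 15 ;;
    esac
}

# Read Elasticsearch log lines on stdin; print one line per deletion of an
# index still inside its retention, or of a prefix no action is meant to touch.
audit_deletions() {
    while IFS= read -r line; do
        case $line in *"deleting index") ;; *) continue ;; esac
        stamp=${line#\[}; stamp=${stamp%%T*}               # 2018-04-23
        y=${stamp%%-*}; md=${stamp#*-}; m=${md%%-*}; d=${md#*-}
        logday=$(days_from_civil "$y" "$m" "$d")
        index=${line##*\[}; index=${index%%/*}             # winlogbeat-2018.04.14
        keep=$(retention_days "$index")
        if [ -z "$keep" ]; then
            echo "UNEXPECTED $index: no action deletes this prefix"
            continue
        fi
        day=$(index_day "$index")
        if [ -n "$day" ] && [ $((logday - day)) -lt "$keep" ]; then
            echo "EARLY $index: $((logday - day)) days old, retention $keep"
        fi
    done
}

# Sample data: index names in the style of the post, and log lines copied from
# it plus one constructed .kibana_1 deletion.
INDICES='syslog-2018.04.23
syslog-2018.04.17
syslog-2018.04.16
syslog-2018.03.01
syslog-archive
.kibana'
LOG_SAMPLE='[2018-04-23T08:03:15,516][INFO ][o.e.c.m.MetaDataDeleteIndexService] [0Wtoamx] [winlogbeat-2018.02.23/NvGVXFlxReCMg-iVEodMfw] deleting index
[2018-04-23T08:03:15,516][INFO ][o.e.c.m.MetaDataDeleteIndexService] [0Wtoamx] [winlogbeat-2018.04.14/WvSpP8C6TzWvbHVPqhoJBg] deleting index
[2018-04-23T08:03:15,517][INFO ][o.e.c.m.MetaDataDeleteIndexService] [0Wtoamx] [winlogbeat-2018.04.02/PAW6MtANQviwZluhCacq8Q] deleting index
[2018-04-23T08:03:16,001][INFO ][o.e.c.m.MetaDataDeleteIndexService] [0Wtoamx] [.kibana_1/constructed00000000000] deleting index'

if [ "${1:-}" = "demo" ]; then
    echo "syslog- indices the 7-day action would delete on 2018-04-23:"
    printf '%s\n' "$INDICES" | select_for_deletion syslog- 7 "$(days_from_civil 2018 4 23)"
    echo "audit of the log lines:"
    printf '%s\n' "$LOG_SAMPLE" | audit_deletions
fi
```

Run with `sh curator-audit.sh demo`. Pointed at the real Elasticsearch log (tail -f ... | audit_deletions) and fed the retention map that matches the live action file, the audit turns the log lines into an alert whenever a deletion does not match policy, whether because the action file was edited, a second Curator instance exists, or someone deleted an index by hand.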

Disk usage before executing Curator:

[root@myhost elasticsearch]# df -k
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/centos-root 209751040 196268592 13482448 94% /

Disk usage after executing Curator:

[root@myhost curator]# df -k
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/centos-root 209751040 47807144 161943896 23% /