automatically disable `auto_create_index` for Graylog managed indices in Elasticsearch

[jalogisch]

Fresh installations run regular in the problem that the deflector alias is created as an index.

We have documented what you need to configure to avoid that plus how you can resolve the situation.

http://docs.graylog.org/en/3.1/pages/faq.html#how-do-i-fix-the-deflector-exists-as-an-index-and-is-not-an-alias-error-message

In the mean elastic has improved the ability to set some settings via API and not only via configuration.

That is why I purpose that Graylog will set the index creation for the indices Graylog manage to off automatically:

https://www.elastic.co/guide/en/elasticsearch/reference/6.8/docs-index_.html#index-creation

This way we would solve the problem users run into - either because they already had elasticsearch running and just blindly point Graylog to it or because they do not notice that in the documentation.

[tboeghk]

Fun fact: If you configure your Elasticsearch cluster with

action.auto_create_index: false

your cluster will not start up due to this error:

[2019-09-23T13:25:44,120][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [XXXXXX] uncaught exception in thread [main]
Sep 23 15:25:44 XXXXXX docker[48147]: org.elasticsearch.bootstrap.StartupException: 
[...]
java.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.watcher.Watcher]
 Caused by: java.lang.IllegalArgumentException: the [action.auto_create_index] setting value [false] is too restrictive. disable [action.auto_create_index] or set it to [.watches,.triggered_watches,.watcher-history-*]

Tested with Elasticsearch 6.8.3 and Graylog 3.1.2

[jalogisch]

@tboeghk

that happens only if you install elasticsearch - but our documentation is written with the intention to install elasticsearch-oss what makes the difference.

The error in elasticsearch does indicate how to solve the problem ...

action.auto_create_index: [.watches,.triggered_watches,.watcher-history-*]