Elasticsearch Restoration

For more detailed information, refer to the Elasticsearch Restore Snapshot Guide.

Note

For further details, refer to the Data Backup guide.

To perform a restoration, complete the following steps:

  1. Stop the following File Access Manager (FAM) services in the DR environment:

    • File Access Manager Event Manager
    • File Access Manager Scheduled Task Handler
    • File Access Manager Central Data Classification
    • File Access Manager Activity Analytics
  2. On each node of the disaster recovery Elasticsearch cluster, locate the elasticsearch.yml config file and set the path.repo: value to the Production backup base path.

  3. Restart Elasticsearch. path.repo is a static node setting, so the change only takes effect after each node has been restarted.

  4. Register the Production continuous repository with the disaster recovery Elasticsearch cluster as read-only:

    PUT _snapshot/continuous_backup
    {
      "type": "fs",
      "settings": {
        "location": "continuous_backup",
        "readonly": "true"
      }
    }

    The readonly setting is not optional here. The Production cluster is still writing to this repository, and registering the same repository with write access from a second cluster risks corrupting its contents. Confirm the registration with GET _snapshot/continuous_backup before continuing.
    
  5. On the disaster recovery cluster, temporarily stop indexing and turn off the following features:

    GeoIP database downloader

      PUT _cluster/settings
      {
        "persistent": {
          "ingest.geoip.downloader.enabled": false
        }
      }

    ILM

      POST _ilm/stop

    Monitoring

      PUT _cluster/settings
      {
        "persistent": {
          "xpack.monitoring.collection.enabled": false
        }
      }

    Machine Learning

      POST _ml/set_upgrade_mode?enabled=true

    Watcher

      POST _watcher/_stop

  6. Use the cluster update settings API to set action.destructive_requires_name to false. This allows you to delete data streams and indices using wildcards, so confirm that the client you are using is connected to the disaster recovery cluster, not Production, before running the deletes that follow.

    PUT _cluster/settings
    {
      "persistent": {
        "action.destructive_requires_name": false
      }
    }

  7. Delete all existing data streams on the cluster.

    DELETE _data_stream/*?expand_wildcards=all

  8. Delete all existing indices on the cluster.

    DELETE *?expand_wildcards=all

  9. Copy the name of the snapshot that you want and restore it from the Production repository to the disaster recovery Elasticsearch cluster (see step 5 in the full cluster instructions).

    To list the available snapshots, newest first:

      GET _snapshot/continuous_backup/*?order=desc

    Use the first snapshot whose "state" is "SUCCESS"; skip any whose state is PARTIAL or FAILED.

  10. When the restore operation is complete, resume indexing and restart the features you stopped:

    GeoIP database downloader

      PUT _cluster/settings
      {
        "persistent": {
          "ingest.geoip.downloader.enabled": true
        }
      }

    ILM

      POST _ilm/start

    Machine Learning

      POST _ml/set_upgrade_mode?enabled=false

    Monitoring

      PUT _cluster/settings
      {
        "persistent": {
          "xpack.monitoring.collection.enabled": true
        }
      }

    Watcher

      POST _watcher/_start

  11. Reset the action.destructive_requires_name cluster setting to its default:

    PUT _cluster/settings
    {
      "persistent": {
        "action.destructive_requires_name": null
      }
    }

  12. Unregister the Production repository from the disaster recovery cluster:

    DELETE _snapshot/continuous_backup

    Unregistering only removes the cluster's reference to the repository location; the snapshots stored there are left in place.

  13. On each node of the disaster recovery Elasticsearch cluster, find the elasticsearch.yml config file, change the path.repo: value back to the disaster recovery backup base path, and restart Elasticsearch.

  14. Register the disaster recovery continuous repository with the disaster recovery Elasticsearch cluster:

    PUT _snapshot/continuous_backup
    {
      "type": "fs",
      "settings": {
        "location": "continuous_backup"
      }
    }

  15. When failing back to the Production environment, follow the same steps with the roles reversed: read "Production" as "disaster recovery" and vice versa.
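The following script runs steps 5 through 11 above as one sequence against the disaster recovery cluster. It is an added example, not code from the File Access Manager documentation and not SailPoint's or Elastic's own tooling. It assumes the cluster is reachable at ES_URL, that basic-auth credentials are supplied in ES_AUTH as "user:pass", that the Production repository has already been registered read-only under the name continuous_backup (step 4), and that the caller holds the manage, manage_ilm, manage_ml and manage_watcher cluster privileges. Before it deletes anything it checks that the repository really is read-only, and it restores the action.destructive_requires_name guard even if the restore fails part-way. Set ES_DRY_RUN=1 to print the requests instead of sending them.

```python
"""Drive the DR restore sequence (stop features, wipe, restore, restart).

Added example for the page above, not SailPoint's or Elastic's code.
Assumed: ES_URL, ES_AUTH, repository continuous_backup registered read-only.
"""
import base64
import json
import os
import urllib.request

ES_URL = os.environ.get("ES_URL", "http://localhost:9200")  # assumed endpoint
ES_AUTH = os.environ.get("ES_AUTH")                         # assumed "user:pass"
REPO = "continuous_backup"
DRY_RUN = os.environ.get("ES_DRY_RUN") == "1"

# Features turned off before the destructive steps, in the page's order.
STOP_FEATURES = [
    ("PUT", "/_cluster/settings", {"persistent": {"ingest.geoip.downloader.enabled": False}}),
    ("POST", "/_ilm/stop", None),
    ("PUT", "/_cluster/settings", {"persistent": {"xpack.monitoring.collection.enabled": False}}),
    ("POST", "/_ml/set_upgrade_mode?enabled=true", None),
    ("POST", "/_watcher/_stop", None),
]
# Features turned back on after the restore, in the page's order.
START_FEATURES = [
    ("PUT", "/_cluster/settings", {"persistent": {"ingest.geoip.downloader.enabled": True}}),
    ("POST", "/_ilm/start", None),
    ("POST", "/_ml/set_upgrade_mode?enabled=false", None),
    ("PUT", "/_cluster/settings", {"persistent": {"xpack.monitoring.collection.enabled": True}}),
    ("POST", "/_watcher/_start", None),
]


def es(method, path, body=None):
    """Send one request to the cluster and return its decoded JSON body."""
    if DRY_RUN:
        print(method, path, json.dumps(body) if body is not None else "")
        return {}
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(ES_URL.rstrip("/") + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    if ES_AUTH:
        req.add_header("Authorization", "Basic " + base64.b64encode(ES_AUTH.encode()).decode())
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


def repo_is_readonly(repo_info):
    """True if the GET _snapshot/<repo> response shows readonly: true.

    A production repository mounted by a second cluster must be read-only;
    two clusters writing the same fs repository risk corrupting it, so this
    is verified before anything destructive runs rather than assumed.
    """
    settings = repo_info.get(REPO, {}).get("settings", {})
    return str(settings.get("readonly", "false")).lower() == "true"


def pick_snapshot(listing):
    """Name of the newest snapshot whose state is SUCCESS, or None.

    `listing` is the body of GET _snapshot/<repo>/*?order=desc; with
    order=desc the newest start time comes first, so the first SUCCESS entry
    is the one to restore. PARTIAL and FAILED snapshots are skipped.
    """
    for snap in listing.get("snapshots", []):
        if snap.get("state") == "SUCCESS":
            return snap["snapshot"]
    return None


def restore_body():
    """Body for POST _snapshot/<repo>/<snapshot>/_restore: all indices plus
    the cluster state, as in a full-cluster restore."""
    return {"indices": "*", "include_global_state": True}


def run():
    if not DRY_RUN and not repo_is_readonly(es("GET", "/_snapshot/" + REPO)):
        raise SystemExit("refusing to continue: %s is not registered read-only" % REPO)
    for method, path, body in STOP_FEATURES:                      # step 5
        es(method, path, body)
    es("PUT", "/_cluster/settings",                               # step 6
       {"persistent": {"action.destructive_requires_name": False}})
    try:
        es("DELETE", "/_data_stream/*?expand_wildcards=all")      # step 7
        es("DELETE", "/*?expand_wildcards=all")                   # step 8
        name = pick_snapshot(es("GET", "/_snapshot/%s/*?order=desc" % REPO))
        if name is None and not DRY_RUN:
            raise SystemExit("no SUCCESS snapshot in repository %s" % REPO)
        es("POST", "/_snapshot/%s/%s/_restore?wait_for_completion=true"
           % (REPO, name or "<snapshot>"), restore_body())          # step 9
    finally:
        # Put the wildcard-delete guard back whether or not the restore succeeded.
        es("PUT", "/_cluster/settings",                           # step 11
           {"persistent": {"action.destructive_requires_name": None}})
    for method, path, body in START_FEATURES:                     # step 10
        es(method, path, body)


if __name__ == "__main__":
    run()
```

The features are only restarted on the success path: if the restore raises, ILM, Watcher and the ML jobs stay stopped so nothing starts acting on a half-restored cluster while you investigate, and only the destructive_requires_name guard is reset unconditionally. Steps 12 to 14 (unregistering the repository and switching path.repo back) are node-level changes and are left to the operator.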