Index Blocked — Symptoms, Causes, and Manual Rotation in Graylog

What "blocked index" means

OpenSearch can set an index to read-only (or otherwise block writes) to protect cluster stability—most commonly when the flood-stage disk watermark is exceeded, or when an admin/automation sets index block flags.

Typical block settings on an index:

  • index.blocks.read_only_allow_delete = true (most common)
  • index.blocks.read_only = true
  • index.blocks.write = true

Common symptoms in Graylog / OpenSearch

Graylog UI / logs

  • Streams show 0 msg/s despite inputs receiving data.
  • Errors in server.log:
    blocked by: [FORBIDDEN/12/index read-only / allow delete (api)]
  • Deflector alias points to a write index that won't accept documents.

OpenSearch side

  • /_cat/indices?v shows the active index but indexing fails.
  • /{index}/_settings reveals one of the block flags.
  • Cluster health may be yellow or red; nodes near 90–95% disk.

Step 1 — Verify which indices are blocked

# List indices and health
curl -sS "$OS_URL/_cat/indices?v"

# Show block-related settings across all indices
curl -sS "$OS_URL/_all/_settings?flat_settings=true&filter_path=**.blocks.*" | jq

# Inspect a specific index
curl -sS "$OS_URL/<index>/_settings?flat_settings=true" | jq

Step 2 — Check common root causes

  • Disk flood-stage triggered (very common).
  • Manual/automation block (admin set block flags).
  • Index closed (cannot receive writes).
  • Security/privilege issues (less common if it worked before).

Quick disk checks:

# Watermark configuration
curl -sS "$OS_URL/_cluster/settings?include_defaults=true"

# Node disk usage
curl -sS "$OS_URL/_cat/allocation?v"
curl -sS "$OS_URL/_cat/nodes?v&h=name,ip,diskAvail,diskUsedPercent"
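
The checks from Steps 1 and 2 can be combined into one triage pass. The Python sketch below is an added example, not part of the original article; it runs on constructed sample responses (the index names, node names and the `format=json` variants of the `_cat` calls are assumptions) and reports which deflector alias is stuck and whether disk must be freed before clearing blocks.

```python
import json

# Constructed sample responses (not real cluster output), shaped like
# /_all/_settings?flat_settings=true, /_cat/allocation?format=json, /_cat/aliases?format=json
SETTINGS = json.loads("""{
  "graylog_41": {"settings": {"index.number_of_shards": "1"}},
  "graylog_42": {"settings": {"index.blocks.read_only_allow_delete": "true"}},
  "audit_7":    {"settings": {"index.blocks.write": "true"}}
}""")
ALLOCATION = json.loads("""[
  {"node": "os-node-1", "disk.percent": "96"},
  {"node": "os-node-2", "disk.percent": "71"},
  {"node": "UNASSIGNED", "disk.percent": null}
]""")
ALIASES = json.loads("""[
  {"alias": "graylog_deflector", "index": "graylog_42"},
  {"alias": "audit_deflector", "index": "audit_8"}
]""")

BLOCK_FLAGS = ("index.blocks.read_only_allow_delete",
               "index.blocks.read_only", "index.blocks.write")

def blocked_indices(settings):
    """Return {index: [block flags set to true]} for indices that reject writes."""
    found = {}
    for index, body in settings.items():
        flat = body.get("settings", {})
        flags = [f for f in BLOCK_FLAGS if str(flat.get(f, "")).lower() == "true"]
        if flags:
            found[index] = flags
    return found

def nodes_at_flood_stage(allocation, flood_pct=95):
    """Return nodes at or above the flood-stage percentage (skips UNASSIGNED rows)."""
    return [row["node"] for row in allocation
            if row.get("disk.percent") is not None and int(row["disk.percent"]) >= flood_pct]

def triage(settings, allocation, aliases, flood_pct=95):
    """Combine the checks: what is blocked, which alias is stuck, what to do first."""
    blocked = blocked_indices(settings)
    full = nodes_at_flood_stage(allocation, flood_pct)
    # Deflector aliases whose current write index carries a block flag
    stuck = sorted(a["alias"] for a in aliases
                   if a["alias"].endswith("_deflector") and a["index"] in blocked)
    # While a node is above flood stage, a cleared block is simply reapplied
    action = "none" if not blocked else ("free disk first" if full else "clear blocks")
    return {"blocked": blocked, "full_nodes": full, "stuck_aliases": stuck, "action": action}

if __name__ == "__main__":
    print(json.dumps(triage(SETTINGS, ALLOCATION, ALIASES), indent=2))
```

To use it against a live cluster, replace the three sample constants with the parsed output of the corresponding curl calls.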

Step 3 — Unblock the affected indices

# Clear write-block flags on all indices (free disk space first; above flood stage the block is reapplied)
curl -sS -X PUT "$OS_URL/_all/_settings" -H 'Content-Type: application/json' -d '{
 "index.blocks.read_only_allow_delete": false,
 "index.blocks.read_only": false,
 "index.blocks.write": false
}'

# Reopen a closed index
curl -sS -X POST "$OS_URL/<index>/_open"

Optional: tune watermarks (persistent):

curl -sS -X PUT "$OS_URL/_cluster/settings" -H 'Content-Type: application/json' -d '{
 "persistent": {
 "cluster.routing.allocation.disk.watermark.low": "85%",
 "cluster.routing.allocation.disk.watermark.high": "90%",
 "cluster.routing.allocation.disk.watermark.flood_stage": "95%",
 "cluster.info.update.interval": "1m"
 }
}'

Step 4 — Manually rotate the Graylog write index

Via Graylog UI

  1. Go to System → Indices → Index Sets.
  2. Open the affected Index Set.
  3. Click Rotate active write index.

Step 5 — Post-rotation checks

  • Graylog inputs show a non-zero ingest rate again.
  • /_cat/aliases?v shows the deflector alias pointing to the newest index.
  • /_cat/indices?v shows the new index increasing in docs.count.
  • No new read-only / allow delete errors in Graylog logs.

Check alias and index activity:

curl -sS "$OS_URL/_cat/aliases?v"
curl -sS "$OS_URL/_cat/indices?v&s=pri.store.size:desc"

FAQ

Q: Rotation succeeded but writes still fail.
A: Re-check disk watermarks and block flags on the new index. Confirm the deflector alias moved.

Q: Cluster is red.
A: Fix shard allocation (disk space, node health). Rotation won't help if primaries are unassigned.

Summary: Free disk → clear index blocks → rotate Graylog's active index → verify alias & ingest.