Where are data files of elasticsearch on a standard debian install?

Question

Now I'm in a very problematic situation...

My data server has been hacked and now I can't request my elasticsearch server by curl or any other method. I have a bunch of very critical data which was not yet backuped (2 days late, hell, I didn't see the alert that backup failed).

I've tried to restart the service but no way, it say nothing and I get nothing in processes when I'm watching with ps. I think that comes from my hoster which runs my server in a secure mode...

So I tried to locate the physical files but I didn't find them. I've a non-customized install so in my config file, I have this :

# Path to directory where to store index data allocated for this node.
#
# path.data: /path/to/data
#
# Can optionally include more than one location, causing data to be striped across
# the locations (a la RAID 0) on a file level, favouring locations with most free
# space on creation. For example:
#
# path.data: /path/to/data1,/path/to/data2

Great explined but finally, where are my files ?

Is someone there who can help me ? Thanks in advance to all great people in this place

Dan Tuffery · Accepted Answer · 2015-11-26T09:07:38.680

19

The index files are in:

/var/lib/elasticsearch/nodes/0/indices/{nameOfYourIndex}/(0-4}/index

edited Nov 26 '15 at 09:07

answered Jul 11 '14 at 09:30

Dan Tuffery

5,874
29
28

Can I copy them directly to a newer install and it will works as before ? I don't find any humanly readable file in it. There is a lot of files, but I prefer to be sure. That's why my question. Thank you for help :) – MathKimRobin Jul 11 '14 at 09:48
That is the Lucene index. You can copy the 'data' directory to another install of the same version of Elasticsearch but back it up first, if the index is not corrupt it will work. Is your Elasticseach a cluster or one node? On the new install you'll need to add any custom mappings/settings if you have them. – Dan Tuffery Jul 11 '14 at 10:05
Only one node. I have stopped the server, copy my files, started. No data getted with curl. I have tried to create the index before. Closing it and reopening it after copy, similar problem. It says that index is here but non data in it. In one of my originbal indexes, I had more than 200000 documents :s – MathKimRobin Jul 11 '14 at 10:25
Thank you Dan, I will find how to. I have saved files, maybe now I will find how to use them, but the main thing is there, I have my files. – MathKimRobin Jul 11 '14 at 10:47

score 8 · Answer 2 · answered May 04 '15 at 09:17

8

I found them in /var/lib/elasticsearch/.

answered May 04 '15 at 09:17

Christophe Quintard

1,858
1
22
30

Where are data files of elasticsearch on a standard debian install?

2 Answers2

Linked