Elasticsearch indexes get deleted frequently

As answered by some people here, your cluster has been attacked by meow.

Since 6.8, security is available for free within the default distribution of Elasticsearch. So the ability to protect from meow is free. Have a look at this blog post to see how to prevent an Elasticsearch server breach.

Update: Elastic also released a new blog post covering this specific Meow attack.
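The answer above points at enabling the free security features; the script below is an added example (not code from the answer or from Elastic) that audits a flat elasticsearch.yml for the two settings that together make a Meow-style wipe possible: a non-loopback `network.host` combined with `xpack.security.enabled` left off. It assumes the file uses flat dotted keys (as elasticsearch.yml normally does) and checks only `network.host`, not an `http.host` override; both sample configs are constructed.

```python
"""Audit a flat elasticsearch.yml for the combination that lets anyone on the
network delete indices: public bind address + no authentication.
Added example; the sample configs below are constructed, not taken from a real host."""

# Host specs that resolve to the local machine only (ES special values included).
LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}


def parse_flat_yaml(text):
    """Minimal parser for the flat `key: value` lines elasticsearch.yml uses.
    Assumption: no nested blocks; `#` comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def bind_addresses(value):
    """Turn `0.0.0.0` or `["_local_", "_site_"]` into a list of host specs."""
    cleaned = value.strip("[]")
    return [h.strip().strip("\"'") for h in cleaned.split(",") if h.strip()]


def is_true(value):
    return value.strip().strip("\"'").lower() == "true"


def audit_elasticsearch_config(text):
    """Return a list of findings; an empty list means nothing to fix."""
    s = parse_flat_yaml(text)
    findings = []
    security_on = is_true(s.get("xpack.security.enabled", "false"))
    # network.host defaults to loopback when absent.
    hosts = bind_addresses(s.get("network.host", "_local_"))
    exposed = [h for h in hosts if h not in LOOPBACK]
    if not security_on:
        findings.append("xpack.security.enabled is not true: every request is unauthenticated")
    if exposed:
        findings.append("network.host binds to non-loopback address(es): " + ", ".join(exposed))
    if exposed and not security_on:
        findings.append("CRITICAL: cluster reachable over the network with no authentication; "
                        "an automated index wipe needs nothing more")
    if security_on and not is_true(s.get("xpack.security.http.ssl.enabled", "false")):
        findings.append("xpack.security.http.ssl.enabled is not true: credentials cross the wire in cleartext")
    return findings


# Constructed sample: the shape many of the hit clusters had.
WEAK_CONFIG = """\
cluster.name: shop-search
network.host: 0.0.0.0
http.port: 9200
"""

# Constructed sample: security on, loopback bind, TLS on the HTTP port.
HARDENED_CONFIG = """\
cluster.name: shop-search
network.host: _local_
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.transport.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch_config(cfg) or ["no findings"])
```

Run it against your own elasticsearch.yml by reading the file into `audit_elasticsearch_config`; the CRITICAL finding is the one to clear first, since binding to loopback or enabling security on its own already breaks the attack path.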


It looks like you are getting hit by a meow attack.

Hundreds of unsecured databases exposed on the public web are the target of an automated 'meow' attack that destroys data without any explanation.

The activity started recently by hitting Elasticsearch and MongoDB instances without leaving any explanation, or even a ransom note. Attacks then expanded to other database types and to file systems open on the web.

From this tweet, you can see that you are experiencing the same behavior seen by these attacks:

From the logs in MongoDB you can see it drops databases first, then creates new ones with $randomstring-meow

Please ensure that you are not using a default username and password for your DB and that your configuration is set up to avoid public-facing interactions. If you need to give access to your DB, use an API with key based auth, and only the bare minimum capabilities allowed.

Edit #1: You can observe the attacked databases here on shodan.io.

Edit #2: Some more advice for protecting from this (and other) attacks (from HackerNews user contrarianmop):

Also, as a rule of thumb, never ever expose anything but ports 80 and 443 if hosting a webapp.

If you must expose services other than http/s, then be sure not to leak their versions, have them secured properly and always up to date. The user running such services should also be a non-privileged user, the daemon chrooted, and the OS should have appropriate process and filesystem permissions in place.

Edit #3: An interesting theory as to why the attacker used the term "meow" is because cats like to drop (or knock) items from tables.
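The answer above describes the signature of the attack: existing indices gone, new ones named `$randomstring-meow`. The script below is an added example (not code from the answer) that triages a saved `GET _cat/indices?v` snapshot against the list of indices you expect to exist, reporting both the meow-named indices that appeared and the expected ones that vanished. The snapshot, the expected-index list and the `[a-z0-9]+-meow` name pattern are constructed assumptions based on the description in the answer.

```python
"""Triage a `_cat/indices?v` snapshot for Meow-style damage.
Added example; the snapshot and expected index set below are constructed."""

import re

# Assumed index-name pattern: random lowercase/digit string followed by "-meow".
MEOW_INDEX = re.compile(r"^[a-z0-9]+-meow$")

# Constructed snapshot of `GET _cat/indices?v` taken after an incident.
SNAPSHOT = """\
health status index            uuid                  pri rep docs.count docs.deleted store.size pri.store.size
yellow open   a1b2c3d4e5-meow  constructed-uuid-001    1   1          0            0       208b           208b
yellow open   f6g7h8i9j0-meow  constructed-uuid-002    1   1          0            0       208b           208b
green  open   .kibana_1        constructed-uuid-003    1   0          3            0     12.1kb         12.1kb
"""

# Constructed: the indices this cluster is supposed to hold (kept in change control,
# or taken from the last known-good snapshot of the same endpoint).
EXPECTED_INDICES = {"orders", "customers", "products", ".kibana_1"}


def parse_cat_indices(text):
    """Return the index names from `_cat/indices?v` output (index is column 3)."""
    names = []
    for line in text.splitlines()[1:]:  # first line is the header row
        cols = line.split()
        if len(cols) >= 3:
            names.append(cols[2])
    return names


def triage(snapshot, expected):
    """Compare the live index set with the expected one.

    Returns the meow-named indices found, the expected indices now missing,
    and a flag that is true when the meow naming pattern is present."""
    present = set(parse_cat_indices(snapshot))
    meow = sorted(n for n in present if MEOW_INDEX.match(n))
    missing = sorted(expected - present)
    return {
        "meow_indices": meow,
        "missing_indices": missing,
        "meow_pattern_seen": bool(meow),
    }


if __name__ == "__main__":
    result = triage(SNAPSHOT, EXPECTED_INDICES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Feed it the real output of `GET _cat/indices?v` (saved to a file before any cleanup) and your own expected list; the missing-index list is what drives the restore from snapshot, and the meow list is the indicator to keep for the incident record.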


You've been meowed:

https://www.bleepingcomputer.com/news/security/new-meow-attack-has-deleted-almost-4-000-unsecured-databases/

Double check all configurations (firewall, Elasticsearch etc.) to ensure the instance is not publicly accessible and access to Elasticsearch is secured (it must not have been beforehand).