Wazuh-indexer is not running and can't start it

Albert Ashkhatoyan

Mar 14, 2023, 4:52:29 AM
to Wazuh mailing list
I'm facing an issue starting the Wazuh-Indexer services and can't access the console. However, I can see Wazuh-dashboard, Wazuh-manager, kibana, elasticsearch are up and running fine. Please help me to access the console and start the Wazuh-indexer.

Currently, we are using Wazuh 4.3

● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2023-03-14 08:45:04 UTC; 15s ago
     Docs: https://documentation.wazuh.com
  Process: 12417 ExecStart=/usr/share/wazuh-indexer/bin/systemd-entrypoint -p ${PID_DIR}/wazuh-indexer.pid --quiet (code=exited, status=1/FAILURE)
 Main PID: 12417 (code=exited, status=1/FAILURE)

Mar 14 08:45:04 vm-benivo-siem-qa-ne systemd-entrypoint[12417]: Error: A fatal exception has occurred. Program will exit.
Mar 14 08:45:04 vm-benivo-siem-qa-ne systemd-entrypoint[12417]: at org.opensearch.tools.launchers.JvmErgonomics.flagsFinal(JvmErgonomics.java:139)
Mar 14 08:45:04 vm-benivo-siem-qa-ne systemd-entrypoint[12417]: at org.opensearch.tools.launchers.JvmErgonomics.finalJvmOptions(JvmErgonomics.java:101)
Mar 14 08:45:04 vm-benivo-siem-qa-ne systemd-entrypoint[12417]: at org.opensearch.tools.launchers.JvmErgonomics.choose(JvmErgonomics.java:72)
Mar 14 08:45:04 vm-benivo-siem-qa-ne systemd-entrypoint[12417]: at org.opensearch.tools.launchers.JvmOptionsParser.jvmOptions(JvmOptionsParser.java:152)
Mar 14 08:45:04 vm-benivo-siem-qa-ne systemd-entrypoint[12417]: at org.opensearch.tools.launchers.JvmOptionsParser.main(JvmOptionsParser.java:110)
Mar 14 08:45:04 vm-benivo-siem-qa-ne systemd[1]: wazuh-indexer.service: main process exited, code=exited, status=1/FAILURE
Mar 14 08:45:04 vm-benivo-siem-qa-ne systemd[1]: Failed to start Wazuh-indexer.
Mar 14 08:45:04 vm-benivo-siem-qa-ne systemd[1]: Unit wazuh-indexer.service entered failed state.
Mar 14 08:45:04 vm-benivo-siem-qa-ne systemd[1]: wazuh-indexer.service failed.
[root@vm-benivo-siem-qa-ne bnroot]# systemctl start kibana
[root@vm-benivo-siem-qa-ne bnroot]# systemctl start elasticsearch
[root@vm-benivo-siem-qa-ne bnroot]# systemctl status elasticsearch


Journalctl output
https://docs.google.com/document/d/1AO1OV_4k5SU85MpekTEX8f1EAIR6Cp9y1cG0j5Z9UEg/edit?usp=sharing

Federico Gustavo Galland

Mar 14, 2023, 5:06:31 AM
to Wazuh mailing list
Hi Albert,

Thanks for reaching out to us.

From your shared log output, it looks like you are running both the newer OpenSearch-based services alongside the older opendistro-based ones.

You shouldn't have both kibana/elasticsearch and wazuh-dashboard/wazuh-indexer services running at the same time, since they are serving the same purpose.

In order to help you fix the issue, we can start by retrieving the current Wazuh Manager version by running:

/var/ossec/bin/wazuh-control info

You can share this as a reply to this e-mail.

It would probably also be handy to know if you followed the procedure outlined in the following link at some point, and whether you have any data still residing within your elasticsearch installation.




I'll be looking forward to your reply.

Regards,
Federico
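
The overlap described in the reply above, as an added example that is not part of the original thread: a check that reports each role (indexer, dashboard) for which both the legacy unit and the current Wazuh unit are present on one host. The unit names `elasticsearch.service`, `kibana.service` and `wazuh-dashboard.service` are assumed from the service names used in the thread, and the sample unit list is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report roles for which both the legacy
# unit and its current Wazuh counterpart are present on one host.

# Constructed sample of `systemctl list-units --type=service --all --no-legend`
# output (UNIT LOAD ACTIVE SUB DESCRIPTION); a failed unit may carry a marker.
SAMPLE_UNITS='elasticsearch.service loaded active running Elasticsearch
kibana.service loaded active running Kibana
wazuh-dashboard.service loaded active running wazuh-dashboard
● wazuh-indexer.service loaded failed failed Wazuh-indexer
wazuh-manager.service loaded active running Wazuh manager
postfix.service loaded inactive dead Postfix Mail Transport Agent'

# Reads unit lines on stdin; prints one line per role served by both stacks.
overlapping_roles() {
    awk '
        function report(role, legacy, current) {
            if ((legacy in state) && (current in state))
                printf "%s: %s=%s %s=%s\n", role, legacy, state[legacy],
                       current, state[current]
        }
        {
            # Locate the unit name; this skips a leading status marker.
            u = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /\.service$/) { u = i; break }
            if (u == 0) next
            s = $(u + 2)                      # ACTIVE column
            if (s != "" && s != "inactive") state[$u] = s
        }
        END {
            report("indexer", "elasticsearch.service", "wazuh-indexer.service")
            report("dashboard", "kibana.service", "wazuh-dashboard.service")
        }'
}

# Run against the constructed sample; on a live host pipe systemctl instead:
#   systemctl list-units --type=service --all --no-legend | overlapping_roles
printf '%s\n' "$SAMPLE_UNITS" | overlapping_roles
```

Failed units are counted as present on purpose, so a replacement service that is installed but cannot start still shows up next to the legacy one.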

Albert Ashkhatoyan

Mar 14, 2023, 5:58:28 AM
to Wazuh mailing list
WAZUH_VERSION="v4.3.10"
WAZUH_REVISION="40323"
WAZUH_TYPE="server"

This is the output.

All resources are up to date.
Thanks for your response.

Federico Gustavo Galland

Mar 14, 2023, 6:06:59 AM
to Albert Ashkhatoyan, Wazuh mailing list
Albert,

Ok, so we know the Manager is up to date. But we still need to know how the old and new services managed to coexist on your server.

We don't want to remove opendistro without first making sure you haven't indexed data into it.

Regards,
Federico

Federico Gustavo Galland

Mar 14, 2023, 6:15:28 AM
to Albert Ashkhatoyan, Wazuh mailing list
Albert,

Since this is a test environment, I would suggest starting over (removing all installed services, including Kibana and ElasticSearch) and following either the quickstart guide:


Or one of the installation guides:



The quickstart guide includes an automated script that will install the full solution to a single server. It is usually good for running a relatively low number of agents.

Regards,
Federico

Federico Gustavo Galland

Mar 14, 2023, 7:18:19 AM
to Albert Ashkhatoyan, Wazuh mailing list
Albert,

I'm glad to hear everything is working now. You can write us via this community group any time you have questions.

Regards,
Federico