Wazuh Indexer Disk is Full

[Atchyuth P]

Hi Team,

I have two servers in my env one server hosting (wazuh-indexer & wazuh- dashboard) and the other server (wazuh-server) the indexer server disk is full.
when i checked for /var/lib/wazuh-indexer/nodes/0/indices it is consuming 240GB i have deleted the indices but the size of indices is reduced not the disk space. The disk space is completely occupied now and dashboard is unable to open.

when i opened UI this is the error i am facing 

Error: Error Pattern Handler (getPatternList)
    at _callee$ (https://dashboardip/1/bundles/plugin/wazuh/wazuh.chunk.9.js:5:683259)
    at tryCatch (https://dashboardip/1/bundles/plugin/indexManagementDashboards/indexManagementDashboards.plugin.js:1:94916)
    at Generator.invoke [as _invoke]


When i tried to run securityadmin.sh it is giving me error JAVA_HOME is not set
So i set the JAVA_HOME=/etc/wazuh-indexer/jdk after script executed but still showing
opensearch security not initialized.

I checked opensearch.log it is  showing Wazuh- Indexer opensearch not initialized need to run security_admin.sh

Please help me on this error

[Devender Rao]

Hi ,

Thanks for using Wazuh!

I recommend doing a few checks to find out what is taking up so much disk space and then running the script.

First of all, please run du -sh /var/ossec and du -sh /var/lib/wazuh-indexer/ to see how much disk space Wazuh is taking up.

Then, if the problem of disk space is caused by Wazuh, you should check which file is taking up disk space. Usually, those files are logs files, which are located at /var/ossec/logs. You can run the same command as before, but with the specified directory you want to check, for example, du -sh /var/ossec/logs. Old files are rotated into folders sorted by date:

/var/ossec/logs/alerts/year/month/day /var/ossec/logs/archives/year/month/day

Here you can learn more about it: https://wazuh.com/blog/wazuh-index-management/

Best regards.

Devender

[Atchyuth P]

Hi Devendar,

Please allow me to give you a background on this issue. We have wazuh-indexer & wazuh- dashboard running on one server and wazuh-server running on different server.

I received a alert on Saturday stating wazuh-indexer server disk space is full.When checked with du -sh can to know 240GB storage occupied by /var/lib/wazuh-indexer/indices/0.

I have removed few indices and restarted the services but no use till yesterday.Suprisingly disk space got reduced but dashboard is not functioning.

When checked with logs it is stating opesearch security is not initialised.

Regards

Atchyuth

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/87b40c9a-0888-4bef-af6d-290003afb520n%40googlegroups.com.

[Devender Rao]

Hi Atchyuth,

I hope you are doing well! 

Can you confirm now, if you are still facing the issue with disk space or the dashboard?
Also share the output for below command 
filebeat test output 

Regards,
Devender

[S K]

Hello! I have this result:
26G /var/ossec
132G /var/lib/wazuh-indexer/

вторник, 30 мая 2023 г. в 12:38:05 UTC+3, Devender Rao: