Logstash is not running after 5 minutes of initialization


Sam Asselborn

May 4, 2018, 9:49:36 AM
to security-onion
Hi!

I installed a fresh version of Security Onion (04.5.13).
Everything works fine and I can also access Kibana from my remote host.

The problem is that Kibana is showing me the index pattern window as its start-up window (see attachment).

After entering sostat-redacted I realized that my Logstash is taking very long to start:


=========================================================================
Logstash
=========================================================================

Logstash is running.

CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
2decb05d9038 so-logstash 100.40% 561.4MiB / 3.842GiB 14.27% 27.8kB / 196kB 1.28MB / 5.72MB 30

Logstash Queue Stats:

Logstash has started, but has not completed initialization.
To obtain queue stats, try running sostat again in a few minutes.


I tried this several times, and after the initialization Logstash jumps to not running.
Here are the last messages in my logstash.log:


[2018-05-04T13:29:17,597][ERROR][logstash.agent ] An exception happened when converging configuration {:exception=>LogStash::Error, :message=>"Don't know how to handle `Java::JavaLang::OutOfMem$
[2018-05-04T13:29:20,466][ERROR][org.logstash.Logstash ] java.lang.OutOfMemoryError: Java heap space


Do you have any idea how I can build up Kibana properly and finally also see my Snort alerts in Kibana? Everything works fine with SGUIL.

Here is my whole sostat-redacted:

Screenshot from 2018-05-04 15-24-36.png

Sam Asselborn

May 4, 2018, 9:52:50 AM
to security-onion

Wes Lambert

May 4, 2018, 1:17:55 PM
to securit...@googlegroups.com
You may want to try checking the Logstash log in /var/log/logstash/logstash.log.

Thanks,
Wes

On Fri, May 4, 2018 at 9:52 AM, Sam Asselborn <sam.as...@gmail.com> wrote:
https://pastebin.com/PgCtZWbq

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.


Sam Asselborn

May 4, 2018, 1:26:24 PM
to securit...@googlegroups.com
I did that. I quoted this in my first message.

It seems that Logstash has a problem with Java.


Wes Lambert

May 4, 2018, 1:38:11 PM
to securit...@googlegroups.com
It looks like you are running with 4GB of RAM.  Please try adjusting to 8GB and re-run setup.


Thanks,
Wes


Sam Asselborn

May 7, 2018, 3:08:20 AM
to security-onion
On Friday, 4 May 2018 19:38:11 UTC+2, Wes wrote:
> It looks like you are running with 4GB of RAM.  Please try adjusting to 8GB and re-run setup.
>
>
> https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware#elastic-stack
>
Thank you, this solved my problem!
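
A triage check for the failure diagnosed in this thread, added here as an example; it is not part of any post or of Security Onion's own tooling. The function names and the 7680 MiB threshold are assumptions, as is reading the LIMIT column as host RAM (which holds when no container memory limit is set).

```shell
#!/usr/bin/env bash
# Assumption: a nominal 8GB host reports a little under 8192MiB, so use 7680.
MIN_RAM_MIB=7680

# Count JVM heap-exhaustion errors in a Logstash log read from stdin.
count_heap_oom() {
  grep -cF 'java.lang.OutOfMemoryError: Java heap space' || true
}

# Print the so-logstash memory limit in MiB from sostat/docker stats output
# on stdin (the value after the first "/" on that container's row).
container_limit_mib() {
  awk '$2 == "so-logstash" {
    for (i = 1; i < NF; i++)
      if ($i == "/" && $(i+1) ~ /^[0-9.]+(GiB|MiB)$/) {
        v = $(i+1); unit = substr(v, length(v) - 2); sub(/(GiB|MiB)$/, "", v)
        printf("%d\n", (unit == "GiB") ? v * 1024 : v + 0)
        exit
      }
  }'
}

# triage LOGFILE SOSTATFILE -> heap-oom-low-ram | heap-oom | ok
triage() {
  local ooms limit
  ooms=$(count_heap_oom < "$1")
  limit=$(container_limit_mib < "$2")
  if [ "$ooms" -gt 0 ] && [ -n "$limit" ] && [ "$limit" -lt "$MIN_RAM_MIB" ]; then
    echo "heap-oom-low-ram"   # the case in this thread: add RAM, re-run setup
  elif [ "$ooms" -gt 0 ]; then
    echo "heap-oom"           # heap exhausted, memory limit unknown or adequate
  else
    echo "ok"
  fi
}

# Sample input copied from the first post in this thread.
SAMPLE_LOG=$(mktemp); SAMPLE_SOSTAT=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_SOSTAT"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[2018-05-04T13:29:20,466][ERROR][org.logstash.Logstash ] java.lang.OutOfMemoryError: Java heap space
EOF
cat > "$SAMPLE_SOSTAT" <<'EOF'
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
2decb05d9038 so-logstash 100.40% 561.4MiB / 3.842GiB 14.27% 27.8kB / 196kB 1.28MB / 5.72MB 30
EOF
triage "$SAMPLE_LOG" "$SAMPLE_SOSTAT"
```

On a live sensor, pass /var/log/logstash/logstash.log and a saved copy of the sostat output as the two arguments.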
