Can't start Demo ElasticSearch after clean install

[Andy Shepherd]

Hi Guys,

Some problems with install, and not sure if the problem is Moloch, Java, or Linux...

Fresh CentOS 7, 4 cores, 12GB Ram, 2 x 50GB drives, 4 Nic

Running as root, because I'm naughty

yum update

[cut]

yum -y install vim net-tools wget perl-libwww-perl perl-JSON libyaml-devel java

[cut]

[root@localhost ~]# wget https://files.molo.ch/builds/centos-7/moloch-1.1.1-1.x86_64.rpm

--2018-07-13 12:42:24--  https://files.molo.ch/builds/centos-7/moloch-1.1.1-1.x86_64.rpm

Resolving files.molo.ch (files.molo.ch)... 52.222.232.89, 52.222.232.104, 52.222.232.231, ...

Connecting to files.molo.ch (files.molo.ch)|52.222.232.89|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 50710827 (48M) [application/x-rpm]

Saving to: ‘moloch-1.1.1-1.x86_64.rpm’

100%[=====================================================================================================>] 50,710,827  6.38MB/s   in 7.7s

2018-07-13 12:42:31 (6.31 MB/s) - ‘moloch-1.1.1-1.x86_64.rpm’ saved [50710827/50710827]

[root@localhost ~]# rpm --install moloch-1.1.1-1.x86_64.rpm

READ /data/moloch/README.txt and RUN /data/moloch/bin/Configure

[root@localhost ~]# vim /data/moloch/bin/Configure +151

(correct the typo https://github.com/aol/moloch/issues/872)

[root@localhost ~]# /data/moloch/bin/Configure

Found interfaces: ens32;ens33;ens34;ens35;lo

Semicolon ';' seperated list of interfaces to monitor [eth1] ens33

Install Elasticsearch server locally for demo, must have at least 3G of memory, NOT recommended for production use (yes or no) [no] yes

/usr/bin/java

Password to encrypt S2S and other things [no-default] <<removed>>

Moloch - Creating configuration files

Installing systemd start files, use systemctl

Moloch - Downloading and installing demo Elasticsearch

Loaded plugins: fastestmirror

elasticsearch-5.6.7.rpm                                                                                                 |  32 MB  00:00:08

Examining /var/tmp/yum-root-u2DDjm/elasticsearch-5.6.7.rpm: elasticsearch-5.6.7-1.noarch

Marking /var/tmp/yum-root-u2DDjm/elasticsearch-5.6.7.rpm to be installed

Resolving Dependencies

--> Running transaction check

---> Package elasticsearch.noarch 0:5.6.7-1 will be installed

--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================================================================

 Package                            Arch                        Version                        Repository                                 Size

===============================================================================================================================================

Installing:

 elasticsearch                      noarch                      5.6.7-1                        /elasticsearch-5.6.7                       36 M

Transaction Summary

===============================================================================================================================================

Install  1 Package

Total size: 36 M

Installed size: 36 M

Is this ok [y/d/N]: y

Downloading packages:

Running transaction check

Running transaction test

Transaction test succeeded

Running transaction

Warning: RPMDB altered outside of yum.

Creating elasticsearch group... OK

Creating elasticsearch user... OK

  Installing : elasticsearch-5.6.7-1.noarch                                                                                                1/1

### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd

 sudo systemctl daemon-reload

 sudo systemctl enable elasticsearch.service

### You can start elasticsearch service by executing

 sudo systemctl start elasticsearch.service

  Verifying  : elasticsearch-5.6.7-1.noarch                                                                                                1/1

Installed:

  elasticsearch.noarch 0:5.6.7-1

Complete!

Moloch - Installing /etc/logrotate.d/moloch to rotate files after 7 days

Moloch - Installing /etc/security/limits.d/99-moloch.conf to make core and memlock unlimited

Moloch - Downloading GEO files

2018-07-13 12:44:02 URL:https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv [23043/23043] -> "ipv4-address-space.csv" [1]

WARNING: timestamping does nothing in combination with -O. See the manual

for details.

2018-07-13 12:44:02 URL:https://updates.maxmind.com/app/update_secure?edition_id=GeoLite2-Country [1742530/1742530] -> "GeoLite2-Country.mmdb.gz" [1]

WARNING: timestamping does nothing in combination with -O. See the manual

for details.

2018-07-13 12:44:03 URL:https://updates.maxmind.com/app/update_secure?edition_id=GeoLite2-ASN [3376616/3376616] -> "GeoLite2-ASN.mmdb.gz" [1]

2018-07-13 12:44:03 URL:https://raw.githubusercontent.com/wireshark/wireshark/master/manuf [1473209/1473209] -> "oui.txt" [1]

Moloch - Configured - Now continue with step 4 in /data/moloch/README.txt

      https://www.elastic.co/downloads/past-releases

 4b) If using the demo Elasticsearch, these won't work with real Elasticsearch installs

      /sbin/start elasticsearch # for upstart/Centos 6/Ubuntu 14.04

      systemctl start elasticsearch.service # for systemd/Centos 7/Ubuntu 16.04

 5) Initialize/Upgrade Elasticsearch Moloch configuration

  a) If this is the first install, or want to delete all data

      /data/moloch/db/db.pl http://ESHOST:9200 init

  b) If this is an update to moloch package

      /data/moloch/db/db.pl http://ESHOST:9200 upgrade

 6) Add an admin user if a new install or after an init

      /data/moloch/bin/moloch_add_user.sh admin "Admin User" THEPASSWORD --admin

 7) Start everything

   a) If using upstart (Centos 6 or sometimes Ubuntu 14.04):

      /sbin/start molochcapture

      /sbin/start molochviewer

   b) If using systemd (Centos 7 or Ubuntu 16.04 or sometimes Ubuntu 14.04)

      systemctl start molochcapture.service

      systemctl start molochviewer.service

 8) Look at log files for errors

      /data/moloch/logs/viewer.log

      /data/moloch/logs/capture.log

 9) Visit http://molochhost:8005 with your favorite browser.

      user: admin

      password: password from step #6

Additional information can be found at:

  * https://github.com/aol/moloch/wiki/FAQ

  * https://github.com/aol/moloch/wiki/Settings

[root@localhost ~]# sudo systemctl daemon-reload

[root@localhost ~]#  sudo systemctl enable elasticsearch.service

Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.

[root@localhost ~]#  systemctl start elasticsearch.service

[root@localhost ~]#

[root@localhost ~]# netstat -anlp | grep LISTEN

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1051/sshd

tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2004/master

tcp6       0      0 :::22                   :::*                    LISTEN      1051/sshd

tcp6       0      0 ::1:25                  :::*                    LISTEN      2004/master

Here is where I get stuck, Elastic isn't running on port 9200.  The next command wont work.

### My debug time

[root@localhost ~]# wc -l /var/log/elasticsearch/

wc: /var/log/elasticsearch/: Is a directory

0 /var/log/elasticsearch/

Try running the systemctl command by hand

[root@localhost ~]# /usr/share/elasticsearch/bin/elasticsearch -p /var/run/elasticsearch/elasticsearch.pid -Edefault.path.logs=/var/log/elasticsearch -Edefault.path.data=/var/lib/elasticsearch -Edefault.path.conf=/etc/elasticsearch

Exception in thread "main" 2018-07-13 12:49:44,757 main ERROR No log4j2 configuration file found. Using default configuration: logging only errors to the console. Set system property 'log4j2.debug' to show Log4j2 internal initialization logging.

ElasticsearchParseException[duplicate settings key [cluster.name] found at line number [35], column number [15], previous value [Moloch], current value [Moloch]]

[root@localhost ~]# cat /etc/elasticsearch/elasticsearch.yml | egrep -v "#"

cluster.name: Moloch

node.name: "${ES_NODE_NAME}"

node.max_local_storage_nodes: 1

path.data: "${ES_DIR}/data"

path.logs: "${ES_DIR}/logs"

gateway.recover_after_nodes: 1

gateway.recover_after_time: 5m

gateway.expected_nodes: 1

discovery.zen.minimum_master_nodes: 1

discovery.zen.ping.multicast.enabled: false

bootstrap.mlockall: true

http.port: "${ES_HTTP_PORT}"

transport.tcp.port: "${ES_TRANSPORT_PORT}"

transport.ping_schedule: 30s

index.number_of_replicas: 0

cluster.routing.allocation.node_initial_primaries_recoveries: 1

cluster.name: Moloch

node.name: localhost.localdomain

path.data: /data/moloch/data

path.logs: /data/moloch/logs

I'm new to elastic and Molocho, any help appreciated :)

Andy

[Andy Shepherd]

Big thanks to Erik./Andy for the fix

 

Dont do the fix I suggest

https://github.com/aol/moloch/issues/872

The file that isn't copied over, which I thought should be copied over, is the problem.

Like your Mum said... don't touch something you don't understand lol