Elasticsearch keeps crashing

[Eric Vanderveer]

After about 5 to 10 minutes after a reboot Elasticsearch keeps crashing and Kibana shows "Unable to connect to Elasticsearch at http://elasticsearch:9200' What should I be looking at to find out what is causing this and also what can I do to restart elasticsearch without rebooting.
Thanks

Eric

[Wes Lambert]

Eric,

You can try checking the logs in /var/log/elasticsearch/ or /var/log/kibana/ clues.

Thanks,

Wes

Eric

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

[Eric Vanderveer]

On Tuesday, August 29, 2017 at 10:04:54 AM UTC-4, Wes wrote:
> Eric,
>
>
> You can try checking the logs in /var/log/elasticsearch/ or /var/log/kibana/ clues.
>
>
>
> Thanks,
> Wes
>
>
> On Tue, Aug 29, 2017 at 9:56 AM, Eric Vanderveer <er...@ericvanderveer.com> wrote:
> After about 5 to 10 minutes after a reboot Elasticsearch keeps crashing and Kibana shows "Unable to connect to Elasticsearch at http://elasticsearch:9200'  What should I be looking at to find out what is causing this and also what can I do to restart elasticsearch without rebooting.
>
> Thanks
>
>
>
> Eric
>
>
>
> --
>
> Follow Security Onion on Twitter!
>
> https://twitter.com/securityonion
>
> ---
>
> You received this message because you are subscribed to the Google Groups "security-onion" group.
>

> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
>
> To post to this group, send email to securit...@googlegroups.com.

>
> Visit this group at https://groups.google.com/group/security-onion.
>
> For more options, visit https://groups.google.com/d/optout.

Ok so I am seeing java.lang.OutOfMemoryError: Java heap space in the docker-cluster.log in elasticsearch. I have 24Gig of memory, do I need more? And if so how to tell how much more.

[Kevin Branch]

Eric,

You might start by setting this line to allocate 8 gig to Elasticsearch  (/etc/nsm/securityonion.conf)

ELASTICSEARCH_HEAP="8g"

While you are in there you may also want to raise Logstash heap space a bit.  It does not need near as much as ES though.

LOGSTASH_HEAP="1g"

Follow that change with running "so-elastic-restart" and see if your OutOfMemoryError issue goes away.  If not, then increase from 8g to something bigger.

Kevin

To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.

[Eric Vanderveer]

That did it. Well it's been 15 minutes (better than 2 minutes) and it's still up. Thanks!

[Kevin Branch]

Great, now you can use so-elastic-status to keep an eye on how much of that 8g the so-elasticsearch container is actually making use of.

Kevin

To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.