Wazuh-Indexer failure


CIA

Jan 6, 2026, 4:18:27 AM
to Wazuh | Mailing List

Hi Team,
I’ve tried all possible methods to resolve the Wazuh Indexer failure. I adjusted the JVM settings and increased the timeout values, but the issue still persists. Please note that I am working with an OVA virtual machine. Could you please assist me with this issue?

Kasim Mustapha

Jan 6, 2026, 4:41:03 AM
to Wazuh | Mailing List
Hello,

Kindly share the output of the following commands:
  • cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
  • journalctl -xeu wazuh-indexer.service
  • cat /etc/wazuh-indexer/opensearch.yml
What changes did you make before noticing this error? If you made any, have you tried reverting them?

I will be waiting for you to reply.

Thank you.
Kasim

Kasim Mustapha

Jan 6, 2026, 7:07:11 AM
to Wazuh | Mailing List
Hello,

Could you also share the VM specifications?

The following requirements have to be in place before the Wazuh VM can be imported into a host operating system:
  • The host operating system must be 64-bit with x86_64/AMD64 architecture.
  • Enable hardware virtualization in the host firmware.
  • Install a virtualization platform, such as VirtualBox, on the host system.
The Wazuh VM is configured with these specifications by default:
  • CPU (cores): 4
  • RAM (GB): 8
  • Storage (GB): 50
This is the minimum requirement.


Kasim Mustapha

Jan 6, 2026, 7:16:19 AM
to Wazuh | Mailing List
Hello,

In your third screenshot (the cat output), look closely at the very first line:

YAML files are sensitive to formatting. You cannot have multiple settings (like network.host and node.name) on the same line. The error message "expected <block end>, but found '<scalar>'" in your logs confirms that the system is confused because it expected a new line after "127.0.0.1".

You need to edit the file and break that long line into separate lines.

sudo nano /etc/wazuh-indexer/opensearch.yml

Change the first part of the file so it looks like this (ensure proper indentation):

network.host: "127.0.0.1"
node.name: "node-1"
cluster.initial_master_nodes:
  - "node-1"
cluster.name: "wazuh-cluster"

Save and restart the Indexer.

sudo systemctl restart wazuh-indexer

Let me know if this works for you.
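
A pre-restart check for the flattened-line problem described in this reply, added here as an example and not part of the original post or of Wazuh's tooling: it flags any line of opensearch.yml that carries more than one "key: value" pair. The function names and the sample configuration are constructed for illustration, and the check is a heuristic (a YAML flow mapping in braces would also be flagged).

```shell
#!/usr/bin/env bash
# Added example: heuristic line check, not a full YAML parser.

# find_flattened_settings [FILE]
# Prints "LINE_NO: text" for each line holding more than one "key: value"
# pair; reads stdin when FILE is omitted. Returns 1 if any line is flagged.
find_flattened_settings() {
  awk -v q="'" '
    /^[ \t]*#/ { next }                        # skip comment-only lines
    {
      line = $0
      gsub(/"[^"]*"/, "\"\"", line)            # blank double-quoted values
      gsub(q "[^" q "]*" q, q q, line)         # blank single-quoted values
      sub(/[ \t]#.*$/, "", line)               # drop trailing comments
      line = line " "                          # so a key at end of line counts
      n = gsub(/[A-Za-z_][A-Za-z0-9_.]*:[ \t]/, "&", line)
      if (n > 1) { printf "%d: %s\n", NR, $0; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
  ' "${1:--}"
}

# Constructed sample: two settings collapsed onto the first line, the
# situation the reply describes (not the poster's actual file).
sample_broken() {
  cat <<'EOF'
network.host: "127.0.0.1" node.name: "node-1"
cluster.initial_master_nodes:
  - "node-1"
cluster.name: "wazuh-cluster"
EOF
}

# Demo on the constructed sample. Real use (path from the thread):
#   find_flattened_settings /etc/wazuh-indexer/opensearch.yml
sample_broken | find_flattened_settings \
  || echo "fix the lines above before restarting wazuh-indexer"
```
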

Kasim Mustapha

Jan 6, 2026, 7:42:59 AM
to Wazuh | Mailing List


Hello,

This is actually good news. Seeing "Warnings" instead of "Errors" or "Exceptions" usually means the Wazuh Indexer has successfully read the configuration file and is now starting up the Java engine.

Based on the typical behavior of the Wazuh Indexer (OpenSearch) during startup, you are likely seeing warnings about System::setSecurityManager or jdk.incubator.vector.

1. Why you are seeing this
  • System::setSecurityManager: This is a known warning in newer Java versions used by Wazuh. It is a message for the developers, not a fatal error for you. It does not stop the service from running.

  • jdk.incubator.vector: This is an informational message about performance optimization features. It is also safe to ignore.

2. How to verify if it is actually working

Warnings do not mean the service failed. To verify the actual status, please run this command:

sudo systemctl status wazuh-indexer

  • If it says Active: active (running) (in green):

    The service is working perfectly! The warnings in the log are just "noise" and can be ignored.

  • If it says failed (in red):

    We need to see the logs after the warnings. The warnings likely pushed the real error off the screen. Run this to see the very end of the log:

sudo journalctl -u wazuh-indexer -n 20 --no-pager

3. Check the Cluster Health

If the service shows as active, the final test is to check if the cluster is responding. Run this command:

curl -k -u admin:admin https://127.0.0.1:9200

(Note: Replace admin:admin with your actual credentials if you changed them. The default is often admin:admin or admin:SecretPassword1! depending on your setup).

Can you share the output of the systemctl status wazuh-indexer command?
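
The triage this reply describes (set aside the two JVM warnings, then look for what actually failed), as an added example that is not from the original post: a filter that drops the known-benign lines and prints only lines that look like real failures. The function names, the failure patterns and the sample log lines are constructed assumptions.

```shell
#!/usr/bin/env bash
# Markers the reply identifies as safe-to-ignore JVM startup warnings.
BENIGN='System::setSecurityManager|jdk\.incubator\.vector'
# Patterns treated here as real failures (an assumption; extend as needed).
FAILURE='ERROR|FATAL|Exception|Caused by|expected <block end>'

# triage_indexer_log: reads log text on stdin and prints only failure lines
# that are not known-benign warnings. Returns 0 if none found, 1 otherwise.
triage_indexer_log() {
  grep -Ev "$BENIGN" | grep -E "$FAILURE" && return 1
  return 0
}

# Constructed sample: startup that produced only the benign warnings.
sample_clean_start() {
  cat <<'EOF'
WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch
WARNING: System::setSecurityManager will be removed in a future release
WARNING: Using incubator modules: jdk.incubator.vector
INFO: node-1 started
EOF
}

# Constructed sample: the same warnings followed by a real parse error.
sample_failed_start() {
  cat <<'EOF'
WARNING: System::setSecurityManager will be removed in a future release
WARNING: Using incubator modules: jdk.incubator.vector
ERROR: while parsing a block mapping; expected <block end>, but found '<scalar>'
EOF
}

# Demo on the constructed samples. Real use (flags from the thread):
#   sudo journalctl -u wazuh-indexer --no-pager | triage_indexer_log
sample_clean_start | triage_indexer_log && echo "clean start: warnings only"
sample_failed_start | triage_indexer_log || echo "failed start: see line above"
```
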

Kasim Mustapha

Jan 8, 2026, 2:35:09 AM
to Wazuh | Mailing List

Hello,

To help other community users benefit from the troubleshooting process, please reply to all in the Google Group so that the interactions are visible.


Please increase the indexer timeout to 15 minutes (900 seconds) and restart the indexer's service.

After you run the restart command, it might "hang" for a few minutes. Do not interrupt it.

Watch the real status: While it is starting, you can open a second terminal window and check what it is actually doing (so you aren't just staring at a blinking cursor):

tail -f /var/log/wazuh-indexer/wazuh-cluster.log

You are waiting to see a log line that says something like Node 'node-1' initialized or Cluster health status changed from [RED] to [YELLOW/GREEN].

Also check the RAM and disk usage: free -h && df -h

Thank you