Fail to start after fresh installation

[martin ceroceroseissiete]

Dear all, I'm trying for the third time to install Wazuh (all-in-one) on Ubuntu 24.04.3. 

After running `install wazuh-install.sh` without errors, I'm having problems with the index file when I log in. 

Upon investigation, I found that the filebeat.service "failed." I've tried to initialize it without success. 

@wazuh-allinone:/var/ossec/bin$ sudo journalctl -u filebeat -f

Dec 29 14:46:44 wazuh-allinone systemd[1]: filebeat.service: Failed with result 'exit-code'.

Dec 29 14:46:44 wazuh-allinone systemd[1]: filebeat.service: Scheduled restart job, restart counter is at 4.

Dec 29 14:46:44 wazuh-allinone systemd[1]: Started filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch..

Dec 29 14:46:44 wazuh-allinone filebeat[126354]: Exiting: Error getting filesets for module wazuh: open /usr/share/filebeat/module/wazuh: no such file or directory

Dec 29 14:46:44 wazuh-allinone systemd[1]: filebeat.service: Main process exited, code=exited, status=1/FAILURE

Dec 29 14:46:44 wazuh-allinone systemd[1]: filebeat.service: Failed with result 'exit-code'.

Dec 29 14:46:44 wazuh-allinone systemd[1]: filebeat.service: Scheduled restart job, restart counter is at 5.

Dec 29 14:46:44 wazuh-allinone systemd[1]: filebeat.service: Start request repeated too quickly.

Dec 29 14:46:44 wazuh-allinone systemd[1]: filebeat.service: Failed with result 'exit-code'.

Dec 29 14:46:44 wazuh-allinone systemd[1]: Failed to start filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch..

^C

 

The folder "/usr/share/filebeat/module/wazuh" does not exist.

Any suggestions on how to find the problem?

[Nicolai Romero]

Hi Martin!

Could you please share the installation procedure that you followed and the Wazuh version used? It looks like a broken installation of filebeat, as the logs about the missing directory suggest. Once you share this information I would be able to reproduce the installation in my environment and help you identify the problem. Until then, you may try uninstalling filebeat and following the official installation guide in case a configuration step was missing.

I'll be attentive. Best regards!
- Nicolai R.

[martin ceroceroseissiete]

Hi Nicolai

1st I run:

sudo wazuh-install.sh

Once finished, I run as its mentioned in installation log:

sudo systemctl daemon-reload

sudo systemctl enable wazuh-indexer.service

Version installed is 4.14.1

Please find attached installation log in case you find it usefull

Thank you for answering

Regards

Martin

[Nicolai Romero]

Hi Martin.

Thanks for the information. In the logs you just shared I could find the following lines:

gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now

Based on that, I would say that the file download was interrupted in the process, causing the broken installation. Also, please note that the guide described in the documentation for Wazuh 4.14.1 uses the wazuh-install.sh script but with different parameters for each step. As described before, please start by uninstalling and reinstalling but following these guide in detail
- Start with the Indexer installation. It uses wazuh-install to generate the certificates and set the indexer information.
- Follow the step-by-step installation procedure for the Wazuh server, which has steps to install and configure filebeat and test the connection.
- Use the troubleshooting section for potential errors in the process.

Best regards,
- Nicolai R.