Max Shards after upgrading


Nacho Herrerías

Nov 16, 2023, 4:37:57 AM
to Wazuh | Mailing List
Hi everyone,
Yesterday I upgraded Wazuh to 4.6. I was able to upgrade the indexer and server correctly. However, I got an error when I tried to update the dashboard. The error was about the incompatibility of 3 plugins with the new OpenSearch version (2.8).

I tried to upgrade those plugins manually, but due to external circumstances, I couldn't. Then I thought I could remove those plugins while I tried to solve the external circumstances. So I removed those plugins and tried to restart the dashboard service, but then I got this new error: "Validation Failed 1: this action would add [2] total shards, but this cluster currently has [999]/[1000] maximum..."
How can I increase the max shards allowed? Is it possible?



Ayomide David Shoyemi

Nov 17, 2023, 8:52:18 PM
to Wazuh | Mailing List
Hi Nacho, 

Thank you for using Wazuh. I will get back to you on this.

Kind Regards,
Ayomide

Nicolas Agustin Guevara Pihen

Feb 14, 2024, 9:57:24 AM
to Wazuh | Mailing List
Hi Nacho, apologies for the late response.

This means you reached the shards limit count (1000 by default in the indexer node). To fix this issue, there are multiple options:

- Delete indices. This frees shards. You could do it with old indices you don't want/need using the Indexer's dev tools. You can run commands like DELETE wazuh-alerts-4.x-2023.*, which will delete all the alerts indices from 2023. You can also specify a specific index to be removed. This process can also be automated with ILM/ISM policies to delete old indices after a period of time, as explained in this documentation.

- Add more nodes to your Elasticsearch/Wazuh indexer cluster.

- Increment the max shards per node (not recommended). But if you do this option, make sure you do not increase it too much, as it could provoke inoperability and performance issues in your Wazuh indexer cluster. To do this:
  curl -k -u USERNAME:PASSWORD -XPUT INDEXER_HOST_ADDRESS/_cluster/settings -H "Content-Type: application/json" \
  -d '{ "persistent": { "cluster.max_shards_per_node": "MAX_SHARDS_PER_NODE" } }'

  
  replace the placeholders, where:
- USERNAME : username to do the request
- PASSWORD : password for the user
- INDEXER_HOST_ADDRESS: Wazuh indexer host address. Include the protocol https if needed.
- MAX_SHARDS_PER_NODE: Maximum shards by node. Maybe you could try with 1200 o something like that, depending of your case

I hope you find this information helpful.

Regards,
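
Added example, not part of the thread and not Wazuh's own code: before running a DELETE pattern like the one suggested above, this script counts how many shards each month of alert indices holds and how many a given date prefix would free. The sample data is constructed, and CA_CERT_PATH and the function names are assumptions of this example.

```shell
#!/bin/sh
# Live input would come from the _cat/indices API (placeholders as in the reply
# above; CA_CERT_PATH is a placeholder added here; curl prompts for the
# password when only the user name is given):
#   curl --cacert CA_CERT_PATH -u USERNAME \
#     "INDEXER_HOST_ADDRESS/_cat/indices/wazuh-alerts-*?h=index,pri,rep"

# Constructed sample of that output: index name, primary shards, replicas.
sample_indices() {
cat <<'EOF'
wazuh-alerts-4.x-2023.09.29 3 0
wazuh-alerts-4.x-2023.09.30 3 0
wazuh-alerts-4.x-2023.10.01 3 0
wazuh-alerts-4.x-2023.11.15 1 1
wazuh-alerts-4.x-2023.11.16 1 1
EOF
}

# shards_by_month: reads "index pri rep" lines on stdin and prints
# "YYYY.MM <indices> <shards>" for each month, oldest first.
shards_by_month() {
  awk '
    {
      n = split($1, part, "-")        # the date is the last dash-separated field
      month = substr(part[n], 1, 7)   # YYYY.MM
      idx[month]++
      shards[month] += $2 * (1 + $3)  # primaries plus their replicas
    }
    END { for (m in idx) print m, idx[m], shards[m] }
  ' | sort
}

# shards_freed PREFIX: shards released by deleting every index whose date
# starts with PREFIX (for example 2023.09 or 2023).
shards_freed() {
  awk -v p="$1" '
    { n = split($1, part, "-"); if (index(part[n], p) == 1) s += $2 * (1 + $3) }
    END { print s + 0 }
  '
}

sample_indices | shards_by_month
echo "Deleting 2023.09.* would free $(sample_indices | shards_freed 2023.09) shards"
```
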