Wazuh dashboard FAILED

Ximena C.

May 8, 2023, 11:19:28 PM
to Wazuh mailing list
Hi everyone!

When I restart the wazuh-dashboard, the console prints this error:

FATAL  {"error":{"root_cause":[{"type":"validation_exception","reason":"Validation Failed: 1: this action would add [2] total shards, but this cluster currently has [1000]/[1000]

Thanks!

Abdullah Al Rafi Fahim

May 8, 2023, 11:50:04 PM
to Wazuh mailing list
Hi Ximena,

This error means you have already reached the maximum number of shards per node. There are two possible solutions:

1. Increase the shards limit:
This option will quickly solve the solution but it is not advisable for the long run as it will bring more problems in the future. However, this guide will explain how to do it in case it is needed.
The following setting is the one responsible for this limit: cluster.routing.allocation.total_shards_per_node
It is possible to change the setting using the Wazuh Indexer API. You can either use the Dev tools option within the management section in the Wazuh Dashboard:

PUT _cluster/settings
{
  "persistent" : {
    "cluster.routing.allocation.total_shards_per_node" : 1200
  }
}

or curl the API directly from a terminal:

curl -X PUT "localhost:9200/_cluster/settings?pretty" -H 'Content-Type: application/json' -d'
{
  "persistent" : {
    "cluster.routing.allocation.total_shards_per_node" : 1200
  }
}
'

2. Reduce the number of shards:

Reaching the limit of shards means no retention policies are applied to the environment. This could lead to storing the data forever and cause failure in the system. It is necessary to delete old indices to reduce the number of shards. To check which indices are stored in the environment, the following API call can help:

GET _cat/indices

Then, it is necessary to delete indices that are not needed or older indices. Bear in mind that this cannot be retrieved unless there are backups of the data either using snapshots or Wazuh alerts backups.
The API call to delete indices is:

DELETE <index_name>

We always recommend this option.

Hope this information helps you. Please feel free to reach out to us for any information/issues.
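
An added example, not part of the reply above or of Wazuh's own tooling: a Python script that reads `GET _cat/indices?h=index,pri,rep` output, counts the shards each index holds, and lists the daily indices older than a retention window together with the shards their deletion would free. The sample output is constructed, and the `wazuh-alerts-`/`wazuh-archives-` prefixes with a `YYYY.MM.DD` suffix, the 90-day window and the function names are assumptions; it only lists candidates and deletes nothing.

```python
import re
from datetime import date, timedelta

# Constructed sample of `GET _cat/indices?h=index,pri,rep` output (not from the thread).
SAMPLE_CAT_INDICES = """\
wazuh-alerts-4.x-2023.01.15 3 0
wazuh-alerts-4.x-2023.02.20 3 0
wazuh-alerts-4.x-2023.05.07 3 0
wazuh-monitoring-2023.18w 1 1
wazuh-archives-4.x-2023.01.02 3 1
.kibana_1 1 0
"""

# Assumption: daily indices end in YYYY.MM.DD; any other name is never a candidate.
DAILY = re.compile(r"^.+-(?P<y>\d{4})\.(?P<m>\d{2})\.(?P<d>\d{2})$")


def parse_cat_indices(text):
    """Yield (index, total_shards, day_or_None) for each line of the output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not (fields[1].isdigit() and fields[2].isdigit()):
            continue  # skip header, blank or malformed lines
        name, pri, rep = fields[0], int(fields[1]), int(fields[2])
        day, m = None, DAILY.match(name)
        if m:
            try:
                day = date(int(m["y"]), int(m["m"]), int(m["d"]))
            except ValueError:
                day = None  # date-like suffix that is not a real calendar date
        # Replica shards count towards the limit as well as primaries.
        yield name, pri * (1 + rep), day


def deletion_candidates(text, today, keep_days,
                        prefixes=("wazuh-alerts-", "wazuh-archives-")):
    """Return (sorted candidate names, shards freed, total shards listed)."""
    cutoff = today - timedelta(days=keep_days)
    total, freed, names = 0, 0, []
    for name, shards, day in parse_cat_indices(text):
        total += shards
        if day and day < cutoff and name.startswith(prefixes):
            names.append(name)
            freed += shards
    return sorted(names), freed, total


if __name__ == "__main__":
    names, freed, total = deletion_candidates(SAMPLE_CAT_INDICES, date(2023, 5, 8), 90)
    print(f"{total} shards listed; deleting {len(names)} indices frees {freed}")
    print("\n".join(f"DELETE {n}" for n in names))
```

Review the printed list against existing snapshots or alert backups before issuing any of the `DELETE` calls.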
