Job for wazuh-indexer.service failed because a timeout was exceeded


Raymond Gonsalves

Jan 24, 2025, 12:47:33 AM
to Wazuh | Mailing List
I've tried the following commands:

sudo mkdir /etc/systemd/system/wazuh-indexer.service.d
echo -e "[Service]\nTimeoutStartSec=240" | sudo tee /etc/systemd/system/wazuh-indexer.service.d/startup-timeout.conf
[Service]

I have set the heap size in my /etc/wazuh-indexer/jvm.options file to

-Xms6g
-Xmx6g


On my VM I've allocated:

 4 CPUs
10GB RAM


Any help will be appreciated. 

Thank you
ray

Stuti Gupta

Jan 24, 2025, 2:07:09 AM
to Wazuh | Mailing List

Hi  Raymond

The recommended indexer server resources are 16 GB and 8 cores https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/index.html#hardware-recommendations 

Can you please share the following details and information to know the cause of the issue:

Could you let us know when you encountered this error? Did you follow any specific steps or documentation before this issue occurred?

Please check the cluster health by running the following command: curl -XGET -k -u user:pass "https://localhost:9200/_cluster/health"

Additionally, please share the relevant logs from the Wazuh Indexer to identify any errors or warnings: cat /var/log/wazuh-indexer/wazuh-cluster.log

It would also be helpful to know which version of Wazuh you are using and whether your setup is an all-in-one deployment (Wazuh manager, indexer, and dashboard on the same server) or a distributed deployment.

This issue could potentially be related to resource limitations, so ensure there is enough memory and disk space on your system. You can verify this with:

free -h

df -h

In case you have all-in-one deployment try to add an indexer node https://documentation.wazuh.com/current/user-manual/wazuh-indexer-cluster/add-wazuh-indexer-nodes.html

Hope to hear from you soon
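
Added example, not part of the thread or of Wazuh's own tooling: a POSIX shell check that reads -Xms/-Xmx from a jvm.options file and compares the heap with total RAM, using the common OpenSearch guidance (an assumption here, not something the thread states) that the heap should not exceed half of RAM. The function names are hypothetical, and the constructed sample reproduces the 6g heap from the first post against 10 GB and 16 GB; it does not establish that the heap caused this timeout.

```sh
#!/bin/sh
# Added example: compare the JVM heap in jvm.options with the host's RAM.

# Convert a JVM size such as 6g, 6144m or 512k (or plain bytes) to MiB.
heap_to_mib() {
    case "$1" in
        *[gG]) echo $(( ${1%?} * 1024 )) ;;
        *[mM]) echo "${1%?}" ;;
        *[kK]) echo $(( ${1%?} / 1024 )) ;;
        *)     echo $(( $1 / 1048576 )) ;;
    esac
}

# jvm_flag FILE Xms|Xmx: value of the last uncommented matching line.
jvm_flag() {
    sed -n "s/^[[:space:]]*-$2\([0-9][0-9]*[gGmMkK]\{0,1\}\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# check_heap FILE TOTAL_RAM_MIB
# Returns 0 if fine, 1 if -Xms/-Xmx are missing or differ, 2 if heap > RAM/2.
check_heap() {
    xms=$(jvm_flag "$1" Xms); xmx=$(jvm_flag "$1" Xmx)
    if [ -z "$xms" ] || [ -z "$xmx" ]; then
        echo "no explicit -Xms/-Xmx found in $1"; return 1
    fi
    min=$(heap_to_mib "$xms"); max=$(heap_to_mib "$xmx")
    if [ "$min" -ne "$max" ]; then
        echo "-Xms$xms and -Xmx$xmx differ"; return 1
    fi
    if [ "$max" -gt $(( $2 / 2 )) ]; then
        echo "heap $max MiB exceeds half of $2 MiB RAM"; return 2
    fi
    echo "heap $max MiB fits within half of $2 MiB RAM"
}

# Constructed sample mirroring the thread: 6g heap on 10 GB, then on 16 GB.
sample=$(mktemp)
printf '%s\n' '## JVM heap (constructed sample)' '-Xms6g' '-Xmx6g' > "$sample"
check_heap "$sample" 10240 || true
check_heap "$sample" 16384 || true
rm -f "$sample"
```

On a real host, pass /etc/wazuh-indexer/jvm.options and the MemTotal value from /proc/meminfo converted to MiB.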

Raymond Gonsalves

Jan 26, 2025, 10:47:18 PM
to Wazuh | Mailing List
Hello Stuti

Thank you for your response. I'm a TOTAL newbie to Linux and CyberSecurity and I'm struggling. BUT I WILL NOT GIVE UP!!!! :) I very much appreciate all the help I can get.





Could you let us know when you encountered this error? Did you follow any specific steps or documentation before this issue occurred?

I've been trying to create a homelab SIEM, so I've been following this setup documentation:


I've increased my RAM to 16GB and cores to 9 on the VM

When I run the following : curl -XGET -k -u user:pass "https://localhost:9200/_cluster/health"

I get the following error:

curl: (7) Failed to connect to localhost port 9200 after 0 ms: Couldn't connect to server

I've run the following command: sudo ufw status

And it returned:

root@RGUbantu:/etc# ufw status

Status: active

To                         Action      From
--                         ------      ----
9200                       ALLOW       Anywhere                  
9200 (v6)                  ALLOW       Anywhere (v6)            

Additionally, please share the relevant logs from the Wazuh Indexer to identify any errors or warnings: cat /var/log/wazuh-indexer/wazuh-cluster.log

See attached file RGWazuh.log

It would also be helpful to know which version of Wazuh you are using and whether your setup is an all-in-one deployment (Wazuh manager, indexer, and dashboard on the same server) or a distributed deployment.

Version of Wazuh-Indexer is 4.10.1-1

My deployment will be all on one server. However, I've only set up the Indexer at this point.

The results of the free -h command are as follows

               total        used        free      shared  buff/cache   available
Mem:            16Gi       1.2Gi        14Gi        44Mi       1.0Gi        14Gi
Swap:          2.6Gi        20Mi       2.6Gi

The results of df -h are as follows:

Filesystem      Size  Used  Avail  Use%  Mounted on
tmpfs           1.7G  1.5M   1.7G    1%  /run
/dev/sda3        24G   19G   4.7G   80%  /
tmpfs           8.1G     0   8.1G    0%  /dev/shm
tmpfs           5.0M  4.0K   5.0M    1%  /run/lock
/dev/sda2       512M  6.1M   506M    2%  /boot/efi
Downloads       931G  221G   711G   24%  /media/sf_Downloads
tmpfs           1.7G  112K   1.7G    1%  /run/user/1000

Stuti Gupta

Jan 29, 2025, 2:33:51 AM
to Wazuh | Mailing List

I recommend installing Wazuh using the official documentation. You can refer to this guide for a step-by-step installation: Wazuh Indexer Installation Guide. As you can see, there are several permission and ownership errors included in the installation process. Following the official guide should help address these issues and ensure a smoother setup.

Let me know if you need any further assistance.

Raymond Gonsalves

Jan 30, 2025, 12:16:25 AM
to Stuti Gupta, Wazuh | Mailing List
OK Stuti,

I will uninstall and try again. Thank you for not forgetting me.

ray


Sheheryar Amur

Jan 30, 2025, 1:06:12 AM
to Raymond Gonsalves, Stuti Gupta, Wazuh | Mailing List
Can we integrate a sound system (like an alarm) when an alert triggers?



Sheheryar Amur

Jan 30, 2025, 1:06:53 AM
to Raymond Gonsalves, Stuti Gupta, Wazuh | Mailing List
In Wazuh
