Problem with a node (all in one)


Kodoku Zetsuna

Apr 25, 2023, 12:56:25 PM
to Wazuh mailing list
Hello, I am trying to update my Wazuh following this guide https://documentation.wazuh.com/current/upgrade-guide/elasticsearch-kibana-filebeat/upgrading-elastic-stack.html (basic license with Elastic Stack) (all in one).
I don't understand what is happening: when I request "https://ip_address:9200/_cat/health?v" my node appears as yellow.
I have been waiting about 2 hours for it to finish, but it does not advance beyond 98.2%.
Where can I check the logs to see what is happening?
[attached screenshot: nodoyellow.PNG]
Any ideas? Thanks

John Soliani

Apr 25, 2023, 1:50:47 PM
to Wazuh mailing list

Hello Kodoku,

The reason here is that you have 23 unassigned shards, so the active/allocated shard percentage will not reach 100% and the cluster health status will remain yellow. The status is green (no warnings and no errors) when all the shards are active, and red (error) when some primary shards are missing from the cluster.

Remember that in a single node cluster, you will not be able to allocate replicas since primary and replica data will never be stored in the same server (so no HA config is possible).

In your case, you have a total of 1254 shards and 23 are unassigned.

You can get an explanation for each unassigned shard using this command:

  • curl https://localhost:9200/_cluster/allocation/explain -k -u <USER>:<PASSWORD>
    (from the UI, in Dev Tools, use this instead: GET _cluster/allocation/explain)

    You will get something like this in return, explaining why that shard is not being allocated:

    {
      "index": "security-auditlog-2021.12.28",
      "shard": 0,
      "primary": false,
      "current_state": "unassigned",
      "unassigned_info": {
        "reason": "CLUSTER_RECOVERED",
        "at": "2023-04-24T09:21:38.788Z",
        "last_allocation_status": "no_attempt"
      },
      "can_allocate": "no",
      "allocate_explanation": "cannot allocate because allocation is not permitted to any of the nodes",
      "node_allocation_decisions": [
        {
          "node_id": "SRCXflvxTyKsVrZNP2gkuw",
          "node_name": "node-1",
          "transport_address": "192.168.11.30:9300",
          "node_attributes": {
            "shard_indexing_pressure_enabled": "true"
          },
          "node_decision": "no",
          "deciders": [
            {
              "decider": "same_shard",
              "decision": "NO",
              "explanation": "a copy of this shard is already allocated to this node [[security-auditlog-2021.12.28][0], node[SRCXflvxTyKsVrZNP2gkuw], [P], s[STARTED], a[id=3msowiPySQ6RGuIhlZtPJA]]"
            }
          ]
        }
      ]
    }

    In this sample, we can see "primary": false (it is a replica) and the allocate_explanation "cannot allocate because allocation is not permitted to any of the nodes", since this is also an AIO server with only one indexer node.

If this is your case, you can solve it by changing the config to NO_REPLICAS and only 1 SHARD for those indices. First, change the existing indices with this:

For indices already created, we can change their settings:

PUT /security-auditlog-*/_settings
{
  "index": {
    "number_of_replicas": 0
  }
}

Then, create a template so that new indices also get those settings:

PUT _template/security-auditlog-template
{
  "index_patterns": ["security-auditlog-*"],
  "settings": {
    "number_of_replicas": 0
  }
}

This will solve the issue for the security-auditlog-* indices; you can look at the explanations for the remaining unassigned shards and fix them all to turn the health state GREEN.

Hope this helps!
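The triage the reply above walks through, as an added example that is not part of the thread or of Wazuh's own tooling: it reads an _cluster/allocation/explain document, decides whether the unassigned shard is a replica that can never be placed on a one-node cluster (the same_shard decider saying NO) or a primary that has actually gone missing, derives the index pattern, and builds the two PUT requests from the reply. The first explain document is the one quoted in the reply; the second one (an unassigned primary on a wazuh-alerts index) is constructed to show the case where dropping replicas would not help. The apply() helper, the cafile argument and the template naming rule are my assumptions, not a Wazuh API.

```python
"""Triage unassigned shards on an all-in-one indexer (added example)."""
import json
import ssl
import urllib.request
from base64 import b64encode

# Explain output quoted in the reply above (reformatted, content unchanged).
REPLICA_ON_SINGLE_NODE = json.loads("""
{ "index": "security-auditlog-2021.12.28", "shard": 0, "primary": false,
  "current_state": "unassigned",
  "unassigned_info": {"reason": "CLUSTER_RECOVERED",
                      "at": "2023-04-24T09:21:38.788Z",
                      "last_allocation_status": "no_attempt"},
  "can_allocate": "no",
  "allocate_explanation": "cannot allocate because allocation is not permitted to any of the nodes",
  "node_allocation_decisions": [
    {"node_id": "SRCXflvxTyKsVrZNP2gkuw", "node_name": "node-1",
     "transport_address": "192.168.11.30:9300",
     "node_attributes": {"shard_indexing_pressure_enabled": "true"},
     "node_decision": "no",
     "deciders": [{"decider": "same_shard", "decision": "NO",
                   "explanation": "a copy of this shard is already allocated to this node"}]}
  ]}
""")

# Constructed sample (not from the thread): an unassigned PRIMARY. Setting
# number_of_replicas to 0 does nothing for this shard; the data is missing.
PRIMARY_LOST = {
    "index": "wazuh-alerts-4.x-2023.04.20", "shard": 0, "primary": True,
    "current_state": "unassigned",
    "unassigned_info": {"reason": "NODE_LEFT", "at": "2023-04-24T09:21:38.788Z"},
    "can_allocate": "no",
    "allocate_explanation": "cannot allocate because a previous copy of the primary shard existed but can no longer be found",
    "node_allocation_decisions": [],
}


def index_pattern(index_name):
    """security-auditlog-2021.12.28 -> security-auditlog-* (strip a trailing date)."""
    parts = index_name.split("-")
    if len(parts) > 1 and parts[-1].replace(".", "").isdigit():
        parts = parts[:-1]
    return "-".join(parts) + "-*"


def triage(explain):
    """Classify one allocation/explain document into an actionable verdict."""
    deciders = {d["decider"]: d["decision"]
                for node in explain.get("node_allocation_decisions", [])
                for d in node.get("deciders", [])}
    if (not explain["primary"] and explain["can_allocate"] == "no"
            and deciders.get("same_shard") == "NO"):
        verdict = "replica_unplaceable"   # safe: drop replicas for this pattern
    elif explain["primary"]:
        verdict = "primary_unassigned"    # red-state risk: needs data recovery, not a replica change
    else:
        verdict = "other"                 # e.g. disk watermark, filters: read the deciders
    return {"index": explain["index"], "shard": explain["shard"],
            "primary": explain["primary"],
            "reason": explain["unassigned_info"]["reason"],
            "verdict": verdict, "pattern": index_pattern(explain["index"])}


def fix_requests(pattern, template_name=None):
    """The two requests from the reply: existing indices first, then a template for new ones."""
    template_name = template_name or pattern.rstrip("*-") + "-template"  # assumed naming rule
    return [
        ("PUT", f"/{pattern}/_settings",
         {"index": {"number_of_replicas": 0}}),
        ("PUT", f"/_template/{template_name}",
         {"index_patterns": [pattern], "settings": {"number_of_replicas": 0}}),
    ]


def apply(base_url, user, password, reqs, cafile=None):
    """Send the requests with basic auth, verifying TLS against the stack's CA
    (cafile) rather than disabling verification as `curl -k` does. Assumed helper."""
    ctx = ssl.create_default_context(cafile=cafile)
    auth = b64encode(f"{user}:{password}".encode()).decode()
    out = []
    for method, path, body in reqs:
        req = urllib.request.Request(
            base_url + path, method=method, data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json", "Authorization": "Basic " + auth})
        with urllib.request.urlopen(req, context=ctx) as resp:
            out.append((path, resp.status, json.load(resp)))
    return out


if __name__ == "__main__":
    for doc in (REPLICA_ON_SINGLE_NODE, PRIMARY_LOST):
        t = triage(doc)
        print(json.dumps(t))
        if t["verdict"] == "replica_unplaceable":
            for method, path, body in fix_requests(t["pattern"]):
                print(method, path, json.dumps(body))
```

Run it as-is to see the verdicts and the generated requests; to actually change the cluster, call apply("https://localhost:9200", user, password, fix_requests(pattern), cafile="<path to your root CA>"). Only act on "replica_unplaceable" verdicts: an unassigned primary will keep the cluster red no matter how many replicas you remove, and needs the data restored or the index reindexed instead.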
