Wazuh Console no longer accepting Admin password


Brian Kelly

Jul 9, 2025, 7:49:09 AM
to Wazuh | Mailing List
Out of the blue, our Wazuh console that has been working for around a month no longer allows us to sign-in.  We still have access to the Ubuntu instance and all services appear to be running.

Restarting the host, attempting to set the admin password or all passwords using wazuh-passwords-tool.sh, have not worked.  In verbose mode, the following error is encountered.

ERR: An unexpected ResponseException occured: method [GET], host [https://127.0.0.1:9200], URI [/_plugins/_security/whoami], status line [HTTP/1.1 429 Too Many Requests]
{"error":{"root_cause":[{"type":"circuit_breaking_exception","reason":"[parent] Data too large, data for [<http_request>] would be [1052006560/1003.2mb], which is larger than the limit of [1020054732/972.7mb], real usage: [1052006560/1003.2mb], new bytes reserved: [0/0b], usages [request=0/0b, fielddata=0/0b, in_flight_requests=0/0b]","bytes_wanted":1052006560,"bytes_limit":1020054732,"durability":"TRANSIENT"}],"type":"circuit_breaking_exception","reason":"[parent] Data too large, data for [<http_request>] would be [1052006560/1003.2mb], which is larger than the limit of [1020054732/972.7mb], real usage: [1052006560/1003.2mb], new bytes reserved: [0/0b], usages [request=0/0b, fielddata=0/0b, in_flight_requests=0/0b]","bytes_wanted":1052006560,"bytes_limit":1020054732,"durability":"TRANSIENT"},"status":429}
Trace:
org.opensearch.client.ResponseException: method [GET], host [https://127.0.0.1:9200], URI [/_plugins/_security/whoami], status line [HTTP/1.1 429 Too Many Requests]
{"error":{"root_cause":[{"type":"circuit_breaking_exception","reason":"[parent] Data too large, data for [<http_request>] would be [1052006560/1003.2mb], which is larger than the limit of [1020054732/972.7mb], real usage: [1052006560/1003.2mb], new bytes reserved: [0/0b], usages [request=0/0b, fielddata=0/0b, in_flight_requests=0/0b]","bytes_wanted":1052006560,"bytes_limit":1020054732,"durability":"TRANSIENT"}],"type":"circuit_breaking_exception","reason":"[parent] Data too large, data for [<http_request>] would be [1052006560/1003.2mb], which is larger than the limit of [1020054732/972.7mb], real usage: [1052006560/1003.2mb], new bytes reserved: [0/0b], usages [request=0/0b, fielddata=0/0b, in_flight_requests=0/0b]","bytes_wanted":1052006560,"bytes_limit":1020054732,"durability":"TRANSIENT"},"status":429}
        at org.opensearch.client.RestClient.convertResponse(RestClient.java:479)
        at org.opensearch.client.RestClient.performRequest(RestClient.java:371)

If anyone can offer guidance on (1) why the password stopped working in the first place and (2) how to reset / recover http console access, that would be appreciated.

Md. Nazmur Sakib

Jul 10, 2025, 8:24:35 AM
to Wazuh | Mailing List
Hi Brian Kelly,

Sorry for the late response. Somehow we missed your query.

First make sure the indexer service is up and running properly.

Based on this error

circuit_breaking_exception","reason":"[parent] Data too large, data for [<http_request>] would be [1052006560/1003.2mb], which is larger than the limit of [1020054732/972.7mb]

The circuit_breaking_exception is a mechanism used to prevent operations from causing an OutOfMemoryError. It seems like Wazuh indexer was using most of the JVM heap configured, and the total memory required for all operations was higher than the memory available, so the operation you requested was aborted.

On the indexer node, start by checking your memory with:

free -h


Then, update the heap size in the /etc/wazuh-indexer/jvm.options file. For example, if your server has 12 GB of RAM, set the heap size to 6 GB as shown below:

-Xms6g

-Xmx6g


Here are some key points to keep in mind to configure heap memory:

Use no more than 50% of your available RAM.

Don’t set the heap size over 32 GB.
Make sure not to add any additional space before -Xm


After making these changes, restart the Wazuh indexer for them to take effect:

systemctl restart wazuh-indexer

Now, check the status


systemctl status wazuh-indexer


You can refer to this link for more details:

https://documentation.wazuh.com/current/user-manual/wazuh-indexer/wazuh-indexer-tuning.html#memory-locking


If you still see a similar error even after adjusting the JVM, you need to increase the RAM of your Wazuh server.


Change the password again following this document.
 https://documentation.wazuh.com/current/user-manual/user-administration/password-management.html

You can use the command to change the admin password.

bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -u admin -p Secr3tP4ssw*rd

Replace Secr3tP4ssw*rd with your password.

The password must have a length between 8 and 64 characters and contain at least one upper case letter, one lower case letter, a number and one of the following symbols: .*+?-. If no password is specified, the script will generate a random one.

If you have a distributed environment, you need to update the password in the filebeat keystore.

Ref: https://documentation.wazuh.com/current/user-manual/user-administration/password-management.html#changing-the-passwords-in-a-distributed-environment

Let me know if this solves your issue.
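
The two points in this reply, reading the circuit breaker error and sizing the heap, as an added Python example that is not part of the original post or of Wazuh's tooling. It assumes the parent breaker is at the OpenSearch default of 95% of the JVM heap; the function names and sample inputs are constructed here, and the equal -Xms/-Xmx rule is the one stated in the jvm.options header.

```python
import json
import re

# Constructed sample: the 429 body from the thread, trimmed to the fields used.
SAMPLE_429 = json.dumps({
    "error": {
        "type": "circuit_breaking_exception",
        "bytes_wanted": 1052006560,
        "bytes_limit": 1020054732,
        "durability": "TRANSIENT",
    },
    "status": 429,
})

# Assumption: parent breaker limit is the OpenSearch default, 95% of the heap.
PARENT_BREAKER_FRACTION = 0.95
GIB = 1024 ** 3
UNITS = {"k": 1024, "m": 1024 ** 2, "g": GIB}
# Matches an active heap flag, capturing any leading whitespace separately.
HEAP_FLAG = re.compile(r"^(\s*)-(Xms|Xmx)(\d+)([kKmMgG]?)\s*$")


def explain_breaker(body):
    """Summarise a circuit_breaking_exception body and infer the heap size."""
    err = json.loads(body)["error"]
    if err.get("type") != "circuit_breaking_exception":
        raise ValueError("not a circuit breaker response")
    limit, wanted = err["bytes_limit"], err["bytes_wanted"]
    return {
        # How far the node's memory use was past the breaker limit.
        "over_limit_bytes": wanted - limit,
        # Heap the limit implies, valid only under the 95% assumption above.
        "implied_heap_gib": round(limit / PARENT_BREAKER_FRACTION / GIB, 2),
    }


def check_heap_options(text, ram_bytes):
    """Check jvm.options heap flags against the rules given in the reply."""
    problems, sizes = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out examples such as "## -Xms4g"
        m = HEAP_FLAG.match(line)
        if not m:
            continue
        indent, flag, num, unit = m.groups()
        if indent:
            problems.append(f"line {n}: whitespace before -{flag}")
        if flag in sizes:
            problems.append(f"line {n}: -{flag} set more than once")
        sizes[flag] = int(num) * UNITS.get(unit.lower(), 1)
    for flag in ("Xms", "Xmx"):
        if flag not in sizes:
            problems.append(f"-{flag} is not set")
    if len(sizes) == 2:
        if sizes["Xms"] != sizes["Xmx"]:
            problems.append("-Xms and -Xmx differ")
        if sizes["Xmx"] > ram_bytes // 2:
            problems.append("heap is more than 50% of RAM")
        if sizes["Xmx"] > 32 * GIB:
            problems.append("heap is over 32 GB")
    return problems


if __name__ == "__main__":
    print(explain_breaker(SAMPLE_429))
    # The reply's own example: 12 GB of RAM with a 6 GB heap.
    print(check_heap_options("-Xms6g\n-Xmx6g\n", 12 * GIB))
    # Constructed bad file: leading space, unequal values, heap too large.
    print(check_heap_options(" -Xms1g\n-Xmx8g\n", 12 * GIB))
```
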

Brian Kelly

Jul 10, 2025, 3:31:48 PM
to Wazuh | Mailing List

Thank you so very much for the response and guidance.

Our server has 8G of RAM, so I have now set the -Xms and -Xmx values to 4g.  The free memory looks like:

 root@tceat-wzh01:/etc/wazuh-indexer# free -h

               total        used        free      shared  buff/cache   available

Mem:           7.8Gi       1.2Gi       4.3Gi       824Ki       2.6Gi       6.6Gi

Swap:          4.0Gi        12Ki       4.0Gi

 

Having completed the change and attempting to restart the wazuh-indexer, I receive the following errors:

 

root@tceat-wzh01:/etc/wazuh-indexer# systemctl restart wazuh-indexer

Job for wazuh-indexer.service failed because the control process exited with error code.

See "systemctl status wazuh-indexer.service" and "journalctl -xeu wazuh-indexer.service" for details.

root@tceat-wzh01:/etc/wazuh-indexer# systemctl status wazuh-indexer

× wazuh-indexer.service - wazuh-indexer

     Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; preset: enabled)

     Active: failed (Result: exit-code) since Thu 2025-07-10 12:39:34 UTC; 14s ago

       Docs: https://documentation.wazuh.com

    Process: 4326 ExecStart=/usr/share/wazuh-indexer/bin/systemd-entrypoint -p ${PID_DIR}/wazuh-indexer.pid --quiet (code=exited, status=1/FAILURE)

   Main PID: 4326 (code=exited, status=1/FAILURE)

        CPU: 19.400s

 

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at org.opensearch.cli.Command.main(Command.java:101)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]: For complete error details, refer to the log at /var/log/wazuh-indexer/wazuh-cluster.log

Jul 10 12:39:34 tceat-wzh01 systemd[1]: wazuh-indexer.service: Main process exited, code=exited, status=1/FAILURE

Jul 10 12:39:34 tceat-wzh01 systemd[1]: wazuh-indexer.service: Failed with result 'exit-code'.

Jul 10 12:39:34 tceat-wzh01 systemd[1]: Failed to start wazuh-indexer.service - wazuh-indexer.

Jul 10 12:39:34 tceat-wzh01 systemd[1]: wazuh-indexer.service: Consumed 19.400s CPU time.

 

The details from journalctl -xeu wazuh-indexer.service are:

 

Jul 10 09:11:03 tceat-wzh01 systemd[1]: Starting wazuh-indexer.service - wazuh-indexer...

░░ Subject: A start job for unit wazuh-indexer.service has begun execution

░░ Defined-By: systemd

░░ Support: http://www.ubuntu.com/support

░░

░░ A start job for unit wazuh-indexer.service has begun execution.

░░

░░ The job identifier is 146.

Jul 10 09:11:10 tceat-wzh01 systemd-entrypoint[880]: WARNING: A terminally deprecated method in java.lang.System has been called

Jul 10 09:11:10 tceat-wzh01 systemd-entrypoint[880]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.19.1.jar)

Jul 10 09:11:10 tceat-wzh01 systemd-entrypoint[880]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch

Jul 10 09:11:10 tceat-wzh01 systemd-entrypoint[880]: WARNING: System::setSecurityManager will be removed in a future release

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]: Jul 10, 2025 9:11:11 AM sun.util.locale.provider.LocaleProviderAdapter <clinit>

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]: WARNING: COMPAT locale provider will be removed in a future release

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]: Exception in thread "main" org.opensearch.bootstrap.BootstrapException: java.nio.file.AccessDeniedException: /etc/wazuh-indexer/backup

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]: Likely root cause: java.nio.file.AccessDeniedException: /etc/wazuh-indexer/backup

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]:         at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]:         at java.base/sun.nio.fs.UnixException.asIOException(UnixException.java:115)

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]:         at java.base/sun.nio.fs.UnixFileSystemProvider.newDirectoryStream(UnixFileSystemProvider.java:501)

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]:         at java.base/java.nio.file.Files.newDirectoryStream(Files.java:482)

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]:         at java.base/java.nio.file.FileTreeWalker.visit(FileTreeWalker.java:301)

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]:         at java.base/java.nio.file.FileTreeWalker.next(FileTreeWalker.java:374)

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]:         at java.base/java.nio.file.Files.walkFileTree(Files.java:2833)

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]:         at org.opensearch.common.logging.LogConfigurator.configure(LogConfigurator.java:227)

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]:         at org.opensearch.common.logging.LogConfigurator.configure(LogConfigurator.java:146)

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]:         at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:373)

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]:         at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181)

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]:         at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:172)

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]:         at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]:         at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]:         at org.opensearch.cli.Command.main(Command.java:101)

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138)

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104)

Jul 10 09:11:11 tceat-wzh01 systemd-entrypoint[880]: For complete error details, refer to the log at /var/log/wazuh-indexer/wazuh-cluster.log

Jul 10 09:11:12 tceat-wzh01 systemd[1]: wazuh-indexer.service: Main process exited, code=exited, status=1/FAILURE

░░ Subject: Unit process exited

░░ Defined-By: systemd

░░ Support: http://www.ubuntu.com/support

░░

░░ An ExecStart= process belonging to unit wazuh-indexer.service has exited.

░░

░░ The process' exit code is 'exited' and its exit status is 1.

Jul 10 09:11:12 tceat-wzh01 systemd[1]: wazuh-indexer.service: Failed with result 'exit-code'.

░░ Subject: Unit failed

░░ Defined-By: systemd

░░ Support: http://www.ubuntu.com/support

░░

░░ The unit wazuh-indexer.service has entered the 'failed' state with result 'exit-code'.

Jul 10 09:11:12 tceat-wzh01 systemd[1]: Failed to start wazuh-indexer.service - wazuh-indexer.

░░ Subject: A start job for unit wazuh-indexer.service has failed

░░ Defined-By: systemd

░░ Support: http://www.ubuntu.com/support

░░

░░ A start job for unit wazuh-indexer.service has finished with a failure.

░░

░░ The job identifier is 146 and the job result is failed.

Jul 10 09:11:12 tceat-wzh01 systemd[1]: wazuh-indexer.service: Consumed 13.146s CPU time.

░░ Subject: Resources consumed by unit runtime

░░ Defined-By: systemd

░░ Support: http://www.ubuntu.com/support

░░

░░ The unit wazuh-indexer.service completed and consumed the indicated resources.

Jul 10 12:39:26 tceat-wzh01 systemd[1]: Starting wazuh-indexer.service - wazuh-indexer...

░░ Subject: A start job for unit wazuh-indexer.service has begun execution

░░ Defined-By: systemd

░░ Support: http://www.ubuntu.com/support

░░

░░ A start job for unit wazuh-indexer.service has begun execution.

░░

░░ The job identifier is 1444.

Jul 10 12:39:31 tceat-wzh01 systemd-entrypoint[4326]: WARNING: A terminally deprecated method in java.lang.System has been called

Jul 10 12:39:31 tceat-wzh01 systemd-entrypoint[4326]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.19.1.jar)

Jul 10 12:39:31 tceat-wzh01 systemd-entrypoint[4326]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch

Jul 10 12:39:31 tceat-wzh01 systemd-entrypoint[4326]: WARNING: System::setSecurityManager will be removed in a future release

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]: Jul 10, 2025 12:39:33 PM sun.util.locale.provider.LocaleProviderAdapter <clinit>

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]: WARNING: COMPAT locale provider will be removed in a future release

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]: Exception in thread "main" org.opensearch.bootstrap.BootstrapException: java.nio.file.AccessDeniedException: /etc/wazuh-indexer/backup

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]: Likely root cause: java.nio.file.AccessDeniedException: /etc/wazuh-indexer/backup

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at java.base/sun.nio.fs.UnixException.asIOException(UnixException.java:115)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at java.base/sun.nio.fs.UnixFileSystemProvider.newDirectoryStream(UnixFileSystemProvider.java:501)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at java.base/java.nio.file.Files.newDirectoryStream(Files.java:482)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at java.base/java.nio.file.FileTreeWalker.visit(FileTreeWalker.java:301)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at java.base/java.nio.file.FileTreeWalker.next(FileTreeWalker.java:374)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at java.base/java.nio.file.Files.walkFileTree(Files.java:2833)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at org.opensearch.common.logging.LogConfigurator.configure(LogConfigurator.java:227)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at org.opensearch.common.logging.LogConfigurator.configure(LogConfigurator.java:146)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:373)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:172)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at org.opensearch.cli.Command.main(Command.java:101)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104)

Jul 10 12:39:33 tceat-wzh01 systemd-entrypoint[4326]: For complete error details, refer to the log at /var/log/wazuh-indexer/wazuh-cluster.log

Jul 10 12:39:34 tceat-wzh01 systemd[1]: wazuh-indexer.service: Main process exited, code=exited, status=1/FAILURE

░░ Subject: Unit process exited

░░ Defined-By: systemd

░░ Support: http://www.ubuntu.com/support

░░

░░ An ExecStart= process belonging to unit wazuh-indexer.service has exited.

░░

░░ The process' exit code is 'exited' and its exit status is 1.

Jul 10 12:39:34 tceat-wzh01 systemd[1]: wazuh-indexer.service: Failed with result 'exit-code'.

░░ Subject: Unit failed

░░ Defined-By: systemd

░░ Support: http://www.ubuntu.com/support

░░

░░ The unit wazuh-indexer.service has entered the 'failed' state with result 'exit-code'.

Jul 10 12:39:34 tceat-wzh01 systemd[1]: Failed to start wazuh-indexer.service - wazuh-indexer.

░░ Subject: A start job for unit wazuh-indexer.service has failed

░░ Defined-By: systemd

░░ Support: http://www.ubuntu.com/support

░░

░░ A start job for unit wazuh-indexer.service has finished with a failure.

░░

░░ The job identifier is 1444 and the job result is failed.

Jul 10 12:39:34 tceat-wzh01 systemd[1]: wazuh-indexer.service: Consumed 19.400s CPU time.

░░ Subject: Resources consumed by unit runtime

░░ Defined-By: systemd

░░ Support: http://www.ubuntu.com/support

░░

░░ The unit wazuh-indexer.service completed and consumed the indicated resources.

Jul 10 12:49:23 tceat-wzh01 systemd[1]: Starting wazuh-indexer.service - wazuh-indexer...

░░ Subject: A start job for unit wazuh-indexer.service has begun execution

░░ Defined-By: systemd

░░ Support: http://www.ubuntu.com/support

░░

░░ A start job for unit wazuh-indexer.service has begun execution.

░░

░░ The job identifier is 1554.

Jul 10 12:49:28 tceat-wzh01 systemd-entrypoint[4521]: WARNING: A terminally deprecated method in java.lang.System has been called

Jul 10 12:49:28 tceat-wzh01 systemd-entrypoint[4521]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.19.1.jar)

Jul 10 12:49:28 tceat-wzh01 systemd-entrypoint[4521]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch

Jul 10 12:49:28 tceat-wzh01 systemd-entrypoint[4521]: WARNING: System::setSecurityManager will be removed in a future release

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]: Jul 10, 2025 12:49:30 PM sun.util.locale.provider.LocaleProviderAdapter <clinit>

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]: WARNING: COMPAT locale provider will be removed in a future release

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]: Exception in thread "main" org.opensearch.bootstrap.BootstrapException: java.nio.file.AccessDeniedException: /etc/wazuh-indexer/backup

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]: Likely root cause: java.nio.file.AccessDeniedException: /etc/wazuh-indexer/backup

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]:         at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]:         at java.base/sun.nio.fs.UnixException.asIOException(UnixException.java:115)

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]:         at java.base/sun.nio.fs.UnixFileSystemProvider.newDirectoryStream(UnixFileSystemProvider.java:501)

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]:         at java.base/java.nio.file.Files.newDirectoryStream(Files.java:482)

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]:         at java.base/java.nio.file.FileTreeWalker.visit(FileTreeWalker.java:301)

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]:         at java.base/java.nio.file.FileTreeWalker.next(FileTreeWalker.java:374)

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]:         at java.base/java.nio.file.Files.walkFileTree(Files.java:2833)

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]:         at org.opensearch.common.logging.LogConfigurator.configure(LogConfigurator.java:227)

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]:         at org.opensearch.common.logging.LogConfigurator.configure(LogConfigurator.java:146)

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]:         at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:373)

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]:         at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181)

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]:         at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:172)

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]:         at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]:         at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]:         at org.opensearch.cli.Command.main(Command.java:101)

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138)

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104)

Jul 10 12:49:30 tceat-wzh01 systemd-entrypoint[4521]: For complete error details, refer to the log at /var/log/wazuh-indexer/wazuh-cluster.log

Jul 10 12:49:31 tceat-wzh01 systemd[1]: wazuh-indexer.service: Main process exited, code=exited, status=1/FAILURE

░░ Subject: Unit process exited

░░ Defined-By: systemd

░░ Support: http://www.ubuntu.com/support

░░

░░ An ExecStart= process belonging to unit wazuh-indexer.service has exited.

░░

░░ The process' exit code is 'exited' and its exit status is 1.

Jul 10 12:49:31 tceat-wzh01 systemd[1]: wazuh-indexer.service: Failed with result 'exit-code'.

░░ Subject: Unit failed

░░ Defined-By: systemd

░░ Support: http://www.ubuntu.com/support

░░

░░ The unit wazuh-indexer.service has entered the 'failed' state with result 'exit-code'.

Jul 10 12:49:31 tceat-wzh01 systemd[1]: Failed to start wazuh-indexer.service - wazuh-indexer.

░░ Subject: A start job for unit wazuh-indexer.service has failed

░░ Defined-By: systemd

░░ Support: http://www.ubuntu.com/support

░░

░░ A start job for unit wazuh-indexer.service has finished with a failure.

░░

░░ The job identifier is 1554 and the job result is failed.

Jul 10 12:49:31 tceat-wzh01 systemd[1]: wazuh-indexer.service: Consumed 17.966s CPU time.

░░ Subject: Resources consumed by unit runtime

░░ Defined-By: systemd

░░ Support: http://www.ubuntu.com/support

░░

░░ The unit wazuh-indexer.service completed and consumed the indicated resources.

Md. Nazmur Sakib

Jul 11, 2025, 1:43:46 AM
to Wazuh | Mailing List
Please share your JVM configuration file. Please recheck if you have made any syntax errors.
cat /etc/wazuh-indexer/jvm.options

Here are some key points to keep in mind to configure heap memory:
  • Use no more than 50% of your available RAM.
  • Don’t set the heap size over 32 GB.
  • Make sure not to add any additional space before -Xm
Also, share the logs from the indexer log files.
cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"

Looking forward to your update.

Brian Kelly

Jul 11, 2025, 8:31:28 AM
to Wazuh | Mailing List
As requested.

## JVM configuration

################################################################
## IMPORTANT: JVM heap size
################################################################
##
## You should always set the min and max JVM heap
## size to the same value. For example, to set
## the heap to 4 GB, set:
##
## -Xms4g
## -Xmx4g
##
## See https://opensearch.org/docs/opensearch/install/important-settings/
## for more information
##
################################################################

# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space

-Xms4g
-Xmx4g

################################################################
## Expert settings
################################################################
##
## All settings below this section are considered
## expert settings. Don't tamper with them unless
## you understand what you are doing
##
################################################################

## GC configuration
8-10:-XX:+UseConcMarkSweepGC
8-10:-XX:CMSInitiatingOccupancyFraction=75
8-10:-XX:+UseCMSInitiatingOccupancyOnly

## G1GC Configuration
# NOTE: G1 GC is only supported on JDK version 10 or later
# to use G1GC, uncomment the next two lines and update the version on the
# following three lines to your version of the JDK
# 10:-XX:-UseConcMarkSweepGC
# 10:-XX:-UseCMSInitiatingOccupancyOnly
11-:-XX:+UseG1GC
11-:-XX:G1ReservePercent=25
11-:-XX:InitiatingHeapOccupancyPercent=30

## JVM temporary directory
-Djava.io.tmpdir=${OPENSEARCH_TMPDIR}

## heap dumps

# generate a heap dump when an allocation from the Java heap fails
# heap dumps are created in the working directory of the JVM
-XX:+HeapDumpOnOutOfMemoryError

# specify an alternative path for heap dumps; ensure the directory exists and
# has sufficient space
-XX:HeapDumpPath=/var/lib/wazuh-indexer

# specify an alternative path for JVM fatal error logs
-XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log

## JDK 8 GC logging
8:-XX:+PrintGCDetails
8:-XX:+PrintGCDateStamps
8:-XX:+PrintTenuringDistribution
8:-XX:+PrintGCApplicationStoppedTime
8:-Xloggc:/var/log/wazuh-indexer/gc.log
8:-XX:+UseGCLogFileRotation
8:-XX:NumberOfGCLogFiles=32
8:-XX:GCLogFileSize=64m

# JDK 9+ GC logging
9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m

# Explicitly allow security manager (https://bugs.openjdk.java.net/browse/JDK-8270380)
18-:-Djava.security.manager=allow

# JDK 20+ Incubating Vector Module for SIMD optimizations;
# disabling may reduce performance on vector optimized lucene
20:--add-modules=jdk.incubator.vector

# HDFS ForkJoinPool.common() support by SecurityManager
-Djava.util.concurrent.ForkJoinPool.common.threadFactory=org.opensearch.secure_sm.SecuredForkJoinWorkerThreadFactory

## OpenSearch Performance Analyzer
-Dclk.tck=100
-Djdk.attach.allowAttachSelf=true
-Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy
--add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED


[2025-07-10T09:04:34,128][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:04:36,627][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:04:39,128][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:04:41,629][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:04:44,131][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:04:46,638][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:04:49,133][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:04:51,639][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:04:54,136][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:04:56,637][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:04:59,138][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:00,973][WARN ][o.o.c.r.a.DiskThresholdMonitor] [node-1] Putting index create block on cluster as all nodes are breaching high disk watermark. Number of nodes above high watermark: 1.
[2025-07-10T09:05:01,639][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:04,146][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:06,643][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:09,145][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:11,646][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:14,145][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:16,646][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:19,149][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:21,650][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:24,150][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:26,650][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:29,152][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:30,981][WARN ][o.o.c.r.a.DiskThresholdMonitor] [node-1] Putting index create block on cluster as all nodes are breaching high disk watermark. Number of nodes above high watermark: 1.
[2025-07-10T09:05:31,730][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:34,153][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:36,653][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:39,217][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:41,718][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:44,219][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:46,720][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:49,284][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:51,721][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:54,222][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:56,723][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:05:59,225][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:06:00,989][WARN ][o.o.c.r.a.DiskThresholdMonitor] [node-1] Putting index create block on cluster as all nodes are breaching high disk watermark. Number of nodes above high watermark: 1.
[2025-07-10T09:06:01,683][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:06:04,116][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:06:06,813][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:06:09,230][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:06:11,728][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:06:14,229][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:06:16,733][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:06:19,232][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:06:21,732][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:06:24,233][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 127.0.0.1:59520
[2025-07-10T09:06:31,021][WARN ][o.o.c.r.a.DiskThresholdMonitor] [node-1] Putting index create block on cluster as all nodes are breaching high disk watermark. Number of nodes above high watermark: 1.


FYI: I have increased the disk space allocated to /dev/mapper/ubuntu--vg-ubuntu--lv, after I discovered this only had 2% free (now 46% and 100GB).

Filesystem                         Size  Used Avail Use% Mounted on
tmpfs                              794M  740K  794M   1% /run
efivarfs                           256K   63K  189K  25% /sys/firmware/efi/efivars
/dev/mapper/ubuntu--vg-ubuntu--lv  194G   85G  100G  46% /
tmpfs                              3.9G   80K  3.9G   1% /dev/shm
tmpfs                              5.0M     0  5.0M   0% /run/lock
/dev/sda2                          2.0G  192M  1.6G  11% /boot
/dev/sda1                          1.1G  6.2M  1.1G   1% /boot/efi
tmpfs                              794M   12K  794M   1% /run/user/1000

Md. Nazmur Sakib

Jul 14, 2025, 4:09:43 AM
to Wazuh | Mailing List

I can see you had a high disk watermark issue based on your log. I believe the issue is resolved now after allocating more disk space.

Can you restart the indexer now?

The configuration of the JVM looks fine to me.


Can you run this command and share the output?

systemctl restart wazuh-indexer

Also, share the output of these commands.

systemctl status wazuh-indexer

cat /var/log/wazuh-indexer/wazuh-cluster.log



Looking forward to your update.

Brian Kelly

Jul 14, 2025, 10:02:17 AM
to Wazuh | Mailing List
Unfortunately not.  Please find below the requested information (and wazuh-cluster.log attached)

root@tceat-wzh01:~# systemctl restart wazuh-indexer

Job for wazuh-indexer.service failed because the control process exited with error code.
See "systemctl status wazuh-indexer.service" and "journalctl -xeu wazuh-indexer.service" for details.


root@tceat-wzh01:~# systemctl status wazuh-indexer

× wazuh-indexer.service - wazuh-indexer
     Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Mon 2025-07-14 11:24:04 UTC; 1min 21s ago
       Docs: https://documentation.wazuh.com
    Process: 27597 ExecStart=/usr/share/wazuh-indexer/bin/systemd-entrypoint -p ${PID_DIR}/wazuh-indexer.pid --quiet (code=exited, status=1/FAILURE)
   Main PID: 27597 (code=exited, status=1/FAILURE)
        CPU: 26.396s

Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at org.opensearch.cli.Command.main(Command.java:101)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]: For complete error details, refer to the log at /var/log/wazuh-indexer/wazuh-cluster.log
Jul 14 11:24:04 tceat-wzh01 systemd[1]: wazuh-indexer.service: Main process exited, code=exited, status=1/FAILURE
Jul 14 11:24:04 tceat-wzh01 systemd[1]: wazuh-indexer.service: Failed with result 'exit-code'.
Jul 14 11:24:04 tceat-wzh01 systemd[1]: Failed to start wazuh-indexer.service - wazuh-indexer.
Jul 14 11:24:04 tceat-wzh01 systemd[1]: wazuh-indexer.service: Consumed 26.396s CPU time.
wazuh-cluster.log

Md. Nazmur Sakib

Jul 16, 2025, 1:08:54 AM
to Wazuh | Mailing List

The last log in the indexer log file is from 2025-07-10T09:06:33,672.

And based on this, "wazuh-indexer.service: Consumed 26.396s CPU time", it seems to me it can be a resource issue.

Share your indexer configuration.

cat /etc/wazuh-indexer/opensearch.yml


Share the version of your Wazuh indexer and filebeat.
deb (debian, ubuntu):

sudo apt list --installed | grep wazuh

rpm (Centos, Redhat, etc)

sudo rpm -qa | grep wazuh

/usr/share/filebeat/bin/filebeat version

Also, share the output of these commands

cat /var/log/filebeat/filebeat*

ll /etc/wazuh-indexer/certs/

free -h

htop

cat /etc/filebeat/filebeat.yml


Let me know the update on the issue.

Brian Kelly

Jul 16, 2025, 8:01:18 AM
to Wazuh | Mailing List
Thank you for your further assistance.  Please find below my responses and attached outputs.

cat /etc/wazuh-indexer/opensearch.yml - attached.
sudo apt list --installed | grep wazuh - attached.
/usr/share/filebeat/bin/filebeat version - attached.

cat /var/log/filebeat/filebeat* - attached putty.log.

ll /etc/wazuh-indexer/certs/ - attached putty.log.

free -h - attached putty.log.

cat /etc/filebeat/filebeat.yml - attached putty.log.


htop command was not recognised (on Ubuntu).


sudo apt list --installed.txt
cat etcwazuh-indexeropensearch.yml.txt
putty.zip
usr share filebeat bin filebeat version.txt

Md. Nazmur Sakib

Jul 21, 2025, 1:34:15 AM
to Wazuh | Mailing List

Sorry, I was out of the office due to sickness, and that's why it took me a long time to follow up.
I couldn't find anything in what you shared that points to the cause of this indexer issue.

Are you still facing this issue?

If you are still having the issue with the indexer, I will try to forward it to someone from the team who has more expertise on this.

Brian Kelly

Jul 21, 2025, 1:08:37 PM
to Wazuh | Mailing List
Sorry to hear you were unwell. Unfortunately we are still unable to start the wazuh indexer. Your escalation of this matter would be appreciated…

Kevin Ledesma

Jul 22, 2025, 6:51:23 AM
to Wazuh | Mailing List
Hello Brian! 

Checking the output of `systemctl status wazuh-indexer` we can see part of a trace of an error:
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at org.opensearch.cli.Command.main(Command.java:101)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104)


The full trace is not present in the cluster.log you've shared. Could you please run the following commands and share the output?
systemctl restart wazuh-indexer
systemctl status wazuh-indexer
journalctl -xeu wazuh-indexer.service

(It is a plus if you can get the last logs from /var/log/wazuh-indexer/wazuh-cluster.log; the ones corresponding to this last restart are enough.)

Probably the error traceback is from AccessDeniedException: /etc/wazuh-indexer/backup. Run this command and share the output:
ls -l /etc/wazuh-indexer/

Also run the command for the backup directory (ls -l /etc/wazuh-indexer/backup); probably the indexer has no access to that directory, or it does not exist.
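
The permission check suggested in the reply above, written as an added example (not part of the thread and not Wazuh's own tooling). It flags every entry under the indexer config directory that the service account cannot read or traverse, which is what makes the startup file-tree walk seen in the `journalctl` trace (`Files.walkFileTree` called from `LogConfigurator.configure`) fail. The function names and the sample listing are assumptions; the sample is constructed from the `ls -l /etc/wazuh-indexer/` output posted later in this thread.

```shell
#!/bin/sh
# Added example: find config entries the indexer service account cannot access.
# Model: classic owner/group/other mode bits only. POSIX ACLs, supplementary
# groups and root's permission bypass are NOT modelled (assumption).

# live_listing DIR
# Emits "<type> <octal-mode> <owner> <group> <path>" per entry (GNU find only).
live_listing() {
    find "$1" -printf '%y %m %u %g %p\n'
}

# sample_listing
# Constructed sample in the same format, mirroring the thread's ls -l output.
sample_listing() {
    cat <<'EOF'
d 600 root root /etc/wazuh-indexer/backup
d 500 wazuh-indexer wazuh-indexer /etc/wazuh-indexer/certs
d 750 wazuh-indexer wazuh-indexer /etc/wazuh-indexer/internalusers-backup
f 660 wazuh-indexer wazuh-indexer /etc/wazuh-indexer/jvm.options
f 660 wazuh-indexer wazuh-indexer /etc/wazuh-indexer/log4j2.properties
d 750 wazuh-indexer wazuh-indexer /etc/wazuh-indexer/opensearch-security
f 660 wazuh-indexer wazuh-indexer /etc/wazuh-indexer/opensearch.keystore
EOF
}

# audit_listing USER GROUP
# Reads listing lines on stdin and prints one BLOCKED line for each directory
# USER cannot both list and enter (needs r and x) and each file it cannot read.
audit_listing() {
    awk -v user="$1" -v group="$2" '
    {
        type = $1; owner = $3; grp = $4
        # Rebuild the path from field 5 onward so embedded spaces survive.
        path = $5
        for (i = 6; i <= NF; i++) path = path " " $i

        # Pad to four octal digits: special, owner, group, other.
        padded = sprintf("%04d", $2 + 0)
        if (owner == user)      bits = substr(padded, 2, 1)
        else if (grp == group)  bits = substr(padded, 3, 1)
        else                    bits = substr(padded, 4, 1)
        bits += 0

        can_read = (bits >= 4)       # r bit set
        can_exec = (bits % 2 == 1)   # x bit set

        if (type == "d" && !(can_read && can_exec))
            printf "BLOCKED dir  %s (%s %s:%s)\n", path, $2, owner, grp
        else if (type == "f" && !can_read)
            printf "BLOCKED file %s (%s %s:%s)\n", path, $2, owner, grp
    }'
}

# Run against the real directory only when asked: ./audit.sh --live
if [ "${1:-}" = "--live" ]; then
    live_listing /etc/wazuh-indexer | audit_listing wazuh-indexer wazuh-indexer
fi
```

On the constructed sample, `sample_listing | audit_listing wazuh-indexer wazuh-indexer` reports only the root-owned `backup` directory with mode 600.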

Brian Kelly

Jul 22, 2025, 8:12:08 AM
to Wazuh | Mailing List
Hi Kevin,

Please find below the responses as requested.

root@tceat-wzh01:~# systemctl restart wazuh-indexer
Job for wazuh-indexer.service failed because the control process exited with error code.
See "systemctl status wazuh-indexer.service" and "journalctl -xeu wazuh-indexer.service" for details.

root@tceat-wzh01:~# systemctl status wazuh-indexer
× wazuh-indexer.service - wazuh-indexer
     Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Tue 2025-07-22 11:06:18 UTC; 55s ago
       Docs: https://documentation.wazuh.com
    Process: 95128 ExecStart=/usr/share/wazuh-indexer/bin/systemd-entrypoint -p ${PID_DIR}/wazuh-indexer.pid --quiet (code=exited, status=1/FAILURE)
   Main PID: 95128 (code=exited, status=1/FAILURE)
        CPU: 24.654s

Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at org.opensearch.cli.Command.main(Command.java:101)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]: For complete error details, refer to the log at /var/log/wazuh-indexer/wazuh-cluster.log
Jul 22 11:06:18 tceat-wzh01 systemd[1]: wazuh-indexer.service: Main process exited, code=exited, status=1/FAILURE
Jul 22 11:06:18 tceat-wzh01 systemd[1]: wazuh-indexer.service: Failed with result 'exit-code'.
Jul 22 11:06:18 tceat-wzh01 systemd[1]: Failed to start wazuh-indexer.service - wazuh-indexer.
Jul 22 11:06:18 tceat-wzh01 systemd[1]: wazuh-indexer.service: Consumed 24.654s CPU time.

root@tceat-wzh01:~# journalctl -xeu wazuh-indexer.service
Jul 11 12:17:56 tceat-wzh01 systemd[1]: Starting wazuh-indexer.service - wazuh-indexer...

░░ Subject: A start job for unit wazuh-indexer.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-indexer.service has begun execution.
░░
░░ The job identifier is 162.
Jul 11 12:18:02 tceat-wzh01 systemd-entrypoint[915]: WARNING: A terminally deprecated method in java.lang.System has been called
Jul 11 12:18:02 tceat-wzh01 systemd-entrypoint[915]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.19.1.jar)
Jul 11 12:18:02 tceat-wzh01 systemd-entrypoint[915]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jul 11 12:18:02 tceat-wzh01 systemd-entrypoint[915]: WARNING: System::setSecurityManager will be removed in a future release
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]: Jul 11, 2025 12:18:04 PM sun.util.locale.provider.LocaleProviderAdapter <clinit>
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]: WARNING: COMPAT locale provider will be removed in a future release
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]: Exception in thread "main" org.opensearch.bootstrap.BootstrapException: java.nio.file.AccessDeniedException: /etc/wazuh-indexer/backup
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]: Likely root cause: java.nio.file.AccessDeniedException: /etc/wazuh-indexer/backup
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]:         at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]:         at java.base/sun.nio.fs.UnixException.asIOException(UnixException.java:115)
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]:         at java.base/sun.nio.fs.UnixFileSystemProvider.newDirectoryStream(UnixFileSystemProvider.java:501)
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]:         at java.base/java.nio.file.Files.newDirectoryStream(Files.java:482)
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]:         at java.base/java.nio.file.FileTreeWalker.visit(FileTreeWalker.java:301)
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]:         at java.base/java.nio.file.FileTreeWalker.next(FileTreeWalker.java:374)
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]:         at java.base/java.nio.file.Files.walkFileTree(Files.java:2833)
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]:         at org.opensearch.common.logging.LogConfigurator.configure(LogConfigurator.java:227)
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]:         at org.opensearch.common.logging.LogConfigurator.configure(LogConfigurator.java:146)
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]:         at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:373)
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]:         at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181)
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]:         at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:172)
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]:         at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]:         at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]:         at org.opensearch.cli.Command.main(Command.java:101)
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138)
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104)
Jul 11 12:18:04 tceat-wzh01 systemd-entrypoint[915]: For complete error details, refer to the log at /var/log/wazuh-indexer/wazuh-cluster.log
Jul 11 12:18:05 tceat-wzh01 systemd[1]: wazuh-indexer.service: Main process exited, code=exited, status=1/FAILURE

░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ An ExecStart= process belonging to unit wazuh-indexer.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Jul 11 12:18:05 tceat-wzh01 systemd[1]: wazuh-indexer.service: Failed with result 'exit-code'.

░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-indexer.service has entered the 'failed' state with result 'exit-code'.
Jul 11 12:18:05 tceat-wzh01 systemd[1]: Failed to start wazuh-indexer.service - wazuh-indexer.

░░ Subject: A start job for unit wazuh-indexer.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-indexer.service has finished with a failure.
░░
░░ The job identifier is 162 and the job result is failed.
Jul 11 12:18:05 tceat-wzh01 systemd[1]: wazuh-indexer.service: Consumed 18.973s CPU time.

░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-indexer.service completed and consumed the indicated resources.
Jul 11 12:42:42 tceat-wzh01 systemd[1]: Starting wazuh-indexer.service - wazuh-indexer...

░░ Subject: A start job for unit wazuh-indexer.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-indexer.service has begun execution.
░░
░░ The job identifier is 794.
Jul 11 12:42:46 tceat-wzh01 systemd-entrypoint[4640]: WARNING: A terminally deprecated method in java.lang.System has been called
Jul 11 12:42:46 tceat-wzh01 systemd-entrypoint[4640]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.19.1.jar)
Jul 11 12:42:46 tceat-wzh01 systemd-entrypoint[4640]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jul 11 12:42:46 tceat-wzh01 systemd-entrypoint[4640]: WARNING: System::setSecurityManager will be removed in a future release
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]: Jul 11, 2025 12:42:47 PM sun.util.locale.provider.LocaleProviderAdapter <clinit>
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]: WARNING: COMPAT locale provider will be removed in a future release
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]: Exception in thread "main" org.opensearch.bootstrap.BootstrapException: java.nio.file.AccessDeniedException: /etc/wazuh-indexer/backup
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]: Likely root cause: java.nio.file.AccessDeniedException: /etc/wazuh-indexer/backup
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]:         at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]:         at java.base/sun.nio.fs.UnixException.asIOException(UnixException.java:115)
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]:         at java.base/sun.nio.fs.UnixFileSystemProvider.newDirectoryStream(UnixFileSystemProvider.java:501)
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]:         at java.base/java.nio.file.Files.newDirectoryStream(Files.java:482)
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]:         at java.base/java.nio.file.FileTreeWalker.visit(FileTreeWalker.java:301)
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]:         at java.base/java.nio.file.FileTreeWalker.next(FileTreeWalker.java:374)
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]:         at java.base/java.nio.file.Files.walkFileTree(Files.java:2833)
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]:         at org.opensearch.common.logging.LogConfigurator.configure(LogConfigurator.java:227)
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]:         at org.opensearch.common.logging.LogConfigurator.configure(LogConfigurator.java:146)
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]:         at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:373)
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]:         at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181)
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]:         at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:172)
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]:         at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]:         at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]:         at org.opensearch.cli.Command.main(Command.java:101)
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138)
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104)
Jul 11 12:42:47 tceat-wzh01 systemd-entrypoint[4640]: For complete error details, refer to the log at /var/log/wazuh-indexer/wazuh-cluster.log
Jul 11 12:42:48 tceat-wzh01 systemd[1]: wazuh-indexer.service: Main process exited, code=exited, status=1/FAILURE

░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ An ExecStart= process belonging to unit wazuh-indexer.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Jul 11 12:42:48 tceat-wzh01 systemd[1]: wazuh-indexer.service: Failed with result 'exit-code'.

░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-indexer.service has entered the 'failed' state with result 'exit-code'.
Jul 11 12:42:48 tceat-wzh01 systemd[1]: Failed to start wazuh-indexer.service - wazuh-indexer.

░░ Subject: A start job for unit wazuh-indexer.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-indexer.service has finished with a failure.
░░
░░ The job identifier is 794 and the job result is failed.
Jul 11 12:42:48 tceat-wzh01 systemd[1]: wazuh-indexer.service: Consumed 17.927s CPU time.

░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-indexer.service completed and consumed the indicated resources.
Jul 14 11:23:49 tceat-wzh01 systemd[1]: Starting wazuh-indexer.service - wazuh-indexer...

░░ Subject: A start job for unit wazuh-indexer.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-indexer.service has begun execution.
░░
░░ The job identifier is 19804.
Jul 14 11:24:01 tceat-wzh01 systemd-entrypoint[27597]: WARNING: A terminally deprecated method in java.lang.System has been called
Jul 14 11:24:01 tceat-wzh01 systemd-entrypoint[27597]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.19.1.jar)
Jul 14 11:24:01 tceat-wzh01 systemd-entrypoint[27597]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jul 14 11:24:01 tceat-wzh01 systemd-entrypoint[27597]: WARNING: System::setSecurityManager will be removed in a future release
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]: Jul 14, 2025 11:24:03 AM sun.util.locale.provider.LocaleProviderAdapter <clinit>
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]: WARNING: COMPAT locale provider will be removed in a future release
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]: Exception in thread "main" org.opensearch.bootstrap.BootstrapException: java.nio.file.AccessDeniedException: /etc/wazuh-indexer/backup
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]: Likely root cause: java.nio.file.AccessDeniedException: /etc/wazuh-indexer/backup
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at java.base/sun.nio.fs.UnixException.asIOException(UnixException.java:115)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at java.base/sun.nio.fs.UnixFileSystemProvider.newDirectoryStream(UnixFileSystemProvider.java:501)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at java.base/java.nio.file.Files.newDirectoryStream(Files.java:482)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at java.base/java.nio.file.FileTreeWalker.visit(FileTreeWalker.java:301)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at java.base/java.nio.file.FileTreeWalker.next(FileTreeWalker.java:374)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at java.base/java.nio.file.Files.walkFileTree(Files.java:2833)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at org.opensearch.common.logging.LogConfigurator.configure(LogConfigurator.java:227)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at org.opensearch.common.logging.LogConfigurator.configure(LogConfigurator.java:146)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:373)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:172)

Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at org.opensearch.cli.Command.main(Command.java:101)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104)
Jul 14 11:24:03 tceat-wzh01 systemd-entrypoint[27597]: For complete error details, refer to the log at /var/log/wazuh-indexer/wazuh-cluster.log
Jul 14 11:24:04 tceat-wzh01 systemd[1]: wazuh-indexer.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ An ExecStart= process belonging to unit wazuh-indexer.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Jul 14 11:24:04 tceat-wzh01 systemd[1]: wazuh-indexer.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-indexer.service has entered the 'failed' state with result 'exit-code'.
Jul 14 11:24:04 tceat-wzh01 systemd[1]: Failed to start wazuh-indexer.service - wazuh-indexer.
░░ Subject: A start job for unit wazuh-indexer.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-indexer.service has finished with a failure.
░░
░░ The job identifier is 19804 and the job result is failed.

Jul 14 11:24:04 tceat-wzh01 systemd[1]: wazuh-indexer.service: Consumed 26.396s CPU time.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-indexer.service completed and consumed the indicated resources.
Jul 22 11:06:02 tceat-wzh01 systemd[1]: Starting wazuh-indexer.service - wazuh-indexer...

░░ Subject: A start job for unit wazuh-indexer.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-indexer.service has begun execution.
░░
░░ The job identifier is 72346.
Jul 22 11:06:13 tceat-wzh01 systemd-entrypoint[95128]: WARNING: A terminally deprecated method in java.lang.System has been called
Jul 22 11:06:13 tceat-wzh01 systemd-entrypoint[95128]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.19.1.jar)
Jul 22 11:06:13 tceat-wzh01 systemd-entrypoint[95128]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Jul 22 11:06:13 tceat-wzh01 systemd-entrypoint[95128]: WARNING: System::setSecurityManager will be removed in a future release
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]: Jul 22, 2025 11:06:16 AM sun.util.locale.provider.LocaleProviderAdapter <clinit>
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]: WARNING: COMPAT locale provider will be removed in a future release
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]: Exception in thread "main" org.opensearch.bootstrap.BootstrapException: java.nio.file.AccessDeniedException: /etc/wazuh-indexer/backup
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]: Likely root cause: java.nio.file.AccessDeniedException: /etc/wazuh-indexer/backup
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at java.base/sun.nio.fs.UnixException.asIOException(UnixException.java:115)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at java.base/sun.nio.fs.UnixFileSystemProvider.newDirectoryStream(UnixFileSystemProvider.java:501)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at java.base/java.nio.file.Files.newDirectoryStream(Files.java:482)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at java.base/java.nio.file.FileTreeWalker.visit(FileTreeWalker.java:301)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at java.base/java.nio.file.FileTreeWalker.next(FileTreeWalker.java:374)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at java.base/java.nio.file.Files.walkFileTree(Files.java:2833)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at org.opensearch.common.logging.LogConfigurator.configure(LogConfigurator.java:227)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at org.opensearch.common.logging.LogConfigurator.configure(LogConfigurator.java:146)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:373)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:172)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at org.opensearch.cli.Command.main(Command.java:101)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104)
Jul 22 11:06:16 tceat-wzh01 systemd-entrypoint[95128]: For complete error details, refer to the log at /var/log/wazuh-indexer/wazuh-cluster.log
Jul 22 11:06:18 tceat-wzh01 systemd[1]: wazuh-indexer.service: Main process exited, code=exited, status=1/FAILURE

░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ An ExecStart= process belonging to unit wazuh-indexer.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Jul 22 11:06:18 tceat-wzh01 systemd[1]: wazuh-indexer.service: Failed with result 'exit-code'.

░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-indexer.service has entered the 'failed' state with result 'exit-code'.
Jul 22 11:06:18 tceat-wzh01 systemd[1]: Failed to start wazuh-indexer.service - wazuh-indexer.

░░ Subject: A start job for unit wazuh-indexer.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit wazuh-indexer.service has finished with a failure.
░░
░░ The job identifier is 72346 and the job result is failed.
Jul 22 11:06:18 tceat-wzh01 systemd[1]: wazuh-indexer.service: Consumed 24.654s CPU time.

░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit wazuh-indexer.service completed and consumed the indicated resources.

root@tceat-wzh01:~# ls -l /etc/wazuh-indexer/
total 72
drw------- 2 root          root           4096 Jul 10 09:02 backup
dr-x------ 2 wazuh-indexer wazuh-indexer  4096 May 30 08:16 certs
drwxr-x--- 2 wazuh-indexer wazuh-indexer  4096 Jul 10 09:02 internalusers-backup
-rw-rw---- 1 wazuh-indexer wazuh-indexer  3063 Jul 10 12:38 jvm.options
drwxr-x--- 2 wazuh-indexer wazuh-indexer  4096 Apr 30 10:58 jvm.options.d
-rw-rw---- 1 wazuh-indexer wazuh-indexer 17919 Apr 30 10:57 log4j2.properties
drwxr-x--- 2 wazuh-indexer wazuh-indexer  4096 May 30 08:16 opensearch-notifications
drwxr-x--- 2 wazuh-indexer wazuh-indexer  4096 May 30 08:16 opensearch-notifications-core
drwxr-x--- 2 wazuh-indexer wazuh-indexer  4096 May 30 08:16 opensearch-observability
drwxr-x--- 2 wazuh-indexer wazuh-indexer  4096 May 30 08:16 opensearch-performance-analyzer
drwxr-x--- 2 wazuh-indexer wazuh-indexer  4096 May 30 08:16 opensearch-reports-scheduler
drwxr-x--- 2 wazuh-indexer wazuh-indexer  4096 May 30 08:16 opensearch-security
-rw-rw---- 1 wazuh-indexer wazuh-indexer   196 May 30 08:16 opensearch.keystore
-rw-rw---- 1 wazuh-indexer wazuh-indexer  2152 May 30 08:16 opensearch.yml

root@tceat-wzh01:~# ls -l /etc/wazuh-indexer/backup
total 76
-rw------- 1 root root    50 Jul 17 08:55 action_groups.yml
-rw------- 1 root root  1973 Jul 17 08:55 allowlist.yml
-rw------- 1 root root  2541 Jul 17 08:55 audit.yml
-rw------- 1 root root 10063 Jul 17 08:55 config.yml
-rw------- 1 root root  1491 Jul 17 08:55 internal_users.yml
-rw------- 1 root root   154 Jul 17 08:55 nodes_dn.yml
-rw------- 1 root root 12381 Jul 17 08:55 opensearch.yml.example
-rw------- 1 root root 13387 Jul 17 08:55 roles.yml
-rw------- 1 root root  1509 Jul 17 08:55 roles_mapping.yml
-rw------- 1 root root   170 Jul 17 08:55 tenants.yml
-rw------- 1 root root  1973 Jul 17 08:55 whitelist.yml

Attached is the wazuh-cluster.log
wazuh-cluster.zip

Kevin Ledesma

Jul 23, 2025, 10:06:27 AM
to Wazuh | Mailing List
Hi Brian! 

I see. The reason for the error is that /etc/wazuh-indexer/backup and its archives are owned by root instead of wazuh-indexer. Use the following command to fix it:
sudo chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/backup
Then check the directories again with the ls -l command; the owner of the backup directory and its archives should be shown the same as the rest of the Wazuh Indexer files.

Once you have validated that all the files and directories have the correct permissions and access, restart the Wazuh Indexer service once again. It should be working fine now:
systemctl restart wazuh-indexer

This scenario is uncommon. Was /etc/wazuh-indexer/backup created manually at some point, or modified in any way?
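
The ownership check described in the reply above, written as an added example that is not part of the original thread and not Wazuh's own tooling. The function names are hypothetical, and the directory-mode check is an addition prompted by the `drw-------` mode of the backup directory in the listing earlier in the thread.

```shell
#!/bin/sh
# Added example: audit a service's config tree for entries that its
# service account does not own or cannot traverse.
# Function names are hypothetical; the paths in the usage note are the
# ones shown in the thread.

# Print every entry under DIR that is not owned by OWNER
# (OWNER may be a user name or a numeric uid).
list_not_owned_by() {
    dir=$1 owner=$2
    find "$dir" ! -user "$owner" -print
}

# Print every directory under DIR whose owner lacks read or search (x)
# permission. Such a directory cannot be walked by its owner, so a
# chown alone does not make it usable by the service account.
list_untraversable_dirs() {
    find "$1" -type d ! -perm -u=rx -print
}

# Print the findings; return 0 when the tree is clean, 1 otherwise.
audit_config_tree() {
    dir=$1 owner=$2
    bad_owner=$(list_not_owned_by "$dir" "$owner")
    bad_mode=$(list_untraversable_dirs "$dir")
    [ -n "$bad_owner" ] && printf 'wrong owner:\n%s\n' "$bad_owner"
    [ -n "$bad_mode" ] && printf 'owner cannot traverse:\n%s\n' "$bad_mode"
    [ -z "$bad_owner" ] && [ -z "$bad_mode" ]
}

# Usage on the host from the thread (run as root so find can read
# every directory):
#   audit_config_tree /etc/wazuh-indexer wazuh-indexer
```

Running the audit before `systemctl restart wazuh-indexer` confirms that no entry is left that the service account cannot read while it walks its configuration directory.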

Brian Kelly

Jul 24, 2025, 5:14:12 AM
to Wazuh | Mailing List
Hi Kevin,

Resetting the backup folder permissions and then resetting all the passwords using the wazuh-passwords-tool.sh script enabled me to restart the wazuh-indexer service and regain access to the platform.

It appears this issue came about due to the host running out of space and then attempting to use the above-referenced script to reset passwords whilst still experiencing a (yet to be realised) space issue. With that being said, I cannot explain (1) why the ownership of the backup folder changed and (2) why the admin password originally stopped working, unless this was the visible impact of running out of space(?)

Thank you for your help.

Kind regards, Brian

Kevin Ledesma

Jul 25, 2025, 7:29:04 AM
to Wazuh | Mailing List

Hi Brian,

We've reviewed this with the team, and as you pointed out, the system had run out of space. This caused the Indexer service to malfunction, likely leading to failed write operations and leaving those files in an invalid state.

As long as the system doesn't run out of space again, this issue shouldn't reoccur.

Best regards,
Kevin
