wazuh-manager.service failed

[Enekupe Lelevaga]

I am trying to sort out this issue. Any help would be appreciated. I started with kibana not running, and while I'm working on finding a solution for it, Wazuh Manager plays and it all comes down to the error: "No space left on this device." 

[Kevin Ledesma]

Hello!

I will help you resolve your issue, but let me ask you some things first!

1. Just to be sure, did you check that the system where you are installing wazuh-manager has enough space in the drive?
2. What installation method (step-by-step/assistant/packages/etc.) and configuration (all-in-one/distributed) are you using?
3. In what system/platform are you configuring wazuh?

 I'll be patiently waiting for your response! Have a nice day!

[Enekupe Lelevaga]

Hi Kevin

1. just to be sure, did you check that the system where you are installing wazuh-manager has enough space in the drive?

                         We got 2T Disk on the system where the wazuh is installed.  I am not too sure where the full storage is; when I check Host Storage, there are heaps left. I believe is the actual OVA file.

1. What installation method (step-by-step/assistant/packages/etc.) and configuration (all-in-one/distributed) are you using?

                         We used All-in-One installation guide.

1. In what system/platform are you configuring wazuh?

                         Centos7. 

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/55ef3af5-8372-4ec4-b0bd-dacfe266f341n%40googlegroups.com.

[Kevin Ledesma]

Hello!

Great, thanks for the information.

Well, now, lets check the state of your filesystem, please share with me the output of the following commands:

• df -h (this is to check the storage space status)
• df -i (this is to check the storage inodes status)

I'll be waiting for your response! Regards!

[Enekupe Lelevaga]

Hi 

Find the screenshot before. 

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/1eeb8214-5b7e-4eec-b0ef-440063a78735n%40googlegroups.com.

[Kevin Ledesma]

Hello!

Well, there we can see the reason of that error, your root partition storage is full (/dev/sda1) so, to fix it you have two options:

1. Free up some space: here I will left you some useful commands (keep in mind that this will help depending on what you have stored in your root) .
   • yum clean all or rm -rf /var/cache/yum  to clean the packages cache
   • rm -rf /root/.cache/*/* to delete all root's cache
     
   • find /var -name "*.log" \( \( -size +50M -mtime +7 \) -o -mtime +30 \) -exec truncate {} --size 0 \; to truncate any *.log files on the volume /var that are either older than 7 days and greater than 50M or older than 30 days
   • package-cleanup --oldkernels --count=2 to cleanup old kernels
     
2. increase your root storage. you can read this guide to do so
   

Have a nice day! Regards

[Enekupe Lelevaga]

Hi Kevin, 

really appreciate your help. 

Now I have wazuh-manager up and running, but I have some issues with Elasticsearch.

Screenshot below, 

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/189f380b-1e76-4c85-acf0-b41d5426e61cn%40googlegroups.com.

[Kevin Ledesma]

Hello!

Great! We're almost there!

This new error is related to the lack of RAM memory in the system, wazuh-server minimum requirements are 2gb of RAM. To check your system's available and total ram you can use the command: grep "Mem" /proc/meminfo or for a more friendly output free -m

To fix this error you need to add more ram to the system. If you are using a Vagrant VM you can add it easily by following this guide, or in the case that you are configuring wazuh in your local machine, you will need to install more RAM (a new memory stick). (the same applies if you have wazuh installed in a Docker Container, as it already has access to you full local machine RAM )

I hope this answer will help you to solve your problem! Have a nice day!

[Enekupe Lelevaga]

Hi Kevin, 

Getting somewhere , 

The dashboard has loaded up, and it's given me this error below. 

When I clicked on Go to Settings, it gave me the error below.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/fb71eae2-eae4-44a1-95d4-7c576e8b3e40n%40googlegroups.com.

[Kevin Ledesma]

Hello!

Nice! is great that we are moving forward!

Now, could you please share the following log files:

• Wazuh indexer: cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
• Wazuh manager: cat /var/log/filebeat/filebeat | grep -i -E "error|warn" and cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
• Wazuh dashboard: journalctl -u wazuh-dashboard and cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"

Also you can try restarting every module to see if that fixes it:

•  Wazuh indexer: systemctl restart wazuh-indexer
•  Wazuh manager: systemctl restart filebeat and systemctl restart wazuh-manager
  
•  Wazuh dashboard: systemctl restart wazuh-dashboard

[Enekupe Lelevaga]

Hi Keven, please see the screenshots below. 

• Wazuh indexer: cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"

• Wazuh manager: cat /var/log/filebeat/filebeat | grep -i -E "error|warn" and cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

• Wazuh dashboard: journalctl -u wazuh-dashboard and cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"

I think it all comes down to not having enough space. I even try to increase storage, but some commands didn't work. 

I appreciated your help. 

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/f8c8d3ba-c4e5-4a1d-8eef-4bc126befe79n%40googlegroups.com.

[Kevin Ledesma]

Hello!

Oh, so, the lack of space is still the issue. Well, the fix is in a appropriate partitioning, you should be able to give some space from /dev/sda2 (/mnt) to /dev/sda1 (root, /)

Could you try re-sizing the partitions again and sharing me the raised errors? I left you this guide, I hope its useful!

Good luck! I'll be waiting for your response!

[Enekupe Lelevaga]

Hi Kevin

I don't see the home partition after running lsblk

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/03cd0397-9634-4522-a352-b890c2322bfdn%40googlegroups.com.

[Enekupe Lelevaga]

hi Kevin

pvresize command not found when I try to run it

[Kevin Ledesma]

Hello!

Well if you dont have the command pvresize installed, you can run yum install lvm2 to install it.

About the /home partition, it seems like you don't have that partition, you only have the sda1 partition mounted on / that is root, and sda2 partition that is mounted on /mnt, that is just a mounted partition. Your /home is probably just a folder inside the / partition, if you want your /home to be a separate partition from / you can follow this guide, or  you can just increase the / partition size (not recommended, you can check the recommended setup here).

I hope this answer helps you

Have a great week! Regards!

[sahithi]

Hey Guys, I have the same issue. 
INFO: Index pattern id in cookie: no INFO: Getting list of valid index patterns... INFO: Valid index patterns found: 1 INFO: Found default index pattern with title [wazuh-alerts-*]: yes INFO: Checking the app default pattern exists: id [wazuh-alerts-*]... INFO: Default pattern with id [wazuh-alerts-*] exists: yes ACTION: Default pattern id [wazuh-alerts-*] set as default index pattern INFO: Index pattern id exists [wazuh-alerts-*]: yes INFO: Checking the integrity of saved objects. Validating wazuh-alerts-* can be found... INFO: Integrity of saved objects: [ok] ACTION: Index pattern set in cookie: [wazuh-alerts-*] INFO: Retrying the check... INFO: Index pattern id in cookie: yes [wazuh-alerts-*] INFO: Getting list of valid index patterns... INFO: Valid index patterns found: 1 INFO: Found default index pattern with title [wazuh-alerts-*]: yes INFO: Checking the app default pattern exists: id [wazuh-alerts-*]... INFO: Default pattern with id [wazuh-alerts-*] exists: yes ACTION: Default pattern id [wazuh-alerts-*] set as default index pattern INFO: Checking the index pattern id [wazuh-alerts-*] exists... INFO: Index pattern id exists [wazuh-alerts-*]: yes INFO: Index pattern id in cookie: yes [wazuh-alerts-*] INFO: Checking if the index pattern id [wazuh-alerts-*] exists... INFO: Index pattern id [wazuh-alerts-*] found: yes title [wazuh-alerts-*] INFO: Checking if exists a template compatible with the index pattern title [wazuh-alerts-*] INFO: Template found for the selected index-pattern title [wazuh-alerts-*]: yes INFO: Index pattern id in cookie: [wazuh-alerts-*] INFO: Getting index pattern data [wazuh-alerts-*]... INFO: Index pattern data found: [yes] INFO: Refreshing index pattern fields: title [wazuh-alerts-*], id [wazuh-alerts-*]... ACTION: Refreshed index pattern fields: title [wazuh-alerts-*], id [wazuh-alerts-*] INFO: Getting settings... INFO: Check Wazuh dashboard setting [timeline:max_buckets]: 200000 INFO: App setting [timeline:max_buckets]: 200000 INFO: Settings mismatch [timeline:max_buckets]: no INFO: Getting settings... INFO: Check Wazuh dashboard setting [metaFields]: ["_source","_index"] INFO: App setting [metaFields]: ["_source","_index"] INFO: Settings mismatch [metaFields]: no INFO: Getting settings... INFO: Check Wazuh dashboard setting [timepicker:timeDefaults]: {"from":"now-24h","to":"now"} INFO: App setting [timepicker:timeDefaults]: "{\"from\":\"now-24h\",\"to\":\"now\"}" INFO: Settings mismatch [timepicker:timeDefaults]: no
Could you guys recommend me the suggestion?
We have moves the wazuh+wazuhindexer to the new filesystem which has additional space.
could you let us know how to proceed next?

Regards,

Sahithi