Memory locking on Wazuh Indexer

[moosemaimer]

I updated my server from 4.2.5 to 4.3.0 following the migration guide, but I was running some console commands and noticed "mlockall" : false. I tried adapting the directions by editing /etc/wazuh-indexer/opensearch.yml and creating /etc/systemd/system/opensearch.service.d/opensearch.conf, but that resulted in my server going offline; I had to undo everything and restart all the components.

Is this something I need to bother doing any more, and if so, how should I be enabling it?

[Raul Del Pozo Moreno]

Hello moosemaimer, we are currently in the process of incorporating the corresponding documentation for Wazuh indexer, the steps are very similar to elasticsearch:

• https://documentation.wazuh.com/current/user-manual/elasticsearch/elastic-tuning.html

1. Edit /etc/wazuh-indexer/opensearch.yml file, add or edit the following value:

• bootstrap.memory_lock: true

2. Create the following directory:

• mkdir -p /etc/systemd/system/wazuh-indexer.service.d

3. Create this file and add the following value with this command:

cat > /etc/systemd/system/wazuh-indexer.service.d/wazuh-indexer.conf << EOF 

[Service] 

LimitMEMLOCK=infinity 

EOF

4. Edit /etc/wazuh-indexer/jvm.options with the memory values you desire, you have to modify the -Xms and -Xmx values:

# Xms represents the initial size of total heap space 

# Xmx represents the maximum size of total heap space 

-Xms4g 

-Xmx4g

5. Reload and restart the wazuh-indexer service

• systemctl daemon-reload
• systemctl restart wazuh-indexer

6. Check that the memory lock is set

• curl -k -u admin:{password} "https://{indexer_ip}:9200/_nodes?filter_path=**.mlockall&pretty"

You should see something like this:

{ 

   "nodes" : { 

        "Mu8NLTv3SqKeWtisKU8Y6A" : { 

              "process" : { 

                    "mlockall" : true 

               } 

         } 

    } 

}

Regards, Raúl.

[moosemaimer]

It threw an error the first time I tried loading something in the WUI, but then it worked the second time.

Thanks

[Raul Del Pozo Moreno]

I understand then that you have been able to apply the memory lock? Could you tell us more about the error you got in the WUI?

[moosemaimer]

It was just a generic error like "unable to connect," I clicked on a detail box that appeared in the lower right corner but it was just some log data that didn't contain any errors or warnings. The second box disappeared before I could click on it, so I refreshed the page to see if it would come back up, and the dashboard loaded normally. So it's possible that after restarting the indexer it was taking a while to connect to the dashboard, and that's why it errored.