After upgrade to Wazuh 4.9 indexer doesn't start


Wilco

Sep 9, 2024, 5:22:23 AM
to Wazuh | Mailing List
Hi,

After the upgrade to Wazuh 4.9 (from 4.8) my wazuh-indexer doesn't start anymore. I don't understand the errors in the logfile. I'm using Ubuntu 22.0. If I can provide more information, please let me know.

Output error /var/log/wazuh-indexer-cluster.log

[2024-09-09T11:11:29,708][ERROR][o.o.b.Bootstrap          ] [node-1] node validation exception
[1] bootstrap checks failed
[1]: system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk
[2024-09-09T11:11:29,711][INFO ][o.o.s.a.r.AuditMessageRouter] [node-1] Closing AuditMessageRouter
[2024-09-09T11:11:29,712][INFO ][o.o.s.a.s.SinkProvider   ] [node-1] Closing DebugSink
[2024-09-09T11:11:29,712][INFO ][o.o.n.Node               ] [node-1] stopping ...
[2024-09-09T11:11:29,759][INFO ][o.o.n.Node               ] [node-1] stopped
[2024-09-09T11:11:29,759][INFO ][o.o.n.Node               ] [node-1] closing ...
[2024-09-09T11:11:29,767][ERROR][o.o.b.OpenSearchUncaughtExceptionHandler] [node-1] fatal error in thread [Thread-3], exiting
java.lang.NoClassDefFoundError: Could not initialize class com.sun.jna.Native
        at org.opensearch.systemd.Libsystemd.lambda$static$0(Libsystemd.java:48) ~[?:?]
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:319) ~[?:?]
        at org.opensearch.systemd.Libsystemd.<clinit>(Libsystemd.java:47) ~[?:?]
        at org.opensearch.systemd.SystemdPlugin.sd_notify(SystemdPlugin.java:126) ~[?:?]
        at org.opensearch.systemd.SystemdPlugin.close(SystemdPlugin.java:152) ~[?:?]
        at org.opensearch.common.util.io.IOUtils.close(IOUtils.java:89) ~[opensearch-common-2.13.0.jar:2.13.0]
        at org.opensearch.common.util.io.IOUtils.close(IOUtils.java:131) ~[opensearch-common-2.13.0.jar:2.13.0]
        at org.opensearch.common.util.io.IOUtils.close(IOUtils.java:114) ~[opensearch-common-2.13.0.jar:2.13.0]
        at org.opensearch.node.Node.close(Node.java:1690) ~[opensearch-2.13.0.jar:2.13.0]
        at org.opensearch.common.util.io.IOUtils.close(IOUtils.java:89) ~[opensearch-common-2.13.0.jar:2.13.0]
        at org.opensearch.common.util.io.IOUtils.close(IOUtils.java:131) ~[opensearch-common-2.13.0.jar:2.13.0]
        at org.opensearch.common.util.io.IOUtils.close(IOUtils.java:81) ~[opensearch-common-2.13.0.jar:2.13.0]
        at org.opensearch.bootstrap.Bootstrap$4.run(Bootstrap.java:206) ~[opensearch-2.13.0.jar:2.13.0]
Caused by: java.lang.ExceptionInInitializerError: Exception java.lang.UnsatisfiedLinkError: /var/log/wazuh-indexer/tmp/jna2751280432153302182.tmp: /var/log/wazuh-indexer/tmp/jna2751280432153302182.tmp: failed to map segment from shared object [in thread "main"]
        at java.base/jdk.internal.loader.NativeLibraries.load(Native Method) ~[?:?]
        at java.base/jdk.internal.loader.NativeLibraries$NativeLibraryImpl.open(NativeLibraries.java:331) ~[?:?]
        at java.base/jdk.internal.loader.NativeLibraries.loadLibrary(NativeLibraries.java:197) ~[?:?]
        at java.base/jdk.internal.loader.NativeLibraries.loadLibrary(NativeLibraries.java:139) ~[?:?]
        at java.base/java.lang.ClassLoader.loadLibrary(ClassLoader.java:2418) ~[?:?]
        at java.base/java.lang.Runtime.load0(Runtime.java:852) ~[?:?]
        at java.base/java.lang.System.load(System.java:2025) ~[?:?]
        at com.sun.jna.Native.loadNativeDispatchLibraryFromClasspath(Native.java:1045) ~[jna-5.13.0.jar:5.13.0 (b0)]
        at com.sun.jna.Native.loadNativeDispatchLibrary(Native.java:1015) ~[jna-5.13.0.jar:5.13.0 (b0)]
        at com.sun.jna.Native.<clinit>(Native.java:221) ~[jna-5.13.0.jar:5.13.0 (b0)]
        at java.base/java.lang.Class.forName0(Native Method) ~[?:?]
        at java.base/java.lang.Class.forName(Class.java:421) ~[?:?]
        at java.base/java.lang.Class.forName(Class.java:412) ~[?:?]
        at org.opensearch.bootstrap.Natives.<clinit>(Natives.java:60) ~[opensearch-2.13.0.jar:2.13.0]
        at org.opensearch.bootstrap.Bootstrap.initializeNatives(Bootstrap.java:123) ~[opensearch-2.13.0.jar:2.13.0]
        at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:191) ~[opensearch-2.13.0.jar:2.13.0]
        at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-2.13.0.jar:2.13.0]
        at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181) ~[opensearch-2.13.0.jar:2.13.0]
        at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:172) ~[opensearch-2.13.0.jar:2.13.0]
        at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104) ~[opensearch-2.13.0.jar:2.13.0]
        at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) ~[opensearch-cli-2.13.0.jar:2.13.0]
        at org.opensearch.cli.Command.main(Command.java:101) ~[opensearch-cli-2.13.0.jar:2.13.0]
        at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138) ~[opensearch-2.13.0.jar:2.13.0]
        at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104) ~[opensearch-2.13.0.jar:2.13.0]

Facundo Dalmau

Sep 9, 2024, 5:54:55 AM
to Wazuh | Mailing List
Hi Wilco. The issue seems to be related to the fact that the temporary directory used by the Java embedded package does not have execution permissions (java.lang.NoClassDefFoundError: Could not initialize class com.sun.jna.Native error). Could you describe the upgrade process and the installation type you have?

Wilco

Sep 9, 2024, 9:40:29 AM
to Wazuh | Mailing List
Hi Facundo,

This time I upgraded via apt-upgrade (and the official Wazuh repository). I have installed Indexer, manager and dashboard on 1 machine. I see no errors in the dashboard/manager logging.


Wilco

Sep 10, 2024, 8:38:27 AM
to Wazuh | Mailing List
Hi Facundo,

Some extra information. I tried the upgrade again. This time I followed the official upgrade guide from Wazuh. Same error after trying to start Wazuh-indexer. Files created in the /var/log/wazuh-indexer/tmp are getting no execution rights by default on this system, because of security requirements. Do you know why there is a temp directory in a log directory?


Facundo Dalmau

Sep 18, 2024, 7:01:13 AM
to Wazuh | Mailing List
Hi Wilco. Sorry for the late response. We should check the permissions of the folder with the following command:

ls -lR /var/log/wazuh-indexer

The temporary directory is created as part of the upgrade process.

Fabian Riechsteiner

Oct 1, 2024, 1:18:22 AM
to Wazuh | Mailing List
Hi Wilco,

You can change the path within /usr/lib/systemd/system/wazuh-indexer.service to a path which is not mounted as noexec by default. I would recommend /var/lib/wazuh-indexer/tmp; this makes more sense than /var/log/..

BR,
Fabian
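
Added example (not part of the thread and not Wazuh's own tooling): shell functions that report whether a candidate temporary directory sits on a mount carrying noexec, the condition behind the "failed to map segment from shared object" error above. The function names and the sample mount table are constructed for illustration; on a real host, omit the table argument to read /proc/mounts.

```bash
#!/usr/bin/env bash
# Added example: find the mount that covers a directory and test it for noexec.
# Matching is textual (symlinks are not resolved), so the directory need not exist yet.

# Print the options of the mount covering $1, reading a /proc/mounts-format
# table from $2 (defaults to the live /proc/mounts).
mount_opts_for() {
    local path table
    path="$1"
    table="${2:-/proc/mounts}"
    awk -v p="$path" '
        {
            mp = $2
            # A mount covers the path if it is "/", equals it, or is a parent directory.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                # Longest mount point wins; ">=" lets a later overmount replace an earlier one.
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }
    ' "$table"
}

# Return 0 when the mount covering $1 carries the noexec option.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample table (not from the thread): /var/log hardened with noexec.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
/dev/sda3 /var/log ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
EOF
}

# Demo: compare the two directories named in the thread against the sample table.
table=$(mktemp)
sample_mounts > "$table"
for d in /var/log/wazuh-indexer/tmp /var/lib/wazuh-indexer/tmp; do
    if is_noexec "$d" "$table"; then echo "$d: noexec"; else echo "$d: exec allowed"; fi
done
rm -f "$table"
```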

Wilco

Nov 4, 2024, 3:54:22 AM
to Wazuh | Mailing List
Hi all,

Thank you for the replies! In the end I followed the advice from Fabian, so I have changed the path in the service file. After the change I could update Wazuh without any problems.

Case closed :)
