Newly installed Elasticsearch (in distributed mode) is not being start

[Naser Aslam]

Hi Community!

I am new to wazuh, I installed wazuh in distributed mode on debian 10 on Vmware.

I followed step by step following documentation, but elasticsearch is not being start.

https://documentation.wazuh.com/current/installation-guide/open-distro/distributed-deployment/step-by-step-installation/elasticsearch-cluster/elasticsearch-single-node-cluster.html

[Federico Pacher]

Hi there,

Thank you for using Wazuh.

Could you please share the output of the following commands in order to help you:

# systemctl status elasticsearch.service

and 

# journalctl -xe

Also, I would need you to share the file instances.yml in order to check the configuration. This file you should have downloaded and edited in step 2.b of the Certificate creation and deployment.

And, for the last,  I would need you to share the file located in /etc/elasticsearch/elasticsearch.yml. This file you should have downloaded in Elasticsearch configuration step

I wait for this information in order to guide you to solve your problem.

Regards

[Naser Aslam]

#systemctl status elasticsearch.service

root@elasticsearch:/home/debian# systemctl status elasticsearch.service
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
   Active: failed (Result: timeout) since Tue 2022-04-12 13:12:21 CDT; 9h ago
     Docs: https://www.elastic.co
  Process: 2461 ExecStart=/usr/share/elasticsearch/bin/systemd-entrypoint -p ${PID_DIR}/elasticsearch.pid --quiet (code=exited, status=143)
 Main PID: 2461 (code=exited, status=143)

Apr 12 13:11:05 elasticsearch systemd[1]: Starting Elasticsearch...
Apr 12 13:12:20 elasticsearch systemd[1]: elasticsearch.service: Start operation timed out. Terminating.
Apr 12 13:12:21 elasticsearch systemd[1]: elasticsearch.service: Failed with result 'timeout'.

Apr 12 13:12:21 elasticsearch systemd[1]: Failed to start Elasticsearch.

#journalctl -xe

root@elasticsearch:/home/debian# journalctl -xe
Apr 12 23:00:23 elasticsearch performance-analyzer-agent-cli[1733]: 23:00:23.204 [pa-reader] ERROR com.amazon.opendistro.elasticsearch.performanceanalyzer.reader.ReaderMetricsProcessor - Er
Apr 12 23:00:25 elasticsearch performance-analyzer-agent-cli[1733]: Apr 12, 2022 11:00:25 PM org.jooq.tools.JooqLogger info
Apr 12 23:00:25 elasticsearch performance-analyzer-agent-cli[1733]: INFO: Single batch             : No bind variables have been provided with a single statement batch execution. This may b
Apr 12 23:00:25 elasticsearch performance-analyzer-agent-cli[1733]: Apr 12, 2022 11:00:25 PM org.jooq.tools.JooqLogger info
Apr 12 23:00:25 elasticsearch performance-analyzer-agent-cli[1733]: INFO: Single batch             : No bind variables have been provided with a single statement batch execution. This may b
Apr 12 23:00:25 elasticsearch performance-analyzer-agent-cli[1733]: Apr 12, 2022 11:00:25 PM org.jooq.tools.JooqLogger info
Apr 12 23:00:25 elasticsearch performance-analyzer-agent-cli[1733]: INFO: Single batch             : No bind variables have been provided with a single statement batch execution. This may b
Apr 12 23:00:25 elasticsearch performance-analyzer-agent-cli[1733]: Apr 12, 2022 11:00:25 PM org.jooq.tools.JooqLogger info
Apr 12 23:00:25 elasticsearch performance-analyzer-agent-cli[1733]: INFO: Single batch             : No bind variables have been provided with a single statement batch execution. This may b
Apr 12 23:00:25 elasticsearch performance-analyzer-agent-cli[1733]: Apr 12, 2022 11:00:25 PM org.jooq.tools.JooqLogger info
Apr 12 23:00:25 elasticsearch performance-analyzer-agent-cli[1733]: INFO: Single batch             : No bind variables have been provided with a single statement batch execution. This may b
Apr 12 23:00:25 elasticsearch performance-analyzer-agent-cli[1733]: Apr 12, 2022 11:00:25 PM org.jooq.tools.JooqLogger info
Apr 12 23:00:25 elasticsearch performance-analyzer-agent-cli[1733]: INFO: Single batch             : No bind variables have been provided with a single statement batch execution. This may b
Apr 12 23:00:25 elasticsearch performance-analyzer-agent-cli[1733]: 23:00:25.188 [pa-reader] ERROR com.amazon.opendistro.elasticsearch.performanceanalyzer.reader.ReaderMetricsProcessor - Er
Apr 12 23:00:27 elasticsearch performance-analyzer-agent-cli[1733]: 23:00:27.617 [pa-reader] ERROR com.amazon.opendistro.elasticsearch.performanceanalyzer.reader.ReaderMetricsProcessor - Er
Apr 12 23:00:30 elasticsearch performance-analyzer-agent-cli[1733]: Apr 12, 2022 11:00:30 PM org.jooq.tools.JooqLogger info
Apr 12 23:00:30 elasticsearch performance-analyzer-agent-cli[1733]: INFO: Single batch             : No bind variables have been provided with a single statement batch execution. This may b
Apr 12 23:00:30 elasticsearch performance-analyzer-agent-cli[1733]: Apr 12, 2022 11:00:30 PM org.jooq.tools.JooqLogger info
Apr 12 23:00:30 elasticsearch performance-analyzer-agent-cli[1733]: INFO: Single batch             : No bind variables have been provided with a single statement batch execution. This may b
Apr 12 23:00:30 elasticsearch performance-analyzer-agent-cli[1733]: Apr 12, 2022 11:00:30 PM org.jooq.tools.JooqLogger info
Apr 12 23:00:30 elasticsearch performance-analyzer-agent-cli[1733]: INFO: Single batch             : No bind variables have been provided with a single statement batch execution. This may b
Apr 12 23:00:30 elasticsearch performance-analyzer-agent-cli[1733]: Apr 12, 2022 11:00:30 PM org.jooq.tools.JooqLogger info
Apr 12 23:00:30 elasticsearch performance-analyzer-agent-cli[1733]: INFO: Single batch             : No bind variables have been provided with a single statement batch execution. This may b
Apr 12 23:00:30 elasticsearch performance-analyzer-agent-cli[1733]: Apr 12, 2022 11:00:30 PM org.jooq.tools.JooqLogger info
Apr 12 23:00:30 elasticsearch performance-analyzer-agent-cli[1733]: INFO: Single batch             : No bind variables have been provided with a single statement batch execution. This may b
Apr 12 23:00:30 elasticsearch performance-analyzer-agent-cli[1733]: Apr 12, 2022 11:00:30 PM org.jooq.tools.JooqLogger info
Apr 12 23:00:30 elasticsearch performance-analyzer-agent-cli[1733]: INFO: Single batch             : No bind variables have been provided with a single statement batch execution. This may b
Apr 12 23:00:30 elasticsearch performance-analyzer-agent-cli[1733]: 23:00:30.200 [pa-reader] ERROR com.amazon.opendistro.elasticsearch.performanceanalyzer.reader.ReaderMetricsProcessor - Er
Apr 12 23:00:32 elasticsearch performance-analyzer-agent-cli[1733]: 23:00:32.657 [pa-reader] ERROR com.amazon.opendistro.elasticsearch.performanceanalyzer.reader.ReaderMetricsProcessor - Er
Apr 12 23:00:35 elasticsearch performance-analyzer-agent-cli[1733]: Apr 12, 2022 11:00:35 PM org.jooq.tools.JooqLogger info
Apr 12 23:00:35 elasticsearch performance-analyzer-agent-cli[1733]: INFO: Single batch             : No bind variables have been provided with a single statement batch execution. This may b
Apr 12 23:00:35 elasticsearch performance-analyzer-agent-cli[1733]: Apr 12, 2022 11:00:35 PM org.jooq.tools.JooqLogger info
Apr 12 23:00:35 elasticsearch performance-analyzer-agent-cli[1733]: INFO: Single batch             : No bind variables have been provided with a single statement batch execution. This may b
Apr 12 23:00:35 elasticsearch performance-analyzer-agent-cli[1733]: Apr 12, 2022 11:00:35 PM org.jooq.tools.JooqLogger info
Apr 12 23:00:35 elasticsearch performance-analyzer-agent-cli[1733]: INFO: Single batch             : No bind variables have been provided with a single statement batch execution. This may b
Apr 12 23:00:35 elasticsearch performance-analyzer-agent-cli[1733]: Apr 12, 2022 11:00:35 PM org.jooq.tools.JooqLogger info
Apr 12 23:00:35 elasticsearch performance-analyzer-agent-cli[1733]: INFO: Single batch             : No bind variables have been provided with a single statement batch execution. This may b
Apr 12 23:00:35 elasticsearch performance-analyzer-agent-cli[1733]: Apr 12, 2022 11:00:35 PM org.jooq.tools.JooqLogger info
Apr 12 23:00:35 elasticsearch performance-analyzer-agent-cli[1733]: INFO: Single batch             : No bind variables have been provided with a single statement batch execution. This may b
Apr 12 23:00:35 elasticsearch performance-analyzer-agent-cli[1733]: Apr 12, 2022 11:00:35 PM org.jooq.tools.JooqLogger info
Apr 12 23:00:35 elasticsearch performance-analyzer-agent-cli[1733]: INFO: Single batch             : No bind variables have been provided with a single statement batch execution. This may b
Apr 12 23:00:35 elasticsearch performance-analyzer-agent-cli[1733]: 23:00:35.366 [pa-reader] ERROR com.amazon.opendistro.elasticsearch.performanceanalyzer.reader.ReaderMetricsProcessor - Er
Apr 12 23:00:37 elasticsearch performance-analyzer-agent-cli[1733]: 23:00:37.671 [pa-reader] ERROR com.amazon.opendistro.elasticsearch.performanceanalyzer.reader.ReaderMetricsProcessor - Er
lines 959-1001/1001 (END)

#Both of the requested files have been attached below.

[Federico Pacher]

Hi there,

Thank you for sharing the requested information.

Please, check that the environment where you are running Elasticsearch meets the requirement of the documentation.
To check the available memory ram you can type the following command:

# free -m

To check how many CPUs you have in your environment, you can type the following command:

# lscpu

Once you have met the requirement, please read the following link in order to avoid the ELK malfunctions.


I hope this information can help you to solve your problem.

Regards

[Redouane]

Hi, 

OS ?

[Federico Pacher]

Hi Redouane,

The specifications I sent you before are for a Linux environment.

The commands I sent you to check CPUs and memory are for a Debian distribution.

I  hope this information can help you to solve your problem.

Regards

[Naser Aslam]

Here is the screenshot of RAM and CPU,

The journactl logs are attached below, I also implemented the memory locking concept mentioned on the following link. 
https://documentation.wazuh.com/current/user-manual/elasticsearch/elastic-tuning.html#memory-locking

Regards

Hafiz Naser Aslam

Research Officer in "High Performance Computing & Networking Lab"

Al-Khawarizmi Institute Of Computer Science (KICS)

University Of Engineering and Technology (UET), Lahore

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/f6d087cd-43ec-48af-b44b-b634d6db36f4n%40googlegroups.com.

[Naser Aslam]

Sorry for the late reply, I was just implementing the techniques to get rid of the above mentioned issue. I am using Debian 10 on Vmware.

Can we have a zoom or google meeting?  if yes then let's have a meeting at the following link to save time.

https://meet.google.com/ebg-fxmv-rmf

Regards

Hafiz Naser Aslam

Research Officer in "High Performance Computing & Networking Lab"

Al-Khawarizmi Institute Of Computer Science (KICS)

University Of Engineering and Technology (UET), Lahore

[Federico Pacher]

Hi Hafiz,

At the moment I am not available for a call but, I noticed, from the picture you sent me, that the RAM memory of your environment is only 2GB.

As the documentation says, the minimum memory RAM for an Elasticsearch node is 4GB otherwise the operation cannot be guaranteed.

Once you create a VM with the specified requirements, install again the Elasticsearch following one of these steps, according to your needs:

- Elasticsearch single-node cluster installation

- All-in-one deployment - Step-by-step installation

I hope this information works for you

Regards

[ROBERTO CARLOS BAUTISTA RAMOS]

Good evening can you help me because the solaris operating system does not appear please

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/6d695743-3253-4d30-baa3-51b84bf0f068n%40googlegroups.com.

[Federico Pacher]

Hi robcar80,

Could you please open another thread with your doubts in order to keep clean the channel?

Regards