Wazuh indexer won't start

Duncan H

Jun 29, 2023, 5:50:00 AM
to Wazuh mailing list
Hi, I didn't make any changes on my testing server and one day the indexer just stopped working. Here are the systemctl status, the journalctl -xe and the logs. Can someone help me?
I did the installation on a Debian 11 (my company standards) with a script I got from the official site.

Thx a lot

Miguel Verdaguer Velazquez

Jun 29, 2023, 6:30:56 AM
to Wazuh mailing list
Hi Duncan,

I understand you have an all-in-one installation, with all components on the same server. Are the other components working correctly? You could check it with "systemctl status" for wazuh-manager and wazuh-dashboard and with the command "filebeat test output". Is there no error in any of the logs you sent, outside of the screenshot? To get the more detailed systemctl logs only for the indexer you may use "journalctl -xeu wazuh-indexer". Search in the rest of the logs for any WARNING or ERROR so we can find out where the indexer failed.

Best regards,
Miguel

Duncan Haillot

Jun 29, 2023, 9:04:08 AM
to Miguel Verdaguer Velazquez, Wazuh mailing list
Hi Miguel,
Both Wazuh-dashboard and Wazuh-manager are active and running, with some messages that state that they can't reach localhost:9200, which is the indexer?
I have an all-in-one, yes. I'm a beginner in terms of Wazuh and didn't search about how to make an efficient stack, I just wanted to do some testing with 10 agents maximum.

Here is what you asked for. Thanks a lot for helping me.
I don't have any ERROR when I grep the journalctl but I have a ton of warnings.

Duncan

Miguel Verdaguer Velazquez

Jun 29, 2023, 12:31:37 PM
to Wazuh mailing list
Yeah, all errors are from the other components saying that the indexer is not available. The fact that there is no error in the journalctl is weird. I understand you have tried to restart it again, right? And I would need you to grep for errors and warnings too in "/var/log/wazuh-indexer/wazuh-cluster.log". Let's see if that can give us any insight.

Best regards,
Miguel

Duncan H

Jun 30, 2023, 3:21:07 AM
to Wazuh mailing list
Yes, I already tried to restart it more than once. The CPU gets really high, so I added some vCPU to my VM but could not start the indexer anyway.
Here are the errors and warnings in /var/log/wazuh-indexer/wazuh-cluster.log:
As you can see, there is none...
I got you a screen of the log anyway.

Thanks a lot!

Duncan.

Miguel Verdaguer Velazquez

Jul 3, 2023, 11:55:50 AM
to Wazuh mailing list
Hi Duncan,
After investigating a bit, it seems it may be a memory problem. First of all, to see if we can find the error, can you run a "grep -r 'ERROR' /var/log/wazuh-indexer" to check recursively on all files?
Please also check the memory the machine has and how much the wazuh-indexer is allowed to use in /etc/wazuh-indexer/jvm.options. Maybe increasing it may allow the wazuh-indexer to start.
Regards,
Miguel

Duncan H

Jul 4, 2023, 2:43:49 AM
to Wazuh mailing list
Hi Miguel,

I tried to set the memory option to 4GB like in the commented section of the jvm.options but nothing changed.
And the grep does not return me anything...

Thanks a lot,
Duncan

Miguel Verdaguer Velazquez

Jul 4, 2023, 4:54:20 AM
to Wazuh mailing list
Hi Duncan,
What value was it previously and how much memory have you got in the machine? With that, we can see if that was the problem in the first place. Also, I suppose you have tried to restart it, but just in case, you have to do it for the change to be applied.

Regards,
Miguel

Duncan H

Jul 4, 2023, 5:05:02 AM
to Wazuh mailing list
Hi Miguel! Good news, it works again!
After setting the memory to 4GB I restarted the indexer, then I took a look at the journalctl -xe | grep indexer and I saw lines that state that the indexer has some problems with execution rights, so I did something you are not supposed to do (but I did it because it's a test server): chmod +xwr /etc/wazuh-indexer/* and chmod +xwr /lib/systemd/system/wazuh-*

I think that my problem was a mix of the memory and the rights (because there were no such lines about execution rights before).

Thanks a lot for your help!!!
Have a beautiful day.

Duncan

Miguel Verdaguer Velazquez

Jul 4, 2023, 7:02:30 AM
to Wazuh mailing list
Hi Duncan,
As you know, you are not supposed to do that and there was probably a better way of getting it working, but being a test server, and if it works, go on. I'm glad I could help.

Best regards,
Miguel
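
The chmod commands mentioned in this thread, examined in an added example (not posted by either participant and not Wazuh project code): with no u/g/o/a prefix, chmod +xwr leaves alone the bits set in the umask, so under the usual 022 it makes files world-readable and executable rather than world-writable. The function names and the mode handed to reset_file_modes are assumptions; GNU find and stat are assumed, as on Debian 11.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU find and stat (Debian 11).

# Print the mode a scratch file starting at mode $1 ends up with after the
# thread's "chmod +xwr", run under umask $2.
mode_after_chmod() {
    tmp=$(mktemp) || return 1
    chmod "$1" "$tmp"
    # Without a who prefix, chmod does not touch bits that are set in the umask.
    ( umask "$2"; chmod +xwr "$tmp" )
    stat -c '%a' "$tmp"
    rm -f "$tmp"
}

# List entries directly inside directory $1 (what a "DIR/*" glob reaches,
# dotfiles aside) that are regular files with any execute bit, or that are
# writable by group or other. Output: octal mode, owner:group, path.
audit_dir() {
    find "$1" -mindepth 1 -maxdepth 1 ! -type l \
        \( \( -type f -perm /111 \) -o -perm /022 \) \
        -printf '%m %u:%g %p\n' | sort
}

# Set regular files directly inside $1 back to mode $2. The mode is an input
# taken from a known-good reference (for instance an untouched install of the
# same package version); it is not a Wazuh default asserted here.
reset_file_modes() {
    find "$1" -mindepth 1 -maxdepth 1 -type f -exec chmod "$2" {} +
}

# Optional command-line use: sh thisfile --audit /etc/wazuh-indexer
if [ "${1:-}" = "--audit" ]; then
    audit_dir "${2:?directory required}"
fi
```

Run the audit against both paths named in the thread before and after any reset, and restart the service afterwards to confirm it still starts with the tighter modes.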