Wazuh indexer error
460 views
Skip to first unread message
rene.v...@gmail.com
Apr 30, 2024, 6:11:28 AM4/30/24
to Wazuh | Mailing List
Hello team! Suddenly this morning our indexer stoppede working, we could't login using our admin user, but after searching around we could see that the indexer was not running, it just stopped with error and now we cant get it to start. Any ideas as to what has gone wrong?
Thanks
Rolly Davany Mougoue Kakanou
Apr 30, 2024, 6:33:56 AM4/30/24
to Wazuh | Mailing List
Hello Rene,
For more insights on the issue, could you provide us with the last 100 lines of the log file /var/log/wazuh-indexer/wazuh-indexer-cluster.log.
looking forward for your feedback
Regards
Rolly Mougoue
Rolly Davany Mougoue Kakanou
Apr 30, 2024, 7:07:58 AM4/30/24
to Wazuh | Mailing List
Thanks for sharing the above. After going through it I notice the following line which comes repeatedly:
[2024-04-30T09:55:49,614][ERROR][o.o.b.OpenSearchUncaughtExceptionHandler] [-Waz-Index1] uncaught exception in thread [main] org.opensearch.bootstrap.StartupException: java.lang.RuntimeException: can not run opensearch as root.
The error message you're seeing indicates that OpenSearch is attempting to run as the root user, which is not allowed for security reasons. OpenSearch, like many server-based applications, restricts running under the root user to avoid potential security risks that could affect the entire operating system.
To resolve you need to set ownership of opensearch to the Wazuh-indexer user.
sudo chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/
Then restart the wazuh-indexer service: sudo systemctl restart wazuh-indexer
Hope this solves your issue.
Regards
Rolly Mougoue
rene.v...@gmail.com
Apr 30, 2024, 7:33:04 AM4/30/24
to Wazuh | Mailing List
Thank you for your response! unfortunately this didnt solve the issue, when i try to restart the wazuh-indexer it just says
"Job for wazuh-indexer.service failed because the control process exited with error code.
See "systemctl status wazuh-indexer.service" and "journalctl -xe" for details."
See "systemctl status wazuh-indexer.service" and "journalctl -xe" for details."
And about the root issue, there hasnt been any issue up until now, and we've been running wazuh for about a month
Any other ideas?
Thanks
Rolly Davany Mougoue Kakanou
Apr 30, 2024, 7:35:20 AM4/30/24
to Wazuh | Mailing List
Okay sorry this didn't work. Could you provide the updated log file please
Thanks
Rolly Davany Mougoue Kakanou
Apr 30, 2024, 8:10:44 AM4/30/24
to Wazuh | Mailing List
Okay will look in to this and get back to you ASAP
rene.v...@gmail.com
Apr 30, 2024, 8:14:49 AM4/30/24
to Wazuh | Mailing List
Thank you very much!
Message has been deleted
Rolly Davany Mougoue Kakanou
May 3, 2024, 5:42:15 AM5/3/24
to Wazuh | Mailing List
Hello Rene and sorry for the late response. again in the journalctl I can see an error message relating to permission issues. So there definitely is an issue with permissions for some of your indexer files. Could you please share the output of ll /etc/wazuh-indexer
and /usr/share/wazuh-indexer/bin/indexer-security-init.sh
and /usr/share/wazuh-indexer/bin/indexer-security-init.sh
Regards
Rolly Mougoue
rene.v...@gmail.com
Jun 4, 2024, 8:04:35 AM6/4/24
to Wazuh | Mailing List
Hello Rolly,
Sorry for the late response, you were absolutely correct, it was a permission issue, we deleted the files in the backup folder after determing the files were unnecessary, after that it started right up and created new files as needed.
Regards
Sorry for the late response, you were absolutely correct, it was a permission issue, we deleted the files in the backup folder after determing the files were unnecessary, after that it started right up and created new files as needed.
Thank you for your help
Regards
René
Reply all
Reply to author
Forward
0 new messages