New indexes are not created


Arthur Henrique Oliveira Aparício

Nov 13, 2024, 8:16:30 AM
to Wazuh | Mailing List
Hello, hope you are doing well.

I have an all-in-one instance of Wazuh, latest version, installed on Alma Linux 9.3, and I am facing the following problem: since 20:59 yesterday (11/12), no logs appear anymore. This problem is also present today (11/13) due to the lack of an index. However, when executing the command below, it shows the logs being stored and updated. In the logs in /var/ossec/logs/ossec.log there is no failure, and all modules are running; in addition, I have already restarted them all (and tested filebeat).

tail -n 100 /var/ossec/logs/alerts/2024/Nov/ossec-alerts-13.log

Thank you in advance

Peter Santiago

Nov 13, 2024, 8:48:42 AM
to Arthur Henrique Oliveira Aparício, Wazuh | Mailing List

Please check the opensearch cluster log. Probably shards are full... you have to delete old indexes.


Arthur Henrique Oliveira Aparício

Nov 13, 2024, 9:01:35 AM
to Wazuh | Mailing List
Hello, I went to look and, actually, I already carried out the processes. Thanks.

Peter Santiago

Nov 13, 2024, 9:04:17 AM
to Arthur Henrique Oliveira Aparício, Wazuh | Mailing List
Check filebeat logs and config... did you recently update filebeat? There is a known issue... glibc thingy

Nahuel Figueroa

Nov 13, 2024, 9:05:05 AM
to Wazuh | Mailing List

Hello Arthur, in line with what Peter comments, it seems like a fragment problem.
To solve this you can do any of the following actions: 

- Delete indices. This frees shards. You could do it with old indices you don't want/need. Or even, you could automate it with ILM/ISM policies to delete old indices after a period of time as explained in this post: https://wazuh.com/blog/wazuh-index-management.
  Note: ILM: Index Lifecycle Management (used by X-Pack).
        ISM: Index State Management (used by Open Distro for Elasticsearch and OpenSearch).

- Add more nodes to your Elasticsearch/Wazuh indexer cluster.

- Increase the max shards per node (not recommended). But if you do this option, make sure you do not increase it too much, as it could cause inoperability and performance issues in your Elasticsearch/Wazuh indexer cluster. To do this:

    curl -k -u USERNAME:PASSWORD -XPUT ELASTICSEARCH_HOST_ADDRESS/_cluster/settings -H "Content-Type: application/json" \
      -d '{ "persistent": { "cluster.max_shards_per_node": "MAX_SHARDS_PER_NODE" } }'

  Replace the placeholders, where:
  - USERNAME: username to do the request
  - PASSWORD: password for the user
  - ELASTICSEARCH_HOST_ADDRESS: Elasticsearch/Wazuh indexer host address. Include the https protocol if needed.
  - MAX_SHARDS_PER_NODE: Maximum shards per node. Maybe you could try with 1200 or something like that, depending on your case.

More info: https://www.elastic.co/blog/how-many-shards-should-i-have-in-my-elasticsearch-cluster
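The shard arithmetic behind the three options above, as an added example that is not part of this thread and not Wazuh's or OpenSearch's own tooling. It works out whether the next daily index can still be allocated (limit = cluster.max_shards_per_node × data nodes, minus active shards), lists the oldest wazuh-alerts-* indices whose deletion would free enough shards, and builds an ISM policy body in the OpenSearch ISM schema that deletes indices past a given age. The cluster health, settings and _cat/indices responses are constructed stand-ins, not captured from a real cluster; the 3 primaries / 0 replicas figure for a new alerts index and the 90-day retention are assumptions to adjust to your own template and retention needs.

```python
"""Shard-capacity triage for a Wazuh indexer (OpenSearch) cluster.

Added example, not from the thread. The dicts below are constructed stand-ins
for the JSON that GET /_cluster/health, GET /_cluster/settings and
GET /_cat/indices?format=json&h=index,pri,rep,creation.date return.
"""
import json
from datetime import datetime, timedelta, timezone

DEFAULT_MAX_SHARDS_PER_NODE = 1000  # cluster default when the setting is unset

# ---- constructed sample responses (not captured from a real cluster) ----
NOW = datetime(2024, 11, 13, 12, 0, tzinfo=timezone.utc)


def _epoch_ms(days_ago):
    """creation.date as the indexer reports it: epoch milliseconds, as a string."""
    return str(int((NOW - timedelta(days=days_ago)).timestamp() * 1000))


CLUSTER_HEALTH = {"cluster_name": "wazuh-cluster", "status": "yellow",
                  "number_of_data_nodes": 1, "active_shards": 998}

CLUSTER_SETTINGS = {"persistent": {"cluster": {"max_shards_per_node": "1000"}},
                    "transient": {}}

CAT_INDICES = [
    {"index": "wazuh-alerts-4.x-2024.09.01", "pri": "3", "rep": "0", "creation.date": _epoch_ms(73)},
    {"index": "wazuh-alerts-4.x-2024.10.01", "pri": "3", "rep": "0", "creation.date": _epoch_ms(43)},
    {"index": "wazuh-alerts-4.x-2024.11.12", "pri": "3", "rep": "0", "creation.date": _epoch_ms(1)},
    {"index": "wazuh-monitoring-2024.45w", "pri": "1", "rep": "0", "creation.date": _epoch_ms(3)},
    {"index": ".opendistro_security", "pri": "1", "rep": "0", "creation.date": _epoch_ms(300)},
]


def max_shards_per_node(settings):
    """Resolve cluster.max_shards_per_node: transient overrides persistent overrides the default.
    Accepts both the nested form the API returns and the flat dotted key."""
    for scope in ("transient", "persistent"):
        block = settings.get(scope, {})
        value = block.get("cluster", {}).get("max_shards_per_node") or block.get("cluster.max_shards_per_node")
        if value is not None:
            return int(value)
    return DEFAULT_MAX_SHARDS_PER_NODE


def shard_headroom(health, settings):
    """Cluster-wide shard limit versus shards already allocated."""
    limit = max_shards_per_node(settings) * health["number_of_data_nodes"]
    active = health["active_shards"]
    return {"limit": limit, "active": active, "headroom": limit - active}


def shards_for_index(primaries, replicas):
    """Shards a new index consumes: each primary plus its replica copies."""
    return primaries * (1 + replicas)


def can_create_index(headroom, primaries, replicas):
    return shards_for_index(primaries, replicas) <= headroom


def deletion_candidates(cat_indices, shards_needed, min_age_days, prefix="wazuh-alerts-", now=NOW):
    """Oldest eligible indices (matching prefix, at least min_age_days old) whose
    removal frees at least shards_needed shards. Never touches system indices."""
    eligible = []
    for row in cat_indices:
        if not row["index"].startswith(prefix):
            continue
        created = datetime.fromtimestamp(int(row["creation.date"]) / 1000, tz=timezone.utc)
        if (now - created).days >= min_age_days:
            eligible.append((created, row["index"], shards_for_index(int(row["pri"]), int(row["rep"]))))
    eligible.sort()  # oldest first
    chosen, freed = [], 0
    for _, name, shards in eligible:
        if freed >= shards_needed:
            break
        chosen.append((name, shards))
        freed += shards
    return chosen


def ism_delete_policy(index_pattern="wazuh-alerts-*", min_index_age="90d"):
    """ISM policy body (OpenSearch schema): matching indices start in 'hot' and
    move to 'delete' once older than min_index_age. Retention value is an assumption."""
    return {"policy": {
        "description": f"Delete {index_pattern} indices older than {min_index_age}",
        "default_state": "hot",
        "states": [
            {"name": "hot", "actions": [],
             "transitions": [{"state_name": "delete", "conditions": {"min_index_age": min_index_age}}]},
            {"name": "delete", "actions": [{"delete": {}}], "transitions": []},
        ],
        "ism_template": [{"index_patterns": [index_pattern], "priority": 100}],
    }}


def main():
    room = shard_headroom(CLUSTER_HEALTH, CLUSTER_SETTINGS)
    print(f"shards: {room['active']}/{room['limit']} used, headroom {room['headroom']}")
    primaries, replicas = 3, 0  # assumed alerts template settings; check your own
    need = shards_for_index(primaries, replicas)
    if not can_create_index(room["headroom"], primaries, replicas):
        print(f"next daily wazuh-alerts index needs {need} shards -> creation will fail")
        for name, shards in deletion_candidates(CAT_INDICES, need - room["headroom"], 30):
            print(f"  candidate: DELETE /{name}  (frees {shards} shards)")
    print(json.dumps(ism_delete_policy(), indent=2))


if __name__ == "__main__":
    main()
```

With the constructed data the single node sits at 998 of 1000 shards, so a new three-primary index cannot be allocated, which matches the symptom of the thread (alerts still written to ossec-alerts-13.log, but no index for the day). To use it on a real cluster, replace the three constructed dicts with json.load of the curl responses; the policy body is what you would PUT to the indexer's _plugins/_ism/policies/<policy_id> endpoint.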