Elasticsearch problem in kubernetes

[Aravind Krish]

Hello,

I am deploying Wazuh 3.13.0 in Google Cloud and following the steps mentioned in the Wazuh document.

The elasticsearch is giving me issues. Can you help to fix.?

When I connect to Elasticsearch pod bash, I see this message in console.

"Defaulted container "wazuh-elasticsearch" out of: wazuh-elasticsearch, volume-mount-hack (init), increase-the-vm-max-map-count (init)"

But the in elasticsearch-sts.yml, we already have settings for vm-maz-map-count to 262144

I also read in another blog that Elasticsearch needs more resources, and hence created an n2standard4 instance in the pool.

Attached is yml file for elasticsearch and elasticsearch logs.

Regards,

Arav

[Cesar Moreno]

Hello Arav,

Thanks for posting on Wazuh mailing list. Hope you are very well.

As the the next Elastic link says, to get this configuration permanent, even after recycle the pod, you have to do the following:

https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html

Virtual memory:

Elasticsearch uses a mmapfs directory by default to store its indices. The default operating system limits on mmap counts is likely to be too low, which may result in out of memory exceptions.

On Linux, you can increase the limits by running the following command as root:

"sysctl -w vm.max_map_count=262144"

To set this value permanently, update the vm.max_map_count setting in /etc/sysctl.conf. To verify after rebooting, run sysctl vm.max_map_count.

To make it persistent, you can add this line "vm.max_map_count=262144" in your /etc/sysctl.conf and run "$ sudo sysctl -p" to reload configuration with new value.

As this answer, The setting for vm.max_map_count can be changed on the host level. Your can read the current value like this: "sysctl vm.max_map_count". To change it run: "sudo sysctl -w vm.max_map_count=262144". This will be reverted by the next boot. Most Elasticsearch setups for Kubernetes use an Init Container to make sure this value is set like required. The drawback here is that it needs to in privileged mode: Elasticsearch Helm Chart. It is also possible to set sysctls in the securityContext of a Pod.

Hope this helps. Any questions, please let me know, I'll follow up on this.

Kind regards,

Cesar Moreno

[Aravind Krish]

Hello Cesar,

Thanks for your response.

I understand your point of setting vm.max_map_count to 262144.

My point is I have already done the setup of that in elasticsearch yaml. (the yaml used was attached in the earlier mail).

When I kubectl describe pod command, the vm.max_map_count value is 262144

So i am not sure where the issue is.

Also in elasticsearch, I received below error. It seems, the index are not loaded.

Elastic is up - executing command
./load_settings.sh: line 41: [: =: unary operator expected
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

{"error":{"root_cause":[{"type":"index_not_found_exception","reason":"no such index [null] and no indices exist","resource.type":"index_expression","resourc
e.id":"_all"}],"type":"index_not_found_exception","reason":"no such index [null] and no indices exist","resource.type":"index_expression","resource.id":"_al

l"},"status":404}Elasticsearch is ready.

So can you suggest how to resolve this.

Regards,

Arav

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d6d0eed9-518f-488c-9486-7dd651116cb5n%40googlegroups.com.

[Aravind Krish]

Hello, you can ignore the below mail.

The issue is solved with some workaround

Regards

Arav

[Cesar Moreno]

Hello Arav,

OK, good news! 

Any questions or anything you need, please let me know. I'm glad to help you.

Kind regards,
Cesar Moreno.