Unable to install wazuh-indexer


KevinK Leung

May 30, 2022, 12:39:29 AM
to Wazuh mailing list

Dear Team,

 

I am unable to install the Wazuh indexer.

 

Can anyone please help to advise? Thanks.

 

 

 

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2022.05.30 12:35:28 =~=~=~=~=~=~=~=~=~=~=~=

 

[root@wazuh-system log]#  df -hcat wazuh-install.log  | more

30/05/2022 20:03:19 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.1

30/05/2022 20:03:19 INFO: Verbose logging redirected to /var/log/wazuh-install.log

[wazuh]

gpgcheck=1

gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH

enabled=1

name=EL-${releasever} - Wazuh

baseurl=https://packages.wazuh.com/4.x/yum/

protect=1

30/05/2022 20:03:41 INFO: Wazuh repository added.

30/05/2022 20:03:42 INFO: --- Wazuh indexer ---

30/05/2022 20:03:42 INFO: Starting Wazuh indexer installation.

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

* base: repo.virtualhosting.hk

* extras: repo.virtualhosting.hk

* updates: repo.virtualhosting.hk

Resolving Dependencies

--> Running transaction check

---> Package wazuh-indexer.x86_64 0:4.3.1-1 will be installed

--> Finished Dependency Resolution

 

Dependencies Resolved

 

================================================================================

Package                Arch            Version            Repository      Size

================================================================================

Installing:

wazuh-indexer          x86_64          4.3.1-1            wazuh          361 M

 

Transaction Summary

================================================================================

Install  1 Package

 

Total download size: 361 M

Installed size: 614 M

Downloading packages:

Running transaction check

Running transaction test

Transaction test succeeded

Running transaction

  Installing : wazuh-indexer-4.3.1-1.x86_64                                 1/1

Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore

  Verifying  : wazuh-indexer-4.3.1-1.x86_64                                 1/1

 

Installed:

  wazuh-indexer.x86_64 0:4.3.1-1                                               

 

Complete!

30/05/2022 20:06:02 INFO: Wazuh indexer installation finished.

30/05/2022 20:06:02 INFO: Wazuh indexer post-install configuration finished.

--More--

30/05/2022 20:06:02 INFO: Starting service wazuh-indexer.

Created symlink from /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service to /usr/lib/systemd/system/wazuh-indexer.service.

Job for wazuh-indexer.service failed because a timeout was exceeded. See "systemctl status wazuh-indexer.service" and "journalctl -xe" for details.

30/05/2022 20:07:19 ERROR: wazuh-indexer could not be started.

-- Logs begin at Mon 2022-05-30 19:49:57 HKT, end at Mon 2022-05-30 20:07:19 HKT. --

May 30 19:57:16 wazuh-system systemd[1]: Starting Wazuh-indexer...

May 30 19:58:21 wazuh-system systemd-entrypoint[8915]: WARNING: An illegal reflective access operation has occurred

May 30 19:58:21 wazuh-system systemd-entrypoint[8915]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause

May 30 19:58:21 wazuh-system systemd-entrypoint[8915]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema

May 30 19:58:21 wazuh-system systemd-entrypoint[8915]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations

May 30 19:58:21 wazuh-system systemd-entrypoint[8915]: WARNING: All illegal access operations will be denied in a future release

May 30 19:58:31 wazuh-system systemd[1]: wazuh-indexer.service start operation timed out. Terminating.

May 30 19:58:31 wazuh-system systemd[1]: Failed to start Wazuh-indexer.

May 30 19:58:31 wazuh-system systemd[1]: Unit wazuh-indexer.service entered failed state.

May 30 19:58:31 wazuh-system systemd[1]: wazuh-indexer.service failed.

May 30 20:06:03 wazuh-system systemd[1]: Starting Wazuh-indexer...

May 30 20:07:10 wazuh-system systemd-entrypoint[9642]: WARNING: An illegal reflective access operation has occurred

May 30 20:07:10 wazuh-system systemd-entrypoint[9642]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause

May 30 20:07:10 wazuh-system systemd-entrypoint[9642]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema

May 30 20:07:10 wazuh-system systemd-entrypoint[9642]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations

May 30 20:07:10 wazuh-system systemd-entrypoint[9642]: WARNING: All illegal access operations will be denied in a future release

May 30 20:07:18 wazuh-system systemd[1]: wazuh-indexer.service start operation timed out. Terminating.

May 30 20:07:19 wazuh-system systemd[1]: Failed to start Wazuh-indexer.

May 30 20:07:19 wazuh-system systemd[1]: Unit wazuh-indexer.service entered failed state.

May 30 20:07:19 wazuh-system systemd[1]: wazuh-indexer.service failed.

30/05/2022 20:07:19 INFO: --- Removing existing Wazuh installation ---

30/05/2022 20:07:19 INFO: Removing Wazuh indexer.

Loaded plugins: fastestmirror

Resolving Dependencies

--> Running transaction check

---> Package wazuh-indexer.x86_64 0:4.3.1-1 will be erased

--> Finished Dependency Resolution

 

Dependencies Resolved

 

================================================================================

Package                Arch            Version           Repository       Size

================================================================================

Removing:

wazuh-indexer          x86_64          4.3.1-1           @wazuh          614 M

 

Transaction Summary

================================================================================

Remove  1 Package

 

Installed size: 614 M

Downloading packages:

Running transaction check

Running transaction test

--More--

Transaction test succeeded

Running transaction

Stopping wazuh-indexer service... OK

  Erasing    : wazuh-indexer-4.3.1-1.x86_64                                 1/1

warning: /etc/wazuh-indexer/opensearch.yml saved as /etc/wazuh-indexer/opensearch.yml.rpmsave

warning: /etc/wazuh-indexer/jvm.options saved as /etc/wazuh-indexer/jvm.options.rpmsave

  Verifying  : wazuh-indexer-4.3.1-1.x86_64                                 1/1

 

Removed:

  wazuh-indexer.x86_64 0:4.3.1-1                                               

 

Complete!

30/05/2022 20:07:27 INFO: Wazuh indexer removed.

30/05/2022 20:07:27 INFO: Installation cleaned. Check the /var/log/wazuh-install.log file to learn more about the issue.

[root@wazuh-system log]# 


Jonathan Martín Valera

May 30, 2022, 4:23:52 AM
to Wazuh mailing list

Hi,

Yes, as you say, you can see that it is trying to start wazuh-indexer after the installation, and the next minute it gives a timeout because it has not been able to start. Notice that it makes several retries to start wazuh-indexer without success.

  • (1) Can you run the journalctl -u wazuh-indexer command after the first failure to see if the logs indicate the possible reason?
  • (2) How are you performing the installation of the wazuh-indexer? Can you share the steps and files you have used (be careful if there is sensitive information)?
  • (3) Does the host you are installing have sufficient resources? See the hardware recommendations 
  • (4) Is the installation and deployment all in one (wazuh-manager + Filebeat + wazuh-indexer + wazuh-dashboard all on the same host), or is it distributed (you install wazuh-indexer for example on another host different from the rest)?
  • (5) Have you followed the steps in the documentation? For example, here you have the guide Installing the Wazuh indexer using the assistant

Please try the above and answer the questions (1-5) in order to understand what may be the problem you are having.

Best regards.
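
The reading of the journal described in the reply above can be done mechanically. This is an added example, not part of the original posts or of Wazuh's tooling: the function names `sample_journal` and `indexer_start_attempts` are hypothetical, and it assumes the default syslog-style `journalctl -u wazuh-indexer` output and the standard systemd "Started ..." message on success.

```shell
#!/bin/sh
# Journal lines copied from the log in the first post (one JVM warning kept per attempt).
sample_journal() {
cat <<'EOF'
May 30 19:57:16 wazuh-system systemd[1]: Starting Wazuh-indexer...
May 30 19:58:21 wazuh-system systemd-entrypoint[8915]: WARNING: An illegal reflective access operation has occurred
May 30 19:58:31 wazuh-system systemd[1]: wazuh-indexer.service start operation timed out. Terminating.
May 30 19:58:31 wazuh-system systemd[1]: Failed to start Wazuh-indexer.
May 30 20:06:03 wazuh-system systemd[1]: Starting Wazuh-indexer...
May 30 20:07:10 wazuh-system systemd-entrypoint[9642]: WARNING: An illegal reflective access operation has occurred
May 30 20:07:18 wazuh-system systemd[1]: wazuh-indexer.service start operation timed out. Terminating.
EOF
}

# Print one line per start attempt: when it began, how it ended, how long
# systemd waited, and how long the JVM took to write its first journal line.
indexer_start_attempts() {
    awk '
    # Convert an HH:MM:SS field to seconds since midnight.
    function secs(t,   p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    # Seconds elapsed since the attempt began, tolerating a midnight rollover.
    function since(t,   d) { d = secs(t) - t0; return d < 0 ? d + 86400 : d }
    function report(result, t) {
        printf "%s result=%s waited=%ds first_jvm_output=%s\n", stamp, result, since(t), jvm
        active = 0
    }
    # A new attempt begins each time systemd announces the unit start.
    /systemd\[1\]: Starting Wazuh-indexer/ {
        t0 = secs($3); stamp = $1 " " $2 " " $3; jvm = "none"; active = 1; next
    }
    # First line written by the indexer process itself during this attempt.
    active && /systemd-entrypoint\[/ && jvm == "none" { jvm = since($3) "s"; next }
    active && /start operation timed out/ { report("timeout", $3); next }
    # Assumption: a successful start is logged as "Started Wazuh-indexer."
    active && /systemd\[1\]: Started Wazuh-indexer/ { report("started", $3); next }
    '
}

sample_journal | indexer_start_attempts
```

On the lines from the first post, both attempts are terminated 75 seconds after they begin, and the indexer process writes its first journal line only after 65 and 67 seconds. On a live host the input would be `journalctl -u wazuh-indexer --no-pager | indexer_start_attempts`.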

KevinK Leung

May 30, 2022, 8:56:13 PM
to Wazuh mailing list
2) The steps come from your documentation.
     b) curl -sO https://packages.wazuh.com/4.3/config.yml
     c) edit config.yml
     d) bash wazuh-install.sh --generate-config-files
     e) bash wazuh-install.sh --wazuh-indexer node-1  (the error occurred after this step)
3) Yes. The CPU is 2 cores, with more than 4 GB RAM.
4) Yes. I want to do the all-in-one installation, but the task failed at the very initial step.
5) Yes. My steps come from the documentation.

Jonathan Martín Valera

Jun 1, 2022, 4:02:05 AM
to Wazuh mailing list

Hi,

You would need to check for errors in the log with the journalctl -u wazuh-indexer command (request (1) in the previous message) to see exactly what the problem might be.

I just tried the following steps and everything seems fine. I indicate below for you to compare and you can see if there is any difference.

  • Download the installation script: curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh
  • Download the config file: curl -sO https://packages.wazuh.com/4.3/config.yml
  • Edit the config file: ./config.yml (In my case):

    nodes:
    
      indexer:
        - name: node-1
          ip: 172.16.1.70
    
      server:
        - name: wazuh-1
          ip: 172.16.1.70
    
      dashboard:
        - name: dashboard
          ip: 172.16.1.70
    
  • Generate the config files (certificates, password…): bash wazuh-install.sh --generate-config-files

  • Run the wazuh-indexer installation: bash wazuh-install.sh --wazuh-indexer node-1

    # bash wazuh-install.sh --wazuh-indexer node-1
    01/06/2022 07:43:36 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.3
    01/06/2022 07:43:36 INFO: Verbose logging redirected to /var/log/wazuh-install.log
    01/06/2022 07:43:42 INFO: --- Dependencies ----
    01/06/2022 07:43:42 INFO: Installing apt-transport-https.
    01/06/2022 07:43:44 INFO: Installing software-properties-common.
    01/06/2022 07:43:51 INFO: Wazuh repository added.
    01/06/2022 07:43:51 INFO: --- Wazuh indexer ---
    01/06/2022 07:43:51 INFO: Starting Wazuh indexer installation.
    01/06/2022 07:44:44 INFO: Wazuh indexer installation finished.
    01/06/2022 07:44:44 INFO: Wazuh indexer post-install configuration finished.
    01/06/2022 07:44:44 INFO: Starting service wazuh-indexer.
    01/06/2022 07:44:55 INFO: wazuh-indexer service started.
    01/06/2022 07:44:55 INFO: Initializing Wazuh indexer cluster security settings.
    01/06/2022 07:44:57 INFO: Wazuh indexer cluster initialized.
    01/06/2022 07:44:57 INFO: Installation finished.
    

As you can see, the wazuh-indexer has been installed without problem. To see what could be the cause of the error in your environment, it would be convenient to check the logs with journalctl -u wazuh-indexer. Try again and try to check the logs as I indicated in the previous message.

Observation.

Note that with this process you are installing only the wazuh-indexer component. As you told me, you want to deploy an all in one, so I recommend you to use the script with the -a parameter to install all the components unattended. The command would be as follows:

    curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

and related documentation can be found here https://documentation.wazuh.com/current/quickstart.html#installing-wazuh


From here you can do the following:

  • Run the above steps again, and in case of error, check the logs with journalctl -u wazuh-indexer and share the results obtained in order to find the possible problem in your environment.

  • Try the unattended installation of all the components I mentioned in the comment. In case of any error, remember to consult the logs and attach them in the mail to be able to help you better.

I hope this information is useful to you. Try all of the above and let us know the results.

Best regards.
