Indexer logs in Wazuh Kubernetes deployment


aishuvinod0911 1995

Aug 14, 2024, 2:37:50 AM
to Wazuh | Mailing List
Hi Team, 

I have deployed Wazuh on Kubernetes and am trying to figure out where I can get the indexer logs. As per the documentation, the path for the indexer log is /var/log/wazuh-indexer/wazuh-cluster.log. I saw cluster.log inside the master pod at the path var/ossec/logs/cluster.log. However, when logging into the indexer pod, I see that no logs are available:

Defaulted container "wazuh-indexer" out of: wazuh-indexer, volume-mount-hack (init), increase-the-vm-max-map-count (init)
sh-5.2$ ls
LICENSE.txt  jdk              logs        opensearch-performance-analyzer  performance-analyzer-rca
NOTICE.txt   jvm.options        modules         opensearch-reports-scheduler     plugins
VERSION      jvm.options.d      opensearch-notifications       opensearch-security
bin          lib                opensearch-notifications-core  opensearch.keystore
certs        log4j2.properties  opensearch-observability       opensearch.yml

sh-5.2$ cd logs
sh-5.2$ ls -lrt
total 0


Can someone confirm if I am going to the right folder for indexer logs? The PWD of the indexer pod is /usr/share/wazuh-indexer


Thanks!

Facundo Dalmau

Aug 14, 2024, 3:10:42 AM
to Wazuh | Mailing List
Hi. You can use the kubectl logs command with the specific container name (wazuh-indexer) to view the indexer logs and check if the pod is healthy and running.
The Defaulted container "wazuh-indexer" out of: wazuh-indexer, volume-mount-hack (init), increase-the-vm-max-map-count (init) message is related to the memory on the container that seems to be a little short. The advised memory value is 4GB of RAM minimum in the indexer-resources.yaml file and setting the JVM heap size to 2GB (these parameters need to be set to half of the physical memory). You can modify the latter in the wazuh/indexer_stack/wazuh-indexer/cluster/indexer-sts.yaml file, changing the `-Xms` and `-Xmx` parameters from:
- name: OPENSEARCH_JAVA_OPTS
  value: '-Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true'
To:
- name: OPENSEARCH_JAVA_OPTS
  value: '-Xms2g -Xmx2g -Dlog4j2.formatMsgNoLookups=true'

Hope this helps!
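
An added example, not part of the original reply or of the Wazuh project: a Python check that the `-Xms`/`-Xmx` values in OPENSEARCH_JAVA_OPTS equal half of the container memory limit, the sizing rule stated in the reply above. The function names and the "4Gi" limit string are assumptions; the two option strings are the ones quoted in the reply.

```python
import re

# Kubernetes resource quantity suffixes, in bytes (binary and decimal forms).
K8S_UNITS = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
             "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12, "": 1}
# JVM heap flags take k/m/g (case-insensitive), always powers of 1024.
JVM_UNITS = {"": 1, "k": 2**10, "m": 2**20, "g": 2**30}


def k8s_quantity_bytes(q):
    """Convert a quantity such as '4Gi' or '4096Mi' to bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(Ki|Mi|Gi|Ti|k|M|G|T)?", q.strip())
    if not m:
        raise ValueError(f"unsupported quantity: {q!r}")
    return int(float(m.group(1)) * K8S_UNITS[m.group(2) or ""])


def jvm_heap_bytes(java_opts):
    """Return (Xms, Xmx) in bytes; None for a flag that is absent."""
    found = {"Xms": None, "Xmx": None}
    for flag, num, unit in re.findall(r"-(Xms|Xmx)(\d+)([kKmMgG]?)\b", java_opts):
        found[flag] = int(num) * JVM_UNITS[unit.lower()]  # last occurrence wins
    return found["Xms"], found["Xmx"]


def check_heap(java_opts, memory_limit):
    """List of findings; empty means the heap follows the half-of-memory rule."""
    xms, xmx = jvm_heap_bytes(java_opts)
    limit = k8s_quantity_bytes(memory_limit)
    if xms is None or xmx is None:
        return ["-Xms and -Xmx must both be set explicitly"]
    issues = []
    if xms != xmx:  # both snippets in the reply keep the two values equal
        issues.append("-Xms and -Xmx differ")
    if xmx * 2 != limit:
        issues.append(f"heap is {xmx / limit:.0%} of the memory limit, expected 50%")
    return issues


# Constructed inputs: the two OPENSEARCH_JAVA_OPTS values quoted in the reply,
# checked against an assumed container memory limit of "4Gi".
BEFORE = "-Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true"
AFTER = "-Xms2g -Xmx2g -Dlog4j2.formatMsgNoLookups=true"

if __name__ == "__main__":
    for opts in (BEFORE, AFTER):
        print(opts, "->", check_heap(opts, "4Gi") or "ok")
```

A limit written as "4G" (decimal) instead of "4Gi" is reported as a mismatch, because the JVM's `g` suffix is always 1024-based.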
