Wazuh icon missing on left in Kibana after new install version 3.8 (current)


Ron_E

Mar 4, 2019, 5:46:35 PM
to Wazuh mailing list
Hello,

Just completed a new wazuh installation using the distributed architecture, debian 9 servers.

Installation steps went fine but the Wazuh app is missing from Kibana, I have rechecked the steps and all seems to be in order, this question has been asked before but mainly due to a broken upgrade.

Would appreciate any comments or suggestions.

Best,

Ron

miguel....@wazuh.com

Mar 5, 2019, 12:18:02 AM
to Wazuh mailing list
Hello Ron_E,

Probably, something wrong happened during the installation.

Let's check the logs to see if there are any errors:

If there are no errors, you can reinstall the Wazuh app without any consequence:

To do so, you have to follow the following steps:

1. Update file permissions:

# chown -R kibana:kibana /usr/share/kibana/optimize
# chown -R kibana:kibana /usr/share/kibana/plugins

2. Remove the Wazuh app:

# sudo -u kibana /usr/share/kibana/bin/kibana-plugin remove wazuh
# rm -rf /usr/share/kibana/optimize/bundle

3. Install the Wazuh app:

# sudo -u kibana NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.8.2_6.6.1.zip

If all goes well, you should see something like this:

plugin installation complete

I hope this helps you.

Regards,

Miguel Casares

Ron_E

Mar 5, 2019, 2:38:36 AM
to Wazuh mailing list
Thanks very much Miguel,

That seems to have resolved it although I'm sure I did the install step previously.

In any event, I also wondered about the index being status "yellow" - I recall this was the case on the last wazuh server I deployed - specifically the wazuh-alerts index being yellow, I also have a wazuh-monitoring which is green.

At the time I read up quite a bit on this without fully resolving it. Thanks again for your help and any comments.

Best,

Ron




jesus.g...@wazuh.com

Mar 5, 2019, 3:37:42 AM
to Wazuh mailing list

Hi Ron,

Yellow status is commonly caused by a missing replica. Let me explain it:

  • Elasticsearch indices are configured to use N primary shards and X number of replicas.
  • The default is 5 primary shards + 1 replica

For example: if we have configured 1 replica, each index must be replicated in one more node from your Elasticsearch cluster.

Example of an index that uses 5 primary shards and 1 replica:

Node 1: S1 S2 S3 R4 R5
Node 2: R1 R2 R3 S4 S5

Where Sn are primary shards, and Rn are replicas.

If you have a single node Elasticsearch cluster, you may want to reduce the number of replicas to 0, so your alert indices will be green.

Download the template:

curl https://raw.githubusercontent.com/wazuh/wazuh/3.8/extensions/elasticsearch/wazuh-elastic6-template-alerts.json -o template.json

Replace this:


  "settings": {
    "index.refresh_interval": "5s"
  },

with:


  "settings": {
    "index.refresh_interval": "5s",
    "index.number_of_replicas": "0"
  },

Now, update your template:

curl -X PUT "http://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @template.json

Tomorrow's index and all later ones will use 0 replicas, so they will be green.

For already existing ones, you can reduce their number of replicas as follows:

curl -X PUT "localhost:9200/_settings" -H 'Content-Type: application/json' -d'
{
    "index.number_of_replicas" : 0
}
'

The above command will reduce the number of replicas to 0 for all indices.

I hope it helps.

Best regards,
Jesús

Ron_E

Mar 18, 2019, 3:27:12 AM
to Wazuh mailing list
This is great, Jesus, thanks very much for explaining that, that makes total sense.

I have had a few issues with Wazuh in the past where my elastic data had to be discarded due to issues upgrading, etc. Would you recommend an elastic replica to help avoid such? Apologies if this is an obvious question, I'm new to running the ELK stack.

Also, if you have an easy link or two to send my way that would be a good guide to creating a replica, that would be great.

Best,

Ron


miguel....@wazuh.com

Apr 3, 2019, 2:08:01 PM
to Wazuh mailing list
Hello Ron,

First of all, sorry for the late reply.

What kind of issues did you have in the past? If it was something related to an upgrade, it probably was not a problem related to the configuration of shards and replicas but to how the shards were redistributed after the upgrade.

Usually, the shards are not able to reassign again after an upgrade of the nodes of Elasticsearch if something went wrong. If this happens to you again, do not hesitate to contact us. Definitely, we can help with that.

In addition, in the following link of our documentation, you may find a useful explanation about how shards and replicas work and the best way to configure them, depending on your needs and number of nodes. To summarize, the number of shards should be the same as the number of nodes of Elasticsearch, and with one replica, if a node goes down, you will still have a complete index.

Let us know if you have further questions.

Regards,

Miguel Casares
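
As an added illustration (not code from this thread or from Wazuh), the Python below models the shard layout Jesús drew and Miguel's point that one replica lets an index survive the loss of a node, and applies Jesús's template edit to a constructed settings block. The function names `allocate`, `health`, `survives_node_loss` and `set_replicas` are my own, and the round-robin placement is a simplification of how Elasticsearch actually allocates shards.

```python
import copy

def allocate(primaries, replicas, nodes):
    """Place primaries round-robin, then each replica on the least-loaded node
    that holds no copy of that shard yet. Labels follow the thread: Sn / Rn."""
    layout = {n: [] for n in range(1, nodes + 1)}
    unassigned = []
    for s in range(1, primaries + 1):
        primary_node = (s - 1) % nodes + 1
        layout[primary_node].append(f"S{s}")
        holders = {primary_node}
        for _ in range(replicas):
            candidates = [n for n in layout if n not in holders]
            if not candidates:          # single node: nowhere to put the replica
                unassigned.append(f"R{s}")
                continue
            target = min(candidates, key=lambda n: len(layout[n]))
            layout[target].append(f"R{s}")
            holders.add(target)
    return layout, unassigned

def health(primaries, replicas, nodes):
    """Yellow means at least one replica could not be assigned (the thread's symptom)."""
    return "yellow" if allocate(primaries, replicas, nodes)[1] else "green"

def survives_node_loss(primaries, replicas, nodes):
    """True if every shard keeps at least one copy after any single node fails."""
    layout, _ = allocate(primaries, replicas, nodes)
    for down in layout:
        remaining = {int(label[1:]) for n, shards in layout.items() if n != down for label in shards}
        if remaining != set(range(1, primaries + 1)):
            return False
    return True

def set_replicas(template, replicas):
    """Return a copy of an index template with index.number_of_replicas set (the edit from the thread)."""
    patched = copy.deepcopy(template)
    patched.setdefault("settings", {})["index.number_of_replicas"] = str(replicas)
    return patched

# Constructed stand-in for the settings block of wazuh-elastic6-template-alerts.json
SAMPLE_TEMPLATE = {"settings": {"index.refresh_interval": "5s"}}

if __name__ == "__main__":
    for node, shards in allocate(5, 1, 2)[0].items():
        print(f"Node {node}: {' '.join(shards)}")
    print(health(5, 1, 1), "on one node;", health(5, 0, 1), "after setting replicas to 0")
    print(set_replicas(SAMPLE_TEMPLATE, 0)["settings"])
```

Running it prints a two-node layout in the thread's Sn/Rn notation, shows why a single node with one replica stays yellow, and confirms that the patched template keeps the original refresh interval.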