Migrating to the Wazuh indexer issue: wazuh-indexer doesn't run


Simone Bonetti

May 10, 2022, 5:37:56 AM
to Wazuh mailing list
Hi Team
I installed wazuh with opendistro on ubuntu 20.04 LTS some months ago: it's an all-in-one installation (only a node for wazuh and ELK). All was ok. I upgraded
Yesterday I upgraded wazuh-manager to 4.3 then kibana app. All was ok.
Today I tried to migrate my installation to wazuh-indexer then wazuh-dashboard.

I followed the official guide: https://documentation.wazuh.com/current/migration-guide/wazuh-indexer.html

At point 7 I did this:
----begin
mkdir /etc/wazuh-indexer/certs
cp /etc/elasticsearch/certs/elasticsearch.key /etc/wazuh-indexer/certs/indexer-key.pem
cp /etc/elasticsearch/certs/elasticsearch.pem /etc/wazuh-indexer/certs/indexer.pem
cp /etc/elasticsearch/certs/admin.pem /etc/wazuh-indexer/certs/admin.pem
cp /etc/elasticsearch/certs/admin.key /etc/wazuh-indexer/certs/admin-key.pem
cp /etc/elasticsearch/certs/root-ca.pem /etc/wazuh-indexer/certs/root-ca.pem
chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs/
chmod 500 /etc/wazuh-indexer/certs/
chmod 400 /etc/wazuh-indexer/certs/*
----end

because my certs are:
ll /etc/elasticsearch/certs
total 52
drwxr-sr-x 2 root elasticsearch 4096 apr 1 2021 ./
drwxr-s--- 4 root elasticsearch 4096 mag 9 07:05 ../
-rw-r--r-- 1 root elasticsearch 1704 apr 1 2021 admin.key
-rw-r--r-- 1 root elasticsearch 1456 apr 1 2021 admin.pem
-rw-r--r-- 1 root elasticsearch 1704 apr 1 2021 elasticsearch.key
-rw-r--r-- 1 root elasticsearch 1497 apr 1 2021 elasticsearch.pem
-rw-r--r-- 1 root elasticsearch 1704 apr 1 2021 elasticsearch_http.key
-rw-r--r-- 1 root elasticsearch 1497 apr 1 2021 elasticsearch_http.pem
-rw-r--r-- 1 root elasticsearch 1704 apr 1 2021 kibana.key
-rw-r--r-- 1 root elasticsearch 1497 apr 1 2021 kibana.pem
-rw-r--r-- 1 root elasticsearch 1122 apr 1 2021 kibana_elasticsearch_config_snippet.yml
-rw-r--r-- 1 root elasticsearch 1704 apr 1 2021 root-ca.key
-rw-r--r-- 1 root elasticsearch 1298 apr 1 2021 root-ca.pem


I followed point 9, and this is my /etc/wazuh-indexer/opensearch.yml:
----begin
network.host: "127.0.0.1"
node.name: "node-1"
cluster.initial_master_nodes:
- "node-1"
cluster.name: "wazuh-cluster"
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer

plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false

plugins.security.audit.type: internal_opensearch
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Docu,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=node-1,OU=Docu,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"

plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

### Option to allow Filebeat-oss 7.10.2 to work ###
compatibility.override_main_response_version: true
----end

and this is my old /etc/elasticsearch/elasticsearch.yml:
----begin
network.host: 127.0.0.1
node.name: node-1
cluster.initial_master_nodes: node-1

opendistro_security.ssl.transport.pemcert_filepath: /etc/elasticsearch/certs/elasticsearch.pem
opendistro_security.ssl.transport.pemkey_filepath: /etc/elasticsearch/certs/elasticsearch.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: /etc/elasticsearch/certs/root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.transport.resolve_hostname: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: /etc/elasticsearch/certs/elasticsearch_http.pem
opendistro_security.ssl.http.pemkey_filepath: /etc/elasticsearch/certs/elasticsearch_http.key
opendistro_security.ssl.http.pemtrustedcas_filepath: /etc/elasticsearch/certs/root-ca.pem
opendistro_security.nodes_dn:
- CN=node-1,OU=Docu,O=Wazuh,L=California,C=US
opendistro_security.authcz.admin_dn:
- CN=admin,OU=Docu,O=Wazuh,L=California,C=US

opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch

# memory locking
# https://documentation.wazuh.com/current/user-manual/elasticsearch/elastic_tuning.html#memory-locking
bootstrap.memory_lock: true
----end

I started wazuh-indexer and after some minutes wazuh-indexer crashed. I tried many times to restart it but any time this is the situation on my log:
mag 10 09:05:29 enguera systemd[1]: Starting Wazuh-indexer...
mag 10 09:05:43 enguera systemd-entrypoint[45388]: WARNING: An illegal reflective access operation has occurred
mag 10 09:05:43 enguera systemd-entrypoint[45388]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
mag 10 09:05:43 enguera systemd-entrypoint[45388]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
mag 10 09:05:43 enguera systemd-entrypoint[45388]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
mag 10 09:05:43 enguera systemd-entrypoint[45388]: WARNING: All illegal access operations will be denied in a future release
mag 10 09:05:47 enguera systemd[1]: Started Wazuh-indexer.
mag 10 09:08:11 enguera systemd-entrypoint[45388]: java.lang.OutOfMemoryError: Java heap space
mag 10 09:08:11 enguera systemd-entrypoint[45388]: Dumping heap to data ...
mag 10 09:08:11 enguera systemd-entrypoint[45388]: Unable to create data: File exists
mag 10 09:08:17 enguera systemd-entrypoint[45388]: fatal error in thread [ScheduledMetricCollectorsExecutor], exiting
mag 10 09:08:17 enguera systemd-entrypoint[45388]: java.lang.OutOfMemoryError: Java heap space
mag 10 09:08:17 enguera systemd-entrypoint[45388]: at java.base/java.util.HashMap$EntrySet.iterator(HashMap.java:1100)
mag 10 09:08:17 enguera systemd-entrypoint[45388]: at org.opensearch.performanceanalyzer.collectors.ScheduledMetricCollectorsExecutor.run(ScheduledMetricCollectorsExecutor.java:120)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: fatal error in thread [opensearch[node-1][clusterApplierService#updateTask][T#1]], exiting
mag 10 09:08:18 enguera systemd-entrypoint[45388]: java.lang.OutOfMemoryError: Java heap space
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.performanceanalyzer.action.PerformanceAnalyzerActionListener.onResponse(PerformanceAnalyzerActionListener.java:57)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.action.ActionListener$6.onResponse(ActionListener.java:297)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.action.bulk.TransportBulkAction$BulkOperation$1.finishHim(TransportBulkAction.java:673)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.action.bulk.TransportBulkAction$BulkOperation$1.onFailure(TransportBulkAction.java:668)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.action.ActionListener$6.onFailure(ActionListener.java:307)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.action.support.TransportAction$1.onFailure(TransportAction.java:112)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.action.support.replication.TransportReplicationAction$ReroutePhase.finishAsFailed(TransportReplicationAction.java:1068)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.action.support.replication.TransportReplicationAction$ReroutePhase.retry(TransportReplicationAction.java:1040)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.action.support.replication.TransportReplicationAction$ReroutePhase.retryBecauseUnavailable(TransportReplicationAction.java:1104)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.action.support.replication.TransportReplicationAction$ReroutePhase.doRun(TransportReplicationAction.java:895)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:50)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.action.support.replication.TransportReplicationAction$ReroutePhase$2.onTimeout(TransportReplicationAction.java:1059)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.cluster.ClusterStateObserver$ContextPreservingListener.onTimeout(ClusterStateObserver.java:369)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.cluster.ClusterStateObserver.waitForNextChange(ClusterStateObserver.java:174)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.cluster.ClusterStateObserver.waitForNextChange(ClusterStateObserver.java:142)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.cluster.ClusterStateObserver.waitForNextChange(ClusterStateObserver.java:134)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.action.support.replication.TransportReplicationAction$ReroutePhase.retry(TransportReplicationAction.java:1045)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.action.support.replication.TransportReplicationAction$ReroutePhase.retryBecauseUnavailable(TransportReplicationAction.java:1104)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.action.support.replication.TransportReplicationAction$ReroutePhase.doRun(TransportReplicationAction.java:895)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:50)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.action.support.replication.TransportReplicationAction$ReroutePhase$2.onNewClusterState(TransportReplicationAction.java:1048)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.cluster.ClusterStateObserver$ContextPreservingListener.onNewClusterState(ClusterStateObserver.java:355)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.cluster.ClusterStateObserver$ObserverClusterStateListener.clusterChanged(ClusterStateObserver.java:223)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.cluster.service.ClusterApplierService.callClusterStateListener(ClusterApplierService.java:610)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.cluster.service.ClusterApplierService.callClusterStateListeners(ClusterApplierService.java:598)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.cluster.service.ClusterApplierService.applyChanges(ClusterApplierService.java:562)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.cluster.service.ClusterApplierService.runTask(ClusterApplierService.java:469)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.cluster.service.ClusterApplierService.access$000(ClusterApplierService.java:81)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.cluster.service.ClusterApplierService$UpdateTask.run(ClusterApplierService.java:180)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:733)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedOpenSearchThreadPoolExecutor.java:275)
mag 10 09:08:18 enguera systemd-entrypoint[45388]: at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedOpenSearchThreadPoolExecutor.java:238)
mag 10 09:08:21 enguera systemd[1]: wazuh-indexer.service: Main process exited, code=exited, status=127/n/a
mag 10 09:08:21 enguera systemd[1]: wazuh-indexer.service: Failed with result 'exit-code'.

Any suggestions?

Thanks in advance

Simone

moosemaimer

May 10, 2022, 11:39:26 AM
to Wazuh mailing list
Check your heap size in /etc/wazuh-indexer/jvm.options, mine got defaulted to 1g after updating.

Alberto Rodriguez

May 10, 2022, 1:20:48 PM
to Wazuh mailing list

Thanks, Stephen for your answer.
Simone, Stephen is correct, increase the Xms and Xmx values to ones you consider appropriate. We usually recommend putting the half of available memory. If your host has 8GB, then 4GB. Then, restart the service using systemctl restart wazuh-indexer.

Please let us know if it works.
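
Added example, not part of the original replies and not Wazuh's own tooling: a POSIX shell check that reads the active -Xms/-Xmx lines from a jvm.options file and compares them with the "half of host memory" guideline given above. The function names, verdict strings and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Compare the wazuh-indexer JVM heap with the "half of RAM" guideline
# from this thread. All names and sample data below are illustrative.

# Print the heap size in MiB from the last active -Xms/-Xmx line.
# $1 = path to jvm.options, $2 = flag name (Xms or Xmx)
heap_mb() {
    awk -v flag="-$2" '
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        {
            line = $0
            gsub(/^[ \t]+|[ \t\r]+$/, "", line)  # trim whitespace and CR
            if (index(line, flag) != 1) next
            val = tolower(substr(line, length(flag) + 1))
            unit = substr(val, length(val))
            num = val
            if (unit ~ /[kmg]/) num = substr(val, 1, length(val) - 1)
            else unit = "b"                      # no suffix means bytes
            if (num !~ /^[0-9]+$/) next
            if (unit == "g") mb = num * 1024
            else if (unit == "m") mb = num
            else if (unit == "k") mb = int(num / 1024)
            else mb = int(num / 1048576)
        }
        END { if (mb != "") print mb; else exit 1 }
    ' "$1"
}

# Print MemTotal in MiB from a /proc/meminfo style file ($1).
mem_total_mb() {
    awk '$1 == "MemTotal:" { print int($2 / 1024); found = 1 }
         END { exit !found }' "$1"
}

# Print one verdict line. $1 = jvm.options, $2 = meminfo file.
check_heap() {
    xms=$(heap_mb "$1" Xms) || { echo "UNSET Xms"; return 0; }
    xmx=$(heap_mb "$1" Xmx) || { echo "UNSET Xmx"; return 0; }
    ram=$(mem_total_mb "$2") || { echo "NO_MEMTOTAL"; return 0; }
    # Round RAM up to whole GiB: the kernel reports a bit less than installed.
    half=$(( (ram + 1023) / 1024 * 1024 / 2 ))
    if [ "$xms" -ne "$xmx" ]; then
        # Equal Xms/Xmx is general OpenSearch guidance, not stated in the thread.
        echo "MISMATCH xms=${xms}MiB xmx=${xmx}MiB"
    elif [ "$xmx" -lt "$half" ]; then
        echo "LOW xmx=${xmx}MiB half=${half}MiB"
    elif [ "$xmx" -gt "$half" ]; then
        echo "HIGH xmx=${xmx}MiB half=${half}MiB"
    else
        echo "OK xmx=${xmx}MiB half=${half}MiB"
    fi
}

# Demo on constructed inputs: an 8 GB host whose heap was reset to 1g.
demo_dir=$(mktemp -d)
printf '%s\n' 'MemTotal:        8039500 kB' > "$demo_dir/meminfo"
printf '%s\n' '## constructed sample' '-Xms1g' '-Xmx1g' > "$demo_dir/jvm.options"
check_heap "$demo_dir/jvm.options" "$demo_dir/meminfo"
rm -rf "$demo_dir"
```

On a real host the call would be check_heap /etc/wazuh-indexer/jvm.options /proc/meminfo, run before and after the package upgrade to catch a heap that was reset.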

Simone Bonetti

May 11, 2022, 5:10:04 AM
to Wazuh mailing list
Hi guys,
thank you for your replies. Now wazuh-indexer runs.
I used the same values that I found in /etc/elasticsearch/jvm.options

I tried point 16 but it's not run for me. In logs I found an incompatibility issue:
# journalctl -fe -u kibana.service
mag 11 06:21:19 enguera kibana[67027]: {"type":"log","@timestamp":"2022-05-11T06:21:19Z","tags":["info","plugins-service"],"pid":67027,"message":"Plugin \"telemetryManagementSection\" has been disabled since the following direct or transitive dependencies are missing or disabled: [telemetry]"}
mag 11 06:21:19 enguera kibana[67027]: {"type":"log","@timestamp":"2022-05-11T06:21:19Z","tags":["info","plugins-service"],"pid":67027,"message":"Plugin \"newsfeed\" is disabled."}
mag 11 06:21:19 enguera kibana[67027]: {"type":"log","@timestamp":"2022-05-11T06:21:19Z","tags":["info","plugins-service"],"pid":67027,"message":"Plugin \"telemetry\" is disabled."}
mag 11 06:21:19 enguera kibana[67027]: {"type":"log","@timestamp":"2022-05-11T06:21:19Z","tags":["info","plugins-service"],"pid":67027,"message":"Plugin \"visTypeXy\" is disabled."}
mag 11 06:21:19 enguera kibana[67027]: {"type":"log","@timestamp":"2022-05-11T06:21:19Z","tags":["warning","config","deprecation"],"pid":67027,"message":"\"server.defaultRoute\" is deprecated and has been replaced by \"uiSettings.overrides.defaultRoute\""}
mag 11 06:21:19 enguera kibana[67027]: {"type":"log","@timestamp":"2022-05-11T06:21:19Z","tags":["info","plugins-system"],"pid":67027,"message":"Setting up [48] plugins: [usageCollection,telemetryCollectionManager,kibanaUsageCollection,securityOss,mapsLegacy,kibanaLegacy,opendistroAlertingKibana,share,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,dashboard,visualizations,visTypeVega,visTypeTimelion,timelion,visTypeTable,visTypeMarkdown,tileMap,regionMap,inputControlVis,visualize,opendistroGanttChartKibana,opendistroNotebooksKibana,opendistroSecurityKibana,opendistroIndexManagementKibana,opendistroAnomalyDetectionKibana,opendistroTraceAnalyticsKibana,opendistroReportsKibana,opendistroQueryWorkbenchKibana,esUiShared,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,wazuh,bfetch]"}
mag 11 06:21:20 enguera kibana[67027]: {"type":"log","@timestamp":"2022-05-11T06:21:20Z","tags":["info","savedobjects-service"],"pid":67027,"message":"Waiting until all Elasticsearch nodes are compatible with Kibana before starting saved objects migrations..."}
mag 11 06:21:20 enguera kibana[67027]: {"type":"log","@timestamp":"2022-05-11T06:21:20Z","tags":["error","savedobjects-service"],"pid":67027,"message":"This version of Kibana (v7.10.2) is incompatible with the following Elasticsearch nodes in your cluster: v1.2.4 @ 127.0.0.1:9200 (127.0.0.1)"}

As I said I have opendistro:
opendistroforelasticsearch-kibana     1.13.2

So I removed opendistroforelasticsearch and I switched to the following guide "Migrating to the Wazuh dashboard" (https://documentation.wazuh.com/current/migration-guide/wazuh-dashboard.html).
I did all and now, when I use my browser to access wazuh-dashboard I receive this message:
Wazuh dashboard server is not ready yet

Logs:
# journalctl -fe -u wazuh-dashboard.service
mag 11 07:45:49 enguera opensearch-dashboards[901]: {"type":"log","@timestamp":"2022-05-11T07:45:49Z","tags":["error","opensearch","data"],"pid":901,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
mag 11 07:45:52 enguera opensearch-dashboards[901]: {"type":"log","@timestamp":"2022-05-11T07:45:52Z","tags":["error","opensearch","data"],"pid":901,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
mag 11 07:45:54 enguera opensearch-dashboards[901]: {"type":"log","@timestamp":"2022-05-11T07:45:54Z","tags":["error","opensearch","data"],"pid":901,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
mag 11 07:45:57 enguera opensearch-dashboards[901]: {"type":"log","@timestamp":"2022-05-11T07:45:57Z","tags":["error","opensearch","data"],"pid":901,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
mag 11 07:45:59 enguera opensearch-dashboards[901]: {"type":"log","@timestamp":"2022-05-11T07:45:59Z","tags":["error","opensearch","data"],"pid":901,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
mag 11 07:46:02 enguera opensearch-dashboards[901]: {"type":"log","@timestamp":"2022-05-11T07:46:02Z","tags":["error","opensearch","data"],"pid":901,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
mag 11 07:46:04 enguera opensearch-dashboards[901]: {"type":"log","@timestamp":"2022-05-11T07:46:04Z","tags":["error","opensearch","data"],"pid":901,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
mag 11 07:46:07 enguera opensearch-dashboards[901]: {"type":"log","@timestamp":"2022-05-11T07:46:07Z","tags":["error","opensearch","data"],"pid":901,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
mag 11 07:46:09 enguera opensearch-dashboards[901]: {"type":"log","@timestamp":"2022-05-11T07:46:09Z","tags":["error","opensearch","data"],"pid":901,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
mag 11 07:46:12 enguera opensearch-dashboards[901]: {"type":"log","@timestamp":"2022-05-11T07:46:12Z","tags":["error","opensearch","data"],"pid":901,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
mag 11 07:46:14 enguera opensearch-dashboards[901]: {"type":"log","@timestamp":"2022-05-11T07:46:14Z","tags":["error","opensearch","data"],"pid":901,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
mag 11 07:46:17 enguera opensearch-dashboards[901]: {"type":"log","@timestamp":"2022-05-11T07:46:17Z","tags":["error","opensearch","data"],"pid":901,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
mag 11 07:46:19 enguera opensearch-dashboards[901]: {"type":"log","@timestamp":"2022-05-11T07:46:19Z","tags":["error","opensearch","data"],"pid":901,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}

Maybe I made some mistakes in points 6 and 7
I searched for information on how to use opensearch-dashboards-keystore, but I found nothing

As usual, any suggestions?

Thanks

Simone

Simone Bonetti

May 11, 2022, 9:05:08 AM
to Wazuh mailing list
This issue
mag 11 07:46:17 enguera opensearch-dashboards[901]: {"type":"log","@timestamp":"2022-05-11T07:46:17Z","tags":["error","opensearch","data"],"pid":901,"message":"[ConnectionError]: connect ECONNREFUSED 127.0.0.1:9200"}
is solved (password wrong). I retry point 6

# curl -X GET "https://127.0.0.1:9200/_cluster/health?pretty" -u admin:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -k
{
  "cluster_name" : "wazuh-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "active_primary_shards" : 956,
  "active_shards" : 956,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

Same output if I use kibanauser

Now wazuh-dashboard has another issue
# journalctl -fe -u wazuh-dashboard.service
mag 11 12:47:36 enguera systemd[1]: Started wazuh-dashboard.
mag 11 12:47:42 enguera opensearch-dashboards[12771]: {"type":"log","@timestamp":"2022-05-11T12:47:42Z","tags":["info","plugins-service"],"pid":12771,"message":"Plugin \"visTypeXy\" is disabled."}
mag 11 12:47:43 enguera opensearch-dashboards[12771]: {"type":"log","@timestamp":"2022-05-11T12:47:43Z","tags":["info","plugins-system"],"pid":12771,"message":"Setting up [45] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,securityDashboards,reportsDashboards,indexManagementDashboards,anomalyDetectionDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,timeline,visTypeMarkdown,visTypeTable,tileMap,regionMap,inputControlVis,ganttChartDashboards,visualize,queryWorkbenchDashboards,bfetch,charts,visTypeTimeseries,visTypeVislib,visTypeTagcloud,visTypeMetric,observabilityDashboards,discover,wazuh,savedObjectsManagement]"}
mag 11 12:47:43 enguera opensearch-dashboards[12771]: {"type":"log","@timestamp":"2022-05-11T12:47:43Z","tags":["info","savedobjects-service"],"pid":12771,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
mag 11 12:47:43 enguera opensearch-dashboards[12771]: {"type":"log","@timestamp":"2022-05-11T12:47:43Z","tags":["error","opensearch","data"],"pid":12771,"message":"[ResponseError]: Response Error"}
mag 11 12:47:43 enguera opensearch-dashboards[12771]: {"type":"log","@timestamp":"2022-05-11T12:47:43Z","tags":["error","savedobjects-service"],"pid":12771,"message":"Unable to retrieve version information from OpenSearch nodes."}
mag 11 12:47:46 enguera opensearch-dashboards[12771]: {"type":"log","@timestamp":"2022-05-11T12:47:46Z","tags":["error","opensearch","data"],"pid":12771,"message":"[ResponseError]: Response Error"}
mag 11 12:47:48 enguera opensearch-dashboards[12771]: {"type":"log","@timestamp":"2022-05-11T12:47:48Z","tags":["error","opensearch","data"],"pid":12771,"message":"[ResponseError]: Response Error"}
mag 11 12:47:51 enguera opensearch-dashboards[12771]: {"type":"log","@timestamp":"2022-05-11T12:47:51Z","tags":["error","opensearch","data"],"pid":12771,"message":"[ResponseError]: Response Error"}
mag 11 12:47:53 enguera opensearch-dashboards[12771]: {"type":"log","@timestamp":"2022-05-11T12:47:53Z","tags":["error","opensearch","data"],"pid":12771,"message":"[ResponseError]: Response Error"}
mag 11 12:47:56 enguera opensearch-dashboards[12771]: {"type":"log","@timestamp":"2022-05-11T12:47:56Z","tags":["error","opensearch","data"],"pid":12771,"message":"[ResponseError]: Response Error"}

Simone

Alberto Rodriguez

May 12, 2022, 6:00:10 PM
to Wazuh mailing list

This error seems to be related to an incorrect kibanaserver user. You can update the keyring using: /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add opensearch.username to kibanaserver and /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add opensearch.password to the password that you had before the migration. Could you please check and let me know?

Simone Bonetti

May 16, 2022, 3:02:21 AM
to Wazuh mailing list
Solved.
I made a mistake at point 6 (optionally).

Thanks

Simone