Closed davidcr01 closed 7 months ago
@davidcr01, I cannot reproduce the issue on a vagrant VM using the generic/rhel9 box.
Grepping for errors in wazuh-cluster.log only shows installer probes before the security plugin is initialized:
[root@rhel9 ~]# grep ERROR /var/log/wazuh-indexer/wazuh-cluster.log
[2024-02-26T19:36:20,423][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly.
[2024-02-26T19:36:22,798][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-02-26T19:36:22,800][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-02-26T19:36:22,800][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-02-26T19:36:22,806][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-02-26T19:36:22,807][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-02-26T19:36:22,807][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-02-26T19:36:22,807][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-02-26T19:36:22,807][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-02-26T19:36:22,807][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-02-26T19:36:22,807][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2024-02-26T19:36:22,932][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
[2024-02-26T19:51:04,772][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly.
[2024-02-26T19:51:09,512][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
[2024-02-26T19:51:09,555][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
[2024-02-26T19:51:09,560][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
[2024-02-26T19:51:09,569][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
If you look closely at your wazuh-cluster.log output, you will see that there is a certificate error of some kind going on:
[2024-02-26T15:07:33,575][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
I'll leave the VM running, but I doubt this will change anything.
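The triage described in the comment above, as an added example that is not part of the thread or of Wazuh's own tooling: it groups wazuh-cluster.log ERROR lines by logger and separates the messages logged before the security plugin is initialized from anything else, such as the bad_certificate handshake failure. The noise pattern list and the function names are assumptions built only from the log lines quoted in this thread.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: separate the ERROR lines the security
# plugin logs before it is initialized from errors that need a closer look.

# Assumption: this noise list is built only from the messages quoted above.
STARTUP_NOISE='no such index \[\.opendistro_security\]'
STARTUP_NOISE="$STARTUP_NOISE|BackendRegistry.*Not yet initialized"
STARTUP_NOISE="$STARTUP_NOISE|SinkProvider.*Default endpoint could not be created"

# triage_errors FILE -> one "<count> <kind> <logger>" line per group.
triage_errors() {
  # Splitting on [ and ] puts the level in $4 and the logger class in $6.
  NOISE="$STARTUP_NOISE" awk -F'[][]' '
    $4 == "ERROR" {
      logger = $6; sub(/ +$/, "", logger)
      kind = ($0 ~ ENVIRON["NOISE"]) ? "startup-noise" : "investigate"
      count[kind " " logger]++
    }
    END { for (k in count) print count[k], k }
  ' "$1" | sort -k2,2 -k1,1nr
}

# unexpected_errors FILE -> full ERROR lines that are not startup noise.
unexpected_errors() {
  grep -F '][ERROR][' "$1" | grep -Ev "$STARTUP_NOISE" || true
}

# Sample input: lines abridged from the thread, plus one constructed INFO line.
sample_log() {
  cat <<'EOF'
[2024-02-26T19:36:20,423][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly.
[2024-02-26T19:36:22,798][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS] (index=.opendistro_security)
[2024-02-26T19:36:22,800][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS] (index=.opendistro_security)
[2024-02-26T19:36:22,932][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
[2024-02-26T19:36:23,100][INFO ][o.o.n.Node ] [node-1] started
[2024-02-26T15:07:33,575][ERROR][o.o.s.s.h.n.SecuritySSLNettyHttpServerTransport] [node-1] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
EOF
}

tmp=$(mktemp)
sample_log > "$tmp"
triage_errors "$tmp"
unexpected_errors "$tmp"
rm -f "$tmp"
```

On a real node, pass /var/log/wazuh-indexer/wazuh-cluster.log to either function instead of the sample file.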
I was finally able to reproduce the issue with a clean vagrant VM running the automated installer. The service ran for a while and then it exited with an oom-kill error (out of memory).
Feb 27 14:02:11 ubuntu-jammy systemd[1]: wazuh-indexer.service: Consumed 1min 29.469s CPU time.
Hint: Some lines were ellipsized, use -l to show in full.
root@ubuntu-jammy:~# systemctl status wazuh-indexer --no-pager -l
× wazuh-indexer.service - Wazuh-indexer
Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
Active: failed (Result: oom-kill) since Tue 2024-02-27 14:02:11 UTC; 6min ago
Docs: https://documentation.wazuh.com
Process: 4321 ExecStart=/usr/share/wazuh-indexer/bin/systemd-entrypoint -p ${PID_DIR}/wazuh-indexer.pid --quiet (code=killed, signal=KILL)
Main PID: 4321 (code=killed, signal=KILL)
CPU: 1min 29.469s
Feb 27 13:41:42 ubuntu-jammy systemd-entrypoint[4321]: WARNING: System::setSecurityManager will be removed in a future release
Feb 27 13:41:43 ubuntu-jammy systemd-entrypoint[4321]: WARNING: A terminally deprecated method in java.lang.System has been called
Feb 27 13:41:43 ubuntu-jammy systemd-entrypoint[4321]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Feb 27 13:41:43 ubuntu-jammy systemd-entrypoint[4321]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Feb 27 13:41:43 ubuntu-jammy systemd-entrypoint[4321]: WARNING: System::setSecurityManager will be removed in a future release
Feb 27 13:41:50 ubuntu-jammy systemd[1]: Started Wazuh-indexer.
Feb 27 14:02:11 ubuntu-jammy systemd[1]: wazuh-indexer.service: A process of this unit has been killed by the OOM killer.
Feb 27 14:02:11 ubuntu-jammy systemd[1]: wazuh-indexer.service: Main process exited, code=killed, status=9/KILL
Feb 27 14:02:11 ubuntu-jammy systemd[1]: wazuh-indexer.service: Failed with result 'oom-kill'.
Feb 27 14:02:11 ubuntu-jammy systemd[1]: wazuh-indexer.service: Consumed 1min 29.469s CPU time.
On closer inspection, it seems wazuh-modulesd is exhausting available memory:
root@ubuntu-jammy:~# ps -eo 'cmd,%cpu,%mem' --sort '%mem' | tail -5
/var/ossec/framework/python 0.0 0.7
/var/ossec/framework/python 0.0 0.7
/var/ossec/framework/python 0.1 1.1
/usr/share/wazuh-dashboard/ 1.0 2.3
/var/ossec/bin/wazuh-module 67.8 35.0
I stopped the wazuh-manager service and restarted the wazuh-indexer one, and so far, the indexer managed to stay up.
Closing it as no action is needed on behalf of the Indexer team.
Describe the bug
During https://github.com/wazuh/wazuh/issues/22122, a new bug has been found. The installation is performed using the Wazuh installation assistant, using the 4.8.0 beta2 packages.
The installation is performed correctly, but after some time, the Wazuh indexer service fails, staying on a red status:
The logs:
To Reproduce
Steps to reproduce the behavior:
curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh && bash wazuh-install.sh -a and perform an AIO installation.
/var/log/wazuh-indexer/wazuh-cluster.log
Expected behavior No errors generated.
Plugins None.
Host/Environment (please complete the following information):
Extra information This was not reproduced in the previous stage: https://github.com/wazuh/wazuh/issues/21799