wazuh / wazuh-indexer

Wazuh indexer, the Wazuh search engine
https://opensearch.org/docs/latest/opensearch/index/
Apache License 2.0

Wazuh Indexer fails to start after a system reboot #201

Closed Rebits closed 7 months ago

Rebits commented 7 months ago

Describe the bug

It has been detected in E2E UX tests - Vulnerability Detection that wazuh-indexer fails to start after rebooting the system.

After shutting down an AIO instance with wazuh-indexer running and starting it the next day, wazuh-indexer failed to start. Reviewing the logs, we can see that this is caused by the /var/log/wazuh-indexer directory no longer existing: the wazuh-indexer process fails because it cannot access the /var/log/wazuh-indexer/gc.log file.

```
Apr  9 09:53:44 ip-172-31-87-231 systemd-entrypoint[10119]: [0.000s][error][logging] Error opening log file '/var/log/wazuh-indexer/gc.log': No such file or directory
Apr  9 09:53:44 ip-172-31-87-231 systemd-entrypoint[10119]: [0.000s][error][logging] Initialization of output 'file=/var/log/wazuh-indexer/gc.log' using options 'filecount=32,filesize=64m' failed.
Apr  9 09:53:44 ip-172-31-87-231 systemd-entrypoint[10119]: Invalid -Xlog option '-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m', see error log for details.
```

The issue was solved by manually creating the /var/log/wazuh-indexer directory and the /var/log/wazuh-indexer/gc.log file.

Steps to reproduce

It was not possible to reproduce the deletion of the /var/log/wazuh-indexer directory through system rebooting, although the same error can be replicated by manually deleting the complete directory in a working environment.

To Reproduce

  1. Deploy an AIO
  2. Remove /var/log/wazuh-indexer directory

> [!NOTE]
> Currently researching how to replicate the automatic deletion of the /var/log/wazuh-indexer directory

Evidences

Indexer Logs
[/var/log/wazuh-indexer/wazuh-indexer-cluster_index_indexing_slowlog.log] with data [org.apache.logging.log4j.core.appender.rolling.RollingFileManager$FactoryData@2b76ff4e[pattern=/var/log/wazuh-indexer/wazuh-indexer-cluster_index_indexing_slowlog-%i.log.gz, append=true, bufferedIO=true, bufferSize=8192, policy=CompositeTriggeringPolicy(policies=[SizeBasedTriggeringPolicy(size=1073741824)]), strategy=DefaultRolloverStrategy(min=1, max=4, useMax=true), advertiseURI=null, layout=[%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n, filePermissions=rw-r-----, fileOwner=null]] ```
AlexRuiz7 commented 7 months ago

Can we check the permissions for the folder /var/log/wazuh-indexer?

For example, this is the folder of my AIO.

[root@rhel7 vagrant]# ls -la /var/log/wazuh-indexer
total 872
drwxr-x---.  2 wazuh-indexer wazuh-indexer   4096 Apr 10 09:34 .
drwxr-xr-x. 11 root          root            4096 Apr 10 09:34 ..
-rw-r--r--.  1 wazuh-indexer wazuh-indexer  44618 Apr 10 09:37 gc.log
-rw-r--r--.  1 wazuh-indexer wazuh-indexer   2015 Apr  8 09:24 gc.log.00
-rw-r--r--.  1 wazuh-indexer wazuh-indexer  91443 Apr  8 09:40 gc.log.01
-rw-r--r--.  1 wazuh-indexer wazuh-indexer   2015 Apr  8 12:23 gc.log.02
-rw-r--r--.  1 wazuh-indexer wazuh-indexer 117841 Apr  8 13:05 gc.log.03
-rw-r--r--.  1 wazuh-indexer wazuh-indexer   2015 Apr  8 14:23 gc.log.04
-rw-r--r--.  1 wazuh-indexer wazuh-indexer 123727 Apr  8 15:14 gc.log.05
-rw-r--r--.  1 wazuh-indexer wazuh-indexer   2015 Apr  9 11:28 gc.log.06
-rw-r--r--.  1 wazuh-indexer wazuh-indexer 113211 Apr  9 12:05 gc.log.07
-rw-r--r--.  1 wazuh-indexer wazuh-indexer   2015 Apr  9 12:06 gc.log.08
-rw-r--r--.  1 wazuh-indexer wazuh-indexer 153049 Apr  9 14:30 gc.log.09
-rw-r--r--.  1 wazuh-indexer wazuh-indexer   2015 Apr 10 09:34 gc.log.10
-rw-r--r--.  1 wazuh-indexer wazuh-indexer  23396 Apr  9 11:28 wazuh-cluster-2024-04-08-1.json.gz
-rw-r--r--.  1 wazuh-indexer wazuh-indexer  16753 Apr  9 11:28 wazuh-cluster-2024-04-08-1.log.gz
-rw-r--r--.  1 wazuh-indexer wazuh-indexer  14628 Apr 10 09:34 wazuh-cluster-2024-04-09-1.json.gz
-rw-r--r--.  1 wazuh-indexer wazuh-indexer  12954 Apr 10 09:34 wazuh-cluster-2024-04-09-1.log.gz
-rw-r--r--.  1 wazuh-indexer wazuh-indexer  30651 Apr 10 09:37 wazuh-cluster.log
-rw-r-----.  1 wazuh-indexer wazuh-indexer  14085 Apr 10 09:35 wazuh-cluster_deprecation.json
-rw-r-----.  1 wazuh-indexer wazuh-indexer   8496 Apr 10 09:35 wazuh-cluster_deprecation.log
-rw-r-----.  1 wazuh-indexer wazuh-indexer      0 Apr  8 09:24 wazuh-cluster_index_indexing_slowlog.json
-rw-r-----.  1 wazuh-indexer wazuh-indexer      0 Apr  8 09:24 wazuh-cluster_index_indexing_slowlog.log
-rw-r-----.  1 wazuh-indexer wazuh-indexer      0 Apr  8 09:24 wazuh-cluster_index_search_slowlog.json
-rw-r-----.  1 wazuh-indexer wazuh-indexer      0 Apr  8 09:24 wazuh-cluster_index_search_slowlog.log
-rw-r--r--.  1 wazuh-indexer wazuh-indexer  64715 Apr 10 09:37 wazuh-cluster_server.json
-rw-r-----.  1 wazuh-indexer wazuh-indexer      0 Apr  8 09:24 wazuh-cluster_task_detailslog.json
-rw-r-----.  1 wazuh-indexer wazuh-indexer      0 Apr  8 09:24 wazuh-cluster_task_detailslog.log

Also, can we have the content of /etc/wazuh-indexer/opensearch.yml ?

Rebits commented 7 months ago

> Can we check the permissions for the folder /var/log/wazuh-indexer?

The directory /var/log/wazuh-indexer no longer exists after rebooting


/etc/wazuh-indexer/opensearch.yml:

node.master: true
node.data: true
node.ingest: true

cluster.name: wazuh-indexer-cluster
cluster.routing.allocation.disk.threshold_enabled: false

node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer

plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/node-1.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/node-1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/node-1.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/node-1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.ssl.http.enabled_ciphers:
  - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
plugins.security.ssl.http.enabled_protocols:
  - "TLSv1.2"
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"

plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

### Option to allow Filebeat-oss 7.10.2 to work ###
compatibility.override_main_response_version: true
node.name: node-1
network.host: 172.31.87.231
cluster.initial_master_nodes: node-1
plugins.security.nodes_dn:
        - CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US

The environment was deployed using the installation assistant.

AlexRuiz7 commented 7 months ago

Does /var/lib/wazuh-indexer exist?

Rebits commented 7 months ago

Yes, its content is:

root@ip-172-31-87-231:/home/ubuntu# ls -la /var/lib/wazuh-indexer
total 32
drwxr-x---  3 wazuh-indexer wazuh-indexer 4096 Apr  8 09:50 .
drwxr-xr-x 42 root          root          4096 Apr  8 09:57 ..
-rw-r--r--  1 wazuh-indexer wazuh-indexer    5 Apr 10 00:01 batch_metrics_enabled.conf
-rw-r--r--  1 wazuh-indexer wazuh-indexer    5 Apr 10 00:01 logging_enabled.conf
drwxr-xr-x  3 wazuh-indexer wazuh-indexer 4096 Apr  8 09:50 nodes
-rw-r--r--  1 wazuh-indexer wazuh-indexer    4 Apr 10 00:01 performance_analyzer_enabled.conf
-rw-r--r--  1 wazuh-indexer wazuh-indexer    4 Apr 10 00:01 rca_enabled.conf
-rw-r--r--  1 wazuh-indexer wazuh-indexer    5 Apr 10 00:01 thread_contention_monitoring_enabled.conf
AlexRuiz7 commented 7 months ago

Try adding this to /etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy

grant {
  java.lang.RuntimePermission "accessUserInformation" 
};
Rebits commented 7 months ago

Indexer is still failing after including the block

root@ip-172-31-87-231:/home/ubuntu# cat /etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy
grant {
    permission java.lang.management.ManagementPermission "control";
    permission java.net.SocketPermission "localhost:9600","connect,resolve";
    permission java.lang.RuntimePermission "getClassLoader";
};

grant codebase "file:${java.home}/../lib/tools.jar" {
  permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.attach" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.internal.jvmstat" {
    permission java.security.AllPermission;
};
grant {
  java.lang.RuntimePermission "accessUserInformation" 
};
root@ip-172-31-87-231:/home/ubuntu# systemctl restart wazuh-indexer
Job for wazuh-indexer.service failed because the control process exited with error code.
See "systemctl status wazuh-indexer.service" and "journalctl -xeu wazuh-indexer.service" for details.
root@ip-172-31-87-231:/home/ubuntu# 
root@ip-172-31-87-231:/home/ubuntu# systemctl status wazuh-indexer.service
× wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Wed 2024-04-10 10:30:42 UTC; 42s ago
       Docs: https://documentation.wazuh.com
    Process: 1406 ExecStart=/usr/share/wazuh-indexer/bin/systemd-entrypoint -p ${PID_DIR}/wazuh-indexer.pid --quiet (code=exited, status=1/FAILURE)
   Main PID: 1406 (code=exited, status=1/FAILURE)
        CPU: 1.937s

Apr 10 10:30:42 ip-172-31-87-231 systemd-entrypoint[1528]: Error: A fatal exception has occurred. Program will exit.
Apr 10 10:30:42 ip-172-31-87-231 systemd-entrypoint[1528]:         at org.opensearch.tools.launchers.JvmErgonomics.flagsFinal(JvmErgonomics.java:125)
Apr 10 10:30:42 ip-172-31-87-231 systemd-entrypoint[1528]:         at org.opensearch.tools.launchers.JvmErgonomics.finalJvmOptions(JvmErgonomics.java:87)
Apr 10 10:30:42 ip-172-31-87-231 systemd-entrypoint[1528]:         at org.opensearch.tools.launchers.JvmErgonomics.choose(JvmErgonomics.java:70)
Apr 10 10:30:42 ip-172-31-87-231 systemd-entrypoint[1528]:         at org.opensearch.tools.launchers.JvmOptionsParser.jvmOptions(JvmOptionsParser.java:150)
Apr 10 10:30:42 ip-172-31-87-231 systemd-entrypoint[1528]:         at org.opensearch.tools.launchers.JvmOptionsParser.main(JvmOptionsParser.java:108)
Apr 10 10:30:42 ip-172-31-87-231 systemd[1]: wazuh-indexer.service: Main process exited, code=exited, status=1/FAILURE
Apr 10 10:30:42 ip-172-31-87-231 systemd[1]: wazuh-indexer.service: Failed with result 'exit-code'.
Apr 10 10:30:42 ip-172-31-87-231 systemd[1]: Failed to start Wazuh-indexer.
Apr 10 10:30:42 ip-172-31-87-231 systemd[1]: wazuh-indexer.service: Consumed 1.937s CPU time.
AlexRuiz7 commented 7 months ago

In a meeting with @Rebits, we have updated the security policy to

grant {
  permission java.lang.RuntimePermission "accessUserInformation";
};

No success.

We manually created the /var/log/wazuh-indexer folder, restarted and everything worked as expected.

It's unknown why the whole folder disappears. We'll try to reproduce this in different machines and operating systems.
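
An added example, not part of the original thread or of the Wazuh project's code: a shell pre-start check that reads `path.logs` from an `opensearch.yml`-style file and verifies that the directory exists with the expected owner and no world access, as in the `drwxr-x---` listing earlier in the thread. It also separates the fatal missing-path journal message from the `accessUserInformation` denial that a later comment describes as a known error. The function names, verdict strings and return codes are assumptions, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example (not Wazuh project code). Function names, verdict strings and
# return codes are assumptions made for this sketch. Requires GNU stat (Linux).

# Print the path.logs value from an opensearch.yml-style file.
logs_path_from_config() {
    sed -n 's/^path\.logs:[[:space:]]*//p' "$1" | head -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Check that the log directory exists, belongs to the service user and is not
# world-accessible. Prints a verdict and returns:
#   0 ok, 1 missing, 2 not a directory, 3 wrong owner, 4 world-accessible
check_logs_dir() {
    dir=$1
    want_owner=$2
    [ -e "$dir" ] || { echo "missing"; return 1; }
    [ -d "$dir" ] || { echo "not-a-directory"; return 2; }
    have_owner=$(stat -L -c '%U' "$dir")
    [ "$have_owner" = "$want_owner" ] || { echo "wrong-owner:$have_owner"; return 3; }
    mode=$(stat -L -c '%a' "$dir")
    case $mode in
        # Last octal digit holds the "other" permission bits.
        *[1-7]) echo "world-accessible:$mode"; return 4 ;;
    esac
    echo "ok"
}

# Classify one journal line using the message texts quoted in this thread.
classify_journal_line() {
    case $1 in
        *"Error opening log file"*"No such file or directory"*)
            echo "missing-log-path" ;;        # JVM refuses to start (-Xlog target absent)
        *"Unable to create file"*)
            echo "log-file-not-creatable" ;;  # log4j appender could not open its file
        *'access denied ("java.lang.RuntimePermission" "accessUserInformation")'*)
            echo "policy-denied" ;;           # security policy denial, service keeps running
        *)
            echo "other" ;;
    esac
}

# Demo on constructed data: a temporary config whose path.logs is missing,
# then the same check after the directory is recreated with mode 750.
demo() {
    tmp=$(mktemp -d)
    owner=$(stat -c '%U' "$tmp")
    printf 'path.data: %s/lib\npath.logs: %s/log/wazuh-indexer\n' "$tmp" "$tmp" \
        > "$tmp/opensearch.yml"
    logs=$(logs_path_from_config "$tmp/opensearch.yml")
    echo "before: $(check_logs_dir "$logs" "$owner")"
    mkdir -p "$logs" && chmod 750 "$logs"
    echo "after:  $(check_logs_dir "$logs" "$owner")"
    rm -rf "$tmp"
}
demo
```

On a real host the check would be called with `/etc/wazuh-indexer/opensearch.yml` and the `wazuh-indexer` user shown in the listings above.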

AlexRuiz7 commented 7 months ago

I could not replicate the problem using an AIO Vagrant deployment.

Vagrantfile

```ruby
Vagrant.configure("2") do |config|
  config.vm.box = "generic/ubuntu2204"
  config.vm.network "private_network", ip: "192.168.56.10"
  config.vm.provider "libvirt" do |vb|
    vb.memory = "4096"
    vb.cpus = "4"
  end
  config.vm.provision "shell", inline: <<-SHELL
    # Disable firewall
    systemctl stop firewalld
    systemctl disable firewalld
    # Install Wazuh using the assistant
    curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
  SHELL
end
```

Restarted the machine several times.

● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2024-04-10 12:39:58 UTC; 8s ago
       Docs: https://documentation.wazuh.com
   Main PID: 872 (java)
      Tasks: 83 (limit: 4557)
     Memory: 2.3G
        CPU: 28.767s
     CGroup: /system.slice/wazuh-indexer.service
             └─872 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m>

Apr 10 12:39:46 ubuntu2204.localdomain systemd[1]: Starting Wazuh-indexer...
Apr 10 12:39:48 ubuntu2204.localdomain systemd-entrypoint[872]: WARNING: A terminally deprecated method in java.lang.System has been called
Apr 10 12:39:48 ubuntu2204.localdomain systemd-entrypoint[872]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/l>
Apr 10 12:39:48 ubuntu2204.localdomain systemd-entrypoint[872]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Apr 10 12:39:48 ubuntu2204.localdomain systemd-entrypoint[872]: WARNING: System::setSecurityManager will be removed in a future release
Apr 10 12:39:49 ubuntu2204.localdomain systemd-entrypoint[872]: WARNING: A terminally deprecated method in java.lang.System has been called
Apr 10 12:39:49 ubuntu2204.localdomain systemd-entrypoint[872]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib>
Apr 10 12:39:49 ubuntu2204.localdomain systemd-entrypoint[872]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Apr 10 12:39:49 ubuntu2204.localdomain systemd-entrypoint[872]: WARNING: System::setSecurityManager will be removed in a future release
Apr 10 12:39:58 ubuntu2204.localdomain systemd[1]: Started Wazuh-indexer.
AlexRuiz7 commented 7 months ago

The deployment is still fully functional. The wazuh-indexer service is running.

root@ubuntu2204:/home/vagrant# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2024-04-11 10:36:38 UTC; 14min ago
       Docs: https://documentation.wazuh.com
   Main PID: 875 (java)
      Tasks: 87 (limit: 4557)
     Memory: 1.0G
        CPU: 47.791s
     CGroup: /system.slice/wazuh-indexer.service
             └─875 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-Omit>

Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:171)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.cli.Command.main(Command.java:101)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at o

The error stack traces shown there are expected due to a known error.

journald logs

```
Apr 11 10:36:28 ubuntu2204.localdomain systemd-entrypoint[875]: WARNING: A terminally deprecated method in java.lang.System has been called
Apr 11 10:36:28 ubuntu2204.localdomain systemd-entrypoint[875]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Apr 11 10:36:28 ubuntu2204.localdomain systemd-entrypoint[875]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Apr 11 10:36:28 ubuntu2204.localdomain systemd-entrypoint[875]: WARNING: System::setSecurityManager will be removed in a future release
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]: WARNING: A terminally deprecated method in java.lang.System has been called
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]: WARNING: System::setSecurityManager will be removed in a future release
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:485)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at java.base/java.security.AccessController.checkPermission(AccessController.java:1068)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:416)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.checkWriteExtended(UnixFileAttributeViews.java:195)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setMode(UnixFileAttributeViews.java:264)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setPermissions(UnixFileAttributeViews.java:299)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.util.FileUtils.defineFilePosixAttributeView(FileUtils.java:181)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.appender.FileManager.defineAttributeView(FileManager.java:216)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.appender.FileManager.createOutputStream(FileManager.java:203)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.createFileAfterRollover(RollingFileManager.java:421)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.rollover(RollingFileManager.java:398)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.checkRollover(RollingFileManager.java:308)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.appender.RollingFileAppender.append(RollingFileAppender.java:300)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:161)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:134)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:125)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:89)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:683)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:641)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:624)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:560)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.config.AwaitCompletionReliabilityStrategy.log(AwaitCompletionReliabilityStrategy.java:82)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.Logger.log(Logger.java:163)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.spi.AbstractLogger.tryLogMessage(AbstractLogger.java:2168)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.spi.AbstractLogger.logMessageTrackRecursion(AbstractLogger.java:2122)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.spi.AbstractLogger.logMessageSafely(AbstractLogger.java:2105)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.spi.AbstractLogger.logMessage(AbstractLogger.java:1991)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.spi.AbstractLogger.logIfEnabled(AbstractLogger.java:1854)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.spi.AbstractLogger.info(AbstractLogger.java:1288)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.node.Node.<init>(Node.java:428)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.node.Node.<init>(Node.java:401)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:171)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.cli.Command.main(Command.java:101)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:485)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at java.base/java.security.AccessController.checkPermission(AccessController.java:1068)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:416)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.checkWriteExtended(UnixFileAttributeViews.java:195)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setMode(UnixFileAttributeViews.java:264)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setPermissions(UnixFileAttributeViews.java:299)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.util.FileUtils.defineFilePosixAttributeView(FileUtils.java:181)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.appender.FileManager.defineAttributeView(FileManager.java:216)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.appender.FileManager.createOutputStream(FileManager.java:203)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.createFileAfterRollover(RollingFileManager.java:421)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.rollover(RollingFileManager.java:398)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.appender.rolling.RollingFileManager.checkRollover(RollingFileManager.java:308)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.appender.RollingFileAppender.append(RollingFileAppender.java:300)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:161)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:134)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:125)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:89)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:683)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:641)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:624)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:560)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.config.AwaitCompletionReliabilityStrategy.log(AwaitCompletionReliabilityStrategy.java:82)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.core.Logger.log(Logger.java:163)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.spi.AbstractLogger.tryLogMessage(AbstractLogger.java:2168)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.spi.AbstractLogger.logMessageTrackRecursion(AbstractLogger.java:2122)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.spi.AbstractLogger.logMessageSafely(AbstractLogger.java:2105)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.spi.AbstractLogger.logMessage(AbstractLogger.java:1991)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.spi.AbstractLogger.logIfEnabled(AbstractLogger.java:1854)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.apache.logging.log4j.spi.AbstractLogger.info(AbstractLogger.java:1288)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.node.Node.<init>(Node.java:428)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.node.Node.<init>(Node.java:401)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:171)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.cli.Command.main(Command.java:101)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137)
Apr 11 10:36:29 ubuntu2204.localdomain systemd-entrypoint[875]:         at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103)
```

AlexRuiz7 commented 7 months ago

On 2024.04.12, the wazuh-indexer service is still up and running without problems.

```
systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2024-04-12 08:56:15 UTC; 1h 6min ago
       Docs: https://documentation.wazuh.com
   Main PID: 873 (java)
      Tasks: 92 (limit: 4557)
     Memory: 2.3G
        CPU: 1min 47.521s
     CGroup: /system.slice/wazuh-indexer.service
             └─873 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+Alw>
```

Rebits commented 7 months ago

Error appears again in a new environment

```
Apr 17 11:47:05 ip-172-31-35-9 systemd-entrypoint[204470]: Exception in thread "main" java.lang.RuntimeException: starting java failed with [1]
Apr 17 11:47:05 ip-172-31-35-9 systemd-entrypoint[204470]: output:
Apr 17 11:47:05 ip-172-31-35-9 systemd-entrypoint[204470]: [0.000s][error][logging] Error opening log file '/var/log/wazuh-indexer/gc.log': No such file or directory
Apr 17 11:47:05 ip-172-31-35-9 systemd-entrypoint[204470]: [0.000s][error][logging] Initialization of output 'file=/var/log/wazuh-indexer/gc.log' using options 'filecount=32,filesize=64m' f>
Apr 17 11:47:05 ip-172-31-35-9 systemd-entrypoint[204470]: error:
Apr 17 11:47:05 ip-172-31-35-9 systemd-entrypoint[204470]: Invalid -Xlog option '-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=6>
Apr 17 11:47:05 ip-172-31-35-9 systemd-entrypoint[204470]: Error: Could not create the Java Virtual Machine.
Apr 17 11:47:05 ip-172-31-35-9 systemd-entrypoint[204470]: Error: A fatal exception has occurred. Program will exit.
Apr 17 11:47:05 ip-172-31-35-9 systemd-entrypoint[204470]:         at org.opensearch.tools.launchers.JvmErgonomics.flagsFinal(JvmErgonomics.java:125)
Apr 17 11:47:05 ip-172-31-35-9 systemd-entrypoint[204470]:         at org.opensearch.tools.launchers.JvmErgonomics.finalJvmOptions(JvmErgonomics.java:87)
Apr 17 11:47:05 ip-172-31-35-9 systemd-entrypoint[204470]:         at org.opensearch.tools.launchers.JvmErgonomics.choose(JvmErgonomics.java:70)
Apr 17 11:47:05 ip-172-31-35-9 systemd-entrypoint[204470]:         at org.opensearch.tools.launchers.JvmOptionsParser.jvmOptions(JvmOptionsParser.java:150)
Apr 17 11:47:05 ip-172-31-35-9 systemd-entrypoint[204470]:         at org.opensearch.tools.launchers.JvmOptionsParser.main(JvmOptionsParser.java:108)
Apr 17 11:47:05 ip-172-31-35-9 systemd[1]: wazuh-indexer.service: Main process exited, code=exited, status=1/FAILURE
```

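
Example triage logic for the failure shown in the comment above, added here and not part of the original thread or the Wazuh project's code: it correlates the JVM's `Error opening log file` message with the JVM and unit failure lines from the same host. The sample lines are constructed in the shape of the journal output above (the host name `host-a` is a placeholder), and all function and field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: journal lines in the shape shown in this thread ('>' marks pager truncation).
SAMPLE = """\
Apr 17 11:47:05 host-a systemd-entrypoint[204470]: [0.000s][error][logging] Error opening log file '/var/log/wazuh-indexer/gc.log': No such file or directory
Apr 17 11:47:05 host-a systemd-entrypoint[204470]: Invalid -Xlog option '-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=6>
Apr 17 11:47:05 host-a systemd-entrypoint[204470]: Error: Could not create the Java Virtual Machine.
Apr 17 11:47:05 host-a systemd[1]: wazuh-indexer.service: Main process exited, code=exited, status=1/FAILURE
Apr 17 11:52:10 host-a systemd-entrypoint[872]: WARNING: System::setSecurityManager will be removed in a future release
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
OPEN_FAIL = re.compile(r"Error opening log file '(?P<path>[^']+)': (?P<reason>.+)$")
JVM_FAIL = "Could not create the Java Virtual Machine"
UNIT_EXIT = re.compile(r"^(?P<unit>\S+\.service): Main process exited, code=exited, status=(?P<status>\d+)")


def triage(text):
    """Return one finding per process whose JVM died because a -Xlog file could not be opened."""
    per_pid = defaultdict(lambda: {"path": None, "reason": None, "jvm_failed": False, "truncated": 0})
    exits = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        state = per_pid[(m["host"], m["pid"])]
        if msg.endswith(">"):  # pager cut the line; values parsed from it are not trusted
            state["truncated"] += 1
        if (hit := OPEN_FAIL.search(msg)) and not msg.endswith(">"):
            state["path"], state["reason"] = hit["path"], hit["reason"]
        if JVM_FAIL in msg:
            state["jvm_failed"] = True
        if m["proc"] == "systemd" and (e := UNIT_EXIT.match(msg)):
            exits.append((m["host"], e["unit"], int(e["status"])))
    findings = []
    for (host, pid), s in per_pid.items():
        if s["path"] and s["jvm_failed"]:  # both signals must come from the same process
            units = sorted({u for h, u, st in exits if h == host and st != 0})
            findings.append({"host": host, "pid": int(pid), "missing": s["path"],
                             "reason": s["reason"], "failed_units": units,
                             "truncated_lines": s["truncated"]})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

Feeding it untruncated output (for example from `journalctl --no-pager`) avoids the `>`-terminated lines that the function counts but does not parse.
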
Mario156090 commented 2 months ago

Hello, everybody, it's happening too with the last version installed over RH9.4.

gand0rf commented 2 months ago

I could not replicate the problem using an AIO Vagrant deployment.

Vagrantfile

Restarted the machine several times.

```
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2024-04-10 12:39:58 UTC; 8s ago
       Docs: https://documentation.wazuh.com
   Main PID: 872 (java)
      Tasks: 83 (limit: 4557)
     Memory: 2.3G
        CPU: 28.767s
     CGroup: /system.slice/wazuh-indexer.service
             └─872 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m>

Apr 10 12:39:46 ubuntu2204.localdomain systemd[1]: Starting Wazuh-indexer...
Apr 10 12:39:48 ubuntu2204.localdomain systemd-entrypoint[872]: WARNING: A terminally deprecated method in java.lang.System has been called
Apr 10 12:39:48 ubuntu2204.localdomain systemd-entrypoint[872]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/l>
Apr 10 12:39:48 ubuntu2204.localdomain systemd-entrypoint[872]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Apr 10 12:39:48 ubuntu2204.localdomain systemd-entrypoint[872]: WARNING: System::setSecurityManager will be removed in a future release
Apr 10 12:39:49 ubuntu2204.localdomain systemd-entrypoint[872]: WARNING: A terminally deprecated method in java.lang.System has been called
Apr 10 12:39:49 ubuntu2204.localdomain systemd-entrypoint[872]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib>
Apr 10 12:39:49 ubuntu2204.localdomain systemd-entrypoint[872]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Apr 10 12:39:49 ubuntu2204.localdomain systemd-entrypoint[872]: WARNING: System::setSecurityManager will be removed in a future release
Apr 10 12:39:58 ubuntu2204.localdomain systemd[1]: Started Wazuh-indexer.
```

This is what I am seeing on my install. Host OS is Ubuntu 22.04.4 LTS. After about 10 mins or so, it finally fails to start up. Running "sudo systemctl start wazuh-indexer" does get the service up and running. It only works if I wait for the service to fail first.

byalexandrepedrosa commented 2 months ago

Mine was missing the path for executables, so I have added:

/etc/wazuh-indexer/

Complete service:

```
[Unit]
Description=Wazuh-indexer Performance Analyzer
PartOf=wazuh-indexer.service
After=wazuh-indexer.service

[Service]
ExecStart=/usr/share/wazuh-indexer/bin/performance-analyzer-agent-cli
Restart=on-failure
User=wazuh-indexer
Group=wazuh-indexer
Environment="OPENSEARCH_HOME=/usr/share/wazuh-indexer:/etc/wazuh-indexer/"
WorkingDirectory=/usr/share/wazuh-indexer

[Install]
WantedBy=wazuh-indexer.service
```

It was working on the default installation of 4.8.1. After the upgrade to 4.8.2, it doesn't work anymore.

I'm using Ubuntu 22.04.

AlexRuiz7 commented 2 months ago

@byalexandrepedrosa there are no executables in /etc/wazuh-indexer. That folder contains configuration files only.

There is no change at all between wazuh-indexer@4.8.1 and wazuh-indexer@4.8.2, so the problem must be caused by something else.