Kibana server is not ready yet | Community help request for troubleshooting #5218
Comments
Could you share the following data about your environment?
From the shared logs, there could be a problem with the Elasticsearch-Kibana connection. You could review the following things:
`systemctl status elasticsearch`
`systemctl start kibana`
On the other hand, these lines of the Kibana logs (old logs, November 21):
seem to be related to the Wazuh plugin for Kibana. Some tasks of the Wazuh plugin need the internal user of Kibana, which is configured in its configuration (
@Desvelao Additional info about my environment: Elasticsearch version: First I've checked the credentials in It seems that the Elasticsearch service ran into a timeout and got terminated:
After that I tried to restart the Wazuh core services: All services got up and running again and I was able to log in to my Wazuh dashboard! I still have the problem that my Wazuh agents are online, but I don't see any alert data in the dashboard. The status of my agents looks like this:
Hi @Cybercop-Training, I am glad you could solve the problem. But maybe you should review the reason why Elasticsearch fails to start due to a timeout when you restart the server machine. On the other hand, regarding not being able to see any alert data: this seems to be a different topic from the initial one, so it is recommended to open a new thread in any community channel (Slack, Google mailing list, Discord, etc.). Consider searching before opening a new thread; you could find a related thread that helps to debug or solve the problem. If you don't see any alert data in the Wazuh plugin, this could be caused by:
The previous command should display the last line of the
where:
Hi @Desvelao
The Filebeat service is running, but the warning `Cannot index event publisher.Event{Content:b>` sounds suspicious!
What does this error line mean?
Thank you so much for sharing the outputs. That is the reason why you can't see any alerts: the data can't be indexed.
This means the shard limit count was reached (
Automating the deletion of indices through ILM/ISM policies is recommended because it reduces manual maintenance.
You should know that each index in Elasticsearch has a number of shards assigned; for example, the If you don't need the data of old indices, you could set an ILM/ISM policy to automate the deletion of these indices once they reach a minimum age. More info: https://www.elastic.co/blog/how-many-shards-should-i-have-in-my-elasticsearch-cluster
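To make the "shard limit reached" diagnosis concrete, here is an added example (not code from this thread or from the Wazuh project) that computes the cluster's shard budget the way the limit is enforced: `cluster.max_shards_per_node` multiplied by the number of data nodes, compared against the open shards reported by `GET _cluster/stats`. It also aggregates `GET _cat/shards` output by index family so you can see which daily indices are consuming the budget. The API paths and response fields are the real Elasticsearch/OpenSearch ones; the `ES_URL`/`ES_USER`/`ES_PASS`/`ES_CA` environment variables and the sample responses are constructed for the example.

```python
"""Shard budget check for an Elasticsearch / Wazuh indexer cluster.

Added example for this thread; not code from the thread or the Wazuh project.
Real APIs used:
  GET _cluster/stats  -> indices.shards.total, nodes.count.data
  GET _cluster/settings?include_defaults=true&flat_settings=true -> cluster.max_shards_per_node
  GET _cat/shards?h=index,shard,prirep,state (optional, for the per-family breakdown)
The sample responses at the bottom are constructed, not captured from a real cluster.
"""
import base64
import json
import os
import re
import ssl
from urllib.request import Request, urlopen

DEFAULT_MAX_SHARDS_PER_NODE = 1000  # Elasticsearch / OpenSearch default


def fetch_json(url, user=None, password=None, cafile=None):
    """GET a JSON document from the cluster (basic auth; cafile for a self-signed CA)."""
    req = Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile) if cafile else None
    with urlopen(req, context=ctx) as resp:
        return json.load(resp)


def max_shards_per_node(settings):
    """Effective cluster.max_shards_per_node: transient beats persistent beats defaults."""
    for section in ("transient", "persistent", "defaults"):
        value = settings.get(section, {}).get("cluster.max_shards_per_node")
        if value is not None:
            return int(value)
    return DEFAULT_MAX_SHARDS_PER_NODE


def shard_budget(cluster_stats, settings):
    """Open shards held by the cluster versus the limit (max_shards_per_node * data nodes)."""
    data_nodes = cluster_stats["nodes"]["count"]["data"]
    open_shards = cluster_stats["indices"]["shards"]["total"]
    limit = max_shards_per_node(settings) * data_nodes
    return {
        "data_nodes": data_nodes,
        "open_shards": open_shards,
        "limit": limit,
        "remaining": limit - open_shards,
        "usage_pct": round(100.0 * open_shards / limit, 1),
    }


DATE_SUFFIX = re.compile(r"[-.]\d{4}\.\d{2}\.\d{2}$")  # e.g. "-2022.11.21" on daily indices


def shards_by_index_family(cat_shards_text):
    """Count shards per index name with the daily date suffix stripped, largest family first."""
    counts = {}
    for line in cat_shards_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        family = DATE_SUFFIX.sub("", fields[0])
        counts[family] = counts.get(family, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


# Constructed sample responses: a single-node cluster two shards short of the default limit.
SAMPLE_CLUSTER_STATS = {"nodes": {"count": {"total": 1, "data": 1}},
                        "indices": {"count": 340, "shards": {"total": 998}}}
SAMPLE_SETTINGS = {"persistent": {}, "transient": {},
                   "defaults": {"cluster.max_shards_per_node": "1000"}}
SAMPLE_CAT_SHARDS = """\
wazuh-alerts-4.x-2022.11.21 0 p STARTED
wazuh-alerts-4.x-2022.11.21 1 p STARTED
wazuh-alerts-4.x-2022.11.21 2 p STARTED
wazuh-alerts-4.x-2022.11.22 0 p STARTED
wazuh-monitoring-2022.11.21 0 p STARTED
.kibana_1 0 p STARTED
"""

if __name__ == "__main__":
    base = os.environ.get("ES_URL")  # e.g. https://localhost:9200; unset -> use the samples
    if base:
        auth = (os.environ.get("ES_USER"), os.environ.get("ES_PASS"), os.environ.get("ES_CA"))
        stats = fetch_json(f"{base}/_cluster/stats", *auth)
        settings = fetch_json(f"{base}/_cluster/settings?include_defaults=true&flat_settings=true", *auth)
    else:
        stats, settings = SAMPLE_CLUSTER_STATS, SAMPLE_SETTINGS
    print(json.dumps(shard_budget(stats, settings), indent=2))
    print(shards_by_index_family(SAMPLE_CAT_SHARDS))
```

Run against the samples the budget reports 998 of 1000 shards used with 2 remaining, which is exactly the situation in which Filebeat starts logging that it cannot index events. The per-family breakdown is usually the more useful number: if almost all shards belong to `wazuh-alerts-4.x`, a retention policy on those daily indices frees the budget without touching the per-node limit.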
@Desvelao First of all I did check if a
Now this policy is linked to all my alert* indices! After that I incremented the max shards per node and set a value of 2000
That command helped and I could immediately see that new alerts are coming in. The question that comes to me now is: is there a command I can run on the Wazuh server to check how many
I also discovered this post, which describes the same issue I had: wazuh/wazuh-puppet#222. Would it also be useful in my case to reallocate unassigned shards?
Last but not least, how can I update my Wazuh stack to the newest release without breaking it with an incompatible Elasticsearch version? This is because I noticed that I have to be very careful just to go over
Thanks in advance!
The ISM policy should be applied to the new indices if their names match the index patterns you defined in the ISM policy. I see you added:
so this means that, for the indices whose name matches the index pattern
Note that increasing the maximum shard count per node is not recommended, because it could cause inoperability and performance issues in your Elasticsearch/Wazuh indexer cluster. If your use case can be managed with ISM policies, then you may not need to increase the maximum shard count per node.
Yes, they do.
According to your policy, the difference between the hot and cold states is that the indices become read-only in the cold state. This allows searching the indices, but write operations are disabled (data can't be indexed).
I don't know if there is a way to get the remaining shards, but you could get the total with a request (from the Kibana Dev Tools plugin, or adapt it to run with cURL).
You could check the Elasticsearch API documentation to get more information.
I guess so, but this depends on the index configuration and the number of Elasticsearch nodes. I will research whether there is a problem that should be solved.
You should disable the possibility of upgrading the Wazuh components automatically, such as
Before upgrading, you should check the compatibility matrix of the Wazuh plugin and Kibana: https://github.com/wazuh/wazuh-kibana-app/wiki/Compatibility. The table displays the compatibility of specific Wazuh plugin versions with Kibana versions. To upgrade the Wazuh components, you should follow one of the guides from the Wazuh documentation.
Please, before upgrading, read the guides carefully and verify that the provided documentation applies to your case. Consider opening new tickets in one of the Wazuh community channels if the questions are not directly related to the initial one. They could be useful for other users.
@Desvelao
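The answer above makes two points that are easy to get wrong in practice: the ISM template only attaches the policy to indices whose name matches its patterns, and the cold state makes an index searchable but not writable. The following is an added example, not code from this thread or from the Wazuh project, that builds a hot/cold/delete ISM policy document and answers both questions offline: which index names the template would cover, and which state (and writability) an index of a given age ends up in. It assumes the Open Distro / OpenSearch ISM policy format with `ism_template` given as a list (older Open Distro releases expect a single object; the reader below accepts both), the Wazuh 4.x alert index prefix `wazuh-alerts-*`, and constructed retention ages (30 days to cold, 90 days to delete) that you would adapt to your own requirements.

```python
"""Build and reason about an ISM (Index State Management) policy for Wazuh alert indices.

Added example; not code from this thread or from the Wazuh project. Assumes the
Open Distro / OpenSearch ISM policy document format (PUT _plugins/_ism/policies/<id>
on OpenSearch, _opendistro/_ism on Open Distro) and the index pattern wazuh-alerts-*.
The age thresholds are constructed values.
"""
import json
import re
from fnmatch import fnmatchcase


def build_ism_policy(index_patterns, cold_after="30d", delete_after="90d"):
    """hot -> cold (read_only) -> delete; min_index_age is measured from index creation."""
    return {
        "policy": {
            "description": "Wazuh alerts: read-only after %s, deleted after %s" % (cold_after, delete_after),
            "default_state": "hot",
            "states": [
                {"name": "hot", "actions": [],
                 "transitions": [{"state_name": "cold", "conditions": {"min_index_age": cold_after}}]},
                {"name": "cold", "actions": [{"read_only": {}}],
                 "transitions": [{"state_name": "delete", "conditions": {"min_index_age": delete_after}}]},
                {"name": "delete", "actions": [{"delete": {}}], "transitions": []},
            ],
            # Auto-attaches to indices created after the policy exists whose name matches.
            "ism_template": [{"index_patterns": list(index_patterns), "priority": 100}],
        }
    }


_AGE = re.compile(r"^(\d+)([dhm])$")
_UNIT_HOURS = {"d": 24, "h": 1, "m": 1 / 60}


def age_to_hours(age):
    """Parse an ISM age string such as '30d' or '12h' into hours."""
    m = _AGE.match(age)
    if not m:
        raise ValueError("unsupported min_index_age: %r" % age)
    return int(m.group(1)) * _UNIT_HOURS[m.group(2)]


def ism_templates(policy):
    """Normalise ism_template, which may be a single object or a list."""
    tpl = policy["policy"].get("ism_template", [])
    return tpl if isinstance(tpl, list) else [tpl]


def covered_by_policy(index_name, policy):
    """Would the template auto-attach this policy to a newly created index with this name?"""
    return any(fnmatchcase(index_name, pattern)
               for tpl in ism_templates(policy) for pattern in tpl["index_patterns"])


def expected_state(policy, index_age_hours):
    """Follow every transition an index of this age (since creation) has already satisfied."""
    states = {s["name"]: s for s in policy["policy"]["states"]}
    current = policy["policy"]["default_state"]
    while True:
        nxt = next((t["state_name"] for t in states[current]["transitions"]
                    if index_age_hours >= age_to_hours(t["conditions"]["min_index_age"])), None)
        if nxt is None:
            return current
        current = nxt


def is_writable(policy, state_name):
    """An index stays writable unless its state applies read_only (or deletes it)."""
    state = next(s for s in policy["policy"]["states"] if s["name"] == state_name)
    return not any(("read_only" in a or "delete" in a) for a in state["actions"])


if __name__ == "__main__":
    policy = build_ism_policy(["wazuh-alerts-*"])
    print(json.dumps(policy, indent=2))  # request body for PUT _plugins/_ism/policies/<policy_id>
    for name in ("wazuh-alerts-4.x-2022.11.21", "wazuh-monitoring-2022.11.21"):
        print(name, "covered" if covered_by_policy(name, policy) else "not covered")
    for days in (10, 45, 100):
        state = expected_state(policy, days * 24)
        print(f"age {days}d -> state {state}, writable={is_writable(policy, state)}")
```

Two practical notes. The template only applies to indices created after the policy is stored, so indices that already exist must be attached explicitly (`POST _plugins/_ism/add/<index>` with `{"policy_id": "..."}`). And because the ISM job runs on a fixed interval rather than continuously, a real index reaches each state a little after the age computed by `expected_state`.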
Hello Community
I don't want to report a bug, but I got stuck with a Kibana error in my Wazuh server installation.
One year ago I set up a Wazuh installation, and I used the official installation assistant script from the Wazuh documentation.
Everything worked fine, I successfully rolled out some Wazuh agents in my network, and I was amazed by the data and visualizations I got from them.
Some months ago I noticed that the agents were still online and showed connectivity in the dashboard, but I didn't get data from them anymore. Because of that I decided to reboot the Ubuntu server, and since then it's not possible to access the Wazuh dashboard anymore. I got stuck with this "Kibana server is not ready yet" message and I hope there is still a chance to get my Wazuh installation up and running again.
If I run the command
`systemctl status kibana`
I get this:
It seems that there is a connection problem to Elasticsearch, but I've no clue where it comes from.
If I run
`journalctl -u kibana`
I get multiple lines like this:
Do I have a plugin problem?
If I check the Elasticsearch log with the following command
`cat /var/log/elasticsearch/wazuh-cluster.log | grep -i -E "error|warn"`
I can see multiple error patterns like this:
And at the bottom I can see some hints about insecure file permissions:
If you need further information or logs, I hope I can provide them. I'm thankful for any help and assistance I can get in this case.