The starting process of wazuh indexer failed for unknown reasons
I followed this guide https://socfortress.medium.com/part-1-wazuh-indexer-siem-backend-9b5ab37a477c To start installing wazuh indexer on on of my server, everything was fine until in the last step I did the systemctl start wazuh-indexer, I got this error :
root@ampelos:/etc/wazuh-indexer# systemctl start wazuh-indexer
Job for wazuh-indexer.service failed because the control process exited with error code.
See "systemctl status wazuh-indexer.service" and "journalctl -xe" for details.
root@ampelos:/etc/wazuh-indexer# systemctl status wazuh-indexer
* wazuh-indexer.service - Wazuh-indexer
Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2023-10-24 08:37:49 UTC; 17s ago
Docs: https://documentation.wazuh.com
Process: 161277 ExecStart=/usr/share/wazuh-indexer/bin/systemd-entrypoint -p ${PID_DIR}/wazuh-indexer.pid --quiet (code=exited, >
Main PID: 161277 (code=exited, status=1/FAILURE)
CPU: 2.670s
Oct 24 08:37:49 ampelos systemd-entrypoint[161277]: ^
Oct 24 08:37:49 ampelos systemd-entrypoint[161277]: at org.yaml.snakeyaml.parser.ParserImpl$ParseBlockMappingKey.produce(Par>
Oct 24 08:37:49 ampelos systemd-entrypoint[161277]: at org.yaml.snakeyaml.parser.ParserImpl.peekEvent(ParserImpl.java:185)
Oct 24 08:37:49 ampelos systemd-entrypoint[161277]: at org.yaml.snakeyaml.parser.ParserImpl.getEvent(ParserImpl.java:195)
Oct 24 08:37:49 ampelos systemd-entrypoint[161277]: at com.fasterxml.jackson.dataformat.yaml.YAMLParser.nextToken(YAMLParser>
Oct 24 08:37:49 ampelos systemd-entrypoint[161277]: ... 13 more
Oct 24 08:37:49 ampelos systemd[1]: wazuh-indexer.service: Main process exited, code=exited, status=1/FAILURE
Oct 24 08:37:49 ampelos systemd[1]: wazuh-indexer.service: Failed with result 'exit-code'.
Oct 24 08:37:49 ampelos systemd[1]: Failed to start Wazuh-indexer.
Oct 24 08:37:49 ampelos systemd[1]: wazuh-indexer.service: Consumed 2.670s CPU time.
I don't have any idea why it failed, if you need more logs you can ask me and I will put it in edit.
The error you show is usually due to a problem in the Wazuh indexer configuration at
/etc/wazuh-indexer/opensearch.yml, see that it is a YAML parser error:Additionally, the output is partial, since the
>characters are shown, so I would recommend editing the comment with the full-service status output.You can also see possible problems by checking the file
/var/log/wazuh-indexer/wazuh-cluster.log(the name may vary depending on what is defined in the Wazuh indexer configuration)It would be necessary to know the content of the configuration file to be able to guide you better, remember to eliminate sensitive information such as public IPs if you share the file
On the other hand, I recommend that you follow our official documentation to carry out the deployments since the guide you are following is external and does not represent the most updated version, which is currently
4.5.4