Permission errors in the Wazuh Indexer service (systemd) #2685

Closed
mauromalara opened this issue Dec 12, 2023 · 5 comments
Labels: level/task (Subtask issue), qa_known (Issues that are already known by the QA team), type/bug (Bug issue), wazuh-indexer

mauromalara commented Dec 12, 2023

Description

Some errors appear at the same hour on different days; the file exists, and no related logs are found in the Indexer logs for now:

Dec 10 00:00:01 ip-10-0-2-61.us-west-1.compute.internal systemd-entrypoint[11618]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
.
.
Dec 10 00:00:01 ip-10-0-2-61.us-west-1.compute.internal systemd-entrypoint[11618]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
.
.
Dec 11 00:00:01 ip-10-0-2-61.us-west-1.compute.internal systemd-entrypoint[11618]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
.
.
Dec 11 00:00:01 ip-10-0-2-61.us-west-1.compute.internal systemd-entrypoint[11618]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
.
.
Dec 12 00:00:01 ip-10-0-2-61.us-west-1.compute.internal systemd-entrypoint[11618]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
.
.
Dec 12 00:00:01 ip-10-0-2-61.us-west-1.compute.internal systemd-entrypoint[11618]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")

This seems to solve the issue: https://forum.opensearch.org/t/systemd-entrypoint-defaultdispatcher-worker-error-could-not-define-attribute-view-on-path-var-log-opensearch-opensearch-server-json/15514/5

But further research is required.
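
An added example (not part of the original issue or of Wazuh's code): it parses journal lines of the form quoted above, reports which clock times recur across days, and checks whether the files named in the errors carry permission bits beyond 0640. The 0640 baseline is an assumption taken from the pre-rotation listings later in this thread; the host name and the temporary files are constructed.

```python
import os
import re
import stat
import tempfile
from collections import defaultdict

# Matches the Log4j status message quoted in the issue (journal short format).
DENIAL_RE = re.compile(
    r'^(?P<day>\w{3}\s+\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ '
    r'[\w.@-]+\[\d+\]: ERROR StatusConsoleListener '
    r'Could not define attribute view on path "(?P<path>[^"]+)" '
    r'got access denied \("java\.lang\.RuntimePermission" "(?P<perm>[^"]+)"\)'
)


def parse_denials(lines):
    """Return one dict per matching journal line; other lines are skipped."""
    return [m.groupdict() for m in map(DENIAL_RE.match, lines) if m]


def recurring_times(events, min_days=2):
    """Map clock time -> sorted days, for times seen on at least min_days days."""
    days = defaultdict(set)
    for e in events:
        days[e["time"]].add(e["day"])
    return {t: sorted(d) for t, d in days.items() if len(d) >= min_days}


def excess_bits(path, expected=0o640):
    """Permission bits set on path beyond `expected`; None if the path is missing."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return None
    return mode & ~expected


def audit(events, expected=0o640):
    """For every path named in a denial, report mode bits wider than expected."""
    report = {}
    for path in sorted({e["path"] for e in events}):
        extra = excess_bits(path, expected)
        if extra is None:
            report[path] = "missing"
        else:
            report[path] = oct(extra) if extra else "ok"
    return report


def demo():
    """Constructed sample: two files in a temp dir, one left world-readable."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "wazuh.log")
        js = os.path.join(d, "wazuh_server.json")
        for p, mode in ((log, 0o644), (js, 0o640)):
            open(p, "w").close()
            os.chmod(p, mode)
        tmpl = ('{day} 00:00:01 host.example systemd-entrypoint[11618]: ERROR '
                'StatusConsoleListener Could not define attribute view on path '
                '"{path}" got access denied ("java.lang.RuntimePermission" '
                '"accessUserInformation")')
        lines = [tmpl.format(day=day, path=p)
                 for day in ("Dec 10", "Dec 11") for p in (js, log)]
        # Unrelated journal line, must be ignored by the parser.
        lines.append("Dec 11 00:00:02 host.example systemd[1]: Started Session 4.")
        events = parse_denials(lines)
        return events, recurring_times(events), audit(events)


if __name__ == "__main__":
    events, recurring, report = demo()
    print(recurring)
    for path, verdict in report.items():
        print(verdict, path)
```

On a real host, feed `parse_denials` the output of `journalctl` for the indexer unit and run `audit` as a user that can stat the log directory.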


rauldpm commented Dec 13, 2023

Related https://github.com/search?q=repo%3Awazuh%2Fwazuh-packages+%22accessUserInformation%22&type=issues
First appearance: #1971 (without the StatusConsoleListener)

@wazuhci wazuhci moved this to Triage in Release 4.8.0 Dec 15, 2023
@wazuhci wazuhci moved this from Triage to Backlog in Release 4.8.0 Dec 18, 2023
@rafabailon rafabailon self-assigned this Dec 18, 2023
@wazuhci wazuhci moved this from Backlog to In progress in Release 4.8.0 Dec 18, 2023
@rafabailon

I have reviewed the information in this issue. The StatusConsoleListener appears to be a class for logs. This class belongs to the org.apache.logging.log4j.status package. There is an open and blocked issue to deal with this type of error. I have checked OpenSearch and the most recent information related to this error seems to be this (which has already been mentioned in the issue description).


rafabailon commented Dec 19, 2023

Steps to Reproduce

I have tried to reproduce the error, first doing an AIO installation of version 4.8.0 (since the issue is for this version). I have also tried installing OpenSearch manually (in its latest available version).

Reproduce the Error using an AIO Installation
  • Install AIO
[root@centos7 vagrant]# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
19/12/2023 09:39:56 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
19/12/2023 09:39:56 INFO: Verbose logging redirected to /var/log/wazuh-install.log
19/12/2023 09:40:00 INFO: Verifying that your system meets the recommended minimum hardware requirements.
19/12/2023 09:40:00 INFO: Wazuh web interface port will be 443.
19/12/2023 09:40:00 WARNING: The system has Firewalld enabled. Please ensure that traffic is allowed on these ports: 1515, 1514, 443.
19/12/2023 09:40:02 INFO: Wazuh development repository added.
19/12/2023 09:40:02 INFO: --- Configuration files ---
19/12/2023 09:40:02 INFO: Generating configuration files.
19/12/2023 09:40:02 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
19/12/2023 09:40:03 INFO: --- Wazuh indexer ---
19/12/2023 09:40:03 INFO: Starting Wazuh indexer installation.
19/12/2023 09:41:27 INFO: Wazuh indexer installation finished.
19/12/2023 09:41:27 INFO: Wazuh indexer post-install configuration finished.
19/12/2023 09:41:27 INFO: Starting service wazuh-indexer.
19/12/2023 09:41:35 INFO: wazuh-indexer service started.
19/12/2023 09:41:35 INFO: Initializing Wazuh indexer cluster security settings.
19/12/2023 09:41:48 INFO: The Wazuh indexer cluster ISM initialized.
19/12/2023 09:41:48 INFO: Wazuh indexer cluster initialized.
19/12/2023 09:41:48 INFO: --- Wazuh server ---
19/12/2023 09:41:48 INFO: Starting the Wazuh manager installation.
19/12/2023 09:42:23 INFO: Wazuh manager installation finished.
19/12/2023 09:42:23 INFO: Starting service wazuh-manager.
19/12/2023 09:42:36 INFO: wazuh-manager service started.
19/12/2023 09:42:36 INFO: Starting Filebeat installation.
19/12/2023 09:42:43 INFO: Filebeat installation finished.
19/12/2023 09:42:45 INFO: Filebeat post-install configuration finished.
19/12/2023 09:42:45 INFO: Starting service filebeat.
19/12/2023 09:42:45 INFO: filebeat service started.
19/12/2023 09:42:45 INFO: --- Wazuh dashboard ---
19/12/2023 09:42:45 INFO: Starting Wazuh dashboard installation.
19/12/2023 09:43:38 INFO: Wazuh dashboard installation finished.
19/12/2023 09:43:38 INFO: Wazuh dashboard post-install configuration finished.
19/12/2023 09:43:38 INFO: Starting service wazuh-dashboard.
19/12/2023 09:43:38 INFO: wazuh-dashboard service started.
19/12/2023 09:43:40 INFO: Updating the internal users.
19/12/2023 09:43:42 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
19/12/2023 09:43:57 INFO: Initializing Wazuh dashboard web application.
19/12/2023 09:43:58 INFO: Wazuh dashboard web application initialized.
19/12/2023 09:43:58 INFO: --- Summary ---
19/12/2023 09:43:58 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
    User: admin
    Password: DtFX2+RbJkTtJ*GQJ25W3Mj5eMIuXdB7
19/12/2023 09:43:58 INFO: Installation finished.
  • Check Permissions
[root@centos7 vagrant]# ls -lia /var/log/wazuh-indexer/
total 408
486932 drwxr-x---. 2 wazuh-indexer wazuh-indexer   4096 dic 19 09:41 .
   100 drwxr-xr-x. 9 root          root            4096 dic 19 09:42 ..
486934 -rw-r--r--. 1 wazuh-indexer wazuh-indexer 112524 dic 19 10:03 gc.log
486933 -rw-r--r--. 1 wazuh-indexer wazuh-indexer   2015 dic 19 09:41 gc.log.00
486941 -rw-r-----. 1 wazuh-indexer wazuh-indexer   4730 dic 19 09:43 wazuh-cluster_deprecation.json
486935 -rw-r-----. 1 wazuh-indexer wazuh-indexer   2804 dic 19 09:43 wazuh-cluster_deprecation.log
486939 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 09:41 wazuh-cluster_index_indexing_slowlog.json
486942 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 09:41 wazuh-cluster_index_indexing_slowlog.log
486938 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 09:41 wazuh-cluster_index_search_slowlog.json
486943 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 09:41 wazuh-cluster_index_search_slowlog.log
486937 -rw-r-----. 1 wazuh-indexer wazuh-indexer  62647 dic 19 10:03 wazuh-cluster.log
486940 -rw-r-----. 1 wazuh-indexer wazuh-indexer 139247 dic 19 10:03 wazuh-cluster_server.json
486936 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 09:41 wazuh-cluster_task_detailslog.json
  5344 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 09:41 wazuh-cluster_task_detailslog.log

[root@centos7 vagrant]# stat --format="%n: %a" /var/log/wazuh-indexer/*
/var/log/wazuh-indexer/gc.log: 644
/var/log/wazuh-indexer/gc.log.00: 644
/var/log/wazuh-indexer/wazuh-cluster_deprecation.json: 640
/var/log/wazuh-indexer/wazuh-cluster_deprecation.log: 640
/var/log/wazuh-indexer/wazuh-cluster_index_indexing_slowlog.json: 640
/var/log/wazuh-indexer/wazuh-cluster_index_indexing_slowlog.log: 640
/var/log/wazuh-indexer/wazuh-cluster_index_search_slowlog.json: 640
/var/log/wazuh-indexer/wazuh-cluster_index_search_slowlog.log: 640
/var/log/wazuh-indexer/wazuh-cluster.log: 640
/var/log/wazuh-indexer/wazuh-cluster_server.json: 640
/var/log/wazuh-indexer/wazuh-cluster_task_detailslog.json: 640
/var/log/wazuh-indexer/wazuh-cluster_task_detailslog.log: 640
  • Shutdown VM
[root@centos7 vagrant]# shutdown now
  • Initialize VM, Access It, and Check that File Permissions have not Changed
[root@centos7 vagrant]# ls -lia /var/log/wazuh-indexer/
total 572
486932 drwxr-x---. 2 wazuh-indexer wazuh-indexer   4096 dic 19 10:10 .
   100 drwxr-xr-x. 9 root          root            4096 dic 19 10:10 ..
705262 -rw-r--r--. 1 wazuh-indexer wazuh-indexer  40450 dic 19 10:11 gc.log
486933 -rw-r--r--. 1 wazuh-indexer wazuh-indexer   2015 dic 19 09:41 gc.log.00
486934 -rw-r--r--. 1 wazuh-indexer wazuh-indexer 116769 dic 19 10:07 gc.log.01
705261 -rw-r--r--. 1 wazuh-indexer wazuh-indexer   2015 dic 19 10:10 gc.log.02
486941 -rw-r-----. 1 wazuh-indexer wazuh-indexer   8095 dic 19 10:10 wazuh-cluster_deprecation.json
486935 -rw-r-----. 1 wazuh-indexer wazuh-indexer   4864 dic 19 10:10 wazuh-cluster_deprecation.log
486939 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 09:41 wazuh-cluster_index_indexing_slowlog.json
486942 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 09:41 wazuh-cluster_index_indexing_slowlog.log
486938 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 09:41 wazuh-cluster_index_search_slowlog.json
486943 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 09:41 wazuh-cluster_index_search_slowlog.log
486937 -rw-r-----. 1 wazuh-indexer wazuh-indexer  95498 dic 19 10:10 wazuh-cluster.log
486940 -rw-r-----. 1 wazuh-indexer wazuh-indexer 209666 dic 19 10:10 wazuh-cluster_server.json
486936 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 09:41 wazuh-cluster_task_detailslog.json
  5344 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 09:41 wazuh-cluster_task_detailslog.log

[root@centos7 vagrant]# stat --format="%n: %a" /var/log/wazuh-indexer/*
/var/log/wazuh-indexer/gc.log: 644
/var/log/wazuh-indexer/gc.log.00: 644
/var/log/wazuh-indexer/gc.log.01: 644
/var/log/wazuh-indexer/gc.log.02: 644
/var/log/wazuh-indexer/wazuh-cluster_deprecation.json: 640
/var/log/wazuh-indexer/wazuh-cluster_deprecation.log: 640
/var/log/wazuh-indexer/wazuh-cluster_index_indexing_slowlog.json: 640
/var/log/wazuh-indexer/wazuh-cluster_index_indexing_slowlog.log: 640
/var/log/wazuh-indexer/wazuh-cluster_index_search_slowlog.json: 640
/var/log/wazuh-indexer/wazuh-cluster_index_search_slowlog.log: 640
/var/log/wazuh-indexer/wazuh-cluster.log: 640
/var/log/wazuh-indexer/wazuh-cluster_server.json: 640
/var/log/wazuh-indexer/wazuh-cluster_task_detailslog.json: 640
/var/log/wazuh-indexer/wazuh-cluster_task_detailslog.log: 640
  • Shutdown VM, Change Host Date and Start VM
[root@centos7 vagrant]# shutdown now
  • Check Permissions
[root@centos7 vagrant]# ls -lia /var/log/wazuh-indexer/
total 520
486932 drwxr-x---. 2 wazuh-indexer wazuh-indexer   4096 dic 21 10:17 .
   100 drwxr-xr-x. 9 root          root            4096 dic 19 10:17 ..
705228 -rw-r--r--. 1 wazuh-indexer wazuh-indexer  46873 dic 21 10:18 gc.log
486933 -rw-r--r--. 1 wazuh-indexer wazuh-indexer   2015 dic 19 09:41 gc.log.00
486934 -rw-r--r--. 1 wazuh-indexer wazuh-indexer 116769 dic 19 10:07 gc.log.01
705261 -rw-r--r--. 1 wazuh-indexer wazuh-indexer   2015 dic 19 10:10 gc.log.02
705262 -rw-r--r--. 1 wazuh-indexer wazuh-indexer  49709 dic 19 10:12 gc.log.03
705227 -rw-r--r--. 1 wazuh-indexer wazuh-indexer   2015 dic 21 10:17 gc.log.04
705242 -rw-r--r--. 1 wazuh-indexer wazuh-indexer  17806 dic 21 10:17 wazuh-cluster-2023-12-19-1.json.gz
705238 -rw-r--r--. 1 wazuh-indexer wazuh-indexer  15947 dic 21 10:17 wazuh-cluster-2023-12-19-1.log.gz
486941 -rw-r-----. 1 wazuh-indexer wazuh-indexer  11910 dic 21 10:17 wazuh-cluster_deprecation.json
486935 -rw-r-----. 1 wazuh-indexer wazuh-indexer   7167 dic 21 10:17 wazuh-cluster_deprecation.log
486939 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 09:41 wazuh-cluster_index_indexing_slowlog.json
486942 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 09:41 wazuh-cluster_index_indexing_slowlog.log
486938 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 09:41 wazuh-cluster_index_search_slowlog.json
486943 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 09:41 wazuh-cluster_index_search_slowlog.log
705231 -rw-r--r--. 1 wazuh-indexer wazuh-indexer  32871 dic 21 10:17 wazuh-cluster.log
705230 -rw-r--r--. 1 wazuh-indexer wazuh-indexer  69692 dic 21 10:17 wazuh-cluster_server.json
486936 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 09:41 wazuh-cluster_task_detailslog.json
  5344 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 09:41 wazuh-cluster_task_detailslog.log

[root@centos7 vagrant]# stat --format="%n: %a" /var/log/wazuh-indexer/*
/var/log/wazuh-indexer/gc.log: 644
/var/log/wazuh-indexer/gc.log.00: 644
/var/log/wazuh-indexer/gc.log.01: 644
/var/log/wazuh-indexer/gc.log.02: 644
/var/log/wazuh-indexer/gc.log.03: 644
/var/log/wazuh-indexer/gc.log.04: 644
/var/log/wazuh-indexer/wazuh-cluster-2023-12-19-1.json.gz: 644
/var/log/wazuh-indexer/wazuh-cluster-2023-12-19-1.log.gz: 644
/var/log/wazuh-indexer/wazuh-cluster_deprecation.json: 640
/var/log/wazuh-indexer/wazuh-cluster_deprecation.log: 640
/var/log/wazuh-indexer/wazuh-cluster_index_indexing_slowlog.json: 640
/var/log/wazuh-indexer/wazuh-cluster_index_indexing_slowlog.log: 640
/var/log/wazuh-indexer/wazuh-cluster_index_search_slowlog.json: 640
/var/log/wazuh-indexer/wazuh-cluster_index_search_slowlog.log: 640
/var/log/wazuh-indexer/wazuh-cluster.log: 644
/var/log/wazuh-indexer/wazuh-cluster_server.json: 644
/var/log/wazuh-indexer/wazuh-cluster_task_detailslog.json: 640
/var/log/wazuh-indexer/wazuh-cluster_task_detailslog.log: 640
Test in OpenSearch 2.11.1
  • Install and Enable Service
[root@centos7 vagrant]# wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.11.1/opensearch-2.11.1-linux-x64.rpm
--2023-12-19 08:45:07--  https://artifacts.opensearch.org/releases/bundle/opensearch/2.11.1/opensearch-2.11.1-linux-x64.rpm
Resolviendo artifacts.opensearch.org (artifacts.opensearch.org)... 18.67.240.45, 18.67.240.6, 18.67.240.49, ...
Conectando con artifacts.opensearch.org (artifacts.opensearch.org)[18.67.240.45]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 784169644 (748M) [application/octet-stream]
Grabando a: “opensearch-2.11.1-linux-x64.rpm”

100%[===========================================================================================================================================================>] 784.169.644 16,7MB/s   en 47s    

2023-12-19 08:45:54 (16,1 MB/s) - “opensearch-2.11.1-linux-x64.rpm” guardado [784169644/784169644]

[root@centos7 vagrant]# yum localinstall -y opensearch-2.11.1-linux-x64.rpm 
Loaded plugins: fastestmirror
Examining opensearch-2.11.1-linux-x64.rpm: opensearch-2.11.1-1.x86_64
Marking opensearch-2.11.1-linux-x64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package opensearch.x86_64 0:2.11.1-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================================================================================================
 Package                                     Arch                                    Version                                     Repository                                                     Size
=====================================================================================================================================================================================================
Installing:
 opensearch                                  x86_64                                  2.11.1-1                                    /opensearch-2.11.1-linux-x64                                  1.0 G

Transaction Summary
=====================================================================================================================================================================================================
Install  1 Package

Total size: 1.0 G
Installed size: 1.0 G
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : opensearch-2.11.1-1.x86_64                                                                                                                                                        1/1 
### NOT starting on installation, please execute the following statements to configure opensearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable opensearch.service
### You can start opensearch service by executing
 sudo systemctl start opensearch.service
### Create opensearch demo certificates in /etc/opensearch/
 See demo certs creation log in /var/log/opensearch/install_demo_configuration.log
### Upcoming breaking change in packaging
 In a future release of OpenSearch, we plan to change the permissions associated with access to installed files
 If you are configuring tools that require read access to the OpenSearch configuration files, we recommend you add the user that runs these tools to the 'opensearch' group
 For more information, see https://github.com/opensearch-project/opensearch-build/pull/4043
  Verifying  : opensearch-2.11.1-1.x86_64                                                                                                                                                        1/1 

Installed:
  opensearch.x86_64 0:2.11.1-1                                                                                                                                                                       

Complete!

[root@centos7 vagrant]# systemctl enable opensearch
Created symlink from /etc/systemd/system/multi-user.target.wants/opensearch.service to /usr/lib/systemd/system/opensearch.service.

[root@centos7 vagrant]# systemctl status opensearch
● opensearch.service - OpenSearch
   Loaded: loaded (/usr/lib/systemd/system/opensearch.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: https://opensearch.org/
  • Service Start and Files Permissions
[root@centos7 vagrant]# ls -l /var/log/opensearch/
total 4
-rw-r--r--. 1 opensearch opensearch 1693 dic 19 08:56 install_demo_configuration.log

[root@centos7 vagrant]# systemctl start opensearch

[root@centos7 vagrant]# ls -l /var/log/opensearch/
total 296
-rw-r--r--. 1 opensearch opensearch 40870 dic 19 08:59 gc.log
-rw-r--r--. 1 opensearch opensearch  2030 dic 19 08:59 gc.log.00
-rw-r--r--. 1 opensearch opensearch  1693 dic 19 08:56 install_demo_configuration.log
-rw-r-----. 1 opensearch opensearch  1243 dic 19 08:59 opensearch_deprecation.json
-rw-r-----. 1 opensearch opensearch   805 dic 19 08:59 opensearch_deprecation.log
-rw-r-----. 1 opensearch opensearch     0 dic 19 08:59 opensearch_index_indexing_slowlog.json
-rw-r-----. 1 opensearch opensearch     0 dic 19 08:59 opensearch_index_indexing_slowlog.log
-rw-r-----. 1 opensearch opensearch     0 dic 19 08:59 opensearch_index_search_slowlog.json
-rw-r-----. 1 opensearch opensearch     0 dic 19 08:59 opensearch_index_search_slowlog.log
-rw-r-----. 1 opensearch opensearch 47948 dic 19 08:59 opensearch.log
-rw-r-----. 1 opensearch opensearch 92766 dic 19 08:59 opensearch_server.json
-rw-r-----. 1 opensearch opensearch     0 dic 19 08:59 opensearch_task_detailslog.json
-rw-r-----. 1 opensearch opensearch     0 dic 19 08:59 opensearch_task_detailslog.log

[root@centos7 vagrant]# shutdown now
  • Service Enabled Before System Reboot with Date Change
[root@centos7 vagrant]#  ls -l /var/log/opensearch/
total 560
-rw-r--r--. 1 opensearch opensearch 100614 dic 19 09:09 gc.log
-rw-r--r--. 1 opensearch opensearch   2030 dic 19 08:59 gc.log.00
-rw-r--r--. 1 opensearch opensearch  55449 dic 19 09:00 gc.log.01
-rw-r--r--. 1 opensearch opensearch   2006 dic 19 09:01 gc.log.02
-rw-r--r--. 1 opensearch opensearch   1693 dic 19 08:56 install_demo_configuration.log
-rw-r-----. 1 opensearch opensearch   2011 dic 19 09:01 opensearch_deprecation.json
-rw-r-----. 1 opensearch opensearch   1339 dic 19 09:01 opensearch_deprecation.log
-rw-r-----. 1 opensearch opensearch      0 dic 19 08:59 opensearch_index_indexing_slowlog.json
-rw-r-----. 1 opensearch opensearch      0 dic 19 08:59 opensearch_index_indexing_slowlog.log
-rw-r-----. 1 opensearch opensearch      0 dic 19 08:59 opensearch_index_search_slowlog.json
-rw-r-----. 1 opensearch opensearch      0 dic 19 08:59 opensearch_index_search_slowlog.log
-rw-r-----. 1 opensearch opensearch  99411 dic 19 09:06 opensearch.log
-rw-r-----. 1 opensearch opensearch 192835 dic 19 09:06 opensearch_server.json
-rw-r-----. 1 opensearch opensearch      0 dic 19 08:59 opensearch_task_detailslog.json
-rw-r-----. 1 opensearch opensearch      0 dic 19 08:59 opensearch_task_detailslog.log

[root@centos7 vagrant]# /usr/share/opensearch/bin/opensearch -V
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/opensearch/lib/opensearch-2.11.1.jar)
WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
WARNING: System::setSecurityManager will be removed in a future release
Version: 2.11.1, Build: rpm/6b1986e964d440be9137eba1413015c31c5a7752/2023-11-29T21:43:16.724491085Z, JVM: 17.0.8
  • Shutdown VM, Change Host Date and Start VM
[root@centos7 vagrant]# shutdown now
  • Check Permissions
[root@centos7 vagrant]# ls -l /var/log/opensearch/
total 376
-rw-r--r--. 1 opensearch opensearch 49346 dic 21 12:07 gc.log
-rw-r--r--. 1 opensearch opensearch  2006 dic 19 12:05 gc.log.00
-rw-r--r--. 1 opensearch opensearch 43792 dic 19 12:05 gc.log.01
-rw-r--r--. 1 opensearch opensearch  2006 dic 21 12:07 gc.log.02
-rw-r--r--. 1 opensearch opensearch  1693 dic 19 12:05 install_demo_configuration.log
-rw-r--r--. 1 opensearch opensearch  8475 dic 21 12:07 opensearch-2023-12-19-1.json.gz
-rw-r--r--. 1 opensearch opensearch  7816 dic 21 12:07 opensearch-2023-12-19-1.log.gz
-rw-r-----. 1 opensearch opensearch  2011 dic 21 12:07 opensearch_deprecation.json
-rw-r-----. 1 opensearch opensearch  1339 dic 21 12:07 opensearch_deprecation.log
-rw-r-----. 1 opensearch opensearch     0 dic 19 12:05 opensearch_index_indexing_slowlog.json
-rw-r-----. 1 opensearch opensearch     0 dic 19 12:05 opensearch_index_indexing_slowlog.log
-rw-r-----. 1 opensearch opensearch     0 dic 19 12:05 opensearch_index_search_slowlog.json
-rw-r-----. 1 opensearch opensearch     0 dic 19 12:05 opensearch_index_search_slowlog.log
-rw-r--r--. 1 opensearch opensearch 45941 dic 21 12:07 opensearch.log
-rw-r--r--. 1 opensearch opensearch 86947 dic 21 12:07 opensearch_server.json
-rw-r-----. 1 opensearch opensearch     0 dic 19 12:05 opensearch_task_detailslog.json
-rw-r-----. 1 opensearch opensearch     0 dic 19 12:05 opensearch_task_detailslog.log
  • Check Logs
[root@centos7 vagrant]# journalctl | grep "ERROR"
dic 21 12:07:05 centos7.localdomain systemd-entrypoint[654]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/opensearch/opensearch_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
dic 21 12:07:05 centos7.localdomain systemd-entrypoint[654]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/opensearch/opensearch.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")

Test the Proposed Fix

In the OpenSearch Forum there is a proposed solution for this error. Using the AIO installation, I have made the suggested changes. The error has not been resolved.

Wazuh-Indexer Info
  • Info About Indexer
[root@centos7 vagrant]# cat /usr/lib/systemd/system/wazuh-indexer.service
[Unit]
Description=Wazuh-indexer
Documentation=https://documentation.wazuh.com
Wants=network-online.target
After=network-online.target

[Service]
Type=notify
RuntimeDirectory=wazuh-indexer
PrivateTmp=yes
Environment=OPENSEARCH_HOME=/usr/share/wazuh-indexer
Environment=OPENSEARCH_PATH_CONF=/etc/wazuh-indexer
Environment=PID_DIR=/run/wazuh-indexer
Environment=OPENSEARCH_SD_NOTIFY=true
EnvironmentFile=-/etc/sysconfig/wazuh-indexer

WorkingDirectory=/usr/share/wazuh-indexer

User=wazuh-indexer
Group=wazuh-indexer

ExecStart=/usr/share/wazuh-indexer/bin/systemd-entrypoint -p ${PID_DIR}/wazuh-indexer.pid --quiet

# StandardOutput is configured to redirect to journalctl since
# some error messages may be logged in standard output before
# wazuh-indexer logging system is initialized. Elasticsearch
# stores its logs in /var/log/wazuh-indexer and does not use
# journalctl by default. If you also want to enable journalctl
# logging, you can simply remove the "quiet" option from ExecStart.
StandardOutput=journal
StandardError=inherit

# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65535

# Specifies the maximum number of processes
LimitNPROC=4096

# Specifies the maximum size of virtual memory
LimitAS=infinity

# Specifies the maximum file size
LimitFSIZE=infinity

# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0

# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM

# Send the signal only to the JVM rather than its control group
KillMode=process

# Java process is never killed
SendSIGKILL=no

# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143

# Allow a slow startup before the systemd notifier module kicks in to extend the timeout
TimeoutStartSec=180

[Install]
WantedBy=multi-user.target
  • Info About opensearch_security.policy File
[root@centos7 wazuh-indexer]# cat /etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy 
grant {
    permission java.lang.management.ManagementPermission "control";
    permission java.net.SocketPermission "localhost:9600","connect,resolve";
    permission java.lang.RuntimePermission "getClassLoader";
};

grant codebase "file:${java.home}/../lib/tools.jar" {
  permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.attach" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.internal.jvmstat" {
    permission java.security.AllPermission;
};
Test Fix using AIO Installation
  • Install AIO

  • Check Permissions

[root@centos7 vagrant]# ls -lia /var/log/wazuh-indexer/
[root@centos7 wazuh-indexer]# ls -lia /var/log/wazuh-indexer/
total 408
486932 drwxr-x---. 2 wazuh-indexer wazuh-indexer   4096 dic 19 10:26 .
   100 drwxr-xr-x. 9 root          root            4096 dic 19 10:46 ..
486934 -rw-r--r--. 1 wazuh-indexer wazuh-indexer 113183 dic 19 10:53 gc.log
486933 -rw-r--r--. 1 wazuh-indexer wazuh-indexer   2015 dic 19 10:26 gc.log.00
486941 -rw-r-----. 1 wazuh-indexer wazuh-indexer   4730 dic 19 10:28 wazuh-cluster_deprecation.json
486935 -rw-r-----. 1 wazuh-indexer wazuh-indexer   2804 dic 19 10:28 wazuh-cluster_deprecation.log
486939 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 10:26 wazuh-cluster_index_indexing_slowlog.json
486942 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 10:26 wazuh-cluster_index_indexing_slowlog.log
486938 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 10:26 wazuh-cluster_index_search_slowlog.json
486943 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 10:26 wazuh-cluster_index_search_slowlog.log
486937 -rw-r-----. 1 wazuh-indexer wazuh-indexer  64098 dic 19 10:52 wazuh-cluster.log
486940 -rw-r-----. 1 wazuh-indexer wazuh-indexer 142676 dic 19 10:52 wazuh-cluster_server.json
486936 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 10:26 wazuh-cluster_task_detailslog.json
  5344 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 10:26 wazuh-cluster_task_detailslog.log

[root@centos7 wazuh-indexer]# stat --format="%n: %a" /var/log/wazuh-indexer/*
/var/log/wazuh-indexer/gc.log: 644
/var/log/wazuh-indexer/gc.log.00: 644
/var/log/wazuh-indexer/wazuh-cluster_deprecation.json: 640
/var/log/wazuh-indexer/wazuh-cluster_deprecation.log: 640
/var/log/wazuh-indexer/wazuh-cluster_index_indexing_slowlog.json: 640
/var/log/wazuh-indexer/wazuh-cluster_index_indexing_slowlog.log: 640
/var/log/wazuh-indexer/wazuh-cluster_index_search_slowlog.json: 640
/var/log/wazuh-indexer/wazuh-cluster_index_search_slowlog.log: 640
/var/log/wazuh-indexer/wazuh-cluster.log: 640
/var/log/wazuh-indexer/wazuh-cluster_server.json: 640
/var/log/wazuh-indexer/wazuh-cluster_task_detailslog.json: 640
/var/log/wazuh-indexer/wazuh-cluster_task_detailslog.log: 640
  • Shutdown VM

  • Initialize VM, Access It, and Check that File Permissions have not Changed

[root@centos7 vagrant]# ls -lia /var/log/wazuh-indexer/
total 580
486932 drwxr-x---. 2 wazuh-indexer wazuh-indexer   4096 dic 19 10:55 .
   100 drwxr-xr-x. 9 root          root            4096 dic 19 10:55 ..
179802 -rw-r--r--. 1 wazuh-indexer wazuh-indexer  47294 dic 19 10:56 gc.log
486933 -rw-r--r--. 1 wazuh-indexer wazuh-indexer   2015 dic 19 10:26 gc.log.00
486934 -rw-r--r--. 1 wazuh-indexer wazuh-indexer 115678 dic 19 10:54 gc.log.01
179801 -rw-r--r--. 1 wazuh-indexer wazuh-indexer   2015 dic 19 10:55 gc.log.02
486941 -rw-r-----. 1 wazuh-indexer wazuh-indexer   8095 dic 19 10:56 wazuh-cluster_deprecation.json
486935 -rw-r-----. 1 wazuh-indexer wazuh-indexer   4864 dic 19 10:56 wazuh-cluster_deprecation.log
486939 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 10:26 wazuh-cluster_index_indexing_slowlog.json
486942 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 10:26 wazuh-cluster_index_indexing_slowlog.log
486938 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 10:26 wazuh-cluster_index_search_slowlog.json
486943 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 10:26 wazuh-cluster_index_search_slowlog.log
486937 -rw-r-----. 1 wazuh-indexer wazuh-indexer  96139 dic 19 10:56 wazuh-cluster.log
486940 -rw-r-----. 1 wazuh-indexer wazuh-indexer 211091 dic 19 10:56 wazuh-cluster_server.json
486936 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 10:26 wazuh-cluster_task_detailslog.json
  5344 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 10:26 wazuh-cluster_task_detailslog.log

[root@centos7 vagrant]# stat --format="%n: %a" /var/log/wazuh-indexer/*
/var/log/wazuh-indexer/gc.log: 644
/var/log/wazuh-indexer/gc.log.00: 644
/var/log/wazuh-indexer/gc.log.01: 644
/var/log/wazuh-indexer/gc.log.02: 644
/var/log/wazuh-indexer/wazuh-cluster_deprecation.json: 640
/var/log/wazuh-indexer/wazuh-cluster_deprecation.log: 640
/var/log/wazuh-indexer/wazuh-cluster_index_indexing_slowlog.json: 640
/var/log/wazuh-indexer/wazuh-cluster_index_indexing_slowlog.log: 640
/var/log/wazuh-indexer/wazuh-cluster_index_search_slowlog.json: 640
/var/log/wazuh-indexer/wazuh-cluster_index_search_slowlog.log: 640
/var/log/wazuh-indexer/wazuh-cluster.log: 640
/var/log/wazuh-indexer/wazuh-cluster_server.json: 640
/var/log/wazuh-indexer/wazuh-cluster_task_detailslog.json: 640
/var/log/wazuh-indexer/wazuh-cluster_task_detailslog.log: 640
  • Add Fix
[root@centos7 vagrant]# cat /etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy 
grant {
    permission java.lang.management.ManagementPermission "control";
    permission java.net.SocketPermission "localhost:9600","connect,resolve";
    permission java.lang.RuntimePermission "getClassLoader";
};

grant codebase "file:${java.home}/../lib/tools.jar" {
  permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.attach" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.internal.jvmstat" {
    permission java.security.AllPermission;
};

grant {
    java.lang.RuntimePermission "accessUserInformation";
}; 
  • Shutdown VM, Change Host Date and Start VM

  • Check Permissions

[root@centos7 vagrant]# ls -lia /var/log/wazuh-indexer/
total 376
486932 drwxr-x---. 2 wazuh-indexer wazuh-indexer   4096 dic 21 11:17 .
   100 drwxr-xr-x. 9 root          root            4096 dic 21 11:17 ..
179805 -rw-r--r--. 1 wazuh-indexer wazuh-indexer  40994 dic 21 11:18 gc.log
486933 -rw-r--r--. 1 wazuh-indexer wazuh-indexer   2015 dic 19 10:26 gc.log.00
486934 -rw-r--r--. 1 wazuh-indexer wazuh-indexer 115678 dic 19 10:54 gc.log.01
179801 -rw-r--r--. 1 wazuh-indexer wazuh-indexer   2015 dic 19 10:55 gc.log.02
179802 -rw-r--r--. 1 wazuh-indexer wazuh-indexer  58485 dic 19 10:58 gc.log.03
179804 -rw-r--r--. 1 wazuh-indexer wazuh-indexer   2015 dic 21 11:17 gc.log.04
179807 -rw-r--r--. 1 wazuh-indexer wazuh-indexer  20136 dic 21 11:17 wazuh-cluster-2023-12-19-1.json.gz
   310 -rw-r--r--. 1 wazuh-indexer wazuh-indexer  16533 dic 21 11:17 wazuh-cluster-2023-12-19-1.log.gz
486941 -rw-r-----. 1 wazuh-indexer wazuh-indexer  11910 dic 21 11:17 wazuh-cluster_deprecation.json
486935 -rw-r-----. 1 wazuh-indexer wazuh-indexer   7167 dic 21 11:17 wazuh-cluster_deprecation.log
486939 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 10:26 wazuh-cluster_index_indexing_slowlog.json
486942 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 10:26 wazuh-cluster_index_indexing_slowlog.log
486938 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 10:26 wazuh-cluster_index_search_slowlog.json
486943 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 10:26 wazuh-cluster_index_search_slowlog.log
486940 -rw-r--r--. 1 wazuh-indexer wazuh-indexer  23262 dic 21 11:17 wazuh-cluster.log
179806 -rw-r--r--. 1 wazuh-indexer wazuh-indexer  52032 dic 21 11:17 wazuh-cluster_server.json
486936 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 10:26 wazuh-cluster_task_detailslog.json
  5344 -rw-r-----. 1 wazuh-indexer wazuh-indexer      0 dic 19 10:26 wazuh-cluster_task_detailslog.log

[root@centos7 vagrant]# stat --format="%n: %a" /var/log/wazuh-indexer/*
/var/log/wazuh-indexer/gc.log: 644
/var/log/wazuh-indexer/gc.log.00: 644
/var/log/wazuh-indexer/gc.log.01: 644
/var/log/wazuh-indexer/gc.log.02: 644
/var/log/wazuh-indexer/gc.log.03: 644
/var/log/wazuh-indexer/gc.log.04: 644
/var/log/wazuh-indexer/wazuh-cluster-2023-12-19-1.json.gz: 644
/var/log/wazuh-indexer/wazuh-cluster-2023-12-19-1.log.gz: 644
/var/log/wazuh-indexer/wazuh-cluster_deprecation.json: 640
/var/log/wazuh-indexer/wazuh-cluster_deprecation.log: 640
/var/log/wazuh-indexer/wazuh-cluster_index_indexing_slowlog.json: 640
/var/log/wazuh-indexer/wazuh-cluster_index_indexing_slowlog.log: 640
/var/log/wazuh-indexer/wazuh-cluster_index_search_slowlog.json: 640
/var/log/wazuh-indexer/wazuh-cluster_index_search_slowlog.log: 640
/var/log/wazuh-indexer/wazuh-cluster.log: 644
/var/log/wazuh-indexer/wazuh-cluster_server.json: 644
/var/log/wazuh-indexer/wazuh-cluster_task_detailslog.json: 640
/var/log/wazuh-indexer/wazuh-cluster_task_detailslog.log: 640
  • Check Logs
[root@centos7 vagrant]# /usr/share/wazuh-indexer/bin/opensearch -V
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
WARNING: System::setSecurityManager will be removed in a future release
java.security.policy: error parsing file:/etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy:
        line 5: expected permission entry
Version: 2.10.0, Build: rpm/eee49cb340edc6c4d489bcd9324dda571fc8dc03/2023-09-20T23:54:29.889267151Z, JVM: 17.0.8

[root@centos7 vagrant]# journalctl | grep "ERROR"
dic 21 11:34:47 centos7.localdomain systemd-entrypoint[1092]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
dic 21 11:34:47 centos7.localdomain systemd-entrypoint[1092]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
Test Fix in OpenSearch 2.11.1
  • Install OpenSearch

  • Check Permissions

[root@centos7 vagrant]# ls -l /var/log/opensearch/
total 308
-rw-r--r--. 1 opensearch opensearch 45461 dic 19 12:18 gc.log
-rw-r--r--. 1 opensearch opensearch  2006 dic 19 12:18 gc.log.00
-rw-r--r--. 1 opensearch opensearch  1693 dic 19 12:18 install_demo_configuration.log
-rw-r-----. 1 opensearch opensearch  1243 dic 19 12:18 opensearch_deprecation.json
-rw-r-----. 1 opensearch opensearch   805 dic 19 12:18 opensearch_deprecation.log
-rw-r-----. 1 opensearch opensearch     0 dic 19 12:18 opensearch_index_indexing_slowlog.json
-rw-r-----. 1 opensearch opensearch     0 dic 19 12:18 opensearch_index_indexing_slowlog.log
-rw-r-----. 1 opensearch opensearch     0 dic 19 12:18 opensearch_index_search_slowlog.json
-rw-r-----. 1 opensearch opensearch     0 dic 19 12:18 opensearch_index_search_slowlog.log
-rw-r-----. 1 opensearch opensearch 49258 dic 19 12:18 opensearch.log
-rw-r-----. 1 opensearch opensearch 96224 dic 19 12:18 opensearch_server.json
-rw-r-----. 1 opensearch opensearch     0 dic 19 12:18 opensearch_task_detailslog.json
-rw-r-----. 1 opensearch opensearch     0 dic 19 12:18 opensearch_task_detailslog.log
  • Shutdown VM

  • Initialize VM, Access It, and Check that File Permissions have not Changed

[root@centos7 vagrant]# ls -l /var/log/opensearch/
total 440
-rw-r--r--. 1 opensearch opensearch  45751 dic 19 12:20 gc.log
-rw-r--r--. 1 opensearch opensearch   2006 dic 19 12:18 gc.log.00
-rw-r--r--. 1 opensearch opensearch  53183 dic 19 12:19 gc.log.01
-rw-r--r--. 1 opensearch opensearch   2006 dic 19 12:19 gc.log.02
-rw-r--r--. 1 opensearch opensearch   1693 dic 19 12:18 install_demo_configuration.log
-rw-r-----. 1 opensearch opensearch   2011 dic 19 12:19 opensearch_deprecation.json
-rw-r-----. 1 opensearch opensearch   1339 dic 19 12:19 opensearch_deprecation.log
-rw-r-----. 1 opensearch opensearch      0 dic 19 12:18 opensearch_index_indexing_slowlog.json
-rw-r-----. 1 opensearch opensearch      0 dic 19 12:18 opensearch_index_indexing_slowlog.log
-rw-r-----. 1 opensearch opensearch      0 dic 19 12:18 opensearch_index_search_slowlog.json
-rw-r-----. 1 opensearch opensearch      0 dic 19 12:18 opensearch_index_search_slowlog.log
-rw-r-----. 1 opensearch opensearch  97377 dic 19 12:20 opensearch.log
-rw-r-----. 1 opensearch opensearch 188630 dic 19 12:20 opensearch_server.json
-rw-r-----. 1 opensearch opensearch      0 dic 19 12:18 opensearch_task_detailslog.json
-rw-r-----. 1 opensearch opensearch      0 dic 19 12:18 opensearch_task_detailslog.log
  • Add Fix
[root@centos7 vagrant]# cat /etc/opensearch/opensearch-performance-analyzer/opensearch_security.policy 
grant {
    permission java.lang.management.ManagementPermission "control";
    permission java.net.SocketPermission "localhost:9600","connect,resolve";
    permission java.lang.RuntimePermission "getClassLoader";
};

grant codebase "file:${java.home}/../lib/tools.jar" {
  permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.attach" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.internal.jvmstat" {
    permission java.security.AllPermission;
};

grant {
    java.lang.RuntimePermission "accessUserInformation";
}; 
  • Shutdown VM, Change Host Date and Start VM

  • Check Permissions

[root@centos7 vagrant]# ls -l /var/log/opensearch/
total 452
-rw-r--r--. 1 opensearch opensearch 38175 dic 21 12:23 gc.log
-rw-r--r--. 1 opensearch opensearch  2006 dic 19 12:18 gc.log.00
-rw-r--r--. 1 opensearch opensearch 53183 dic 19 12:19 gc.log.01
-rw-r--r--. 1 opensearch opensearch  2006 dic 19 12:19 gc.log.02
-rw-r--r--. 1 opensearch opensearch 65901 dic 19 12:22 gc.log.03
-rw-r--r--. 1 opensearch opensearch  2006 dic 21 12:22 gc.log.04
-rw-r--r--. 1 opensearch opensearch  1693 dic 19 12:18 install_demo_configuration.log
-rw-r--r--. 1 opensearch opensearch 16756 dic 21 12:22 opensearch-2023-12-19-1.json.gz
-rw-r--r--. 1 opensearch opensearch 15396 dic 21 12:22 opensearch-2023-12-19-1.log.gz
-rw-r-----. 1 opensearch opensearch  2779 dic 21 12:22 opensearch_deprecation.json
-rw-r-----. 1 opensearch opensearch  1873 dic 21 12:22 opensearch_deprecation.log
-rw-r-----. 1 opensearch opensearch     0 dic 19 12:18 opensearch_index_indexing_slowlog.json
-rw-r-----. 1 opensearch opensearch     0 dic 19 12:18 opensearch_index_indexing_slowlog.log
-rw-r-----. 1 opensearch opensearch     0 dic 19 12:18 opensearch_index_search_slowlog.json
-rw-r-----. 1 opensearch opensearch     0 dic 19 12:18 opensearch_index_search_slowlog.log
-rw-r--r--. 1 opensearch opensearch 40525 dic 21 12:22 opensearch.log
-rw-r--r--. 1 opensearch opensearch 76377 dic 21 12:22 opensearch_server.json
-rw-r-----. 1 opensearch opensearch     0 dic 19 12:18 opensearch_task_detailslog.json
-rw-r-----. 1 opensearch opensearch     0 dic 19 12:18 opensearch_task_detailslog.log
  • Check Logs
[root@centos7 vagrant]# journalctl | grep "ERROR"
dic 21 12:22:41 centos7.localdomain systemd-entrypoint[650]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/opensearch/opensearch_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
dic 21 12:22:41 centos7.localdomain systemd-entrypoint[650]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/opensearch/opensearch.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")

Conclusions

The conclusion is that it seems to be an error due to OpenSearch. It appears both when installing Wazuh and when testing OpenSearch in its latest available version. The error is easily reproducible as can be seen in the instructions above. There is currently an open issue (by Wazuh) on OpenSearch that has not yet been answered.

I have spoken with the Indexer Team. It is a known OpenSearch issue. There seems to be nothing we can do about it. With the tests I have done you can see that the fix proposed in the forum does not work either.

@wazuhci wazuhci moved this from In progress to Pending review in Release 4.8.0 Dec 19, 2023
@wazuhci wazuhci moved this from Pending review to In review in Release 4.8.0 Dec 20, 2023
@pro-akim
Member

Review Notes

GJ, very clear explanation.
LGTM

@wazuhci wazuhci moved this from In review to Pending final review in Release 4.8.0 Dec 20, 2023
@davidjiglesias davidjiglesias added the qa_known Issues that are already known by the QA team label Dec 20, 2023
@wazuhci wazuhci moved this from Pending final review to Done in Release 4.8.0 Dec 20, 2023
@andrew-aiken

Ran into the same issue.
I had to add the following lines to the file /usr/share/wazuh-indexer/performance-analyzer-rca/config/opensearch_security.policy

grant {
  permission java.lang.RuntimePermission "accessUserInformation";
};
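An added example, not part of the thread and not Wazuh or OpenSearch code: Java policy syntax requires every entry inside a `grant` block to begin with the keyword `permission`, and the two `accessUserInformation` grants posted in this thread differ in exactly that. The checker below (the name `lint_policy` and the sample text are constructed for illustration) reports entries that lack the keyword, so a policy file can be checked before the service is restarted.

```python
import re

# Constructed sample combining the grant forms that appear in this thread.
SAMPLE_POLICY = '''\
grant {
    permission java.lang.RuntimePermission "getClassLoader";
};

grant codeBase "jrt:/jdk.attach" {
    permission java.security.AllPermission;
};

grant {
    java.lang.RuntimePermission "accessUserInformation";
};
'''

# Matches quoted strings (kept as-is) and // or /* */ comments (blanked out).
_STRING_OR_COMMENT = re.compile(r'"[^"\n]*"|//[^\n]*|/\*.*?\*/', re.S)

def _blank_comments(match):
    text = match.group()
    # Keep newlines so reported line numbers stay accurate.
    return text if text.startswith('"') else '\n' * text.count('\n')

def lint_policy(text):
    """Return [(line_no, entry)] for grant entries not starting with 'permission'."""
    clean = _STRING_OR_COMMENT.sub(_blank_comments, text)
    findings, depth, stmt, start, line = [], 0, '', None, 1
    for m in re.finditer(r'"[^"\n]*"|[{};]|\n|[^"{};\n]+', clean):
        tok = m.group()
        if tok == '\n':
            line += 1
            stmt += ' '          # entries may span several lines
        elif tok in '{}':
            depth += 1 if tok == '{' else -1
            stmt, start = '', None
        elif tok == ';':
            entry = ' '.join(stmt.split())
            # Policy keywords are case-insensitive (codebase / codeBase).
            if depth > 0 and entry and not re.match(r'permission\s', entry, re.I):
                findings.append((start, entry))
            stmt, start = '', None
        elif depth > 0:
            if start is None and tok.strip():
                start = line     # first line of this entry
            stmt += tok
    return findings

if __name__ == '__main__':
    for line_no, entry in lint_policy(SAMPLE_POLICY):
        print(f'line {line_no}: entry lacks "permission" keyword: {entry}')
```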
