This article covers how to install Wazuh server on Ubuntu 22.04, 20.04 and 18.04. Wazuh is a free, open-source security monitoring platform: a manager that receives and analyzes events from agents, an indexer that stores the resulting alerts, and a web dashboard for searching them. Wazuh 4.x ships its own indexer and dashboard (forks of OpenSearch and OpenSearch Dashboards; the installer output below names them wazuh-indexer and wazuh-dashboard), while the older manual path later in this article pairs the manager with Elasticsearch and Kibana from Open Distro, i.e. the ELK stack. Wazuh monitors security events at the application and OS level and gives you threat detection, incident response and file integrity monitoring data. In this tutorial we deploy Wazuh on a single Ubuntu host, with all components on the same machine.

You can use Wazuh for the following applications:

  1. Security analysis
  2. Log analysis
  3. Vulnerability detection
  4. Container security
  5. Cloud security

The minimum hardware requirements are as below:

  • 4 GB of RAM
  • 2 CPU cores

Recommended specs are:

  • 16 GB of RAM
  • 8 CPU cores

Step 1: Install Wazuh Server

Install the packages the Wazuh manager installation depends on:

sudo apt update
sudo apt install vim curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2

Option 1: Automated install of Wazuh Server using script

The fastest way to install Wazuh on a single host is the installation assistant script. It detects the OS, checks that the host meets the minimum resource requirements, and installs and wires together all components.

Download the script onto the Ubuntu host that will become the Wazuh server:

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh

Once downloaded, review the script (it runs as root and adds a package repository), then run it with -a, which installs the indexer, manager, Filebeat and dashboard together on this host:

sudo bash ./wazuh-install.sh -a

The installation takes a few minutes. The output ends with a summary that prints the admin credentials:

15/04/2024 11:19:46 INFO: Starting Wazuh installation assistant. Wazuh version: 4.7.3
15/04/2024 11:19:46 INFO: Verbose logging redirected to /var/log/wazuh-install.log
15/04/2024 11:19:53 INFO: Wazuh web interface port will be 443.
15/04/2024 11:19:58 INFO: --- Dependencies ----
15/04/2024 11:19:58 INFO: Installing apt-transport-https.
15/04/2024 11:20:05 INFO: Wazuh repository added.
15/04/2024 11:20:05 INFO: --- Configuration files ---
15/04/2024 11:20:05 INFO: Generating configuration files.
15/04/2024 11:20:07 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
15/04/2024 11:20:07 INFO: --- Wazuh indexer ---
15/04/2024 11:20:07 INFO: Starting Wazuh indexer installation.
15/04/2024 11:21:11 INFO: Wazuh indexer installation finished.
15/04/2024 11:21:11 INFO: Wazuh indexer post-install configuration finished.
15/04/2024 11:21:11 INFO: Starting service wazuh-indexer.
15/04/2024 11:21:29 INFO: wazuh-indexer service started.
15/04/2024 11:21:29 INFO: Initializing Wazuh indexer cluster security settings.
15/04/2024 11:21:39 INFO: Wazuh indexer cluster initialized.
15/04/2024 11:21:39 INFO: --- Wazuh server ---
15/04/2024 11:21:39 INFO: Starting the Wazuh manager installation.
15/04/2024 11:22:40 INFO: Wazuh manager installation finished.
15/04/2024 11:22:40 INFO: Starting service wazuh-manager.
15/04/2024 11:22:56 INFO: wazuh-manager service started.
15/04/2024 11:22:56 INFO: Starting Filebeat installation.
15/04/2024 11:23:04 INFO: Filebeat installation finished.
15/04/2024 11:23:05 INFO: Filebeat post-install configuration finished.
15/04/2024 11:23:05 INFO: Starting service filebeat.
15/04/2024 11:23:06 INFO: filebeat service started.
15/04/2024 11:23:06 INFO: --- Wazuh dashboard ---
15/04/2024 11:23:06 INFO: Starting Wazuh dashboard installation.
15/04/2024 11:24:03 INFO: Wazuh dashboard installation finished.
15/04/2024 11:24:03 INFO: Wazuh dashboard post-install configuration finished.
15/04/2024 11:24:03 INFO: Starting service wazuh-dashboard.
15/04/2024 11:24:04 INFO: wazuh-dashboard service started.
15/04/2024 11:24:33 INFO: Initializing Wazuh dashboard web application.
15/04/2024 11:24:34 INFO: Wazuh dashboard web application initialized.
15/04/2024 11:24:34 INFO: --- Summary ---
15/04/2024 11:24:34 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
    User: admin
    Password: i9d96ly0D9*AObwGdJ7eq07OANoxq?0*
15/04/2024 11:24:34 INFO: Installation finished.

Take note of the access credentials printed in the summary (user admin and the generated password). The same password, together with the cluster key and the certificates, is inside wazuh-install-files.tar in the directory you ran the script from, as the log notes above. Treat that archive as a secret: keep it only where the installer needs it (for adding nodes later), with owner-only permissions, or move it off the host.

Open https://<server-ip> in a web browser. The dashboard listens on 443 with a certificate the installer generated from its own root CA, so the browser shows a trust warning on the first visit.

Enter the admin username and password from the summary.

You should now be in the Wazuh web dashboard.
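A post-install check, added here as an example (it is not part of wazuh-install.sh or of the original article): it confirms that the four units the installer started are active, that the indexer, the Wazuh API and the dashboard answer over TLS, and that wazuh-install-files.tar is not left on the host with group or world access. It assumes the default ports (9200 for the indexer, 55000 for the Wazuh API, 443 for the dashboard) and the CA path /etc/wazuh-indexer/certs/root-ca.pem; the script name and its functions are my own.

```shell
#!/bin/sh
# wazuh-postcheck.sh: verify an all-in-one Wazuh install (added example, not
# part of wazuh-install.sh). Run on the server after the installer finishes:
#   sudo sh wazuh-postcheck.sh run
set -u

# Units the installer log shows it started, in dependency order.
REQUIRED_SERVICES="wazuh-indexer wazuh-manager filebeat wazuh-dashboard"
# Assumed defaults: indexer REST API on 9200, Wazuh API on 55000, dashboard
# on 443, and the root CA wazuh-install.sh generated for the indexer.
INDEXER_URL=${INDEXER_URL:-https://127.0.0.1:9200}
API_URL=${API_URL:-https://127.0.0.1:55000}
DASHBOARD_URL=${DASHBOARD_URL:-https://127.0.0.1:443}
CA_FILE=${CA_FILE:-/etc/wazuh-indexer/certs/root-ca.pem}

# Given space-separated unit names and the matching output of
# `systemctl is-active <names>` (one state per line, same order), print the
# units whose state is anything other than "active". Pure text processing,
# so it can be exercised without systemd.
inactive_services() {
  names=$1; states=$2; i=1
  for name in $names; do
    state=$(printf '%s\n' "$states" | sed -n "${i}p")
    [ "$state" = "active" ] || printf '%s\n' "$name"
    i=$((i + 1))
  done
}

# Decide whether an HTTP status proves a TLS endpoint is up. 401 counts: the
# indexer and the Wazuh API answer 401 to unauthenticated requests, which
# shows they are listening and enforcing authentication. Anything else,
# including curl's "000" for a connection or TLS failure, is a failure.
endpoint_reachable() {
  case $1 in
    200|301|302|401) return 0 ;;
    *) return 1 ;;
  esac
}

# Fetch only the HTTP status code. Verify the chain against the generated CA
# when it is readable; otherwise fall back to -k and say so.
http_status() {
  if [ -r "$CA_FILE" ]; then
    curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 --cacert "$CA_FILE" "$1"
  else
    echo "warning: $CA_FILE not readable, skipping certificate verification" >&2
    curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 -k "$1"
  fi
}

# wazuh-install-files.tar holds the cluster key, certificates and passwords.
# Flag it if it is still on the host with group or world access.
check_install_bundle() {
  bundle=${1:-./wazuh-install-files.tar}
  [ -e "$bundle" ] || return 0
  mode=$(stat -c '%a' "$bundle" 2>/dev/null || echo '?')
  case $mode in
    ?00) echo "info: $bundle present, mode $mode (owner-only)" ;;
    *)   echo "WARN: $bundle is mode $mode; chmod 600 it or move it off the host" ;;
  esac
}

main() {
  rc=0
  states=$(systemctl is-active $REQUIRED_SERVICES)
  down=$(inactive_services "$REQUIRED_SERVICES" "$states")
  if [ -n "$down" ]; then
    echo "FAIL: units not active:" $down
    echo "      inspect with: journalctl -u <unit> -e"
    rc=1
  else
    echo "OK: all units active"
  fi
  for url in "$INDEXER_URL" "$API_URL" "$DASHBOARD_URL"; do
    code=$(http_status "$url")
    if endpoint_reachable "$code"; then
      echo "OK: $url answered HTTP $code"
    else
      echo "FAIL: $url answered HTTP ${code:-none}"
      rc=1
    fi
  done
  check_install_bundle
  return $rc
}

case ${1:-} in
  run) main ;;
esac
```

If every unit is active but an endpoint reports HTTP 000 with the CA file present, the certificate does not cover the address you are connecting to; point INDEXER_URL, API_URL and DASHBOARD_URL at the address the certificates were generated for rather than falling back to -k.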

Option 2: Install Wazuh Server using manual steps (not recommended)

The steps below set up the Wazuh server on Ubuntu component by component. The procedure is long and easy to get wrong, and it pins the stack to Wazuh 4.2.5 with Elasticsearch OSS 7.10.2 and Open Distro for Elasticsearch 1.13, none of which is maintained any more (Open Distro was succeeded by OpenSearch, which Wazuh's own indexer is based on). Use it if you want to understand the individual pieces; for a new deployment prefer Option 1. Two rules matter throughout: component versions must match (the manager version must equal the Wazuh Kibana plugin version, and the plugin must be built for the installed Kibana version), and the commands that follow sudo su - run in a root shell.

1. Add the Wazuh GPG key

curl -fsSL https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/wazuh.gpg

2. Add the Wazuh repository

echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list

3. Update the package index

sudo apt update

4. Install Wazuh Manager

Pin the version to the one the Wazuh Kibana plugin installed later in this guide is built for (4.2.5). An unpinned install pulls the newest 4.x manager, which the 4.2.5 plugin rejects as a version mismatch.

sudo apt install wazuh-manager=4.2.5-1

5. Start and enable service

sudo systemctl daemon-reload
sudo systemctl enable --now wazuh-manager

Check that the Wazuh manager is up and running:

systemctl status wazuh-manager

Install ELK Stack

This path uses Elasticsearch OSS 7.10.2 together with Open Distro for Elasticsearch, which adds the security plugin (TLS, users and roles), alerting and index management that the OSS build lacks. These packages are not in the Wazuh repository added above: the Elastic OSS 7.x and Open Distro APT repositories must be configured first (the Wazuh 4.2 documentation lists them), otherwise apt cannot find the packages below.

sudo apt install elasticsearch-oss opendistroforelasticsearch

Download a custom configuration file for /etc/elasticsearch/elasticsearch.yml as shown below:

sudo curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml

Download the Open Distro security templates that define the Wazuh users and roles. They are loaded into Elasticsearch by securityadmin.sh further below, and Kibana authenticates against them:

sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles.yml

sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles_mapping.yml

sudo curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/internal_users.yml

The templates above add the following users for Kibana:

  1. wazuh_user – for users who need read-only access to the Wazuh Kibana plugin.
  2. wazuh_admin – for users who need administrative privileges.

Two roles give those users their permissions:

  • wazuh_ui_user – grants wazuh_user read access to the Wazuh indices.
  • wazuh_ui_admin – grants wazuh_admin read/write, management and indexing permissions on the Wazuh indices.

Install Certificates

We set up certificates for TLS between the components: the Elasticsearch node, Filebeat on the Wazuh server, and Kibana, all signed by one root CA generated below.

1. Remove demo certs

sudo rm -f /etc/elasticsearch/{esnode-key.pem,esnode.pem,kirk-key.pem,kirk.pem,root-ca.pem}

2. Switch to root and download wazuh-cert-tool.sh together with the all-in-one instances file (the remaining commands in this section run in this root shell, so ~ is /root):

sudo su -
curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
curl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.yml

3. Run the wazuh-cert-tool.sh to create the certificates:

# bash ~/wazuh-cert-tool.sh
02/28/2024 22:43:19 INFO: Configuration file found. Creating certificates...
02/28/2024 22:43:20 INFO: Creating the Elasticsearch certificates...
02/28/2024 22:43:20 INFO: Creating Wazuh server certificates...
02/28/2024 22:43:20 INFO: Creating Kibana certificate...
02/28/2024 22:43:20 INFO: Certificates creation finished. They can be found in ~/certs.

4. Move the Elasticsearch certificates to their corresponding location:

mkdir /etc/elasticsearch/certs/
mv ~/certs/elasticsearch* /etc/elasticsearch/certs/
mv ~/certs/admin* /etc/elasticsearch/certs/
cp ~/certs/root-ca* /etc/elasticsearch/certs/
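Before Elasticsearch starts it is worth checking the certificate set just moved into place. A node certificate that does not chain to root-ca.pem, or a key that belongs to a different certificate, is one cause of the "PKIX path building failed" error from securityadmin.sh that one of the comments below reports, and it is much cheaper to catch here. The script below is an added example (not part of wazuh-cert-tool.sh or the original article); it uses only the openssl command-line tool and assumes the paths created in step 4. Run it again for the Filebeat and Kibana certificates once those are copied into place in the later sections.

```shell
#!/bin/sh
# check-certs.sh: sanity-check a (root CA, certificate, key) set before the
# service that will use it starts (added example, not part of
# wazuh-cert-tool.sh). Usage, as root:
#   sh check-certs.sh /etc/elasticsearch/certs/root-ca.pem \
#      /etc/elasticsearch/certs/elasticsearch.pem \
#      /etc/elasticsearch/certs/elasticsearch-key.pem
set -u

# Does the certificate chain to the given root CA? `openssl verify` failing
# here is the condition behind Java's "PKIX path building failed".
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the private key belong to the certificate? Compare the public key
# embedded in the certificate with the one derived from the private key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the subjectAltName entries one per line, so the names and IPs that
# Filebeat, Kibana and curl will connect to can be checked against them.
cert_sans() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' | sed 's/^ *//'
}

# Run all checks on one set; non-zero on any failure so a wrapper can gate
# `systemctl start elasticsearch` on it.
check_cert_set() {
  ca=$1; cert=$2; key=$3; ok=0
  for f in "$ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; ok=1; }
  done
  [ $ok -eq 0 ] || return 1
  if chains_to_ca "$ca" "$cert"; then
    echo "OK:   $cert chains to $ca"
  else
    echo "FAIL: $cert does not chain to $ca (wrong CA, or demo certs still configured)"
    ok=1
  fi
  if key_matches_cert "$cert" "$key"; then
    echo "OK:   $key matches $cert"
  else
    echo "FAIL: $key does not match $cert"
    ok=1
  fi
  sans=$(cert_sans "$cert")
  if [ -n "$sans" ]; then
    echo "SANs in $cert:"
    printf '%s\n' "$sans" | sed 's/^/      /'
  else
    echo "WARN: $cert has no subjectAltName; hostname verification will fail"
  fi
  return $ok
}

case $# in
  3) check_cert_set "$1" "$2" "$3" ;;
esac
```

The SAN list is what to compare against the addresses in instances.yml and against the hosts Filebeat (filebeat.yml) and Kibana (kibana.yml) are configured to connect to; a certificate that only carries an IP fails verification when a client connects by hostname, and vice versa.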

5. Mitigate the Apache Log4j2 remote code execution vulnerability (CVE-2021-44228)

Add the following JVM option, as recommended in Elastic's advisory ESA-2021-31. It disables Log4j message lookups, the mechanism the exploit abuses; Elastic's advisory notes that the Java Security Manager already blocks code execution inside Elasticsearch and that the option closes the remaining information leak. This is a configuration change only: the bundled Log4j jars stay unpatched, so treat it as a stopgap for this end-of-life stack rather than a fix.

mkdir -p /etc/elasticsearch/jvm.options.d
echo '-Dlog4j2.formatMsgNoLookups=true' > /etc/elasticsearch/jvm.options.d/disabledlog4j.options
chmod 2750 /etc/elasticsearch/jvm.options.d/disabledlog4j.options
chown root:elasticsearch /etc/elasticsearch/jvm.options.d/disabledlog4j.options

6. Enable and start the Elasticsearch service:

systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch

Check the Elasticsearch service status. The JVM can take a while to come up; if the unit fails with a start timeout, read /var/log/elasticsearch/elasticsearch.log for the actual cause before retrying:

systemctl status elasticsearch

Run the Open Distro securityadmin script. It connects to the node over the transport port (9300), authenticates with the admin certificate generated above, and loads the security configuration (users, roles, role mappings and so on) from securityconfig/ into the .opendistro_security index:

export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem

Command execution output:

Open Distro Security Admin v7
Will connect to localhost:9300 ... done
Connected as CN=admin,OU=Docu,O=Wazuh,L=California,C=US
Elasticsearch Version: 7.10.2
Open Distro Security Version: 1.13.1.0
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: elasticsearch
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/
Will update '_doc/config' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
   SUCC: Configuration for 'config' created or updated
Will update '_doc/roles' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update '_doc/rolesmapping' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '_doc/internalusers' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update '_doc/actiongroups' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Will update '_doc/tenants' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/tenants.yml
   SUCC: Configuration for 'tenants' created or updated
Will update '_doc/nodesdn' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' created or updated
Will update '_doc/whitelist' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/whitelist.yml
   SUCC: Configuration for 'whitelist' created or updated
Will update '_doc/audit' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/audit.yml
   SUCC: Configuration for 'audit' created or updated
Done with success

Confirm that Elasticsearch answers over HTTPS. The Open Distro security plugin still carries the default admin:admin credentials at this point, and -k tells curl to skip certificate verification:

curl -XGET https://localhost:9200 -u admin:admin -k

To verify the certificate instead of skipping the check, pass --cacert /etc/elasticsearch/certs/root-ca.pem and connect to a name or IP listed in the certificate (those come from instances.yml). Change the default admin password before this host is reachable from anything other than localhost.

The response should be as follows:

{
  "name" : "node-1",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "42mc1BAjQaOpVo4p3Xz5lA",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "oss",
    "build_type" : "deb",
    "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

Install Filebeat on Ubuntu

Filebeat is used to ship alerts and events from Wazuh server to Elasticsearch.

sudo apt install filebeat

Download the Filebeat configuration file that forwards Wazuh alerts to Elasticsearch:

curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.yml

Download the alerts template with the command below for Elasticsearch:

curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Download the Wazuh Filebeat module:

curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module

Copy the Elasticsearch certificates to /etc/filebeat/certs

mkdir /etc/filebeat/certs
cp ~/certs/root-ca.pem /etc/filebeat/certs/
mv ~/certs/filebeat* /etc/filebeat/certs/

Start and enable Filebeat service

systemctl daemon-reload
systemctl enable --now filebeat

Confirm that Filebeat can reach Elasticsearch over TLS with the certificates just installed:

# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Install Kibana on Ubuntu

Kibana is the web interface that helps us visualize and analyze the events stored in Elasticsearch.

Install Kibana from the Open Distro repository (the same repository the Elasticsearch packages came from):

apt install opendistroforelasticsearch-kibana

Download the Configuration file for Kibana

curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.2/open-distro/kibana/7.x/kibana_all_in_one.yml

Create data directory for Kibana

mkdir /usr/share/kibana/data
chown -R kibana:kibana /usr/share/kibana/data

Install the Wazuh Kibana plugin. The file name encodes the two versions it is built for, Wazuh 4.2.5 and Kibana 7.10.2, and both must match the installed manager and Kibana:

cd /usr/share/kibana
sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.5_7.10.2-1.zip

Sample execution output:

Attempting to transfer from https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.5_7.10.2-1.zip
Transferring 33111704 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Plugin installation complete

Copy the Elasticsearch certificates to /etc/kibana/certs:

mkdir /etc/kibana/certs
cp ~/certs/root-ca.pem /etc/kibana/certs/
mv ~/certs/kibana* /etc/kibana/certs/
chown kibana:kibana /etc/kibana/certs/*

Allow Kibana to bind the privileged port 443 without running as root by granting only the CAP_NET_BIND_SERVICE capability to its Node.js binary:

setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node

Start and enable Kibana service

systemctl daemon-reload
systemctl enable --now kibana

Allow Kibana through the firewall. If agents will report to this host, the manager also needs 1514/tcp (agent events) and 1515/tcp (agent enrollment) open:

sudo ufw allow 443/tcp

You can now access the Wazuh Kibana interface at:

URL: https://<wazuh_server_ip>
user: admin
password: admin

These are the Open Distro default credentials; change them before anyone else can reach the host.

Log in and you can see the metrics Wazuh collects.

Step 2: Configure Wazuh Agents

The Wazuh agent is deployed on endpoint systems such as Windows, Linux and macOS hosts to collect events and security-related data, which it forwards to the Wazuh server for analysis and threat detection. The agent can also analyze logs locally and extract security-relevant information before forwarding it.

You can obtain the commands to run on the agent machine under Wazuh –> Agents.

Choose the “Deploy new agent” option.

In the next section you will choose:

  • OS type and CPU architecture (Intel or ARM)
  • Wazuh server address as deployed in step 1 – the public or private IPv4 address the agent can reach
  • Agent name. Best practice is to use the endpoint's hostname (FQDN)

Next, run the commands shown to install and configure the agent on your endpoint device.

Don't forget to run the commands that start and enable the service.
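The dashboard generates a one-line download-and-install command per endpoint. For Debian/Ubuntu endpoints the same deployment variables can be wrapped in a script that validates its inputs first, so a mistyped manager address or an illegal agent name fails on the spot instead of as a silent enrollment timeout. This is an added example, not the dashboard's generated command or any Wazuh-provided script. It assumes the package URL layout the dashboard shows (https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_<version>-1_<arch>.deb), the agent-name character rules and length limit (my reading of the manager's validation; treat them as assumptions), and that the agent version must not be newer than the manager, so the default here is the 4.7.3 seen in the installer log above.

```shell
#!/bin/sh
# enroll-agent.sh: install and enroll the Wazuh agent on a Debian/Ubuntu
# endpoint (added example; not the command the dashboard generates). Usage:
#   sudo sh enroll-agent.sh install <manager-ipv4> [agent-name] [version]
set -u

# Map `uname -m` to the Debian architecture suffix of the wazuh-agent .deb.
deb_arch() {
  case $1 in
    x86_64)  echo amd64 ;;
    aarch64) echo arm64 ;;
    armv7l)  echo armhf ;;
    i?86)    echo i386 ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# Package URL. The pool path and the "-1" Debian revision follow the URL the
# dashboard prints under "Deploy new agent" (assumed to stay stable).
agent_deb_url() {
  printf 'https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_%s-1_%s.deb\n' "$1" "$2"
}

# Agent name: letters, digits, '.', '-' and '_', 1 to 128 characters (assumed
# limits). An FQDN such as web01.example.com satisfies them.
valid_agent_name() {
  name=$1
  [ -n "$name" ] && [ ${#name} -le 128 ] || return 1
  case $name in
    *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Dotted-quad IPv4 check for the manager address, so a typo fails here rather
# than as a silent enrollment timeout later.
valid_ipv4() {
  ip=$1
  case $ip in *..*|.*|*.) return 1 ;; esac
  oldIFS=$IFS; IFS=.; set -- $ip; IFS=$oldIFS
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

install_agent() {
  manager=${1:?manager address required}
  name=${2:-$(hostname -f 2>/dev/null || hostname)}   # FQDN by default
  version=${3:-4.7.3}                                 # never newer than the manager
  valid_ipv4 "$manager" || { echo "bad manager address: $manager" >&2; return 1; }
  valid_agent_name "$name" || { echo "bad agent name: $name" >&2; return 1; }
  arch=$(deb_arch "$(uname -m)") || return 1
  url=$(agent_deb_url "$version" "$arch")
  pkg="/tmp/${url##*/}"
  curl -fsSL -o "$pkg" "$url" || { echo "download failed: $url" >&2; return 1; }
  # The package's post-install script reads these deployment variables and
  # writes the manager address and the enrollment name into
  # /var/ossec/etc/ossec.conf before the agent first starts.
  WAZUH_MANAGER="$manager" WAZUH_AGENT_NAME="$name" dpkg -i "$pkg" || return 1
  systemctl daemon-reload
  systemctl enable --now wazuh-agent
  /var/ossec/bin/wazuh-control status
}

case ${1:-} in
  install) shift; install_agent "$@" ;;
esac
```

If the manager requires an enrollment password, add WAZUH_REGISTRATION_PASSWORD to the dpkg line. On the manager, sudo /var/ossec/bin/agent_control -lc lists the agents that are currently connected; if the new one is missing, confirm that 1514/tcp and 1515/tcp on the manager are reachable from the endpoint and read /var/ossec/logs/ossec.log on both sides.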

Step 3: Analyze events and logs

Clicking the Home icon takes you to the default dashboard. Choose the agent to review.

On the next screen you can switch between menu sections to analyze and filter events.

With the above steps, we have set up a Wazuh server on Ubuntu. Visit the official Wazuh documentation for a deeper understanding of the Wazuh components and of the configuration and customization options that help secure your infrastructure and services.

Cheers and please check out other interesting articles on the site.

20 COMMENTS

  1. Very nice how-to, but I did run into a problem. At the Kibana install, after I downloaded the config, I ran
    sudo chown -R kibana:kibana /usr/share/kibana/optimize
    I get “chown: cannot access ‘/usr/share/kibana/optimize’: No such file or directory”
    But I think more importantly, when I try to download the plugin with
    cd /usr/share/kibana
    sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.0.4_7.9.1-1.zip
    I get,
    Plugin installation was unsuccessful due to error “No kibana plugins found in archive”
    Any thought on how to get this plugin installed?
    Thanks

  2. For me, “sudo systemctl enable --now elasticsearch” results in:

    Synchronizing state of elasticsearch.service with SysV service script with /lib/systemd/systemd-sysv-install.
    Executing: /lib/systemd/systemd-sysv-install enable elasticsearch
    Job for elasticsearch.service failed because a timeout was exceeded.
    See “systemctl status elasticsearch.service” and “journalctl -xe” for details.

  3. HI,

    I am getting following error

    wazuh@wazuh:/etc/elasticsearch/certs$ sudo systemctl enable --now elasticsearch
    Synchronizing state of elasticsearch.service with SysV service script with /lib/systemd/systemd-sysv-install.
    Executing: /lib/systemd/systemd-sysv-install enable elasticsearch
    Job for elasticsearch.service failed because a timeout was exceeded.
    See “systemctl status elasticsearch.service” and “journalctl -xe” for details.
    wazuh@wazuh:/etc/elasticsearch/certs$ systemctl status elasticsearch.service
    ● elasticsearch.service – Elasticsearch
    Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
    Active: failed (Result: timeout) since Tue 2022-02-15 04:57:03 UTC; 16s ago
    Docs: https://www.elastic.co
    Process: 77555 ExecStart=/usr/share/elasticsearch/bin/systemd-entrypoint -p ${PID_DIR}/elasticsearch.pid --quiet (code=exited, sta>
    Main PID: 77555 (code=exited, status=143)

    Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:161)
    Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareComm>
    Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127)
    Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: at org.elasticsearch.cli.Command.main(Command.java:90)
    Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126)
    Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92)
    Feb 15 04:55:57 wazuh systemd-entrypoint[77555]: For complete error details, refer to the log at /var/log/elasticsearch/elasticsearch.>
    Feb 15 04:57:03 wazuh systemd[1]: elasticsearch.service: start operation timed out. Terminating.
    Feb 15 04:57:03 wazuh systemd[1]: elasticsearch.service: Failed with result ‘timeout’.
    Feb 15 04:57:03 wazuh systemd[1]: Failed to start Elasticsearch.

  4. Hi,

    I am getting following error

    wazuhadmin@wazuh:/home$ sudo mkdir /etc/elasticsearch/certs && cd /etc/elasticsearch/certs
    bash: cd: /etc/elasticsearch/certs: Permission denied
    wazuhadmn@wazuh:/home$

    Thank you

    • Most likely Elasticsearch is not running:
      sudo systemctl status elasticsearch
      If it shows inactive or an error, then:
      sudo systemctl restart elasticsearch
      After that you will be able to access the web interface.
      Regards

  5. I get this error: INFO: Checking API host id [default]…
    INFO: Could not connect to API id [default]: 3099 – ERROR3099 – Invalid credentials

  6. I get to:
    Run the Elasticsearch securityadmin script to load the new certificates information and start the cluster:

    export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem

    And get:
    Open Distro Security Admin v7
    Will connect to localhost:9300 … done
    18:49:26.405 [elasticsearch[_client_][transport_worker][T#1]] ERROR com.amazon.opendistroforelasticsearch.security.ssl.transport.OpenDistroSecuritySSLNettyTransport – Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:369) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:312) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:307) ~[?:?]
    at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357) ~[?:?]
    at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) ~[?:?]
    at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) ~[?:?]
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) ~[?:?]
    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1267) ~[?:?]
    at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1254) ~[?:?]
    at java.security.AccessController.doPrivileged(AccessController.java:691) ~[?:?]
    at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1199) ~[?:?]
    at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1542) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1556) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1440) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) ~[netty-codec-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) ~[netty-codec-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) ~[netty-codec-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [netty-common-4.1.49.Final.jar:4.1.49.Final]
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.49.Final.jar:4.1.49.Final]
    at java.lang.Thread.run(Thread.java:832) [?:?]
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) ~[?:?]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[?:?]
    at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144) ~[?:?]
    at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335) ~[?:?]
    … 31 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?]
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:?]
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[?:?]
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ~[?:?]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[?:?]
    at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144) ~[?:?]
    at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335) ~[?:?]
    … 31 more
    ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information
    Trace:
    NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{-efRmOx6SQmGbg5Z3hRirA}{localhost}{127.0.0.1:9300}]]
    at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:352)
    at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:248)
    at org.elasticsearch.client.transport.TransportProxyClient.execute(TransportProxyClient.java:57)
    at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:391)
    at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:412)
    at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:401)
    at com.amazon.opendistroforelasticsearch.security.tools.OpenDistroSecurityAdmin.execute(OpenDistroSecurityAdmin.java:524)
    at com.amazon.opendistroforelasticsearch.security.tools.OpenDistroSecurityAdmin.main(OpenDistroSecurityAdmin.java:157)

  7. I am also getting an error when trying to start elastic search daemon. I never liked elastic search, it is a pain to get it up and running no matter in what format.

    × elasticsearch.service – Elasticsearch
    Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; preset:
    enabled)
    Active: failed (Result: timeout) since Sat 2024-04-13 15:14:09 CEST; 16s ago
    Docs: https://www.elastic.co
    Process: 1339431 ExecStart=/usr/share/elasticsearch/bin/systemd-entrypoint -p ${PID_DIR}/elasticsearch.pid --quiet (code=exited, status=143)
    Main PID: 1339431 (code=exited, status=143)
    CPU: 30.801s

    Apr 13 15:13:02 systemd-entrypoint[1339431]: at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
    Apr 13 15:13:02 systemd-entrypoint[1339431]: at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127)
    Apr 13 15:13:02 systemd-entrypoint[1339431]: at org.elasticsearch.cli.Command.main(Command.java:90)
    Apr 13 15:13:02 systemd-entrypoint[1339431]: at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126)
    Apr 13 15:13:02 systemd-entrypoint[1339431]: at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92)
    Apr 13 15:13:02 systemd-entrypoint[1339431]: For complete error details, refer to the log at /var/log/elasticsearch/elasticsearch.log
    Apr 13 15:14:09 systemd[1]: elasticsearch.service: start operation timed out. Terminating.
    Apr 13 15:14:09 systemd[1]: elasticsearch.service: Failed with result ‘timeout’.
    Apr 13 15:14:09 systemd[1]: Failed to start elasticsearch.service – Elasticsearch.
    Apr 13 15:14:09 systemd[1]: elasticsearch.service: Consumed 30.801s CPU time.
