I've exhausted nearly all forms of documentation and forum searches, and I've yet to be able to get elasticsearch to work outside of local settings.
For some background: I need elasticsearch to be able to communicate with Grafana, which will need to carry over the logs for the Wazuh App for Kibana. I'm using a distributed setup with Wazuh, so the wazuh manager is its own server apart from the rest.
Regardless of the yml/java bootstrap settings I put in place, and regardless of my assigning the ELK instance's public IP to 'network.host' and 'cluster.initial_master_nodes', it can't bind to this address. Using the private IP is out of the question, especially if it's to be able to talk with the grafana server on a different subnet. See the errors below:
```
[2020-06-25T20:00:32,609][INFO ][o.e.p.PluginsService ] [wazuh-log-vizualizer] loaded module [x-pack-watcher]
[2020-06-25T20:00:32,609][INFO ][o.e.p.PluginsService ] [wazuh-log-vizualizer] no plugins loaded
[2020-06-25T20:00:32,675][INFO ][o.e.e.NodeEnvironment ] [wazuh-log-vizualizer] using [1] data paths, mounts [[/ (/dev/nvme0n1p1)]], net usable_space [1.5gb], net total_space [7.6gb], types [ext4]
[2020-06-25T20:00:32,676][INFO ][o.e.e.NodeEnvironment ] [wazuh-log-vizualizer] heap size [4gb], compressed ordinary object pointers [true]
[2020-06-25T20:00:32,882][INFO ][o.e.n.Node ] [wazuh-log-vizualizer] node name [wazuh-log-vizualizer], node ID [MlirIa3rSQWsPxo5rReRSw], cluster name [elasticsearch]
[2020-06-25T20:00:36,455][ERROR][o.e.b.Bootstrap ] [wazuh-log-vizualizer] Exception
java.lang.IllegalArgumentException: unknown setting [cluster.initial master nodes] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
```
AND
```
[2020-06-26T15:13:00,968][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [wazuh-log-vizualizer] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: BindTransportException[Failed to bind to 3.x.x.x:[9300-9400]]; nested: BindException[Cannot assign requested address];
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:174) ~[elasticsearch-7.8.0.jar:7.8.0]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:161) ~[elasticsearch-7.8.0.jar:7.8.0]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-7.8.0.jar:7.8.0]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127) ~[elasticsearch-cli-7.8.0.jar:7.8.0]
at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-7.8.0.jar:7.8.0]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126) ~[elasticsearch-7.8.0.jar:7.8.0]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-7.8.0.jar:7.8.0]
Caused by: org.elasticsearch.transport.BindTransportException: Failed to bind to 3.x.x.x:[9300-9400]
```
If anyone can give any insight, I'd be hugely grateful.
Please format your code, logs or configuration files using </> icon as explained in this guide and not the citation button. It will make your post more readable.
Or use markdown style like:
```
CODE
```
This is the icon to use if you are not using markdown format:
There's a live preview panel for exactly this reason.
Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of badly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.
Here I think this message says it all:
```
[2020-06-25T20:00:36,455][ERROR][o.e.b.Bootstrap ] [wazuh-log-vizualizer] Exception
java.lang.IllegalArgumentException: unknown setting [cluster.initial master nodes] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
```
`cluster.initial master nodes` is not a known setting. Did you set `cluster.initial_master_nodes` or `cluster.initial master nodes`?
Could you share your full and correctly formatted elasticsearch.yml file?
As for cluster.initial master nodes, neither formatting works for me.
EDIT: The above, meaning, that cluster.initial_master_nodes with underscores appears to work, where the spaces do not. Regardless, the IP can't be bound.
Yes it is, and that's why this was such a big mystery/headache for me; I didn't read any documentation about public IPs being unusable in this way.
Since my asking this question however, I gave up on using the public IP, and went with the private IP instead. It's now booting like it should be without using the loopback address. This is do-able, because both my elasticstack server and my (Wazuh) application server are in the same VPC.
My current issue now is in getting Wazuh logs on my Wazuh manager over to the elasticstack server, using filebeat, for browsing over the Wazuh Kibana app. I've sought assistance from Wazuh support on this part, as I don't believe the issue lies with filebeat or elasticsearch at this point. I can sift through just about every other feature/metric except for the logs themselves.
I was able to get the issue above (my ultimate goal), sorted out. Thanks for responding to my questions - I appreciate it.
If there are any insights you may have on why a public IP address for elasticsearch wouldn't bind in this way (an EIP issued by AWS), I'd be happy to hear it.
The stack server itself is reachable only through a bastion proxy. Kibana utilizes this IP for access to its web ui.
Ifconfig doesn't list the public IP in its details, however, the address is bound to the network card device. This is an aws instance in a VPC on a public subnet, so I don't think there should be any reason why it isn't possible to use it.
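Added example, not part of the thread: on AWS an Elastic IP is mapped to the instance by NAT and is not configured on the instance's own interface, which is consistent with ifconfig not listing it and with `BindException[Cannot assign requested address]` in the log above. The Python sketch below probes whether a `network.host` value is locally bindable; the helper names `probe_bind` and `review_network_host`, and the address 203.0.113.10 (a documentation address standing in for the redacted 3.x.x.x), are assumptions made for illustration.

```python
import errno
import socket


def probe_bind(address, port=0):
    """Try to bind a TCP socket to `address`; return (ok, errno_name)."""
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.bind((address, port))  # port 0: the kernel picks a free port
        return True, None
    except OSError as exc:
        return False, errno.errorcode.get(exc.errno, str(exc.errno))


def review_network_host(settings):
    """Say whether the network.host value can be bound on this machine."""
    host = settings.get("network.host", "_local_")
    # Values such as _local_ or _site_ are resolved by Elasticsearch itself.
    if host.startswith("_") and host.endswith("_"):
        return f"{host}: special value resolved by Elasticsearch, not probed"
    ok, err = probe_bind(host)
    if ok:
        return f"{host}: bindable on this machine"
    if err == "EADDRNOTAVAIL":
        # Same condition the JVM reports as "Cannot assign requested address".
        return (f"{host}: not configured on any local interface; bind to the "
                "private address and use network.publish_host only if peers "
                "must be told a different address")
    return f"{host}: bind failed with {err}"


if __name__ == "__main__":
    # Constructed sample settings, not the poster's elasticsearch.yml.
    for sample in ({"network.host": "203.0.113.10"},
                   {"network.host": "0.0.0.0"},
                   {"network.host": "_site_"}):
        print(review_network_host(sample))
```

Binding to the private address, as the poster ended up doing, also keeps ports 9200 and 9300 off the public interface, leaving exposure to be decided by security groups and the bastion rather than by the Elasticsearch bind address.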