Log4j errors when starting ES

Elastic Stack Elasticsearch
1

Hello, I am installing the new ES and i keep recieving these errors on start.
main ERROR Null object returned for RollingFile in Appenders.

Oct 31 19:01:40 elasticsearch[18779]: 2016-10-31 19:01:40,165 main ERROR Null object returned for RollingFile in Appenders.
Oct 31 19:01:40 elasticsearch[18779]: 2016-10-31 19:01:40,165 main ERROR Null object returned for RollingFile in Appenders.
Oct 31 19:01:40 elasticsearch[18779]: 2016-10-31 19:01:40,166 main ERROR Unable to locate appender "index_indexing_slowlog_rolling" for logger config "index.indexing.slowlog.index"
Oct 31 19:01:40 elasticsearch[18779]: 2016-10-31 19:01:40,166 main ERROR Unable to locate appender "audit_rolling" for logger config "org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail"
Oct 31 19:01:40 elasticsearch[18779]: 2016-10-31 19:01:40,166 main ERROR Unable to locate appender "index_search_slowlog_rolling" for logger config "index.search.slowlog"

1 Like
2

How did you install ES and how did you start it? If you used the rpm or deb make sure you use systemd or the init script or you might end up with weird, weird, paths breaking things.

3

i used the RPM. Service elasticsearch start was what i ran

4

Weird! Can you make a gist of find /usr/share/elasticsearch and find /etc/elasticsearch ?

5

I have the exact same error (after wiping my virtual board clean and starting over with ver 5)

If I comment out this line from my elasticsearch.yml file
: action.auto_create_index: .security,.monitoring*,.watches,.triggered_watches,.watcher-history*

Then my elasticsearch daemon starts just fine. I have a feeling the X-pack instructions are missing something. Page I'm talking about here: https://www.elastic.co/guide/en/x-pack/5.0/installing-xpack.html Step 3.

6

How would you like me to send the findings of each? They are pretty big to paste here.

7

I tried this and still the same issue.

8

Weird.. that solved mine. Although I have something else going on now that I'll start a new thread on.

9

OK I lied.. this error returns but only after I try hitting the web interface once. Then it kills the ES process.

10

Since my error mimics teh OP's I think it'd be best to keep the info close by. Here's a tail of journalctl -f when i start elasticsearch. It's wordy so be warned.

http://pastebin.com/G1siCD1Z

11

your issue looks like a permission issue for the file path /var/log/eleasticsearch/gntc_elk.log

2 Likes
12

I did just find that typo. blasted fat fingers I fixed that, stopped then restarted ES to no avail. Different error now though so maybe OP typo'd the yml.

13

Maybe you can share the output as a gist or pastebin? Also, can you provide your elasticsearch.yml (stripping any sensitive info) and any modifications made to the logging file?

14

http://pastebin.com/naaKFhzW

http://pastebin.com/E6L1sVBe

15

http://pastebin.com/CPfXB74X

16

Do you have x-pack installed? The original output included x-pack items but that is nowhere to be found in the information you've provided.

Also, it appears that there is both /etc/elasticsearch and /usr/share/elasticsearch/config. Which file are you editing? Did you install different ways or copy files around?

17

Actually I did install X-Pack as per the instructions. And yeah I just copied teh confg files I have to make sure they're both in teh same location.

18

i made some progress but now my issue is this .

node validation exception
bootstrap checks failed
max virtual memory areas vm.max_map_count [65530] likely too low, increase to at least [262144]

19

I made the change to sysconfig file and restarted but still same issue

20

What OS are you using? What did you put in the sysctl.conf file? Did you try sysctl -w vm.max_map_count=262144 and then starting elasticsearch?