Service fails to start, I don't know why

When security is disabled, they are talking via TCP (10. is the remote host sending rsyslog to ELK and 3. is the ELK server):

21:50:01.334042 tun0  Out IP 10.226.28.173.53286 > 3.133.215.55.5044: Flags [S], seq 520455032, win 64800, options [mss 1350,sackOK,TS val 1111856841 ecr 0,nop,wscale 7], length 0
21:50:01.388741 tun0  In  IP 3.133.215.55.5044 > 10.226.28.173.53286: Flags [S.], seq 3257028177, ack 520455033, win 62643, options [mss 1350,sackOK,TS val 3883257497 ecr 1111856841,nop,wscale 7], length 0
21:50:01.388765 tun0  Out IP 10.226.28.173.53286 > 3.133.215.55.5044: Flags [.], ack 1, win 507, options [nop,nop,TS val 1111856896 ecr 3883257497], length 0
21:50:01.388909 tun0  Out IP 10.226.28.173.53286 > 3.133.215.55.5044: Flags [P.], seq 1:111, ack 1, win 507, options [nop,nop,TS val 1111856896 ecr 3883257497], length 110
21:50:01.449930 tun0  In  IP 3.133.215.55.5044 > 10.226.28.173.53286: Flags [.], ack 111, win 489, options [nop,nop,TS val 3883257557 ecr 1111856896], length 0
21:50:01.449944 tun0  Out IP 10.226.28.173.53286 > 3.133.215.55.5044: Flags [P.], seq 111:1112, ack 1, win 507, options [nop,nop,TS val 1111856957 ecr 3883257557], length 1001
21:50:01.466175 tun0  In  IP 3.133.215.55.5044 > 10.226.28.173.53286: Flags [R.], seq 1, ack 111, win 489, options [nop,nop,TS val 3883257575 ecr 1111856896], length 0

But I can't find the remote test host within Kibana. I suspect I need to enable security. I will need to do it eventually anyway. But when I enable security as per:

xpack.security.enabled: true
xpack.security.authc.api_key.enabled: true

systemctl status elasticsearch

× elasticsearch.service - Elasticsearch
     Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Thu 2022-12-08 22:27:24 UTC; 17min ago
       Docs: https://www.elastic.co
    Process: 8565 ExecStart=/usr/share/elasticsearch/bin/systemd-entrypoint -p ${PID_DIR}/elasticsearch.pid --quiet (code=exited, status=1/FAILURE)
   Main PID: 8565 (code=exited, status=1/FAILURE)
        CPU: 5.684s
Dec 08 22:27:24 ip-172-31-35-85 systemd-entrypoint[8565]:      ^
Dec 08 22:27:24 ip-172-31-35-85 systemd-entrypoint[8565]:         at org.yaml.snakeyaml.parser.ParserImpl$ParseBlockMappingKey.produce(ParserImpl.java:679)
Dec 08 22:27:24 ip-172-31-35-85 systemd-entrypoint[8565]:         at org.yaml.snakeyaml.parser.ParserImpl.peekEvent(ParserImpl.java:185)
Dec 08 22:27:24 ip-172-31-35-85 systemd-entrypoint[8565]:         at org.yaml.snakeyaml.parser.ParserImpl.getEvent(ParserImpl.java:195)
Dec 08 22:27:24 ip-172-31-35-85 systemd-entrypoint[8565]:         at com.fasterxml.jackson.dataformat.yaml.YAMLParser.nextToken(YAMLParser.java:355)
Dec 08 22:27:24 ip-172-31-35-85 systemd-entrypoint[8565]:         ... 14 more
Dec 08 22:27:24 ip-172-31-35-85 systemd[1]: elasticsearch.service: Main process exited, code=exited, status=1/FAILURE
Dec 08 22:27:24 ip-172-31-35-85 systemd[1]: elasticsearch.service: Failed with result 'exit-code'.
Dec 08 22:27:24 ip-172-31-35-85 systemd[1]: Failed to start Elasticsearch.
Dec 08 22:27:24 ip-172-31-35-85 systemd[1]: elasticsearch.service: Consumed 5.684s CPU time.

tail -f on the logs shows nothing. Nothing. It's like it crashes before it can write a log.

I did a "chown -R elasticsearch:elasticsearch /usr/share/elasticsearch" but it made no difference.

What else can I try?

Ubuntu 2204, following this tutorial

You need to look into the system logs, probably /var/log/syslog.

But from the snippet of the error you shared, it is probably related to the elasticsearch.yml config file; maybe something is wrong.

Can you share the entire file?

It is mostly stock. Below is the file with the # comments removed, so that only the uncommented lines are shown:

sudo grep -v "#" /etc/elasticsearch/elasticsearch.yml 
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: localhost
 xpack.security.enabled: true
 xpack.security.authc.api_key.enabled: true

There are whitespaces before xpack.security.... You need to remove them. YAML files are indentation sensitive.
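
A pre-restart check for the indentation problem identified in the reply above, as an added example that is not part of the original thread. `check_yaml_indent` is a hypothetical helper name, and the check is a heuristic for `key: value` settings files such as elasticsearch.yml, not a full YAML parser; the sample file is constructed from the lines posted above.

```shell
#!/bin/sh
# Added example, not from the thread. check_yaml_indent is a hypothetical
# helper name; it is a heuristic, not a full YAML parser.
check_yaml_indent() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    {
      body = $0; sub(/^[ \t]+/, "", body)
      indent = length($0) - length(body)
      if (index(substr($0, 1, indent), "\t") > 0) {
        printf "%s:%d: tab in indentation\n", FILENAME, NR; bad = 1; next
      }
      if (!seen) { base = indent }
      # Deeper indentation is valid only directly under a line that opens a
      # nested block ("key:" with no value) or a list item ("- ...").
      if (seen && indent > prev_indent && !prev_opens) {
        printf "%s:%d: unexpected indentation (%d): %s\n", FILENAME, NR, indent, body
        bad = 1; next                            # keep comparing to the last good line
      }
      if (indent < base) {
        printf "%s:%d: indented less than the first setting: %s\n", FILENAME, NR, body
        bad = 1; next
      }
      seen = 1; prev_indent = indent
      prev_opens = (body ~ /:[ \t]*$/ || body ~ /^- /)
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# Constructed sample: the uncommented lines posted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: localhost
 xpack.security.enabled: true
 xpack.security.authc.api_key.enabled: true
EOF
check_yaml_indent "$sample" || echo "fix the lines above before restarting elasticsearch"
```

The function exits non-zero when it flags a line, so it can gate a restart of the service after editing security settings.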
