The ElasticSearch cluster isn’t in a good state
Last Modified: 2023-04-13 18:52:51 Etc/GMT
Technical Articles ID: KB94893
Environment
SIEM Enterprise Log Search (ELS) 11.5.x, 11.4.x
Problem
Sometimes the ELS shows a red flag and displays the following error message: This error message indicates that there are insufficient resources to start the ELS configuration that you've applied. Typical reasons for the issue include:
Solution
Not enough disk space:
If the issue is inadequate disk space, you see the alerts below before the error message is displayed:
Healthmon: V=1, AID=53, S=2, MSG='The partition is at least 100% full.'
Other symptoms include:
The storage has run out of space, which corrupts the node and is unrecoverable. To avoid this issue in the future, add more space to the storage device. To get the system working again, delete all current data using the following command:
Insufficient RAM:
If the issue is insufficient RAM, you see entries similar to those shown below in
To resolve this issue, either reduce the storage space allocated to the ELS or adjust the RAM configuration. If the RAM configuration hasn't been tuned before, follow the steps below to tune it:
For example:
Based on the following cluster.json file:

{
  "indexerInstances": 1,
  "name": "siem-es-cluster-0",
  "nodes": [
    { "heap": 1, "httpPort": 9200, "mode": "MD", "name": "node-0", "processors": 1, "transportPort": 9300 },
    { "heap": 1, "httpPort": 9201, "mode": "MD", "name": "node-1", "processors": 1, "transportPort": 9301 },
    { "heap": 1, "httpPort": 9202, "mode": "MD", "name": "node-2", "processors": 1, "transportPort": 9302 }
  ]
}

And 16GB total RAM:

16GB * 0.6 = 9.2GB
9.2GB / 3 nodes = 3.066 GB/node

So the heap value is 3 (rounded down to a whole number of GB). The resulting configuration file is now:

{
  "indexerInstances": 1,
  "name": "siem-es-cluster-0",
  "nodes": [
    { "heap": 3, "httpPort": 9200, "mode": "MD", "name": "node-0", "processors": 1, "transportPort": 9300 },
    { "heap": 3, "httpPort": 9201, "mode": "MD", "name": "node-1", "processors": 1, "transportPort": 9301 },
    { "heap": 3, "httpPort": 9202, "mode": "MD", "name": "node-2", "processors": 1, "transportPort": 9302 }
  ]
}

After the configuration file has been updated, restart the ELS services with the following command:
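As an added example (not part of this KB article or of Trellix's own tooling), the following Python script applies the sizing rule above to a cluster.json of the shape shown, and also checks an existing file's heap values against the 60% RAM budget before it is applied. The sample JSON, the function names and the 1 GB minimum heap are constructed for illustration.

```python
import json
import math

# Constructed sample in the shape of the article's cluster.json: three nodes, 1 GB heap each.
SAMPLE_CLUSTER_JSON = """{
  "indexerInstances": 1,
  "name": "siem-es-cluster-0",
  "nodes": [
    {"heap": 1, "httpPort": 9200, "mode": "MD", "name": "node-0", "processors": 1, "transportPort": 9300},
    {"heap": 1, "httpPort": 9201, "mode": "MD", "name": "node-1", "processors": 1, "transportPort": 9301},
    {"heap": 1, "httpPort": 9202, "mode": "MD", "name": "node-2", "processors": 1, "transportPort": 9302}
  ]
}"""

HEAP_BUDGET_FRACTION = 0.6  # the article's rule: heap across all nodes = 60% of total RAM


def heap_per_node_gb(total_ram_gb, node_count):
    """Whole-GB heap per node: floor(total_ram * 0.6 / nodes), never below 1 GB (assumed floor)."""
    if node_count < 1:
        raise ValueError("cluster.json lists no nodes")
    return max(1, math.floor(total_ram_gb * HEAP_BUDGET_FRACTION / node_count))


def check_heap_budget(cluster_text, total_ram_gb):
    """Pre-flight check on an existing cluster.json.

    Returns (configured_total_heap_gb, budget_gb, within_budget). A configured total
    above the budget leaves too little RAM for the rest of the appliance, so the
    file should be re-tuned before the ELS services are restarted with it.
    """
    cluster = json.loads(cluster_text)
    configured = sum(int(node["heap"]) for node in cluster["nodes"])
    budget = total_ram_gb * HEAP_BUDGET_FRACTION
    return configured, budget, configured <= budget


def tune_heap(cluster_text, total_ram_gb):
    """Return the cluster.json content (as a dict) with every node's heap set by the formula."""
    cluster = json.loads(cluster_text)
    heap = heap_per_node_gb(total_ram_gb, len(cluster["nodes"]))
    for node in cluster["nodes"]:
        node["heap"] = heap
    return cluster


if __name__ == "__main__":
    # 16 GB appliance, three nodes: each node gets floor(16 * 0.6 / 3) = 3 GB, as in the article.
    print(json.dumps(tune_heap(SAMPLE_CLUSTER_JSON, 16), indent=2))
```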