OpenSearch modifies log files permissions #2139
Comments
Log4j handles the rotation of logs. The files are created using the permission inherited by the user running the process. In this case, systemd. The permissions are calculated using the umask. The unit file
Brief testing has proven that the umask directive makes log4j use the correct permissions to create the log files, solving the error without further changes. We should include this in our systemd unit file to solve the issue.
Update report
I did some tests with the proposed change here in the file:
[Unit]
Description=Wazuh-indexer
Documentation=https://documentation.wazuh.com
Wants=network-online.target
After=network-online.target
[Service]
Type=notify
RuntimeDirectory=wazuh-indexer
PrivateTmp=yes
Environment=OPENSEARCH_HOME=/usr/share/wazuh-indexer
Environment=OPENSEARCH_PATH_CONF=/etc/wazuh-indexer
Environment=PID_DIR=/run/wazuh-indexer
Environment=OPENSEARCH_SD_NOTIFY=true
EnvironmentFile=-/etc/sysconfig/wazuh-indexer
WorkingDirectory=/usr/share/wazuh-indexer
User=wazuh-indexer
Group=wazuh-indexer
UMask=0027
...
I built a package with this change and performed the tests as indicated in the issue header and I was able to validate that the permissions were not modified after rotating the logs, they remained at
[root@centos7-1 ~]# ls -la /var/log/wazuh-indexer/
total 236
drwxr-x---. 2 wazuh-indexer wazuh-indexer 4096 Aug 18 11:26 .
drwxr-xr-x. 11 root root 4096 Aug 18 11:29 ..
-rw-r-----. 1 wazuh-indexer wazuh-indexer 45922 Aug 18 11:32 gc.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 2012 Aug 18 11:26 gc.log.00
-rw-r-----. 1 wazuh-indexer wazuh-indexer 2358 Aug 18 11:31 wazuh-cluster_deprecation.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 1374 Aug 18 11:31 wazuh-cluster_deprecation.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 18 11:26 wazuh-cluster_index_indexing_slowlog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 18 11:26 wazuh-cluster_index_indexing_slowlog.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 18 11:26 wazuh-cluster_index_search_slowlog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 18 11:26 wazuh-cluster_index_search_slowlog.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 40036 Aug 18 11:31 wazuh-cluster.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 85085 Aug 18 11:31 wazuh-cluster_server.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 18 11:26 wazuh-cluster_task_detailslog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 18 11:26 wazuh-cluster_task_detailslog.log
[root@centos7-1 ~]# date
Fri Aug 18 11:34:16 UTC 2023
[root@centos7-1 ~]# poweroff
Connection to 127.0.0.1 closed by remote host.
cbordon@cbordon-MS-7C88:~/Documents/wazuh/local-test/vagrant-tests/centos/7$ vagrant up && vagrant ssh
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Checking if box 'centos/7' version '2004.01' is up to date...
==> default: Clearing any previously set forwarded ports...
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
default: Adapter 1: nat
default: Adapter 2: hostonly
==> default: Forwarding ports...
default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Running 'pre-boot' VM customizations...
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
default: SSH address: 127.0.0.1:2222
default: SSH username: vagrant
default: SSH auth method: private key
==> default: Machine booted and ready!
==> default: Checking for guest additions in VM...
default: No guest additions were detected on the base box for this VM! Guest
default: additions are required for forwarded ports, shared folders, host only
default: networking, and more. If SSH fails on this machine, please install
default: the guest additions and repackage the box to continue.
default:
default: This is not an error message; everything may continue to work properly,
default: in which case you may ignore this message.
==> default: Setting hostname...
==> default: Configuring and enabling network interfaces...
==> default: Rsyncing folder: /home/cbordon/Documents/wazuh/local-test/vagrant-tests/centos/7/ => /vagrant
==> default: Machine already provisioned. Run `vagrant provision` or use the `--provision`
==> default: flag to force provisioning. Provisioners marked to run always will still run.
Last login: Fri Aug 18 11:05:30 2023 from 10.0.2.2
[vagrant@centos7-1 ~]$ sudo su -
Last login: Fri Aug 18 11:22:39 UTC 2023 on pts/0
[root@centos7-1 ~]# ls -la /var/log/wazuh-indexer/
total 432
drwxr-x---. 2 wazuh-indexer wazuh-indexer 4096 Aug 18 11:34 .
drwxr-xr-x. 11 root root 4096 Aug 18 11:34 ..
-rw-r-----. 1 wazuh-indexer wazuh-indexer 30174 Aug 18 11:35 gc.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 2012 Aug 18 11:26 gc.log.00
-rw-r-----. 1 wazuh-indexer wazuh-indexer 53312 Aug 18 11:34 gc.log.01
-rw-r-----. 1 wazuh-indexer wazuh-indexer 2012 Aug 18 11:34 gc.log.02
-rw-r-----. 1 wazuh-indexer wazuh-indexer 3803 Aug 18 11:34 wazuh-cluster_deprecation.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 2249 Aug 18 11:34 wazuh-cluster_deprecation.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 18 11:26 wazuh-cluster_index_indexing_slowlog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 18 11:26 wazuh-cluster_index_indexing_slowlog.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 18 11:26 wazuh-cluster_index_search_slowlog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 18 11:26 wazuh-cluster_index_search_slowlog.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 66481 Aug 18 11:35 wazuh-cluster.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 135747 Aug 18 11:35 wazuh-cluster_server.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 18 11:26 wazuh-cluster_task_detailslog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 18 11:26 wazuh-cluster_task_detailslog.log
[root@centos7-1 ~]# date
Fri Aug 18 11:35:05 UTC 2023
[root@centos7-1 ~]# poweroff
cbordon@cbordon-MS-7C88:~/Documents/wazuh/local-test/vagrant-tests/centos/7$ date
sáb 19 ago 2023 08:37:26 -03
Last login: Fri Aug 18 11:35:01 UTC 2023 on pts/0
[root@centos7-1 ~]# ls -la /var/log/wazuh-indexer/
total 276
drwxr-x---. 2 wazuh-indexer wazuh-indexer 4096 Aug 19 2023 .
drwxr-xr-x. 11 root root 4096 Aug 19 2023 ..
-rw-r-----. 1 wazuh-indexer wazuh-indexer 30336 Aug 18 11:38 gc.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 2012 Aug 18 11:26 gc.log.00
-rw-r-----. 1 wazuh-indexer wazuh-indexer 53312 Aug 18 11:34 gc.log.01
-rw-r-----. 1 wazuh-indexer wazuh-indexer 2012 Aug 18 11:34 gc.log.02
-rw-r-----. 1 wazuh-indexer wazuh-indexer 31769 Aug 18 11:35 gc.log.03
-rw-r-----. 1 wazuh-indexer wazuh-indexer 2012 Aug 19 2023 gc.log.04
-rw-r-----. 1 wazuh-indexer wazuh-indexer 15078 Aug 19 2023 wazuh-cluster-2023-08-18-1.json.gz
-rw-r-----. 1 wazuh-indexer wazuh-indexer 13656 Aug 19 2023 wazuh-cluster-2023-08-18-1.log.gz
-rw-r-----. 1 wazuh-indexer wazuh-indexer 5248 Aug 18 11:38 wazuh-cluster_deprecation.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 3124 Aug 18 11:38 wazuh-cluster_deprecation.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 18 11:26 wazuh-cluster_index_indexing_slowlog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 18 11:26 wazuh-cluster_index_indexing_slowlog.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 18 11:26 wazuh-cluster_index_search_slowlog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 18 11:26 wazuh-cluster_index_search_slowlog.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 29515 Aug 18 11:38 wazuh-cluster.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 58354 Aug 18 11:38 wazuh-cluster_server.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 18 11:26 wazuh-cluster_task_detailslog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 18 11:26 wazuh-cluster_task_detailslog.log
[root@centos7-1 ~]# date
Fri Aug 18 11:38:17 UTC 2023
Update report:
I was validating the logs after the correction. However, now that the file permissions are correct, the error in the logs continues to appear at each VM restart. I am analyzing what type of permission can fail, possibly the user, and I continue investigating.
[root@centos7-1 ~]# ls -la /var/log/wazuh-indexer/
total 736
drwxr-x---. 2 wazuh-indexer wazuh-indexer 4096 Aug 23 2023 .
drwxr-xr-x. 11 root root 4096 Aug 23 2023 ..
-rw-r-----. 1 wazuh-indexer wazuh-indexer 97072 Aug 22 20:41 gc.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 2012 Aug 22 17:52 gc.log.00
-rw-r-----. 1 wazuh-indexer wazuh-indexer 50667 Aug 22 17:58 gc.log.01
-rw-r-----. 1 wazuh-indexer wazuh-indexer 2012 Aug 22 17:58 gc.log.02
-rw-r-----. 1 wazuh-indexer wazuh-indexer 39777 Aug 22 17:59 gc.log.03
-rw-r-----. 1 wazuh-indexer wazuh-indexer 2012 Aug 23 2023 gc.log.04
-rw-r-----. 1 wazuh-indexer wazuh-indexer 120095 Aug 22 19:25 gc.log.05
-rw-r-----. 1 wazuh-indexer wazuh-indexer 2012 Aug 23 2023 gc.log.06
-rw-r-----. 1 wazuh-indexer wazuh-indexer 97911 Aug 22 19:57 gc.log.07
-rw-r--r--. 1 root root 2012 Aug 22 19:56 gc.log.08
-rw-r--r--. 1 root root 2333 Aug 22 19:56 gc.log.09
-rw-r-----. 1 wazuh-indexer wazuh-indexer 2012 Aug 22 19:57 gc.log.10
-rw-r-----. 1 wazuh-indexer wazuh-indexer 35022 Aug 22 19:58 gc.log.11
-rw-r-----. 1 wazuh-indexer wazuh-indexer 2012 Aug 23 2023 gc.log.12
-rw-r-----. 1 wazuh-indexer wazuh-indexer 14448 Aug 23 2023 wazuh-cluster-2023-08-22-1.json.gz
-rw-r-----. 1 wazuh-indexer wazuh-indexer 13061 Aug 23 2023 wazuh-cluster-2023-08-22-1.log.gz
-rw-r-----. 1 wazuh-indexer wazuh-indexer 7624 Aug 23 2023 wazuh-cluster-2023-08-22-2.json.gz
-rw-r-----. 1 wazuh-indexer wazuh-indexer 7083 Aug 23 2023 wazuh-cluster-2023-08-22-2.log.gz
-rw-r-----. 1 wazuh-indexer wazuh-indexer 13587 Aug 23 2023 wazuh-cluster-2023-08-22-3.json.gz
-rw-r-----. 1 wazuh-indexer wazuh-indexer 8375 Aug 23 2023 wazuh-cluster-2023-08-22-3.log.gz
-rw-r-----. 1 wazuh-indexer wazuh-indexer 11375 Aug 22 20:00 wazuh-cluster_deprecation.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 6713 Aug 22 20:00 wazuh-cluster_deprecation.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 22 17:52 wazuh-cluster_index_indexing_slowlog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 22 17:52 wazuh-cluster_index_indexing_slowlog.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 22 17:52 wazuh-cluster_index_search_slowlog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 22 17:52 wazuh-cluster_index_search_slowlog.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 32269 Aug 22 20:40 wazuh-cluster.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 65654 Aug 22 20:40 wazuh-cluster_server.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 22 17:52 wazuh-cluster_task_detailslog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 22 17:52 wazuh-cluster_task_detailslog.log
[root@centos7-1 ~]# journalctl | grep -i wazuh-indexer
Aug 23 19:59:49 centos7-1 systemd[1]: Configuration file /usr/lib/systemd/system/wazuh-indexer.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Aug 23 19:59:52 centos7-1 systemd[1]: Starting Wazuh-indexer...
Aug 23 19:59:54 centos7-1 systemd-entrypoint[795]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.6.0.jar)
Aug 23 19:59:55 centos7-1 systemd-entrypoint[795]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.6.0.jar)
Aug 23 19:59:55 centos7-1 systemd-entrypoint[795]: 2023-08-23 19:59:55,867 main ERROR Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation") java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
Aug 23 19:59:55 centos7-1 systemd-entrypoint[795]: 2023-08-23 19:59:55,887 main ERROR Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation") java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
Aug 22 20:00:08 centos7-1 systemd[1]: Started Wazuh-indexer.
Update report:
I made a change, adding more extensive permissions by giving read and write permissions to others. It still gives the same error in journalctl.
[root@centos7-1 ~]# ls -la /var/log/wazuh-indexer/
total 272
drwxr-x---. 2 wazuh-indexer wazuh-indexer 4096 Aug 24 2023 .
drwxr-xr-x. 11 root root 4096 Aug 24 2023 ..
-rw-rw-rw-. 1 wazuh-indexer wazuh-indexer 32735 Aug 23 13:10 gc.log
-rw-rw-rw-. 1 wazuh-indexer wazuh-indexer 2012 Aug 23 13:02 gc.log.00
-rw-rw-rw-. 1 wazuh-indexer wazuh-indexer 48585 Aug 23 13:08 gc.log.01
-rw-rw-rw-. 1 wazuh-indexer wazuh-indexer 2012 Aug 23 13:08 gc.log.02
-rw-rw-rw-. 1 wazuh-indexer wazuh-indexer 35886 Aug 23 13:09 gc.log.03
-rw-rw-rw-. 1 wazuh-indexer wazuh-indexer 2012 Aug 24 2023 gc.log.04
-rw-rw-rw-. 1 wazuh-indexer wazuh-indexer 14386 Aug 24 2023 wazuh-cluster-2023-08-23-1.json.gz
-rw-rw-rw-. 1 wazuh-indexer wazuh-indexer 13056 Aug 24 2023 wazuh-cluster-2023-08-23-1.log.gz
-rw-r-----. 1 wazuh-indexer wazuh-indexer 5696 Aug 23 13:10 wazuh-cluster_deprecation.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 3365 Aug 23 13:10 wazuh-cluster_deprecation.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 23 13:02 wazuh-cluster_index_indexing_slowlog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 23 13:02 wazuh-cluster_index_indexing_slowlog.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 23 13:02 wazuh-cluster_index_search_slowlog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 23 13:02 wazuh-cluster_index_search_slowlog.log
-rw-rw-rw-. 1 wazuh-indexer wazuh-indexer 29367 Aug 23 13:10 wazuh-cluster.log
-rw-rw-rw-. 1 wazuh-indexer wazuh-indexer 57798 Aug 23 13:10 wazuh-cluster_server.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 23 13:02 wazuh-cluster_task_detailslog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 23 13:02 wazuh-cluster_task_detailslog.log
[root@centos7-1 ~]# journalctl | grep -i wazuh-indexer
Aug 24 13:10:02 centos7-1 systemd[1]: Configuration file /usr/lib/systemd/system/wazuh-indexer.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Aug 24 13:10:03 centos7-1 systemd[1]: Starting Wazuh-indexer...
Aug 24 13:10:05 centos7-1 systemd-entrypoint[736]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.6.0.jar)
Aug 24 13:10:06 centos7-1 systemd-entrypoint[736]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.6.0.jar)
Aug 24 13:10:06 centos7-1 systemd-entrypoint[736]: 2023-08-24 13:10:06,400 main ERROR Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation") java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
Aug 24 13:10:06 centos7-1 systemd-entrypoint[736]: 2023-08-24 13:10:06,407 main ERROR Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation") java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
Aug 23 13:10:18 centos7-1 systemd[1]: Started Wazuh-indexer.
Troubleshooting
I installed Wazuh 4.5 using the installer in a RHEL 7 VM.
Post-install logs
Here's the output of
Post install file permissions
Log files permissions:
Rebooted the VM and file permissions are the same. No errors in the logs.
Disable sync with host time and date
Change date (+1 day)
We were able to replicate in Ubuntu 2204 and CentOS 7, but not on Red Hat 7.
Update report
I've been trying to replicate the same tests Alex did on a RHEL 7 vagrant box and I didn't get the same results. That is, I installed a Wazuh 4.5.0 package, edited the wazuh-indexer.service file by adding the umask, restarted the service, advanced the date to the next day, and restarted the host, and the log with the error appears in journalctl:
[root@redhat-7 ~]# ls -la /var/log/wazuh-indexer/
total 500
drwxr-x---. 2 wazuh-indexer wazuh-indexer 4096 Aug 24 14:36 .
drwxr-xr-x. 11 root root 4096 Aug 24 14:31 ..
-rw-r--r--. 1 wazuh-indexer wazuh-indexer 46587 Aug 24 14:38 gc.log
-rw-r--r--. 1 wazuh-indexer wazuh-indexer 2007 Aug 24 14:27 gc.log.00
-rw-r--r--. 1 wazuh-indexer wazuh-indexer 65587 Aug 24 14:36 gc.log.01
-rw-r--r--. 1 wazuh-indexer wazuh-indexer 2007 Aug 24 14:36 gc.log.02
-rw-r--r--. 1 wazuh-indexer wazuh-indexer 30533 Aug 24 14:36 gc.log.03
-rw-r--r--. 1 wazuh-indexer wazuh-indexer 2007 Aug 24 14:36 gc.log.04
-rw-r-----. 1 wazuh-indexer wazuh-indexer 5248 Aug 24 14:36 wazuh-cluster_deprecation.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 3124 Aug 24 14:36 wazuh-cluster_deprecation.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 24 14:27 wazuh-cluster_index_indexing_slowlog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 24 14:27 wazuh-cluster_index_indexing_slowlog.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 24 14:27 wazuh-cluster_index_search_slowlog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 24 14:27 wazuh-cluster_index_search_slowlog.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 95532 Aug 24 14:37 wazuh-cluster.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 190395 Aug 24 14:37 wazuh-cluster_server.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 24 14:27 wazuh-cluster_task_detailslog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 24 14:27 wazuh-cluster_task_detailslog.log
[root@redhat-7 ~]# poweroff
Connection to 127.0.0.1 closed by remote host.
[vagrant@redhat-7 ~]$ sudo su -
Last login: Thu Aug 24 14:24:54 UTC 2023 on pts/0
[root@redhat-7 ~]# ls -la /var/log/wazuh-indexer/
total 360
drwxr-x---. 2 wazuh-indexer wazuh-indexer 4096 Aug 25 14:39 .
drwxr-xr-x. 11 root root 4096 Aug 25 14:39 ..
-rw-r--r--. 1 wazuh-indexer wazuh-indexer 39875 Aug 25 14:40 gc.log
-rw-r--r--. 1 wazuh-indexer wazuh-indexer 2007 Aug 24 14:27 gc.log.00
-rw-r--r--. 1 wazuh-indexer wazuh-indexer 65587 Aug 24 14:36 gc.log.01
-rw-r--r--. 1 wazuh-indexer wazuh-indexer 2007 Aug 24 14:36 gc.log.02
-rw-r--r--. 1 wazuh-indexer wazuh-indexer 30533 Aug 24 14:36 gc.log.03
-rw-r--r--. 1 wazuh-indexer wazuh-indexer 2007 Aug 24 14:36 gc.log.04
-rw-r--r--. 1 wazuh-indexer wazuh-indexer 47313 Aug 24 14:38 gc.log.05
-rw-r--r--. 1 wazuh-indexer wazuh-indexer 2007 Aug 25 14:39 gc.log.06
-rw-r--r--. 1 wazuh-indexer wazuh-indexer 20313 Aug 25 14:39 wazuh-cluster-2023-08-24-1.json.gz
-rw-r--r--. 1 wazuh-indexer wazuh-indexer 14612 Aug 25 14:39 wazuh-cluster-2023-08-24-1.log.gz
-rw-r-----. 1 wazuh-indexer wazuh-indexer 7141 Aug 25 14:39 wazuh-cluster_deprecation.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 4240 Aug 25 14:39 wazuh-cluster_deprecation.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 24 14:27 wazuh-cluster_index_indexing_slowlog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 24 14:27 wazuh-cluster_index_indexing_slowlog.log
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 24 14:27 wazuh-cluster_index_search_slowlog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 24 14:27 wazuh-cluster_index_search_slowlog.log
-rw-r--r--. 1 wazuh-indexer wazuh-indexer 32592 Aug 25 14:39 wazuh-cluster.log
-rw-r--r--. 1 wazuh-indexer wazuh-indexer 65409 Aug 25 14:39 wazuh-cluster_server.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 24 14:27 wazuh-cluster_task_detailslog.json
-rw-r-----. 1 wazuh-indexer wazuh-indexer 0 Aug 24 14:27 wazuh-cluster_task_detailslog.log
[root@redhat-7 ~]# journalctl | grep -i wazuh-indexer
Aug 25 14:39:11 redhat-7 systemd[1]: Configuration file /usr/lib/systemd/system/wazuh-indexer.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Aug 25 14:39:11 redhat-7 systemd[1]: [/usr/lib/systemd/system/wazuh-indexer.service:21] Unknown lvalue 'Umask' in section 'Service'
Aug 25 14:39:15 redhat-7 systemd[1]: Starting Wazuh-indexer...
Aug 25 14:39:17 redhat-7 systemd-entrypoint[1121]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.6.0.jar)
Aug 25 14:39:18 redhat-7 systemd-entrypoint[1121]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.6.0.jar)
Aug 25 14:39:18 redhat-7 systemd-entrypoint[1121]: 2023-08-25 14:39:18,862 main ERROR Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation") java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
Aug 25 14:39:18 redhat-7 systemd-entrypoint[1121]: 2023-08-25 14:39:18,881 main ERROR Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation") java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
Aug 25 14:39:29 redhat-7 systemd[1]: Started Wazuh-indexer.
[root@redhat-7 ~]# cat /usr/lib/systemd/system/wazuh-indexer.service
[Unit]
Description=Wazuh-indexer
Documentation=https://documentation.wazuh.com
Wants=network-online.target
After=network-online.target
[Service]
Type=notify
RuntimeDirectory=wazuh-indexer
PrivateTmp=yes
Environment=OPENSEARCH_HOME=/usr/share/wazuh-indexer
Environment=OPENSEARCH_PATH_CONF=/etc/wazuh-indexer
Environment=PID_DIR=/run/wazuh-indexer
Environment=OPENSEARCH_SD_NOTIFY=true
EnvironmentFile=-/etc/sysconfig/wazuh-indexer
WorkingDirectory=/usr/share/wazuh-indexer
User=wazuh-indexer
Group=wazuh-indexer
Umask=0027
...
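The journal line `Unknown lvalue 'Umask' in section 'Service'` in the RHEL 7 run above shows systemd rejecting the key as written in that unit file. The following is an added example, not code from this thread or from the Wazuh project: it checks a unit file for the exact `UMask=` key, derives the file mode that umask produces, and lists log files whose mode is wider. Function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a unit file's UMask= setting and the resulting log modes.

# unit_umask UNIT_FILE
# Prints the UMask value from [Service] and returns 0.
# Returns 2 and prints the offending key when it is spelled with the wrong
# case (systemd keys are case-sensitive, see the journal line in the thread).
# Returns 1 when no umask key is present at all.
unit_umask() {
    awk -F= '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && NF >= 2 {
            key = $1; gsub(/[ \t]/, "", key)
            val = $2; gsub(/[ \t]/, "", val)
            if (key == "UMask") good = val
            else if (tolower(key) == "umask") bad = key
        }
        END {
            if (good != "") { print good; exit 0 }
            if (bad != "")  { print bad;  exit 2 }
            exit 1
        }' "$1"
}

# expected_file_mode UMASK
# Mode a process gets when it creates a regular file with the usual 0666
# request under the given octal umask (0027 gives 0640).
expected_file_mode() {
    printf '%04o\n' $(( 0666 & ~0$1 & 0777 ))
}

# files_violating_umask DIR UMASK
# Lists regular files in DIR that carry any permission bit the umask should
# have cleared, for example 644 files under a 0027 umask.
files_violating_umask() {
    scan_dir=$1
    umask_bits=$(( 0$2 & 0777 ))
    bit=256                                  # 0400, walk down to 0001
    while [ "$bit" -ge 1 ]; do
        if [ $(( umask_bits & bit )) -ne 0 ]; then
            find "$scan_dir" -type f -perm -"$(printf '%o' "$bit")"
        fi
        bit=$(( bit / 2 ))
    done | sort -u
}

# Constructed sample data: a unit file with the spelling used in the RHEL 7
# test, and two log files with the 640 and 644 modes discussed in the issue.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/logs"
printf '[Service]\nUser=wazuh-indexer\nUmask=0027\n' > "$demo_dir/sample.service"
: > "$demo_dir/logs/kept.log";    chmod 640 "$demo_dir/logs/kept.log"
: > "$demo_dir/logs/widened.log"; chmod 644 "$demo_dir/logs/widened.log"

status=0
value=$(unit_umask "$demo_dir/sample.service") || status=$?
case $status in
    0) echo "UMask=$value, new files get mode $(expected_file_mode "$value")" ;;
    1) echo "no UMask= key in [Service]" ;;
    2) echo "key '$value' is ignored by systemd, spell it UMask=" ;;
esac
echo "files wider than UMask=0027 allows:"
files_violating_umask "$demo_dir/logs" 0027
rm -rf "$demo_dir"
```

On a real host, point `unit_umask` at the installed unit file and `files_violating_umask` at the service's log directory after a rotation.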
Update report
I've been doing some additional testing and research but can't find any possible changes to the code. I continue to investigate.
I've found out that this problem is also present in OpenSearch 2.6.0.
I did the following:
I know this was stated in the first post in this issue. Just clarifying this matter. In my opinion, we should open an issue in OpenSearch's repo.
Update report
I also did a test with OpenSearch 2.9.0 and the result is the same:
[root@redhat-7 ~]# ls -la /var/log/opensearch/
total 524
drwxr-sr-x. 2 opensearch opensearch 4096 Aug 28 13:37 .
drwxr-xr-x. 11 root root 4096 Aug 28 13:44 ..
-rw-r--r--. 1 opensearch opensearch 143656 Aug 28 13:49 gc.log
-rw-r--r--. 1 opensearch opensearch 2006 Aug 28 13:37 gc.log.00
-rw-r--r--. 1 opensearch opensearch 1693 Aug 28 13:37 install_demo_configuration.log
-rw-r-----. 1 opensearch opensearch 834 Aug 28 13:37 opensearch_deprecation.json
-rw-r-----. 1 opensearch opensearch 513 Aug 28 13:37 opensearch_deprecation.log
-rw-r-----. 1 opensearch opensearch 0 Aug 28 13:37 opensearch_index_indexing_slowlog.json
-rw-r-----. 1 opensearch opensearch 0 Aug 28 13:37 opensearch_index_indexing_slowlog.log
-rw-r-----. 1 opensearch opensearch 0 Aug 28 13:37 opensearch_index_search_slowlog.json
-rw-r-----. 1 opensearch opensearch 0 Aug 28 13:37 opensearch_index_search_slowlog.log
-rw-r-----. 1 opensearch opensearch 50722 Aug 28 13:47 opensearch.log
-rw-r-----. 1 opensearch opensearch 104571 Aug 28 13:47 opensearch_server.json
-rw-r-----. 1 opensearch opensearch 0 Aug 28 13:37 opensearch_task_detailslog.json
-rw-r-----. 1 opensearch opensearch 0 Aug 28 13:37 opensearch_task_detailslog.log
[root@redhat-7 ~]# journalctl | grep -i opensearch.log
[root@redhat-7 ~]# poweroff
[vagrant@redhat-7 ~]$ sudo su -
Last login: Mon Aug 28 13:34:03 UTC 2023 on pts/0
[root@redhat-7 ~]# journalctl | grep -i opensearch.log
Aug 29 13:50:36 redhat-7 systemd-entrypoint[688]: 2023-08-29 13:50:36,540 main ERROR Could not define attribute view on path "/var/log/opensearch/opensearch.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation") java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessUserInformation")
[root@redhat-7 ~]# ls -la /var/log/opensearch/
total 412
drwxr-sr-x. 2 opensearch opensearch 4096 Aug 29 13:50 .
drwxr-xr-x. 11 root root 4096 Aug 29 13:50 ..
-rw-r--r--. 1 opensearch opensearch 39712 Aug 29 13:51 gc.log
-rw-r--r--. 1 opensearch opensearch 2006 Aug 28 13:37 gc.log.00
-rw-r--r--. 1 opensearch opensearch 146505 Aug 28 13:50 gc.log.01
-rw-r--r--. 1 opensearch opensearch 2006 Aug 29 13:50 gc.log.02
-rw-r--r--. 1 opensearch opensearch 1693 Aug 28 13:37 install_demo_configuration.log
-rw-r--r--. 1 opensearch opensearch 9178 Aug 29 13:50 opensearch-2023-08-28-1.json.gz
-rw-r--r--. 1 opensearch opensearch 8390 Aug 29 13:50 opensearch-2023-08-28-1.log.gz
-rw-r-----. 1 opensearch opensearch 1204 Aug 29 13:50 opensearch_deprecation.json
-rw-r-----. 1 opensearch opensearch 766 Aug 29 13:50 opensearch_deprecation.log
-rw-r-----. 1 opensearch opensearch 0 Aug 28 13:37 opensearch_index_indexing_slowlog.json
-rw-r-----. 1 opensearch opensearch 0 Aug 28 13:37 opensearch_index_indexing_slowlog.log
-rw-r-----. 1 opensearch opensearch 0 Aug 28 13:37 opensearch_index_search_slowlog.json
-rw-r-----. 1 opensearch opensearch 0 Aug 28 13:37 opensearch_index_search_slowlog.log
-rw-r--r--. 1 opensearch opensearch 46201 Aug 29 13:50 opensearch.log
-rw-r--r--. 1 opensearch opensearch 84227 Aug 29 13:50 opensearch_server.json
-rw-r-----. 1 opensearch opensearch 0 Aug 28 13:37 opensearch_task_detailslog.json
-rw-r-----. 1 opensearch opensearch 0 Aug 28 13:37 opensearch_task_detailslog.log
[root@redhat-7 ~]# yum info opensearch
Loaded plugins: product-id, search-disabled-repos
Installed Packages
Name : opensearch
Arch : x86_64
Version : 2.9.0
Release : 1
Size : 993 M
Repo : installed
From repo : /opensearch-2.9.0-linux-x64
Summary : An open source distributed and RESTful search engine
URL : https://opensearch.org/
License : Apache-2.0
Description : OpenSearch makes it easy to ingest, search, visualize, and analyze your data
: For more information, see: https://opensearch.org/
This issue will be solved with the fork unless we find a solution before.
This is an active issue from OpenSearch which we have failed to solve or troubleshoot after weeks. We don't have the capacity in the indexer team to solve inherited bugs like this one yet. I'd rather notify OpenSearch of this bug and encourage them to solve it.
Issue created: opensearch-project/OpenSearch#9609
OpenSearch's team replies they are unable to reproduce the problem. We provided more information and are waiting for a response.
I applied the fix proposed in https://forum.opensearch.org/t/systemd-entrypoint-defaultdispatcher-worker-error-could-not-define-attribute-view-on-path-var-log-opensearch-opensearch-server-json/15514/3, and the errors are not showing anymore.
The fix consists of adding the code below to
We'll keep revisiting this until we are completely sure that the error doesn't happen again.
Update 2024.04.12
Error didn't happen again.
Update 2024.04.15
No errors.
Closed in favor of wazuh/wazuh-indexer#205.
Description
Full log
wazuh-cluster.log and wazuh-cluster_server.json files from 640 to 644, causing an access denied error displayed in the Wazuh indexer journal:
Steps to reproduce the error
OpenSearch 2.4.1
OpenSearch 2.4.1 install
Service start and files permissions
Files permissions after reboot (Service not enabled)
Service enabled before system reboot with date change
OpenSearch 2.6.0
OpenSearch 2.6.0 install and enable service
Service start and files permissions
Service enabled before system reboot with date change