Text only | Text with Images

OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: d8472 on February 16, 2022, 09:08:08 AM

Title: External ELK Stack - Elasticsearch process still starting locally + drops
Post by: d8472 on February 16, 2022, 09:08:08 AM
Hi all,

OPNsense 22.1-amd64
Zenarmor - 1.10.1

I have a couple of issues with Zenarmor since upgrading to 22.1
Randomly, Zenarmor seems to cause a reset of the ports. The dmesg log shows the same type of entry as if the packet engine is restarted and the Zenarmor logs show the service terminates and restarts. I have performed a clean install and again just now so I will send a bug report when it happens again.

The second issue has come about while I try to mitigate the first. In case there was a resource issue I completely removed Zenarmor and reinstalled it completely clean (i.e. not using a config backup) but attached to my external ELK stack on a separate bare metal box.
However, after the service has been running a few minutes I see the Java Elastic Search process start which consumes several GB of memory and is the reason I offloaded it in the first place. If I kill the process, it stays gone and Zenarmor and the reports seem to work from what I can see.

Can anyone assist with either of these? Thanks!  ;D
Title: Re: External ELK Stack - Elasticsearch process still starting locally + drops
Post by: sy on February 16, 2022, 11:57:55 AM
Hi,

Please send a bug report then the team is going to look into the logs and send you some debug instructions.

For elastic issue, Zenarmor doesn't use local elasticsearch if you configured it to use an external one. Is there any plugin that uses elasticsearch?

Title: Re: External ELK Stack - Elasticsearch process still starting locally + drops
Post by: d8472 on February 16, 2022, 12:00:11 PM
As soon as it happens again I will send the bug report, thanks Sy.

Regarding ElasticSearch, no not that I am aware of. And if I am monitoring processes via the Top command and remove Zenarmor then the Elastic process is terminated, even though I am using the external server, which implies to me it is responsible. When I reinstall and start Zenarmor, a minute or two after it is complete it starts again.
Title: Re: External ELK Stack - Elasticsearch process still starting locally + drops
Post by: sy on February 17, 2022, 03:21:03 PM
Hi,

Can you share the output of the "pkg info elasticsearch" command?
Title: Re: External ELK Stack - Elasticsearch process still starting locally + drops
Post by: d8472 on February 21, 2022, 09:24:18 AM
It states this - pkg: No package(s) matching elasticsearch

It has not done it again since the last time. In top it said it was java running with the elasticsearch user as per the screenshot. So either it was not actually elasticsearch just another process using that user, or after the last reboot since then something else changed and the package was fully removed?

The issue with dropped interfaces happened again btw, so I sent the bug report as requested.
Text only | Text with Images