Skip to content

Troubleshooting

Cluster stuck in Provisioning

Check which condition is not yet True:

kubectl get wazuhcluster demo -n wazuh-demo -o jsonpath='{.status.conditions}' | jq

The reconcile gates each stage on the previous one, so the first False condition tells you where it is waiting.

Indexer not becoming ready

kubectl get pods -n wazuh-demo -l app.kubernetes.io/component=indexer
kubectl logs -n wazuh-demo demo-indexer-0

Common causes:

  • vm.max_map_count too low — the indexer pod runs a privileged init container to set it to 262144. If your nodes block privileged init containers, set the sysctl on the node pool instead.
  • PVC not bound — check the StorageClass and that a default exists if you did not set storage.storageClassName.

securityadmin Job failing

kubectl logs -n wazuh-demo job/demo-indexer-securityinit

The Job retries until the indexer security index is reachable. Persistent failures usually mean the indexer never became healthy — fix the indexer first.

Manager workers not joining the cluster

Workers reach the master through the *-manager-master headless Service on 1516 using the shared cluster-key. Check:

kubectl exec -n wazuh-demo demo-manager-master-0 -- /var/ossec/bin/cluster_control -l

Dashboard cannot reach the indexer

The dashboard authenticates as kibanaserver. Confirm the credential applied:

kubectl logs -n wazuh-demo deploy/demo-dashboard | grep -i opensearch

If you rotated demo-credentials manually, the securityadmin Job must be re-run for the indexer to accept the new password (automated rotation is a roadmap item).

Degraded after editing storage size

storage.size cannot be changed on an existing StatefulSet. Revert the field; expand the PVCs manually if you need more space. See Day-2 Operations.