arkime start log about malcolm HOT 5 CLOSED

I've just tested this on two kubernetes instances and one ISO-installed version of Malcolm:

arkime | usermod: no changes
arkime | root
arkime | uid=0(root) gid=0(root) groups=0(root)
arkime | 2024-08-29 13:41:16,083 INFO Set uid to user 0 succeeded
arkime | 2024-08-29 13:41:16,089 INFO RPC interface 'supervisor' initialized
arkime | 2024-08-29 13:41:16,089 CRIT Server 'unix_http_server' running without any HTTP authentication checking
arkime | 2024-08-29 13:41:16,090 INFO supervisord started with pid 1065
arkime | 2024-08-29 13:41:17,093 INFO spawned: 'initialize' with pid 1101
arkime | 2024-08-29 13:41:17,095 INFO spawned: 'pcap-arkime' with pid 1102
arkime | 2024-08-29 13:41:17,097 INFO spawned: 'viewer' with pid 1103
arkime | 2024-08-29 13:41:17,099 INFO spawned: 'wise' with pid 1104
arkime | 2024-08-29 13:41:18,101 INFO success: initialize entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
arkime | 2024-08-29 13:41:18,101 INFO success: viewer entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
arkime | 2024-08-29 13:41:18,101 INFO success: wise entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
arkime | 2024-08-29 13:41:32,117 INFO success: pcap-arkime entered RUNNING state, process has stayed up for > than 15 seconds (startsecs)
arkime | 2024-08-29 13:42:26 URL:https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv [23323/23323] -> "ipv4-address-space.csv_new" [1]
arkime | 2024-08-29 13:42:27 URL:https://www.wireshark.org/download/automated/data/manuf [2812753/2812753] -> "oui.txt_new" [1]
arkime | Giving opensearch-local time to start...
arkime | opensearch-local is up and healthy at http://opensearch:9200
arkime | opensearch-local is running!
arkime | Giving WISE time to start...
arkime | Launch wise...
arkime | curl: (7) Failed to connect to 127.0.0.1 port 8081 after 0 ms: Couldn't connect to server
arkime | Waiting for WISE to start
arkime | curl: (7) Failed to connect to 127.0.0.1 port 8081 after 0 ms: Couldn't connect to server
arkime | Waiting for WISE to start
arkime | [[13:42:34.566]] [LOG]   /opt/arkime/wiseService/wiseService.js listening on host 0.0.0.0 port 8081 in development mode
arkime | WISE is running!
arkime |
arkime | Initializing opensearch-local database...
arkime | This is a fresh Arkime install
arkime | Erasing
arkime | Creating
arkime | Finished
arkime | Creating default user...
arkime | WARNING - Using authMode=header since not set, add to config file to silence this warning.
arkime | Added
arkime | Initializing fields...
arkime | Initializing views...
arkime | Creating view "Arkime Sessions"
arkime | Creating view "Public IP Addresses"
arkime | Creating view "Suricata Alerts"
arkime | Creating view "Suricata Logs"
arkime | Creating view "Uninventoried Internal Assets"
arkime | Creating view "Uninventoried Observed Services"
arkime | Creating view "Zeek conn.log"
arkime | Creating view "Zeek Exclude conn.log"
arkime | Creating view "Zeek Logs"
arkime | Setting defaults...
arkime |
arkime | opensearch-local database initialized!
arkime |
arkime | {"_shards":{"total":17,"successful":17,"failed":0}}2024-08-29 13:43:32,762 INFO exited: initialize (exit status 0; expected)
arkime | Launch viewer...
arkime | WARNING - Using authMode=header since not set, add to config file to silence this warning.
arkime | SECURITY WARNING - when userNameHeader is set, viewHost should be localhost or use iptables
arkime | /opt/arkime/viewer/viewer.js listening on host 0.0.0.0 port 8005 in development mode
arkime | This node will process Periodic Queries (CRON) & Hunts, delayed by 85 seconds

And have shelled into the container to verify that the API port 8005 is actually responding:

root@arkime-deployment-8548c658bf-htzkq:/opt/arkime# curl -sSLk -XGET -H 'Content-type: application/json' -H "http_auth_http_user: user" -H "Authorization:" -H "Accept: application/json; indent=4" https://localhost:8005/api/eshealth | jq
{
  "cluster_name": "docker-cluster",
  "status": "green",
  "timed_out": false,
  "number_of_nodes": 1,
  "number_of_data_nodes": 1,
  "discovered_master": true,
  "discovered_cluster_manager": true,
  "active_primary_shards": 18,
  "active_shards": 18,
  "relocating_shards": 0,
  "initializing_shards": 0,
  "unassigned_shards": 0,
  "delayed_unassigned_shards": 0,
  "number_of_pending_tasks": 0,
  "number_of_in_flight_fetch": 0,
  "task_max_waiting_in_queue_millis": 0,
  "active_shards_percent_as_number": 100,
  "version": "2.16.0",
  "molochDbVersion": 80
}

This is all unchanged from the way it's been in the previous version.

from malcolm.

I've just tested this on two kubernetes instances and one ISO-installed version of Malcolm:

arkime | usermod: no changes
arkime | root
arkime | uid=0(root) gid=0(root) groups=0(root)
arkime | 2024-08-29 13:41:16,083 INFO Set uid to user 0 succeeded
arkime | 2024-08-29 13:41:16,089 INFO RPC interface 'supervisor' initialized
arkime | 2024-08-29 13:41:16,089 CRIT Server 'unix_http_server' running without any HTTP authentication checking
arkime | 2024-08-29 13:41:16,090 INFO supervisord started with pid 1065
arkime | 2024-08-29 13:41:17,093 INFO spawned: 'initialize' with pid 1101
arkime | 2024-08-29 13:41:17,095 INFO spawned: 'pcap-arkime' with pid 1102
arkime | 2024-08-29 13:41:17,097 INFO spawned: 'viewer' with pid 1103
arkime | 2024-08-29 13:41:17,099 INFO spawned: 'wise' with pid 1104
arkime | 2024-08-29 13:41:18,101 INFO success: initialize entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
arkime | 2024-08-29 13:41:18,101 INFO success: viewer entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
arkime | 2024-08-29 13:41:18,101 INFO success: wise entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
arkime | 2024-08-29 13:41:32,117 INFO success: pcap-arkime entered RUNNING state, process has stayed up for > than 15 seconds (startsecs)
arkime | 2024-08-29 13:42:26 URL:https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv [23323/23323] -> "ipv4-address-space.csv_new" [1]
arkime | 2024-08-29 13:42:27 URL:https://www.wireshark.org/download/automated/data/manuf [2812753/2812753] -> "oui.txt_new" [1]
arkime | Giving opensearch-local time to start...
arkime | opensearch-local is up and healthy at http://opensearch:9200
arkime | opensearch-local is running!
arkime | Giving WISE time to start...
arkime | Launch wise...
arkime | curl: (7) Failed to connect to 127.0.0.1 port 8081 after 0 ms: Couldn't connect to server
arkime | Waiting for WISE to start
arkime | curl: (7) Failed to connect to 127.0.0.1 port 8081 after 0 ms: Couldn't connect to server
arkime | Waiting for WISE to start
arkime | [[13:42:34.566]] [LOG]   /opt/arkime/wiseService/wiseService.js listening on host 0.0.0.0 port 8081 in development mode
arkime | WISE is running!
arkime |
arkime | Initializing opensearch-local database...
arkime | This is a fresh Arkime install
arkime | Erasing
arkime | Creating
arkime | Finished
arkime | Creating default user...
arkime | WARNING - Using authMode=header since not set, add to config file to silence this warning.
arkime | Added
arkime | Initializing fields...
arkime | Initializing views...
arkime | Creating view "Arkime Sessions"
arkime | Creating view "Public IP Addresses"
arkime | Creating view "Suricata Alerts"
arkime | Creating view "Suricata Logs"
arkime | Creating view "Uninventoried Internal Assets"
arkime | Creating view "Uninventoried Observed Services"
arkime | Creating view "Zeek conn.log"
arkime | Creating view "Zeek Exclude conn.log"
arkime | Creating view "Zeek Logs"
arkime | Setting defaults...
arkime |
arkime | opensearch-local database initialized!
arkime |
arkime | {"_shards":{"total":17,"successful":17,"failed":0}}2024-08-29 13:43:32,762 INFO exited: initialize (exit status 0; expected)
arkime | Launch viewer...
arkime | WARNING - Using authMode=header since not set, add to config file to silence this warning.
arkime | SECURITY WARNING - when userNameHeader is set, viewHost should be localhost or use iptables
arkime | /opt/arkime/viewer/viewer.js listening on host 0.0.0.0 port 8005 in development mode
arkime | This node will process Periodic Queries (CRON) & Hunts, delayed by 85 seconds

And have shelled into the container to verify that the API port 8005 is actually responding:

root@arkime-deployment-8548c658bf-htzkq:/opt/arkime# curl -sSLk -XGET -H 'Content-type: application/json' -H "http_auth_http_user: user" -H "Authorization:" -H "Accept: application/json; indent=4" https://localhost:8005/api/eshealth | jq
{
  "cluster_name": "docker-cluster",
  "status": "green",
  "timed_out": false,
  "number_of_nodes": 1,
  "number_of_data_nodes": 1,
  "discovered_master": true,
  "discovered_cluster_manager": true,
  "active_primary_shards": 18,
  "active_shards": 18,
  "relocating_shards": 0,
  "initializing_shards": 0,
  "unassigned_shards": 0,
  "delayed_unassigned_shards": 0,
  "number_of_pending_tasks": 0,
  "number_of_in_flight_fetch": 0,
  "task_max_waiting_in_queue_millis": 0,
  "active_shards_percent_as_number": 100,
  "version": "2.16.0",
  "molochDbVersion": 80
}

This is all unchanged from the way it's been in the previous version.

Yes, I have successfully deployed it before, but when I encountered this issue with stopping and restarting, how many attempts did I make to stop and restart before being able to recover

from malcolm.

If that's the case, I guess check your Kubernetes events and debug it on that side. Nothing changed in this last release of Malcolm with regards to how it deploys with Kubernetes.

from malcolm.

If that's the case, I guess check your Kubernetes events and debug it on that side. Nothing changed in this last release of Malcolm with regards to how it deploys with Kubernetes.

I'll try again, thank you

from malcolm.

If that's the case, I guess check your Kubernetes events and debug it on that side. Nothing changed in this last release of Malcolm with regards to how it deploys with Kubernetes.

There is another issue that I couldn't find the index 'arkime_stissions3-240830' in opensearch today after starting yesterday. This may be due to some reasons？

from malcolm.