Overview
After restarting a Wazuh Indexer Node, you may encounter the following startup error:
org.opensearch.OpenSearchException: Unable to load plugin class [org.opensearch.securityanalytics.SecurityAnalyticsPlugin]
Caused by: java.lang.ClassNotFoundException: org.opensearch.securityanalytics.SecurityAnalyticsPlugin
This prevents the node from fully starting.
Root Cause
This issue occurs when the OpenSearch Security Analytics plugin JAR is missing from:
/usr/share/wazuh-indexer/plugins/opensearch-security-analytics/
In recent cases, Bitdefender has falsely flagged this JAR file as a threat (Trojan.GenericKD.77203252) and quarantined or deleted it during a full system scan.
The affected file is:
/usr/share/wazuh-indexer/plugins/opensearch-security-analytics/opensearch-security-analytics-2.19.1.0.jar
Without this file, Wazuh Indexer fails to load the Security Analytics plugin and aborts startup.
Resolution
Reinstall the missing plugin manually.
Commands
# Download the plugin ZIP from Maven Central (these commands use version 2.19.0.0;
# use the version that matches the JAR missing from your node)
wget https://repo1.maven.org/maven2/org/opensearch/plugin/opensearch-security-analytics/2.19.0.0/opensearch-security-analytics-2.19.0.0.zip -O /tmp/opensearch-security-analytics-2.19.0.0.zip
# Extract only the JAR file
unzip -j /tmp/opensearch-security-analytics-2.19.0.0.zip "opensearch-security-analytics-2.19.0.0.jar" -d /tmp
# Copy the JAR file into place (the copy in /tmp is kept for verification)
sudo cp /tmp/opensearch-security-analytics-2.19.0.0.jar /usr/share/wazuh-indexer/plugins/opensearch-security-analytics/opensearch-security-analytics-2.19.0.0.jar
# Restart Wazuh Indexer
sudo systemctl restart wazuh-indexer
The JAR file remains in /tmp along with the ZIP for verification.
Prevention
To prevent recurrence:
- Add an exclusion in Bitdefender for:
/usr/share/wazuh-indexer/
⚠️ Only do this if you trust the folder and know the Wazuh Indexer installation source.
- Disable automatic quarantine for system directories containing OpenSearch plugins.
- If running a cluster, verify all nodes retain the plugin JAR before upgrades or restarts.
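A pre-restart check for the missing-JAR condition described above, as an added example (not Wazuh or Bitdefender tooling): it records a SHA-256 baseline of the plugin JARs on a known-good node and reports any JAR that has since been removed or altered. The function names and the manifest path are assumptions made for this example; the plugins path is the one from this article.

```shell
#!/bin/sh
# Added example: baseline and pre-restart check for Wazuh Indexer plugin JARs.
PLUGINS_DIR=/usr/share/wazuh-indexer/plugins          # path from the article
MANIFEST=/var/lib/wazuh-indexer-plugin-jars.sha256    # hypothetical location

# Print "<sha256>  ./<plugin>/<file>.jar" for every JAR under a plugins
# directory. Run on a known-good node and save the output as the manifest.
snapshot_plugin_jars() {
    ( cd "$1" && find . -type f -name '*.jar' -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# Compare a plugins directory against a saved manifest.
# Prints "MISSING <jar>" or "CHANGED <jar>" for each problem.
# Returns 0 when every baselined JAR is present and unchanged, 1 otherwise.
verify_plugin_jars() {
    plugins_dir=$1
    manifest=$2
    status=0
    while read -r expected jar; do
        if [ ! -f "$plugins_dir/$jar" ]; then
            # Typical result of an antivirus quarantine or delete action
            echo "MISSING $jar"
            status=1
            continue
        fi
        actual=$(sha256sum "$plugins_dir/$jar" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED $jar"
            status=1
        fi
    done < "$manifest"
    return $status
}

# Command-line use:
#   sh check_plugin_jars.sh snapshot > manifest   (on a known-good node)
#   sh check_plugin_jars.sh verify                (before a restart or upgrade)
case "${1:-}" in
    snapshot) snapshot_plugin_jars "${2:-$PLUGINS_DIR}" ;;
    verify)   verify_plugin_jars "${2:-$PLUGINS_DIR}" "${3:-$MANIFEST}" ;;
esac
```

Running the verify step on each cluster node before `systemctl restart wazuh-indexer` surfaces a quarantined JAR while the node is still up, rather than at the failed startup.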