wazuh-alerts is generating "No results found"

740 views
Skip to first unread message

Marc Baker

unread,
May 10, 2017, 1:38:00 PM5/10/17
to Wazuh mailing list
Up until yesterday our system worked without issue. Now the following results when attempting to access alerts via the Discover tab:


We have 139 active agents and alerts are populating in alerts.json. No changes have been made to the system so any suggestions would be greatly appreciated.

Jose Luis Ruiz

unread,
May 10, 2017, 3:31:55 PM5/10/17
to Marc Baker, Wazuh mailing list
Hi Marc

Can you give us a little more information about your environment?

Have you a standalone environment? (wazuh-manager + Logstash + Elastic + Kibana) in one server?

Or you have Wazuh-manager + filebeat and in the other server ELK?



Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/abd56d73-1d0c-4388-a5e9-4279c789d53f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Marc Baker

unread,
May 10, 2017, 3:59:01 PM5/10/17
to Wazuh mailing list, marcjb...@gmail.com
It is a single server installation. There are currently 159 active agents and I can see alerts being generated in alerts.json.


On Wednesday, May 10, 2017 at 3:31:55 PM UTC-4, Jose Luis Ruiz wrote:
Hi Marc

Can you give us a little more information about your environment?

Have you a standalone environment? (wazuh-manager + Logstash + Elastic + Kibana) in one server?

Or you have Wazuh-manager + filebeat and in the other server ELK?



Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com

On May 10, 2017 at 1:38:01 PM, Marc Baker (marcjb...@gmail.com) wrote:

Up until yesterday our system worked without issue. Now the following results when attempting to access alerts via the Discover tab:


We have 139 active agents and alerts are populating in alerts.json. No changes have been made to the system so any suggestions would be greatly appreciated.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

Jose Luis Ruiz

unread,
May 10, 2017, 4:10:54 PM5/10/17
to Marc Baker, Wazuh mailing list

You have three pieces in your environment to test (because you are saying the /var/ossec/logs/alerts/alerts.json is populating)

1 - Kibana : As you show in your screenshot is working 

2 - Elasticsearch: try this two commands 

curl -XGET localhost:9200

You should have something like 

{
  "name": "node1",
  "cluster_name": "ossec",
  "version": {
    "number": "2.1.1",
    "build_hash": "40e2c53a6b6c2972b3d13846e450e66f4375bd71",
    "build_timestamp": "2015-12-15T13:05:55Z",
    "build_snapshot": false,
    "lucene_version": "5.3.1"
  },
  "tagline": "You Know, for Search"
}

and the next command 

curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'

And you should have something like:

{
  "cluster_name": "ossec",
  "status": "green",
  "timed_out": false,
  "number_of_nodes": 2,
  "number_of_data_nodes": 2,
  "active_primary_shards": 281,
  "active_shards": 562,
  "relocating_shards": 0,
  "initializing_shards": 0,
  "unassigned_shards": 0,
  "delayed_unassigned_shards": 0,
  "number_of_pending_tasks": 0,
  "number_of_in_flight_fetch": 0,
  "task_max_waiting_in_queue_millis": 0,
  "active_shards_percent_as_number": 100
}

3- Logstash

Verify the service with ps axu | grep logstash, also search for errors in the log file in /var/logs/logstash/logstash-plain.log

Try as well to restart the service, the best way is stop the service, run again a ps axu | grep logstash  to verify the service is stopped (some time is hard to restart), and then run again.

i hope it helps!

Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

Sumesh MS

unread,
May 11, 2017, 6:34:46 AM5/11/17
to Jose Luis Ruiz, Wazuh mailing list, Marc Baker
Any updates on this? I recommend if all the suggestions are cross checked, you must check the alert.json permissions too.

Regards 
Sumesh 

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CAORR07ZXxa5UeC6f6Mub8NdSAChqMc0WztmZEgsS_Sk1Knv3Rg%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages