Not getting wazuh alerts logs in the dashboard


Prathamesh Chavan

Feb 15, 2024, 7:04:16 AM
to Wazuh | Mailing List
Seeking help related to Wazuh alert logs not appearing in the dashboard.
I checked the Filebeat connectivity and it is able to connect, but my Wazuh manager and worker give me the error: ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://wazuh-indexer-0.wazuh-indexer:9200)): Get "https://wazuh-indexer-0.wazuh-indexer:9200": context deadline exceeded

I also tried to check the indices with curl, but no indices are being generated; I got only the one index we created manually for testing. We have not been getting logs for 4 months; it stopped at that time, but we are getting logs for wazuh-statistics and wazuh-monitoring. If connectivity were the issue, we should not get logs for all three.
Attaching all the screenshots related to the connectivity and the errors.

Regards,
Prathamesh Chavan
Screenshot 2024-02-15 at 12.16.24.png
Screenshot 2024-02-15 at 12.19.53.png
Screenshot 2024-02-15 at 12.16.51.png
Screenshot 2024-02-15 at 12.17.11.png

Luis Daniel Avendaño Larios

Feb 15, 2024, 12:21:28 PM
to Wazuh | Mailing List
I understand that you’re having trouble with Wazuh alerts not appearing in the dashboard, despite having connectivity with Filebeat. You’re also experiencing an error with your Wazuh manager and worker, and no new indices are being generated. However, you’re still receiving logs for wazuh-statistics and wazuh-monitoring. Here are some steps you can take to troubleshoot this issue:

  1. Check the Cluster Health: You can monitor the health of the cluster which includes information about the number of shards (There is a limit of 1000 shards for each indexer node). Replace <Wazuh_indexer_IP> with your Wazuh indexer IP address or hostname, and <username>:<password> with your Elasticsearch username and password: curl -X GET "https://<Wazuh_indexer_IP>:9200/_cluster/health?pretty" -u <username>:<password> -k 

  2. Check the Node’s Heap Size: The configured size of each node’s heap can be checked using the cat nodes API: GET _cat/nodes?v=true&h=heap.max

  3. Check for Alerts in Wazuh Indexer: The first step is to check if there are alerts in Wazuh indexer. If you do not see any Wazuh related index, it means you have no alerts stored in Wazuh indexer.
  4. Check the Connection Status: You can check the connection status between an agent and the Wazuh manager. This includes using the agent control utility, querying the Wazuh API, and reading the agent state file.

  5. Check the Index Patterns: Wazuh uses the following index patterns to store data: wazuh-alerts-*, wazuh-archives-*, wazuh-monitoring-*, and wazuh-statistics-*. If these indices are not being created, you may need to check your index pattern configuration.

  6. Check the Log Data Collection: Wazuh collects, analyzes, and stores logs from endpoints, network devices, and applications. Make sure that your Wazuh agent is correctly configured to collect and forward system and application logs to the Wazuh server.

Remember to replace <WAZUH_INDEXER_IP>, <wazuh_indexer_user>, and <wazuh_indexer_password> with your actual Wazuh indexer IP, username, and password respectively when running commands.

NOTE: If you reach the shard limit, no more events will be indexed. The proper way to address this issue is by creating a retention policy, which is detailed in the guide linked below:
https://documentation.wazuh.com/current/user-manual/wazuh-indexer/index-life-management.html 

I hope this helps, let me know if you need anything else.
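A triage script that turns the checks in this reply into something you can run once and read: it computes the shard budget from _cluster/health (OpenSearch's default cluster.max_shards_per_node is 1000, enforced as 1000 times the number of data nodes) and reports which of the four wazuh-* index families have no index at all. This is an added example, not Luis's commands or Wazuh's own tooling; the INDEXER_URL, INDEXER_USER and INDEXER_PASS variables, the file name triage.sh, and the sample health response and index list are assumptions constructed for the demo.

```bash
#!/usr/bin/env bash
# Indexer triage helper for the checks listed in the reply above.
# Added example, not Wazuh's own tooling. Assumptions (not from the thread):
#   INDEXER_URL  - e.g. https://wazuh-indexer-0.wazuh-indexer:9200
#   INDEXER_USER / INDEXER_PASS - indexer credentials passed to curl -u
#   PER_NODE_SHARD_LIMIT - OpenSearch's default cluster.max_shards_per_node
# The check functions are pure text filters, so they work on a saved
# response as well as on a live one.

PER_NODE_SHARD_LIMIT="${PER_NODE_SHARD_LIMIT:-1000}"

# Pull one integer field out of a flat JSON object such as _cluster/health.
# Usage: json_int '<json>' <field>
json_int() {
  printf '%s' "$1" | tr -d ' \n' | grep -o "\"$2\":[0-9]*" | head -n 1 | cut -d: -f2
}

# Compare the cluster-wide shard count with the per-node limit times the
# number of data nodes (which is how the limit is enforced). Prints
# "OK <used>/<limit>" or "FULL <used>/<limit>"; once FULL, the next daily
# wazuh-alerts-* index cannot be created and nothing new gets indexed.
shard_budget() {
  health="$1"
  nodes=$(json_int "$health" number_of_data_nodes)
  used=$(json_int "$health" active_shards)
  if [ -z "$nodes" ] || [ -z "$used" ]; then
    echo "UNKNOWN (could not parse _cluster/health)"
    return 1
  fi
  limit=$((nodes * PER_NODE_SHARD_LIMIT))
  if [ "$used" -ge "$limit" ]; then
    printf 'FULL %s/%s\n' "$used" "$limit"
  else
    printf 'OK %s/%s\n' "$used" "$limit"
  fi
}

# Given one index name per line (output of _cat/indices?h=index), print the
# Wazuh index families that have no index. wazuh-archives-* only exists when
# archives are enabled on the manager, so it being listed is not by itself
# a problem.
missing_families() {
  names="$1"
  for fam in wazuh-alerts wazuh-archives wazuh-monitoring wazuh-statistics; do
    printf '%s\n' "$names" | grep -q "^${fam}-" || echo "$fam"
  done
}

# Live run against the indexer (only when invoked as: ./triage.sh live).
run_live() {
  url="${INDEXER_URL:-https://localhost:9200}"
  auth="${INDEXER_USER:-admin}:${INDEXER_PASS:?set INDEXER_PASS}"
  health=$(curl -sS -k -u "$auth" "$url/_cluster/health") || return 1
  names=$(curl -sS -k -u "$auth" "$url/_cat/indices/wazuh-*?h=index") || return 1
  echo "shard budget: $(shard_budget "$health")"
  echo "index families with no index:"
  missing_families "$names"
  # On the manager, the Filebeat side of the same path is checked with:
  #   filebeat test output
}

# Constructed sample mirroring the situation in the thread: one data node,
# shard budget exhausted, monitoring and statistics present, alerts absent.
SAMPLE_HEALTH='{"cluster_name":"wazuh-cluster","status":"green","number_of_nodes":1,
  "number_of_data_nodes":1,"active_primary_shards":1000,"active_shards":1000,
  "unassigned_shards":0,"active_shards_percent_as_number":100.0}'
SAMPLE_INDICES=$(printf 'wazuh-monitoring-2024.07w\nwazuh-statistics-2024.7w\n.kibana_1\ntest-manual')

if [ "${1:-}" = "live" ]; then
  run_live
else
  echo "shard budget (sample): $(shard_budget "$SAMPLE_HEALTH")"
  echo "missing families (sample):"
  missing_families "$SAMPLE_INDICES"
fi
```

Run it with no arguments to see the constructed sample, or with `live` to query your indexer. One caveat when reading the result: wazuh-monitoring-* and wazuh-statistics-* are written by the Wazuh dashboard plugin directly through the indexer API, not by Filebeat, so their continuing to grow does not exercise the Filebeat-to-indexer path that the "context deadline exceeded" error is about; only wazuh-alerts-* and wazuh-archives-* travel through Filebeat.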

Prathamesh Chavan

Feb 20, 2024, 7:47:44 AM
to Luis Daniel Avendaño Larios, Wazuh | Mailing List
Hi Luis,
I checked the connectivity. It seems fine, but I am unable to get logs only for alerts; the rest is fine. Attaching the screenshots. Also, index patterns are not getting created for alerts, and alert logs are present inside the manager and worker; the agents are also providing alert logs.
Screenshot 2024-02-20 at 15.57.44.png
Screenshot 2024-02-20 at 15.57.27.png
Screenshot 2024-02-20 at 15.51.38.png