Re: empty wazuh-alerts-*


hasitha.u...@wazuh.com

Mar 6, 2026, 4:23:10 AM (10 days ago)
to Wazuh | Mailing List
Hi Gerald,

It is because the alerts template was not installed correctly.
/etc/filebeat/wazuh-template.json

You can also manually add the index by running the following command:
curl https://raw.githubusercontent.com/wazuh/wazuh/v4.9.2/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT "https://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u <user>:<password> -k

Replace 4.9.2 with your current version. You can check the version by running this command: /var/ossec/bin/wazuh-control info
Replace <user>:<password> with the admin user and password.

Please take a look at this link: https://documentation.wazuh.com/current/user-manual/elasticsearch/troubleshooting.html#no-template-found-for-the-selected-index-pattern

Hope this will help.

Let me know the update on this.
On Friday, March 6, 2026 at 2:26:09 PM UTC+5:30 Gerald muchuku wrote:
Hi Team,
I had an issue with wazuh-dashboard where it was failing with the following error

● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2026-03-05 12:38:47 UTC; 1min 16s ago
   Main PID: 141315 (node)
      Tasks: 11 (limit: 18685)
     Memory: 190.2M
        CPU: 13.374s
     CGroup: /system.slice/wazuh-dashboard.service
             └─141315 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist

Mar 05 12:39:40 WazuhMSS opensearch-dashboards[141315]: {"type":"log","@timestamp":"2026-03-05T12:39:40Z","tags":["error","opensearch","data"],"pid":141315,"message":"[ResponseError]: Response Error"}
Mar 05 12:39:42 WazuhMSS opensearch-dashboards[141315]: {"type":"log","@timestamp":"2026-03-05T12:39:42Z","tags":["error","opensearch","data"],"pid":141315,"message":"[ResponseError]: Response Error"}
Mar 05 12:39:45 WazuhMSS opensearch-dashboards[141315]: {"type":"log","@timestamp":"2026-03-05T12:39:45Z","tags":["error","opensearch","data"],"pid":141315,"message":"[ResponseError]: Response Error"}
Mar 05 12:39:47 WazuhMSS opensearch-dashboards[141315]: {"type":"log","@timestamp":"2026-03-05T12:39:47Z","tags":["error","opensearch","data"],"pid":141315,"message":"[ResponseError]: Response Error"}
Mar 05 12:39:50 WazuhMSS opensearch-dashboards[141315]: {"type":"log","@timestamp":"2026-03-05T12:39:50Z","tags":["error","opensearch","data"],"pid":141315,"message":"[ResponseError]: Response Error"}
Mar 05 12:39:52 WazuhMSS opensearch-dashboards[141315]: {"type":"log","@timestamp":"2026-03-05T12:39:52Z","tags":["error","opensearch","data"],"pid":141315,"message":"[ResponseError]: Response Error"}
Mar 05 12:39:55 WazuhMSS opensearch-dashboards[141315]: {"type":"log","@timestamp":"2026-03-05T12:39:55Z","tags":["error","opensearch","data"],"pid":141315,"message":"[ResponseError]: Response Error"}
Mar 05 12:39:57 WazuhMSS opensearch-dashboards[141315]: {"type":"log","@timestamp":"2026-03-05T12:39:57Z","tags":["error","opensearch","data"],"pid":141315,"message":"[ResponseError]: Response Error"}
Mar 05 12:40:00 WazuhMSS opensearch-dashboards[141315]: {"type":"log","@timestamp":"2026-03-05T12:40:00Z","tags":["error","opensearch","data"],"pid":141315,"message":"[ResponseError]: Response Error"}
Mar 05 12:40:02 WazuhMSS opensearch-dashboards[141315]: {"type":"log","@timestamp":"2026-03-05T12:40:02Z","tags":["error","opensearch","data"],"pid":141315,"message":"[ResponseError]: Response Error"}


I fixed the dashboard by doing the following:
run the wazuh initialization script using: sudo /usr/share/wazuh-indexer/bin/indexer-security-init.sh
see image mg1
By doing this, I lost all the existing user credentials but wazuh dashboard was not accessible

However, after accessing the dashboard now, I got an error saying no template found for the selected index. See image mg2
 
The services are running fine except for the dashboard with an error. See image mg3 and mg4

Upon accessing the dashboard on the discover tab, the wazuh-alerts-* index is empty but the wazuh-monitoring-* and wazuh-statistics-* are receiving alerts. see image mg5 and mg6

When I ran: sudo tail -n 100 /var/ossec/logs/alerts/alerts.json I can confirm that alerts are being created in realtime. How can I resolve this?


hasitha.u...@wazuh.com

Mar 10, 2026, 2:51:42 AM (6 days ago)
to Wazuh | Mailing List

Hi Gerald,

Check if the wazuh-alerts-* indices are present. In the Wazuh dashboard, go to Index/Indexer Management > Dev Tools and run the following request:

GET /_cat/indices/wazuh-alerts-*


Further check filebeat is up and running:  systemctl status filebeat
If it's not up and running, please restart the filebeat service and check the status again if it's still failing.

If it's up and running, then share this command output to check the connection between the indexer and filebeat.
filebeat test output

Also, share the filebeat logs to check further.
cat /var/log/filebeat/filebeat | grep -i -E "error|warn"

Additionally, please share this command output to check if filebeat is reading this file.
lsof /var/ossec/logs/alerts/alerts.json 

Let me know the update on this to check further.

On Monday, March 9, 2026 at 2:41:20 PM UTC+5:30 Gerald muchuku wrote:
Thank you for the feedback
I manually added a new wazuh-template using the instructions you provided and it was successful

Now I am facing the following error: check image mg7
[Alerts index pattern] Index pattern fields for title [wazuh-alerts-*], id [wazuh-alerts-*] could not be refreshed due to: No matching indices found: No indices match pattern "wazuh-alerts-*". This could be an indicator of some problem in the generation, not running server service or configuration to ingest of alerts data.


The wazuh alerts are still empty, but wazuh monitoring, wazuh-statistics and wazuh-states-vulnerabilities have alerts. check images mg5, mg6 and mg8

Gerald muchuku

Mar 10, 2026, 5:01:41 AM (6 days ago)
to Wazuh | Mailing List
Hi Hasitha,
I have checked all that you have recommended
Filebeat is up and running with no error

Here are the results:

Check if the wazuh-alerts-* indices are present
see image mg9

Further check filebeat is up and running:  systemctl status filebeat
see image mg10

If it's up and running, then share this command output to check the connection between the indexer and filebeat.
filebeat test output
see image mg11

Also, share the filebeat logs to check further.

cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
see image mg12


Additionally, please share this command output to check if filebeat is reading this file.
lsof /var/ossec/logs/alerts/alerts.json 
see image mg13

Regards,

hasitha.u...@wazuh.com

Mar 11, 2026, 12:47:55 AM (5 days ago)
to Wazuh | Mailing List
Hi Gerald,

The issue is not alert generation on the Wazuh manager. Your screenshots show:

  • filebeat service is running

  • /var/ossec/logs/alerts/alerts.json is being written.

  • But filebeat test output fails before it can publish to 127.0.0.1:9200

So the real problem is ingestion from Filebeat into the indexer, which is why wazuh-alerts-* does not exist yet. Wazuh stores alerts in the wazuh-alerts-* index pattern, so if that pattern has no backing indices, the dashboard cannot refresh it.
Ref: https://documentation.wazuh.com/current/user-manual/wazuh-dashboard/troubleshooting.html

The key clue is this error from your screenshot:

could not connect to a compatible version of Elasticsearch
Invalid index name [_license], must not start with '_'

That usually points to a Filebeat / backend compatibility problem. In a healthy Wazuh setup, filebeat test output should end with talk to server... OK and report version 7.10.2. Wazuh’s docs also state that Wazuh central components must stay version-aligned, and that Wazuh indexer 4.14.3 is specifically compatible with Filebeat-OSS 7.10.2.

Please let me know the version of Wazuh you are using:
apt list --installed | grep wazuh  
rpm -qa wazuh

Verify the Filebeat version on the Wazuh server and share the update:
filebeat version

If this is not 7.10.2, or if it is a newer Elastic Filebeat build, that is very likely the cause. OpenSearch documents that Beats newer than 7.12.x are not supported for direct ingestion, and compatibility with OpenSearch 1.x/2.x requires the version-override setting.
Ref: https://docs.opensearch.org/latest/tools/

For a Wazuh native deployment, use the Wazuh-supported Filebeat package/config, not a random newer Beats package. Wazuh’s installation guide has Filebeat configured from its own package flow and prebuilt config/template.

On the indexer node listening on 9200, check: grep -n "compatibility.override_main_response_version" /etc/wazuh-indexer/opensearch.yml
It should be: compatibility.override_main_response_version: true

Wazuh’s server installation guide says to use its preconfigured filebeat.yml, set the indexer hosts, create the Filebeat keystore, download the Wazuh template, and install the Wazuh Filebeat module.

Use the documented config files:

curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.14/tpl/wazuh/filebeat/filebeat.yml
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.14.3/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json

Then confirm in /etc/filebeat/filebeat.yml that output.elasticsearch points to the correct Wazuh indexer host, for example:

output.elasticsearch:
  hosts: ["127.0.0.1:9200"]
  protocol: https
  username: ${username}
  password: ${password}

And recreate the keystore if needed:

filebeat keystore create
echo admin | filebeat keystore add username --stdin --force
echo 'YOUR_PASSWORD' | filebeat keystore add password --stdin --force

Also, verify the cert paths in filebeat.yml match the files in /etc/filebeat/certs/. Wazuh’s guide requires those certificates for the indexer connection.

Restart the ingestion path
After fixing version/config:
systemctl restart wazuh-indexer
systemctl restart filebeat
systemctl restart wazuh-manager

Then test again:

filebeat test output

You can follow these steps from this documentation and make sure to select the version from the top right corner to have relevant document according to your Wazuh version.

Let me know if you need further assistance on this.

Gerald muchuku

Mar 11, 2026, 7:42:14 AM (5 days ago)
to Wazuh | Mailing List
Hi Hasitha,

Thank you for your continued support

The wazuh version I am using is: 4.10.1 see image mg14

The filebeat version I am using is:  version 8.19.6 see image mg15

After performing this check: grep -n "compatibility.override_main_response_version" /etc/wazuh-indexer/opensearch.yml
I got the response: compatibility.override_main_response_version: true 
see image mg16

Here is my current filebeat.yml file configuration: see image mg17
And the filebeat certs are in the correct location: see image mg18

 I have a question. If the current filebeat version is incompatible with opensearch, will I need to remove the existing version and install a new filebeat version? If yes, will doing this break the existing wazuh pipeline or is there a way it can be done securely?

hasitha.u...@wazuh.com

Mar 14, 2026, 10:56:42 AM (2 days ago)
to Wazuh | Mailing List
Hi Gerald,

I can see that your filebeat version is 8.19.6. The filebeat version should be 7.10.2.

Therefore, first check whether any filebeat repo added to the sources list might install the newer version of filebeat.
cat /etc/apt/sources.list
cat /etc/apt/sources.list.d/*.list


If anything is there related to filebeat please remove it and follow below steps to install supported filebeat version.

Then take the backup from the filebeat.yml file: cp /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.bkp

Also take a backup of the existing certificates used by filebeat: cp /etc/filebeat/certs/* /home

Remove the filebeat from the server: apt-get remove --purge filebeat -y

Follow this section according to your environment (APT/RPM/DNF): this section assists you in adding the correct repo according to the documentation.

Follow this part to install the filebeat service.

Download the preconfigured Filebeat configuration file.
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.10/tpl/wazuh/filebeat/filebeat.yml

Edit the /etc/filebeat/filebeat.yml configuration file according to the backup /etc/filebeat/filebeat.yml.bkp file you took.

Make sure to change the indexer IP according to the previous config.
For example:
output.elasticsearch:
  hosts: ["127.0.0.1:9200"]

Further check that the certificates are correctly added in the file (make sure to re-add the certificates you backed up):
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs

  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
  ssl.key: "/etc/filebeat/certs/filebeat-key.pem"

Create a Filebeat keystore to securely store authentication credentials.
filebeat keystore create

Add the default username and password admin:<adminPassword> to the secrets keystore.
echo admin | filebeat keystore add username --stdin --force
echo <adminpassword> | filebeat keystore add password --stdin --force

Download the alerts template for the Wazuh indexer.
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.10.3/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json


Install the Wazuh module for Filebeat.
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module

Ref: https://documentation.wazuh.com/4.10/installation-guide/wazuh-server/step-by-step.html#adding-the-wazuh-repository


Let me know the update on this.
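The three things the diagnosis and the reinstall steps above hinge on (Filebeat at 7.10.2, compatibility.override_main_response_version enabled on the indexer, and an https output block whose certificate paths actually exist) can be verified in one go before restarting the ingestion path. The script below is an added example, not from this thread or from Wazuh: it assumes the "filebeat version X.Y.Z (arch), ..." output format, builds its own sample filebeat.yml and opensearch.yml in a temp directory (with the client key deliberately missing) and, on a real server, would be pointed at /etc/filebeat/filebeat.yml, /etc/wazuh-indexer/opensearch.yml and the real filebeat version output.

```shell
#!/bin/sh
# Added example (not from the thread or from Wazuh): pre-flight checks for the
# Filebeat -> Wazuh indexer path. Sample configs are constructed in a temp dir so
# it runs offline; on a server use /etc/filebeat/filebeat.yml and /etc/wazuh-indexer/opensearch.yml.
EXPECTED_FILEBEAT="7.10.2"   # Filebeat-OSS version Wazuh pairs with its indexer

# Pass the text printed by 'filebeat version' (assumed "filebeat version X.Y.Z (arch), ...").
check_filebeat_version() {
  case "$1" in
    "filebeat version $EXPECTED_FILEBEAT "*) return 0 ;;
    *) return 1 ;;
  esac
}
# Indexer must advertise a 7.10.2-compatible version, otherwise 'filebeat test output' fails.
check_override() {
  grep -Eq '^[[:space:]]*compatibility\.override_main_response_version:[[:space:]]*true' "$1"
}
# output.elasticsearch present, https enforced, every referenced .pem readable on disk.
check_filebeat_yml() {
  cfg="$1"; rc=0
  grep -q '^output\.elasticsearch:' "$cfg" || { echo "no output.elasticsearch block"; rc=1; }
  grep -Eq '^[[:space:]]*protocol:[[:space:]]*https' "$cfg" || { echo "protocol is not https"; rc=1; }
  for f in $(grep -oE '/[^"[:space:]]+\.pem' "$cfg"); do
    [ -r "$f" ] || { echo "missing or unreadable cert: $f"; rc=1; }
  done
  return $rc
}
# Constructed fixture; the client key is left out on purpose. Prints the directory.
make_fixture() {
  d=$(mktemp -d); mkdir -p "$d/certs"
  touch "$d/certs/root-ca.pem" "$d/certs/filebeat.pem"
  cat > "$d/filebeat.yml" <<EOF
output.elasticsearch:
  hosts: ["127.0.0.1:9200"]
  protocol: https
  ssl.certificate_authorities:
    - $d/certs/root-ca.pem
  ssl.certificate: "$d/certs/filebeat.pem"
  ssl.key: "$d/certs/filebeat-key.pem"
EOF
  printf 'compatibility.override_main_response_version: true\n' > "$d/opensearch.yml"
  echo "$d"
}

# Stand-alone run on the fixture, using the Filebeat version reported in the thread.
DEMO=$(make_fixture)
check_filebeat_version "filebeat version 8.19.6 (amd64), libbeat 8.19.6" || echo "filebeat is not $EXPECTED_FILEBEAT; reinstall the Wazuh-supported package"
check_override "$DEMO/opensearch.yml" || echo "override_main_response_version is not true"
check_filebeat_yml "$DEMO/filebeat.yml" || echo "fix filebeat.yml before restarting filebeat"
```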

Gerald muchuku

3:08 AM (6 hours ago)
to hasitha.u...@wazuh.com, Wazuh | Mailing List
Hi Hasitha,

I managed to remove the existing filebeat and re-installed the correct version, and it worked.

Thank you for your assistance.
