Check alerts index pattern
959 views
Skip to first unread message
Enekupe Lelevaga
Oct 3, 2022, 6:53:36 PM10/3/22
to Wazuh mailing list
Hi Team,
This error comes on when logging into Wazuh. Please need assistance
Jesus Linares
Oct 4, 2022, 1:46:49 AM10/4/22
to Wazuh mailing list
Hello,
It looks like the interface is getting a timeout while executing this check: https://github.com/wazuh/wazuh-kibana-app/blob/master/public/components/health-check/services/check-index-pattern/check-template.service.ts#L27.
Please, review the indexer templates:
Get the templates:
- curl -k -u <user>:<pass> https://localhost:9200/_cat/templates?pretty
- curl -k -u <user>:<pass> https://localhost:9200/_template/<name>
Also, from the Wazuh dashboard, go to the index pattern setting. How many fields do you have for the wazuh-alerts index pattern?
Is this a fresh installation or Wazuh was working properly before this error?
I hope it helps.
Enekupe Lelevaga
Oct 4, 2022, 10:13:50 PM10/4/22
to Jesus Linares, Wazuh mailing list
Hi Jesus,
not a fresh installation.
Both commands given didn't work, for the <user>:<pass>? What should I put in here? Root username and password or dashboard login details?
Thanks
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/8d220281-8205-4975-8e61-0f9ac5e210a4n%40googlegroups.com.
Jesus Linares
Oct 5, 2022, 1:45:48 AM10/5/22
to Wazuh mailing list
Hello,
If it is not a fresh installation, we assume that was working properly before the error, so it is not a "deployment issue".
Since it is a timeout, probably there a performance/configuration issue in your indexer (wazuh-indexer, elasticsearch or opensearch). For that reason, I would like to do the following checks:
1. Checking the indexer
- Get list of templates: curl -k -u <user>:<pass> https://localhost:9200/_cat/templates?pretty
- Get template: curl -k -u <user>:<pass> https://localhost:9200/_template/<name>
- Review the indexer logs. For example, you could use this command: "cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -vi info"
You can use the credentials that you use for the dashboard login.
Also, you can do the queries from the dashboard. Go to Menu > Management > Dev tools. I attached a screenshot.
2. Checking the index pattern
In the dashboard, go to Menu > Management > Stack management > Index pattern > wazuh-alerts-*. Attached is another screenshot.
How many fields do you have? Is there any warning?
What version of Wazuh are you running?
I hope it helps.
Reply all
Reply to author
Forward
0 new messages