Hello,
Wazuh uses Filebeat to ship its information to the Wazuh Indexer, which is then queried by the Wazuh dashboards service to provide the UI.
Since you are seeing events in the alerts.json file, you may verify whether Filebeat is able to contact the Wazuh Indexer and whether the service is running. For this, please let us know the output of the following commands:
filebeat test output
systemctl status filebeat
If the output test is correct and the service is running, then the issue may be that Elasticsearch is set to read_only_allow_delete. This occurs when disk space usage reaches a watermark level. Can you verify the current usage of disk space? df -h is a good command to do so.
If disk space usage is above 90%, then the disk must be increased or older indices must be deleted.
After there is enough disk space to resume writing into indices, you may run the following API call:
PUT wazuh*/_settings
{
  "index.blocks.read_only_allow_delete": false
}
Please let us know if the issue persists so that we can provide further guidance.
Best Regards,
Juan C. Tello
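
Added example (not part of the reply above, and not Wazuh's own code): a small triage helper that combines the two checks described in the reply, reading `df -h` output and the body of `GET wazuh*/_settings` (the read counterpart of the PUT call) to decide whether the block can be cleared yet. The function names, the sample index names, and the data path /var/lib/wazuh-indexer are assumptions; the sample inputs are constructed.

```python
import json

WATERMARK_PCT = 90  # disk-usage threshold given in the reply
# Constructed `df -h` output; devices and mount points are assumptions.
SAMPLE_DF = """\
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1        50G   47G  2.5G  95% /
/dev/sdb1       100G   40G   60G  40% /var/lib/wazuh-indexer
"""
# Constructed body of `GET wazuh*/_settings`; index names are made up.
SAMPLE_SETTINGS = json.dumps({
    "wazuh-alerts-sample-1": {"settings": {"index": {
        "blocks": {"read_only_allow_delete": "true"}}}},
    "wazuh-alerts-sample-2": {"settings": {"index": {}}},
})

def mount_usage(df_text, path):
    """Return (mount, use%) for the filesystem that holds `path`."""
    best = None
    for line in df_text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6 or not fields[4].endswith("%"):
            continue  # wrapped or malformed row
        mount, pct = fields[5], int(fields[4].rstrip("%"))
        # Longest mount point that is a path prefix wins ("/" matches all).
        if (path.rstrip("/") + "/").startswith(mount.rstrip("/") + "/"):
            if best is None or len(mount) > len(best[0]):
                best = (mount, pct)
    return best

def blocked_indices(settings_body):
    """Names of indices whose read_only_allow_delete block is set."""
    names = []
    for name, body in json.loads(settings_body).items():
        blocks = body.get("settings", {}).get("index", {}).get("blocks", {})
        # Setting values come back as strings ("true"), not booleans.
        if str(blocks.get("read_only_allow_delete", "false")).lower() == "true":
            names.append(name)
    return sorted(names)

def triage(df_text, settings_body, data_path):
    """Decide the next step: nothing blocked, free space, or clear the block."""
    blocked = blocked_indices(settings_body)
    if not blocked:
        return "no-block", blocked
    usage = mount_usage(df_text, data_path)
    if usage is None or usage[1] > WATERMARK_PCT:
        return "free-disk-first", blocked
    return "clear-block", blocked
```

A result of "no-block" means the read-only setting is not the cause and the Filebeat checks are the place to look; "free-disk-first" is also returned when the data path cannot be matched to any mount in the df output.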