Wazuh Server do not collect logs
Ali Bajaj
Dear Wazuh Support Team,
I hope you are doing well.
I am writing to report an issue with my Wazuh server. For approximately the past week, the system has stopped collecting logs.
I have verified that all core services are up and running without any apparent issues, including:
- Wazuh Manager
- Indexer
- Dashboard
- Filebeat
Despite this, no new logs are being ingested or displayed in the dashboard.
Additionally, I ran the following command on the server:
sudo tail -f /var/ossec/logs/archives/archives.logAfter running this command, I was able to see logs being generated in real time via the CLI.
This suggests that logs are still being produced on the system, but they are not being forwarded or indexed correctly.
Could you please assist me in identifying the cause of this issue and advise on possible troubleshooting steps?
In attach the dashboard without any logs!
If you require any additional information (such as logs, configurations, or system details), I would be happy to provide it.
Thank you for your support.
Md. Nazmur Sakib
Hi Ali,
As you have logs in the /var/ossec/logs/archives/archives.log file. That means your Wazuh manager is working fine and receiving logs. That is a good sign.
So now the issue can be most likely with filebeat or Wazuh indexer.
Filebeat is responsible for sending the logs from the Filebeat to the Wazuh indexer. You can check if Filebeat is properly connected with the Wazuh indexer with this command.
filebeat test output
Share the output of the cluster health. On the web interface, go to
Indexer management > Dev Tools
And run this command.
GET _cluster/health
From the cluster health, we can find the status of the cluster health and if the indexer cluster has reached the maximum shards per node.
Check if you have enough disk space on your indexer node.
df -h
Also, share the logs from the indexer and filebeat log files.
cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
Once I have these information, I will have a better understanding of your problem and I will be able to help you in the right direction to solve your problem.
Ali Bajaj
From what I have seen from the tests it looks that all settings are working correctly.
-*-*-*-*-*-*-*-*-*-*-*--*-*-*-*-*-*-*-*-*-*-*-*-*
filebeat test output ====>
$ sudo filebeat test output
elasticsearch: https://127.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.2
dial up... OK
talk to server... OK
version: 7.10.2
-*-*-*-*-*-*-*-*-*-*-*--*-*-*-*-*-*-*-*-*-*-*-*-*
Indexer management > Dev Tools
GET _cluster/health ===>
{
"cluster_name": "wazuh-cluster",
"status": "yellow",
"timed_out": false,
"number_of_nodes": 1,
"number_of_data_nodes": 1,
"discovered_master": true,
"discovered_cluster_manager": true,
"active_primary_shards": 934,
"active_shards": 934,
"relocating_shards": 0,
"initializing_shards": 0,
"unassigned_shards": 12,
"delayed_unassigned_shards": 0,
"number_of_pending_tasks": 0,
"number_of_in_flight_fetch": 0,
"task_max_waiting_in_queue_millis": 0,
"active_shards_percent_as_number": 98.73150105708245
}
-*-*-*-*-*-*-*-*-*-*-*--*-*-*-*-*-*-*-*-*-*-*-*-*
df -h ======>
]$ sudo df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 4.0M 0 4.0M 0% /dev
tmpfs 4.8G 888K 4.8G 1% /dev/shm
tmpfs 1.9G 8.6M 1.9G 1% /run
/dev/sda1 1.0T 77G 948G 8% /
tmpfs 4.8G 1.2M 4.8G 1% /tmp
/dev/sda128 10M 1.3M 8.7M 13% /boot/efi
tmpfs 967M 8.0K 967M 1% /run/user/1000
-*-*-*-*-*-*-*-*-*-*-*--*-*-*-*-*-*-*-*-*-*-*-*-*
cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn" ====>
[2026-04-07T08:34:57,042][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:sendMessage:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:34:57,042][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:YIVhgpoBauyjGvvEcRMQ:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:34:57,043][WARN ][o.o.n.a.PluginBaseAction ] [node-1] notifications:OpenSearchStatusException:
org.opensearch.OpenSearchStatusException: {"event_status_list": [{"config_id":"aYVkgpoBauyjGvvEiBP0","config_type":"email","config_name":"Channel Alert ","email_recipient_status":[{"recipient":"vs...@sinteza-al.com","delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}],"delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}]}
[2026-04-07T08:39:57,043][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:sendMessage:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:39:57,043][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:YIVhgpoBauyjGvvEcRMQ:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:39:57,043][WARN ][o.o.n.a.PluginBaseAction ] [node-1] notifications:OpenSearchStatusException:
org.opensearch.OpenSearchStatusException: {"event_status_list": [{"config_id":"aYVkgpoBauyjGvvEiBP0","config_type":"email","config_name":"Channel Alert ","email_recipient_status":[{"recipient":"vs...@sinteza-al.com","delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}],"delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}]}
[2026-04-07T08:44:52,064][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1775543632053 and 1775544232053 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-07T08:44:57,040][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:sendMessage:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:44:57,040][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:YIVhgpoBauyjGvvEcRMQ:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:44:57,041][WARN ][o.o.n.a.PluginBaseAction ] [node-1] notifications:OpenSearchStatusException:
org.opensearch.OpenSearchStatusException: {"event_status_list": [{"config_id":"aYVkgpoBauyjGvvEiBP0","config_type":"email","config_name":"Channel Alert ","email_recipient_status":[{"recipient":"vs...@sinteza-al.com","delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}],"delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}]}
[2026-04-07T08:49:57,056][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:sendMessage:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:49:57,056][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:YIVhgpoBauyjGvvEcRMQ:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:49:57,056][WARN ][o.o.n.a.PluginBaseAction ] [node-1] notifications:OpenSearchStatusException:
org.opensearch.OpenSearchStatusException: {"event_status_list": [{"config_id":"aYVkgpoBauyjGvvEiBP0","config_type":"email","config_name":"Channel Alert ","email_recipient_status":[{"recipient":"vs...@sinteza-al.com","delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}],"delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}]}
[2026-04-07T08:54:52,061][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1775544232052 and 1775544832052 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-07T08:54:57,039][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:sendMessage:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:54:57,039][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:YIVhgpoBauyjGvvEcRMQ:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:54:57,039][WARN ][o.o.n.a.PluginBaseAction ] [node-1] notifications:OpenSearchStatusException:
org.opensearch.OpenSearchStatusException: {"event_status_list": [{"config_id":"aYVkgpoBauyjGvvEiBP0","config_type":"email","config_name":"Channel Alert ","email_recipient_status":[{"recipient":"vs...@sinteza-al.com","delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}],"delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}]}
[2026-04-07T08:59:57,113][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:sendMessage:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:59:57,113][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:YIVhgpoBauyjGvvEcRMQ:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:59:57,113][WARN ][o.o.n.a.PluginBaseAction ] [node-1] notifications:OpenSearchStatusException:
org.opensearch.OpenSearchStatusException: {"event_status_list": [{"config_id":"aYVkgpoBauyjGvvEiBP0","config_type":"email","config_name":"Channel Alert ","email_recipient_status":[{"recipient":"vs...@sinteza-al.com","delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}],"delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}]}
[2026-04-07T09:04:52,059][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1775544832052 and 1775545432052 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-07T09:04:57,038][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:sendMessage:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T09:04:57,039][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:YIVhgpoBauyjGvvEcRMQ:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T09:04:57,039][WARN ][o.o.n.a.PluginBaseAction ] [node-1] notifications:OpenSearchStatusException:
org.opensearch.OpenSearchStatusException: {"event_status_list": [{"config_id":"aYVkgpoBauyjGvvEiBP0","config_type":"email","config_name":"Channel Alert ","email_recipient_status":[{"recipient":"vs...@sinteza-al.com","delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}],"delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}]}
[2026-04-07T09:09:57,048][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:sendMessage:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T09:09:57,048][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:YIVhgpoBauyjGvvEcRMQ:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T09:09:57,048][WARN ][o.o.n.a.PluginBaseAction ] [node-1] notifications:OpenSearchStatusException:
org.opensearch.OpenSearchStatusException: {"event_status_list": [{"config_id":"aYVkgpoBauyjGvvEiBP0","config_type":"email","config_name":"Channel Alert ","email_recipient_status":[{"recipient":"vs...@sinteza-al.com","delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}],"delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}]}
[2026-04-07T09:14:52,092][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1775545432052 and 1775546032052 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-07T09:14:57,039][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:sendMessage:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T09:14:57,040][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:YIVhgpoBauyjGvvEcRMQ:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T09:14:57,040][WARN ][o.o.n.a.PluginBaseAction ] [node-1] notifications:OpenSearchStatusException:
org.opensearch.OpenSearchStatusException: {"event_status_list": [{"config_id":"aYVkgpoBauyjGvvEiBP0","config_type":"email","config_name":"Channel Alert ","email_recipient_status":[{"recipient":"vs...@sinteza-al.com","delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}],"delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}]}
--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/fc303c9e-5c88-4340-8543-1695dffa3dc9n%40googlegroups.com.
Md. Nazmur Sakib
I can see you have a total of (934 + 12) = 946 shards. So no problem with the shards limit per node. The maximum shards per indexer node is, by default, 1000.
Also, you have enough disk space left. So no issue with the Storage as well.
I do not see any relevant error in the logs of the indexer. I can only see logs related to the notification channel configuration(mail). This should not be the cause of not getting logs in the dashboard.
I can see there are some logs like this
Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1775543632053 and 1775544232053 for uAaOWJoBMBQt2Gz7RYhO
Start 1775543632053 April 8, 2026, 09:13:52
End 1775544232053 April 8, 2026, 09:23:52
Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1775544832052 and 1775545432052 for uAaOWJoBMBQt2Gz7RYhO
Start 1775543632053 April 8, 2026, 09:13:52
End 1775544232053 April 8, 2026, 09:23:52
Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1775544832052 and 1775545432052 for uAaOWJoBMBQt2Gz7RYhO
Start 1775544832052 April 8, 2026, 09:33:52
End 1775545432052 April 8, 2026, 09:43:52
Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1775545432052 and 1775546032052 for uAaOWJoBMBQt2Gz7RYhO
Start 1775545432052 April 8, 2026, 09:43:52
End 1775546032052 April 8, 2026, 09:53:52
This indicates that the indexer did not receive and log in between that time.
I know you have already mentioned that you can see the logs in the archive.json file.
Just to confirm, can you check if you have logs in the alerts.json file?
tail /var/ossec/logs/alerts/alerts.json
If you have alerts, check if you have the recent indices.
go to
And run this command.
If you do not see indices for yesterday or today,
Try to restart the indexer and filebeat service and share the
sudo journalctl -u wazuh-indexer --no-pager
Also, share the full indexer log.
sudo cat /var/log/wazuh-indexer/wazuh-cluster.log
Check the filebeat logs
sudo cat /var/log/filebeat/filebeat* | grep -i -E "error|warn"
Also, check if filebeat is listening to alerts.json file.
Try to produce a Wazuh alert and run this command.
sudo lsof /var/ossec/logs/alerts/alerts.json
I will look forward to your update.
Ali Bajaj
Hello Nazmur,
I hope you are doing well.
Thank you for your email.
Regarding the logs related to the notification channel configuration (mail) is a cron that I have created no problem .
Below, I am sharing the results of the commands for your review:
tail /var/ossec/logs/alerts/alerts.json
→ No result with this command.On Dev Tools, after running:
GET /_cat/indices/wazuh-alerts-4.x-2026.04.*
→ Output:green open wazuh-alerts-4.x-2026.04.01 8fIYWp_USNy8npgSQMtfww 3 0 232270 0 75.3mb 75.3mb green open wazuh-alerts-4.x-2026.04.02 seMRHqqcQwma3NfBEUj4dw 3 0 54350 0 25.5mb 25.5mbAfter running:
sudo journalctl -u wazuh-indexer --no-pager
→ The result is attached in the file named 1.txt.
After running:
sudo cat /var/log/wazuh-indexer/wazuh-cluster.log
→ The result is attached in the file named 2.txt.After running:
sudo cat /var/log/filebeat/filebeat* | grep -i -E "error|warn"
→ No result from this command.
After running:
sudo lsof /var/ossec/logs/alerts/alerts.json
→ Output:COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME wazuh-ana 3789 wazuh 13w REG 8,1 0 369104854 /var/ossec/logs/alerts/alerts.json
Please let me know if you need any additional information or further checks from my side.
Thank you for your support.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/c498f965-d70e-4a9e-aceb-23118a596c06n%40googlegroups.com.
Md. Nazmur Sakib
tail /var/ossec/logs/alerts/alerts.json
That means the Wazuh manager is not able to generate alerts.
Restart the Wazuh manager
sudo systemctl restart wazuh-manager
Now check the status of the Wazuh manager.
sudo systemctl status wazuh-manager
Also, check the ossec.log of the Wazuh manager.
sudo cat /var/ossec/logs/ossec.log | grep -iE "error|warn"
Ali Bajaj
Thank you in advance.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/4b4a63c0-246b-456a-8ca6-b96cd8e18a7fn%40googlegroups.com.
Ali Bajaj
Md. Nazmur Sakib
From your OSSEC log, I can see some issues with the vulnerability configuration, but that should not stop the alerts from triggering.
I can see from your archive indices that you have alerts with different levels.
Go to the ossec.conf of your Wazuh manager.
Check the <log_alert_level>
<alerts>
<log_alert_level>3</log_alert_level>
—----
Make sure the level is set to a lower like 3. log_alert_level sets the minimum severity level for alerts that will be stored to alerts.log and/or alerts.json.
And restart the Wazuh Manager.
sudo systemctl restart wazuh-manager
If the issue still persists, also share the ossec.conf with me so that I can also review it from my end.
Ali Bajaj
To view this discussion visit https://groups.google.com/d/msgid/wazuh/448e2c07-1693-4e03-88f9-4bbcc1b836een%40googlegroups.com.