Issue with Wazuh Dashboard


Obay Abadi

Jan 30, 2023, 2:46:41 AM
to Wazuh mailing list
Hey guys,

I have had an issue for 2 days now: alerts don't show up on the console; it says "There are no results for selected time range. Try another one."

Can you guide me to fix the issue?
I am attaching my cluster health results.


Regards,

cluster health.png

Federico Gustavo Galland

Jan 30, 2023, 5:24:22 AM
to Wazuh mailing list
Hi There!

Firstly and on an unrelated note, your shard count is very high, so we will probably need to perform some cleaning after we solve the ingestion issue.

Now, since the usual data flow goes:

Data sources -> Wazuh Manager -> Filebeat -> Wazuh Indexer

It is a good idea to check whether your services are up and running:

systemctl status {wazuh-manager,filebeat,wazuh-indexer}

It is also important to check out available disk space, since the Wazuh-Indexer won't run properly on low disk scenarios:

df -ha /

Another relevant bit to check out is the last modification date of the alerts file within the Wazuh Server:

ls -l /var/ossec/logs/alerts/alerts.json

This should be fairly recent if the wazuh-manager service was running properly.

Please attach the output of the aforementioned commands in a reply to this thread so we can help you get to the bottom of this.


Regards,
Federico
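The three checks above (service state, disk usage, age of alerts.json), wrapped in shell functions so a script or a cron job can act on the result. This is an added example, not a script from the thread or from Wazuh; the thresholds, the default file path and the unit names accepted for the indexer are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the thread: Federico's ingestion checks as functions.
# Paths and thresholds are assumptions; override them through the environment.
ALERTS_FILE="${ALERTS_FILE:-/var/ossec/logs/alerts/alerts.json}"
MAX_ALERT_AGE="${MAX_ALERT_AGE:-900}"   # seconds without a new alert before we worry
MAX_DISK_PCT="${MAX_DISK_PCT:-85}"      # used-space threshold on the indexer's filesystem
INDEXER_UNITS="${INDEXER_UNITS:-wazuh-indexer elasticsearch}"  # whichever is installed

# 0 if systemd reports the unit active, non-zero otherwise (a missing unit counts as down).
service_is_active() {
    systemctl is-active --quiet "$1" 2>/dev/null
}

# Percentage of used space on the filesystem holding $1, printed without the % sign.
disk_used_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Seconds since $1 was last modified; -1 when the file does not exist.
file_age_seconds() {
    if [ ! -f "$1" ]; then
        echo -1
        return 0
    fi
    now=$(date +%s)
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
    echo $((now - mtime))
}

# Run every check, print one line per check, return 1 if any of them failed.
check_pipeline() {
    rc=0
    for unit in wazuh-manager filebeat; do
        if service_is_active "$unit"; then echo "ok    $unit is active"
        else echo "FAIL  $unit is not active"; rc=1; fi
    done
    found=0
    for unit in $INDEXER_UNITS; do
        service_is_active "$unit" && { echo "ok    $unit is active"; found=1; }
    done
    [ "$found" -eq 1 ] || { echo "FAIL  no indexer unit active ($INDEXER_UNITS)"; rc=1; }

    pct=$(disk_used_pct /)
    if [ "$pct" -le "$MAX_DISK_PCT" ]; then echo "ok    / is ${pct}% used"
    else echo "FAIL  / is ${pct}% used (limit ${MAX_DISK_PCT}%)"; rc=1; fi

    age=$(file_age_seconds "$ALERTS_FILE")
    if [ "$age" -lt 0 ]; then echo "FAIL  $ALERTS_FILE is missing"; rc=1
    elif [ "$age" -le "$MAX_ALERT_AGE" ]; then echo "ok    $ALERTS_FILE written ${age}s ago"
    else echo "FAIL  $ALERTS_FILE last written ${age}s ago; is wazuh-manager producing alerts?"; rc=1; fi
    return $rc
}

# Run the checks when executed as check_wazuh_ingest.sh; sourcing the file only defines the functions.
case "${0##*/}" in
    check_wazuh_ingest.sh) check_pipeline; exit $? ;;
esac
```

Save it as check_wazuh_ingest.sh on the Wazuh server and run it with sh; a non-zero exit status tells you which stage of Data sources -> Wazuh Manager -> Filebeat -> Indexer to look at first, which is the same triage order as the commands above.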

Obay Abadi

Jan 30, 2023, 6:57:55 AM
to Wazuh mailing list
Hi Federico,

Kindly find the requested command results attached.

For the status: wazuh-manager and filebeat are running normally, but wazuh-indexer isn't in my services.
For disk space, I didn't even reach 50%.
For alerts.json, the alerts are coming in normally to alerts.json and alerts.log.

I did some research in the Wazuh mailing list for similar issues, and I think the problem is the number of shards and how to tune it.

Looking forward to your reply.

Obay
alerts.png
status wazuh-manager.png
status filebeat.png
filebeat test output.png
status wazuh-indexer.png

Federico Gustavo Galland

Jan 30, 2023, 7:28:36 AM
to Obay Abadi, Wazuh mailing list
Obay,

If you are not using the Wazuh Indexer, maybe you are still working with opendistro for elasticsearch or maybe with ELK?

Let's try with the following command:

systemctl status elasticsearch

As you point out, this could be a shard issue, but it's always a good idea to check that everything is working before fiddling with elastic.

Regards,
Federico


Obay Abadi

Jan 30, 2023, 6:36:24 PM
to Federico Gustavo Galland, Wazuh mailing list
Thank you Federico for your dedication,

Attached is the status of elasticsearch on my Wazuh manager.

Obay
status elk.png

Federico Gustavo Galland

Jan 31, 2023, 5:34:29 AM
to Obay Abadi, Wazuh mailing list
Hi Obay,

Even if the number of shards is high, I'm surprised filebeat is not being able to index new data, since the cluster status is still yellow.

You can try setting the number of replicas of your wazuh indices to 0:

PUT /wazuh-alerts-*/_settings {

    "index" : {
        "number_of_replicas" : 0
    }

}

PUT /wazuh-monitoring*/_settings {

    "index" : {
        "number_of_replicas" : 0
    }

}

PUT /wazuh-statistics*/_settings {

    "index" : {
        "number_of_replicas" : 0
    }

}

PUT /security-auditlog-*/_settings {

    "index" : {
        "number_of_replicas" : 0
    }

}


You can also set up an index policy to delete older unneeded indices:


{
  "id": "Delete indices older than 90 days",
  "seqNo": 116,
  "primaryTerm": 1,
  "policy": {
    "policy_id": "Delete indices older than 90 days",
    "description": "Delete indices older than 90 days",
    "last_updated_time": 1668616741941,
    "schema_version": 12,
    "error_notification": null,
    "default_state": "hot",
    "states": [
      {
        "name": "hot",
        "actions": [],
        "transitions": [
          {
            "state_name": "delete",
            "conditions": {
              "min_index_age": "90d"
            }
          }
        ]
      },
      {
        "name": "delete",
        "actions": [
          {
            "delete": {}
          }
        ],
        "transitions": []
      }
    ],
    "ism_template": [
      {
        "index_patterns": [
          "wazuh-alerts*"
        ],
        "priority": 100,
        "last_updated_time": 1668616741941
      }
    ]
  }
}


After you apply these you need to allow some time (probably a few hours) for the shard count to lower.

Let me know how it turns out.

Regards,
Federico

Obay Abadi

Jan 31, 2023, 6:48:45 AM
to Federico Gustavo Galland, Wazuh mailing list
Hi Federico,

Both are not working.
I tried setting the number of replicas of your wazuh indices using the Dev Tools, but it gave me a syntax error.
And the same when I tried to create an index policy.


Federico Gustavo Galland

Jan 31, 2023, 6:58:58 AM
to Obay Abadi, Wazuh mailing list
Can you share the errors it's giving you?

Obay Abadi

Jan 31, 2023, 7:09:38 AM
to Federico Gustavo Galland, Wazuh mailing list
Here you go, attached snaps.
Wazuh set replica.png
index policy.png

Federico Gustavo Galland

Feb 1, 2023, 5:33:01 AM
to Obay Abadi, Wazuh mailing list
Hi Obay,

Actually you need to put the json payload object below the API endpoint:

PUT /wazuh-alerts-*/_settings

{

    "index" : {
        "number_of_replicas" : 0
    }

}


Regarding the Index Policy, I copied one I have running in my env. You do seem to need to remove a few fields from the exported JSON for some reason. You can try again with the JSON below:

{
   "policy": {
        "default_state": "hot",
        "description": "test",

        "states": [
            {
                "name": "hot",
                "actions": [],
                "transitions": [
                    {
                        "state_name": "delete",
                        "conditions": {
                            "min_index_age": "90d"
                        }
                    }
                ]
            },
            {
                "name": "delete",
                "actions": [
                    {
                        "delete": {}
                    }
                ],
                "transitions": []
            }
        ],
        "ism_template": [
            {
                "index_patterns": [
                    "wazuh-alerts*"
                ],
                "priority": 200,
                "last_updated_time": 1668616741941
            }
        ]
    }
}


Let me know if it works.

Regards,
Federico
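The two fixes in this message and the earlier replica-count message, as an added Python example that is not code from the thread, from Wazuh or from OpenSearch: the request line in the Dev Tools console holds only the method and path, the JSON body starts on the line below, and a policy copied from a GET has to lose the export-only fields before it can be submitted again. The example expresses the replica and retention requests as data, parses console text under that rule (so the one-line form that produced the syntax error is rejected), and strips from the exported policy exactly the keys that the later, working policy no longer carries. The function names are this example's own, and leaving `last_updated_time` for the server to set is an assumption.

```python
"""Added example (not code from the thread, Wazuh or OpenSearch): the replica
and retention requests from this thread as data, a parser that applies the
Dev Tools console rule Federico describes (request line, JSON body below it),
and a helper that strips from an exported ISM policy the fields his working
version dropped.  Function names are this example's own."""
import json

# Index patterns whose replica count the thread sets to 0
WAZUH_PATTERNS = ["wazuh-alerts-*", "wazuh-monitoring*",
                  "wazuh-statistics*", "security-auditlog-*"]

# Keys present inside "policy" in the exported version but absent from the
# later, working one (the top-level id/seqNo/primaryTerm go with them).
EXPORT_ONLY_POLICY_KEYS = ("policy_id", "last_updated_time",
                           "schema_version", "error_notification")

# The policy export from the thread, as it came out of the GET
EXPORTED_POLICY = {
    "id": "Delete indices older than 90 days", "seqNo": 116, "primaryTerm": 1,
    "policy": {
        "policy_id": "Delete indices older than 90 days",
        "description": "Delete indices older than 90 days",
        "last_updated_time": 1668616741941, "schema_version": 12,
        "error_notification": None, "default_state": "hot",
        "states": [
            {"name": "hot", "actions": [],
             "transitions": [{"state_name": "delete",
                              "conditions": {"min_index_age": "90d"}}]},
            {"name": "delete", "actions": [{"delete": {}}], "transitions": []},
        ],
        "ism_template": [{"index_patterns": ["wazuh-alerts*"], "priority": 100,
                          "last_updated_time": 1668616741941}],
    },
}


def parse_console_request(text):
    """Split Dev Tools console text into (method, path, body).

    The first non-blank line may carry only METHOD and PATH; the JSON body
    starts on the next line.  A stray "{" on the request line, or a body that
    is not valid JSON, raises ValueError (the console shows a syntax error).
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty request")
    parts = lines[0].split()
    if len(parts) != 2:
        raise ValueError(f"request line must be 'METHOD /path', got {lines[0]!r}")
    method, path = parts
    body_text = "\n".join(lines[1:])
    try:
        body = json.loads(body_text) if body_text else None
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not valid JSON: {exc}") from exc
    return method.upper(), path, body


def console_request(method, path, body=None):
    """Render a request in the layout the console accepts: body below the path."""
    text = f"{method} {path}"
    if body is not None:
        text += "\n" + json.dumps(body, indent=2)
    return text


def replica_requests(patterns=WAZUH_PATTERNS, replicas=0):
    """One PUT _settings request per index pattern, as (method, path, body)."""
    return [("PUT", f"/{p}/_settings", {"index": {"number_of_replicas": replicas}})
            for p in patterns]


def retention_policy(min_index_age="90d", index_patterns=("wazuh-alerts*",),
                     priority=200, description="delete old Wazuh indices"):
    """Two-state ISM policy body: hot -> delete once an index reaches min_index_age.

    Built with only the keys the working policy in the thread carries;
    last_updated_time is left for the server to fill in (assumption).
    """
    return {"policy": {
        "description": description,
        "default_state": "hot",
        "states": [
            {"name": "hot", "actions": [],
             "transitions": [{"state_name": "delete",
                              "conditions": {"min_index_age": min_index_age}}]},
            {"name": "delete", "actions": [{"delete": {}}], "transitions": []},
        ],
        "ism_template": [{"index_patterns": list(index_patterns),
                          "priority": priority}],
    }}


def reusable_policy(exported):
    """Reduce a policy export to the shape that can be submitted again."""
    policy = exported.get("policy")
    if not isinstance(policy, dict):
        raise ValueError("export has no 'policy' object")
    return {"policy": {k: v for k, v in policy.items()
                       if k not in EXPORT_ONLY_POLICY_KEYS}}


if __name__ == "__main__":
    for req in replica_requests():
        print(console_request(*req), end="\n\n")
    print(json.dumps(reusable_policy(EXPORTED_POLICY), indent=2))
```

Running the file prints the four replica requests in the layout the console accepts and the cleaned-up policy; pasting either into Dev Tools is then a copy rather than a hand edit, which is where the stray brace came from in the first place.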

Obay Abadi

Feb 2, 2023, 2:00:40 AM
to Federico Gustavo Galland, Wazuh mailing list
Hi Federico,

I got "acknowledged" : true from applying the setting on the number of replicas (see attached).
But I still can't create an index policy with the JSON you provided.

And still the Wazuh dashboard doesn't show anything.


Obay
replica set 0.png

Federico Gustavo Galland

Feb 2, 2023, 4:24:02 AM
to Obay Abadi, Wazuh mailing list
Obay,

Can you share the error you get when trying to create the policy?

Regards,
Federico