Re: empty wazuh-alerts-*
hasitha.u...@wazuh.com
/etc/filebeat/wazuh-template.json
curl https://raw.githubusercontent.com/wazuh/wazuh/v4.9.2/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT "https://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u <user>:<password> -k
Replace 4.9.2 with your current version. You can check the version by running this command: /var/ossec/bin/wazuh-control info
Replace <user>:<password> with the admin user and password.
Please take a look at this link: https://documentation.wazuh.com/current/user-manual/elasticsearch/troubleshooting.html#no-template-found-for-the-selected-index-pattern
Hope this will help.
Let me know the update on this.
Hi Team,I had an issue with wazuh-dashboard where it was failing with the following error● wazuh-dashboard.service - wazuh-dashboard Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2026-03-05 12:38:47 UTC; 1min 16s ago Main PID: 141315 (node) Tasks: 11 (limit: 18685) Memory: 190.2M CPU: 13.374s CGroup: /system.slice/wazuh-dashboard.service └─141315 /usr/share/wazuh-dashboard/node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/src/cli/dist Mar 05 12:39:40 WazuhMSS opensearch-dashboards[141315]: {"type":"log","@timestamp":"2026-03-05T12:39:40Z","tags":["error","opensearch","data"],"pid":141315,"message":"[ResponseError]: Response Error"} Mar 05 12:39:42 WazuhMSS opensearch-dashboards[141315]: {"type":"log","@timestamp":"2026-03-05T12:39:42Z","tags":["error","opensearch","data"],"pid":141315,"message":"[ResponseError]: Response Error"} Mar 05 12:39:45 WazuhMSS opensearch-dashboards[141315]: {"type":"log","@timestamp":"2026-03-05T12:39:45Z","tags":["error","opensearch","data"],"pid":141315,"message":"[ResponseError]: Response Error"} Mar 05 12:39:47 WazuhMSS opensearch-dashboards[141315]: {"type":"log","@timestamp":"2026-03-05T12:39:47Z","tags":["error","opensearch","data"],"pid":141315,"message":"[ResponseError]: Response Error"} Mar 05 12:39:50 WazuhMSS opensearch-dashboards[141315]: {"type":"log","@timestamp":"2026-03-05T12:39:50Z","tags":["error","opensearch","data"],"pid":141315,"message":"[ResponseError]: Response Error"} Mar 05 12:39:52 WazuhMSS opensearch-dashboards[141315]: {"type":"log","@timestamp":"2026-03-05T12:39:52Z","tags":["error","opensearch","data"],"pid":141315,"message":"[ResponseError]: Response Error"} Mar 05 12:39:55 WazuhMSS opensearch-dashboards[141315]: {"type":"log","@timestamp":"2026-03-05T12:39:55Z","tags":["error","opensearch","data"],"pid":141315,"message":"[ResponseError]: Response Error"} Mar 05 12:39:57 WazuhMSS opensearch-dashboards[141315]: {"type":"log","@timestamp":"2026-03-05T12:39:57Z","tags":["error","opensearch","data"],"pid":141315,"message":"[ResponseError]: Response Error"} Mar 05 12:40:00 WazuhMSS opensearch-dashboards[141315]: {"type":"log","@timestamp":"2026-03-05T12:40:00Z","tags":["error","opensearch","data"],"pid":141315,"message":"[ResponseError]: Response Error"} Mar 05 12:40:02 WazuhMSS opensearch-dashboards[141315]: {"type":"log","@timestamp":"2026-03-05T12:40:02Z","tags":["error","opensearch","data"],"pid":141315,"message":"[ResponseError]: Response Error"}
I fixed the dashboard by doing the following:
run the wazuh inititalization script using: sudo /usr/share/wazuh-indexer/bin/indexer-security-init.sh
see image, mg1By doing this, I lost all the existing user credentials but wazuh dashboard was not accessibleHowever, after accessing the dashboard now. I got an error saying no template found for the selected index. See image mg2The services are running fine except for the dashboard with an error. See image mg3 and mg4Upon accessing the dashboard on the discover tab, the wazuh-alerts-* index is empty but the wazuh-monitoring-* and wazuh-statistics-* are receiving alerts. see image mg5 and mg6
When I ran: sudo tail -n 100 /var/ossec/logs/alerts/alerts.json I can confirm that alerts are being created in realtime How can I resolve this.
hasitha.u...@wazuh.com
Hi Gerald,
Check if the wazuh-alerts-* indices are present. In the Wazuh dashboard, go to Index/Indexer Management > Dev Tools and run the following request:
Further check filebeat is up and running: systemctl status filebeat
If it's not up and running, please restart the filebeat service and check the status again if it's still failing.
If it's up and running, then share this command output to check the connection between the indexer and filebeat.
filebeat test output
Also, share the filebeat logs to check further.
cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
Additionally, please share this command output to check if the filbeat is reading this file.
lsof /var/ossec/logs/alerts/alerts.json
Let me know the update on this to check further.
Thank you for the feedback
I manually added a new wazuh-template using the instructions you provided and it was successful
Now I am facing the following error: check image mg7
[Alerts index pattern] Index pattern fields for title [wazuh-alerts-*], id [wazuh-alerts-*] could not be refreshed due to: No matching indices found: No indices match pattern "wazuh-alerts-*". This could be an indicator of some problem in the generation, not running server service or configuration to ingest of alerts data.
The wazuh alerts are still empty, but wazuh monitoring, wazuh-statistics and wazuh-states-vulnerabilities have alerts. check images mg5, mg6 and mg8
Gerald muchuku
I have checked all that you have recommended
Filebeat is up and running with no error
Here are the results:
Check if the wazuh-alerts-* indices are present
Further check filebeat is up and running: systemctl status filebeat
If it's up and running, then share this command output to check the connection between the indexer and filebeat.
see image mg11
Also, share the filebeat logs to check further.
cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
Additionally, please share this command output to check if the filbeat is reading this file.
lsof /var/ossec/logs/alerts/alerts.json
Regards,
hasitha.u...@wazuh.com
The issue is not alert generation on the Wazuh manager. Your screenshots show:
-
filebeat service is running
-
/var/ossec/logs/alerts/alerts.json is being written.
-
But filebeat test output fails before it can publish to 127.0.0.1:9200
So the real problem is ingestion from Filebeat into the indexer, which is why wazuh-alerts-* does not exist yet. Wazuh stores alerts in the wazuh-alerts-* index pattern, so if that pattern has no backing indices, the dashboard cannot refresh it.
Ref: https://documentation.wazuh.com/current/user-manual/wazuh-dashboard/troubleshooting.html
The key clue is this error from your screenshot:
Invalid index name [_license], must not start with '_'
That usually points to a Filebeat / backend compatibility problem. In a healthy Wazuh setup, filebeat test output should end with talk to server... OK and report version 7.10.2. Wazuh’s docs also state that Wazuh central components must stay version-aligned, and that Wazuh indexer 4.14.3 is specifically compatible with Filebeat-OSS 7.10.2.
Please let me know the version of Wazuh you are using:
apt list --installed | grep wazuh
rpm -qa wazuh
Verify the Filebeat version on the Wazuh server and share the update:
filebeat version
If this is not 7.10.2, or if it is a newer Elastic Filebeat build, that is very likely the cause. OpenSearch documents that Beats newer than 7.12.x are not supported for direct ingestion, and compatibility with OpenSearch 1.x/2.x requires the version-override setting.
Ref: https://docs.opensearch.org/latest/tools/
For a Wazuh native deployment, use the Wazuh-supported Filebeat package/config, not a random newer Beats package. Wazuh’s installation guide has Filebeat configured from its own package flow and prebuilt config/template.
On the indexer node listening on 9200, check: grep -n "compatibility.override_main_response_version" /etc/wazuh-indexer/opensearch.yml
It should be: compatibility.override_main_response_version: true
Wazuh’s server installation guide says to use its preconfigured filebeat.yml, set the indexer hosts, create the Filebeat keystore, download the Wazuh template, and install the Wazuh Filebeat module.
Use the documented config files:
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.14.3/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
Then confirm in /etc/filebeat/filebeat.yml that output.elasticsearch points to the correct Wazuh indexer host, for example:
- output.elasticsearch:
- protocol: https
- username: ${username}
- password: ${password}
And recreate the keystore if needed:
echo admin | filebeat keystore add username --stdin --force
echo 'YOUR_PASSWORD' | filebeat keystore add password --stdin --force
Also, verify the cert paths in filebeat.yml match the files in /etc/filebeat/certs/. Wazuh’s guide requires those certificates for the indexer connection.
Restart the ingestion path
After fixing version/config:
systemctl restart wazuh-indexer
systemctl restart filebeat
systemctl restart wazuh-manager
Then test again:
You can follow these steps from this documentation and make sure to select the version from the top right corner to have relevant document according to your Wazuh version.
Gerald muchuku
Thank you for your continued support
hasitha.u...@wazuh.com
I can see that your fillebeat version is 8.19.6. filebeat version should be 7.10.2.
Therefore first check any filebeat repo added to the sources list might install the newer version of filebeat.
cat /etc/apt/sources.list
cat /etc/apt/sources.list.d/*.list
If anything is there related to filebeat please remove it and follow below steps to install supported filebeat version.
Then take the backup from the filebeat.yml file: cp /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.bkp
Also take the backup of existing certificate for used in filebeat: cp /etc/filebeat/certs/* /home
Remove the filebeat from the server: apt-get remove --purge filebeat -y
Follow this section according to your enviorment APT/RPM/DNF : This section assist you to add the correct repo according to the documentation.
Follow this part to install the filebeat service.
Download the preconfigured Filebeat configuration file.
curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.10/tpl/wazuh/filebeat/filebeat.yml
Edit the /etc/filebeat/filebeat.yml configuration file according to taking backup /etc/filebeat/filebeat.yml.bkp file.
Make sure to change
Indexer IP according to previous config.
For example:
- output.elasticsearch:
Further check the certificates correctly added in the file (Make sure to re add the certificates you have took the backup.):
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs
- ssl.certificate_authorities:
- - /etc/filebeat/certs/root-ca.pem
- ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
- ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
Create a Filebeat keystore to securely store authentication credentials.
filebeat keystore create
Add the default username and password admin:<adminPassword> to the secrets keystore.
Download the alerts template for the Wazuh indexer.
curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.10.3/extensions/elasticsearch/7.x/wazuh-template.json
chmod go+r /etc/filebeat/wazuh-template.json
Install the Wazuh module for Filebeat.
curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.4.tar.gz | tar -xvz -C /usr/share/filebeat/module
Ref: https://documentation.wazuh.com/4.10/installation-guide/wazuh-server/step-by-step.html#adding-the-wazuh-repository
Let me know the update on this.
Gerald muchuku
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/taagiRU2-lg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/48e16242-db27-40dc-ac34-7c2f86ebd87dn%40googlegroups.com.