wazuh-alerts logs are not saved to the server.


Kudret ÇAĞLAYAN

Mar 29, 2024, 9:10:56 AM
to Wazuh | Mailing List
wazuh-alerts and wazuh-archive logs have not been coming to the server for the last 3 days. All agents appear to be active. Can you help me where should I check?


Kudret ÇAĞLAYAN

Mar 30, 2024, 3:20:07 AM
to Wazuh | Mailing List
To give a little more detail, I have nearly 130 agents in total. Everything was working until 3 days ago. No changes have been made to the system.
wazuh-indexer , wazuh-dashboard and filebeat seem to work properly.
Can someone with experience help with this?

[root@wazuh-server Mar]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
[root@wazuh-server Mar]#


On Friday, 29 March 2024 at 16:10:56 UTC+3, Kudret ÇAĞLAYAN wrote:

Javier Bejar

Apr 1, 2024, 6:55:13 AM
to Wazuh | Mailing List
Hi Kudret

Which version of Wazuh are you using?

Could you please find and share any errors in the log files? You can check the following documentation: https://documentation.wazuh.com/current/user-manual/wazuh-dashboard/troubleshooting.html#none-of-the-above-solutions-are-fixing-my-problem

Also, kind of an obvious question, have you verified that there is space available on the disk?

Regards, Javier.

Kudret ÇAĞLAYAN

Apr 3, 2024, 7:00:48 AM
to Wazuh | Mailing List
Hi Javier,
I deleted the last 2-3 days of wazuh-alerts logs in indices from the index management menu and saw that new data had arrived. I think there is a limit regarding the index. There are approximately 130 agents in my system. I am not experiencing a hardware bottleneck, but I think I will need to restructure the indexer. Can you guide me on this?

On Monday, 1 April 2024 at 13:55:13 UTC+3, Javier Bejar wrote:

Javier Bejar

Apr 8, 2024, 7:25:48 AM
to Wazuh | Mailing List
Hi Kudret, sorry for the late response.

To address the issue of managing Wazuh alert logs and optimizing your indexing structure, you might consider expanding your indexing capacity and refining your sharding strategy. Here's a simplified approach:

Expanding Indexer Capacity:
- Add More Nodes: Increase your cluster's capacity by adding more indexer nodes. This can help distribute the load and accommodate more data.
- Follow the Wazuh installation guide to add new nodes: Wazuh Installation Guide.
- Ensure each new node is properly configured with the necessary keys and settings to join your existing cluster.

Optimizing Index Sharding:
- Adjust Sharding Settings: Fine-tune your index sharding to improve performance and manageability.
- Consult the OpenSearch (or Elasticsearch, if you're using it) documentation for guidance on setting up and optimizing shards: OpenSearch Blog.

Kudret ÇAĞLAYAN

May 11, 2024, 2:54:12 AM
to Wazuh | Mailing List
Hi Javier,
I apologize for the delay this time :)
How can I calculate nodes? Is there any mathematics for this, such as agents, log retention period and number of nodes? Approximately 120 agents work and I need to keep the logs for 2 years.
On Monday, 8 April 2024 at 14:25:48 UTC+3, Javier Bejar wrote:
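The last question (how to turn agents, retention and node count into a number) has an answerable core, and it also bears on Javier's sharding advice above. An indexer cluster is bounded by two budgets: disk, and the per-node shard budget (OpenSearch's cluster.max_shards_per_node, default 1000). Because Wazuh creates one wazuh-alerts-* index per day, the shard count grows with retention regardless of data volume, and with the default template of 3 primary shards per index a single node's budget is consumed by roughly 333 daily indices. The calculator below is an added example, not Wazuh tooling and not code from anyone in the thread; the thread never establishes why ingestion stopped, so treat this as a sizing aid rather than a diagnosis. Every value marked ASSUMPTION (alerts per agent per day, bytes per alert, disk per node) is a placeholder to replace with measurements from your own cluster.

```python
"""Capacity estimate for a Wazuh indexer (OpenSearch) cluster.

Added example, not Wazuh tooling. Computes how many data nodes are needed to
hold N agents' alerts for R days under the two binding limits: disk and the
per-node shard budget (cluster.max_shards_per_node, OpenSearch default 1000).
Values marked ASSUMPTION are placeholders; measure them on your own cluster.
"""
from dataclasses import dataclass
from math import ceil

GIB = 1024 ** 3


@dataclass(frozen=True)
class IndexPlan:
    agents: int
    retention_days: int
    alerts_per_agent_per_day: int      # ASSUMPTION: docs.count of one day's index / agents
    bytes_per_alert: int               # ASSUMPTION: store.size / docs.count of a real index
    shards_per_index: int = 3          # Wazuh's default alerts template: 3 primaries (check yours)
    replicas: int = 0                  # Wazuh's default alerts template: 0 replicas
    indices_per_day: int = 1           # 1 for wazuh-alerts-*; 2 if wazuh-archives-* is kept too
    max_shards_per_node: int = 1000    # OpenSearch default cluster.max_shards_per_node
    usable_disk_per_node: int = 500 * GIB  # ASSUMPTION: data-path capacity of one node
    disk_headroom: float = 0.85        # stay under the default 85% low disk watermark


def daily_primary_bytes(p: IndexPlan) -> int:
    """Primary-shard bytes written per day across all agents."""
    return p.agents * p.alerts_per_agent_per_day * p.bytes_per_alert


def retained_bytes(p: IndexPlan) -> int:
    """Bytes on disk cluster-wide for the whole retention window, replicas included."""
    return daily_primary_bytes(p) * p.retention_days * (1 + p.replicas)


def retained_shards(p: IndexPlan) -> int:
    """Open shards (primary + replica) across the retention window.

    Daily indices mean shard count scales with retention days, not with volume."""
    return p.retention_days * p.indices_per_day * p.shards_per_index * (1 + p.replicas)


def nodes_for_disk(p: IndexPlan) -> int:
    return ceil(retained_bytes(p) / (p.usable_disk_per_node * p.disk_headroom))


def nodes_for_shards(p: IndexPlan) -> int:
    return ceil(retained_shards(p) / p.max_shards_per_node)


def min_data_nodes(p: IndexPlan) -> int:
    """Smallest node count satisfying disk, shard budget and replica placement.

    A replica is never allocated on the same node as its primary, so replicas
    alone require at least replicas + 1 nodes."""
    return max(nodes_for_disk(p), nodes_for_shards(p), p.replicas + 1)


def days_until_shard_budget_full(p: IndexPlan, nodes: int) -> int:
    """Days of daily indices `nodes` nodes can hold before index creation is
    refused for exceeding the cluster-wide shard limit."""
    per_day = p.indices_per_day * p.shards_per_index * (1 + p.replicas)
    return (nodes * p.max_shards_per_node) // per_day


def report(p: IndexPlan) -> str:
    return (
        f"{p.agents} agents, {p.retention_days} days retention: "
        f"{retained_bytes(p) / GIB:.0f} GiB, {retained_shards(p)} shards; "
        f"nodes needed: disk={nodes_for_disk(p)} shards={nodes_for_shards(p)} "
        f"-> {min_data_nodes(p)}; one node's shard budget fills after "
        f"{days_until_shard_budget_full(p, 1)} days"
    )


# Constructed scenario from the thread: ~130 agents, 2 years of retention.
THREAD_PLAN = IndexPlan(
    agents=130,
    retention_days=730,
    alerts_per_agent_per_day=5_000,   # ASSUMPTION
    bytes_per_alert=1_500,            # ASSUMPTION
)

if __name__ == "__main__":
    print(report(THREAD_PLAN))
    # Same data with one primary shard per daily index: the shard budget stops
    # being the binding constraint and disk alone decides the node count.
    print(report(IndexPlan(130, 730, 5_000, 1_500, shards_per_index=1)))
```

With the assumed numbers, 130 agents for 730 days is about 663 GiB but 2190 shards, so the shard budget (3 nodes) rather than disk (2 nodes) sets the node count; dropping the template to 1 primary per daily index brings that down to 2. To replace the assumptions, `GET _cat/indices/wazuh-alerts-*?v&bytes=b` on the indexer gives docs.count and store.size per index, `GET _cluster/health` shows the current active shard count, and `GET _cluster/settings?include_defaults=true` shows the effective max_shards_per_node. Keeping a 2-year window on daily indices is usually done with fewer primaries per index or an ISM rollover/delete policy rather than by adding nodes alone.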