Monitoring Windows resources with Performance Counters - Create Dashboard


David Dutler

Sep 9, 2022, 12:21:54 PM
to Wazuh mailing list
Hi There

I followed the instructions from this blog post:
https://wazuh.com/blog/monitoring-windows-resources-with-performance-counters/ (Thanks for this very helpful post, @Dario Menten)

Everything went fine, and it works so far.
Now I'd like to create a dashboard like it is described in the blog post.

I modified the Wazuh template like it is described in the post.
But because I am a new user of Wazuh, I don't know how to create the dashboard.
In fact, I don't even know how I can check if the changes I made in the Wazuh template "/etc/filebeat/wazuh-template.json" are correct and applied.

So the questions I have:
- Can I check / where can I check, if the data is now stored in "long" data type instead of "string" data type?
- And how do I create the dashboard to show these metrics?

Thanks in advance,
And have a nice weekend,
Best regards
David 

Dario Menten

Sep 9, 2022, 12:42:28 PM
to Wazuh mailing list

Hello David,

I am glad it was helpful for you.

First of all, I would like to share with you some information on how to create Visualizations and Dashboards: https://opster.com/guides/opensearch/opensearch-basics/opensearch-dashboards-visualizations-notebooks-operational/

Answering your questions:

Can I check / where can I check, if the data is now stored in "long" data type instead of "string" data type?

You can check that in Menu > Stack Management > Index Patterns, or you can see it in the Discover section: to the left of the field name there is an icon that represents the data type; if you place the mouse cursor over it, it will tell you the type (if the icon is a # then the type is numerical).

And how do I create the dashboard to show these metrics?

What you need to create is a visualization: you can go to Menu > Visualizations and create the one you need from all the types available.

I hope this information could be helpful for you also.
Kind Regards.


David Dutler

Sep 9, 2022, 5:43:49 PM
to Wazuh mailing list
Hi Dario

First, thanks for your detailed instructions and fast reply, really appreciate that.

When I go to "Stack Management" -> "Index Patterns" I only see the default ones from Wazuh:
- wazuh-alerts-*
- wazuh-monitoring-*
- wazuh-statistics-*

When I go into "wazuh-alerts" and search for "data.winCounter", all entries are of type "string", as you can see in the attachment.
So I think they should be of type "long", not string?

As described in your blog post, I modified the following file: /etc/filebeat/wazuh-template.json and added the lines you mentioned to the data section.
Then I ran the following command: "filebeat setup -index-management".

Response was:
"ILM policy and write alias loading not enabled.
Index setup finished."

Also, thanks for the how-to about the dashboard; I will check that as well.

Best regards
David 
wazuh-alerts.png

David Dutler

Sep 10, 2022, 5:39:14 AM
to Wazuh mailing list
Hi Dario 

Short update:
I was a bit impatient.
When I checked everything again this morning, the following message appeared under "Stack Management" -> "Index Patterns" -> "wazuh-alerts-*":
"2 fields are defined as several types (string, integer, etc) across the indices that match this pattern. You may still be able to use these conflict fields in parts of OpenSearch Dashboards, but they will be unavailable for functions that require OpenSearch Dashboards to know their type. Correcting this issue will require reindexing your data."

So the change worked, after the new "indices" were created by the system.

At the moment I can not use the values because they are in conflict. If I have understood correctly, I have two possibilities:
- Delete the old "indices" (Would be no problem, everything is still running on a test environment).
- Reindex all data

Is this correct, or do you have another tip?

Thanks
Best regards
David 

David Dutler

Sep 10, 2022, 6:15:03 AM
to Wazuh mailing list
Hi Dario 

Me again :)
I deleted all "indices" older than one day and now it works just fine.
Alerts are coming in as before, but now I am able to create dashboards with the numerical values from the fields.

Because of your hint about the "index patterns" I found the information I needed to understand a little bit more, and to solve the "issue".

Thanks again and have a nice weekend. 
Best regards
David 

Dario Menten

Sep 12, 2022, 12:53:57 PM
to Wazuh mailing list

Hello David,
That is because you already have data ingested with the previous types. To bypass this you can either change the mapping of the value (sometimes that is not possible) or reindex the data in Elasticsearch:

Changing the mapping:

PUT /wazuh-alerts-*/_mapping
{
  "properties": {
    "data": {
      "properties": {
        "winCounter": {
           "properties": {
             "CookedValue": {
               "type": "long"
             },
             "RawValue": { 
               "type": "long"
             }
           }
        }
      }
    }
  }
}

If this does not work, please try reindexing the data:

Reindex the data

You need to do this with every index that has the data regarding the win counters. Since the indices are daily, you need to reindex all the indices from the date you started ingesting the win counter data.

Create a new index from the original index

Run the following command

POST _reindex?wait_for_completion=false
{
  "source": {
    "index": "wazuh-alerts-x.y-YYYY.MM.DD"
  },
  "dest": {
    "index": "wazuh-alerts-x.y-YYYY.MM.DD-new"
  }
}

You will get this result:

{
  "task" : "<task_id>"
}

Check the task status:

GET _tasks/<task_id>

Wait for the result to throw this line:

"completed" : true,

Delete the original index

DELETE wazuh-alerts-x.y-YYYY.MM.DD

Check if you receive this result:

{
  "acknowledged" : true
}

Re-create the original index from the newly created index (intermediate)

Run the following command

POST _reindex?wait_for_completion=false
{
  "source": {
    "index": "wazuh-alerts-x.y-YYYY.MM.DD-new"
  },
  "dest": {
    "index": "wazuh-alerts-x.y-YYYY.MM.DD"
  }
}

Check the task status:

GET _tasks/<task_id>

Wait for the result to throw this line:

"completed" : true,

Delete the intermediate index

DELETE wazuh-alerts-x.y-YYYY.MM.DD-new

Check if you receive this result:

{
  "acknowledged" : true
}

Once you do that, all the values on the indices will have the new types, and going to the Index Patterns, you will be able to refresh it and see the new types reflected.

Please let me know if this solves your issues.
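The two questions in this thread (how to verify a field's mapped type without clicking through Index Patterns, and how to run the reindex round trip above safely) can both be scripted against the REST API. The following is an added example written for this thread; it is not code from the thread, from Wazuh or from OpenSearch. It reads the field type from GET <index>/_mapping, then drives the index -> index-new -> index round trip, polling GET _tasks/<task_id> and refusing to delete a source index until the copy reports no failures and the expected document count. The client is injected: FakeOpenSearch is a constructed offline stand-in so the logic runs as-is, and HttpOpenSearch is a minimal urllib client whose URL and credentials are assumptions. The index name and documents are constructed sample values.

```python
# Added example for the thread above (not Wazuh/OpenSearch code).
import base64
import json
import time
import urllib.request


def field_type(mapping_response, index, dotted_path):
    """Mapped type of e.g. "data.winCounter.CookedValue" from a GET <index>/_mapping
    response. "keyword"/"text" are what the thread calls "string"."""
    node = mapping_response[index]["mappings"]
    for part in dotted_path.split("."):
        node = node["properties"][part]
    return node.get("type", "object")


def wait_for_task(client, task_id, poll=1.0):
    """Poll GET _tasks/<task_id> until the status carries "completed": true."""
    while True:
        status = client.request("GET", f"_tasks/{task_id}")
        if status.get("completed"):
            return status
        time.sleep(poll)


def reindex_roundtrip(client, index, poll=1.0):
    """index -> index-new, delete index, index-new -> index, delete index-new.
    The copy back lands in a freshly created index, so the updated template
    (CookedValue/RawValue as long) applies. Returns the number of docs copied."""
    tmp = f"{index}-new"
    copied = None
    for src, dst in ((index, tmp), (tmp, index)):
        task = client.request("POST", "_reindex?wait_for_completion=false",
                              {"source": {"index": src}, "dest": {"index": dst}})["task"]
        result = wait_for_task(client, task, poll)["response"]
        if result.get("failures"):
            raise RuntimeError(f"reindex {src}->{dst} failures: {result['failures']}")
        if copied is not None and result["created"] != copied:
            raise RuntimeError(f"{src}->{dst} copied {result['created']}, expected {copied}")
        copied = result["created"]
        # Delete the source only after the copy has been verified.
        if not client.request("DELETE", src).get("acknowledged"):
            raise RuntimeError(f"DELETE {src} not acknowledged")
    return copied


class HttpOpenSearch:
    """Thin urllib client for a real cluster; URL and basic-auth credentials are assumed."""
    def __init__(self, base_url="https://localhost:9200", user="admin", password="admin"):
        self.base_url = base_url.rstrip("/")
        self.auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

    def request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{self.base_url}/{path}", data=data, method=method,
                                     headers={"Content-Type": "application/json",
                                              "Authorization": self.auth})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)


class FakeOpenSearch:
    """Constructed offline stand-in: newly created indices get the long mapping."""
    TEMPLATE = {"properties": {"data": {"properties": {"winCounter": {"properties": {
        "CookedValue": {"type": "long"}, "RawValue": {"type": "long"}}}}}}}

    def __init__(self, indices):
        self.indices = indices  # name -> {"docs": [...], "mappings": {...}}
        self.tasks = {}

    def request(self, method, path, body=None):
        if method == "POST" and path.startswith("_reindex"):
            src, dst = body["source"]["index"], body["dest"]["index"]
            docs = list(self.indices[src]["docs"])
            self.indices[dst] = {"docs": docs, "mappings": dict(self.TEMPLATE)}
            task_id = f"node:{len(self.tasks) + 1}"
            self.tasks[task_id] = {"completed": True,
                                   "response": {"created": len(docs), "failures": []}}
            return {"task": task_id}
        if method == "GET" and path.startswith("_tasks/"):
            return self.tasks[path.split("/", 1)[1]]
        if method == "GET" and path.endswith("/_mapping"):
            name = path[:-len("/_mapping")]
            return {name: {"mappings": self.indices[name]["mappings"]}}
        if method == "DELETE":
            del self.indices[path]
            return {"acknowledged": True}
        raise ValueError(f"unsupported {method} {path}")


# Constructed sample: one daily index ingested before the template change.
OLD_MAPPING = {"properties": {"data": {"properties": {"winCounter": {"properties": {
    "CookedValue": {"type": "keyword"}, "RawValue": {"type": "keyword"}}}}}}}
SAMPLE_DOCS = [{"data": {"winCounter": {"CookedValue": "42", "RawValue": "42"}}},
               {"data": {"winCounter": {"CookedValue": "7", "RawValue": "7"}}}]


def demo(index="wazuh-alerts-4.x-2022.09.09"):
    client = FakeOpenSearch({index: {"docs": list(SAMPLE_DOCS), "mappings": OLD_MAPPING}})
    before = field_type(client.request("GET", f"{index}/_mapping"), index, "data.winCounter.CookedValue")
    copied = reindex_roundtrip(client, index, poll=0)
    after = field_type(client.request("GET", f"{index}/_mapping"), index, "data.winCounter.CookedValue")
    return before, after, copied, sorted(client.indices)


if __name__ == "__main__":
    print(demo())  # ('keyword', 'long', 2, ['wazuh-alerts-4.x-2022.09.09'])
```

Against a real cluster, pass `HttpOpenSearch(...)` to `reindex_roundtrip` for each daily index and run `filebeat setup --index-management` first, since the round trip only yields long fields if the index created on the copy back picks up the updated template. After all indices are done, refresh the index pattern as the last message says.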
