Wazuh Dashboard Visualize error

50 views
Skip to first unread message

Shady Mohamed

unread,
Mar 11, 2026, 6:45:48 AM (5 days ago) Mar 11
to Wazuh | Mailing List

Hello,

Any visualization in the Wazuh Dashboard fails with:

null_pointer_exception
reducePhase.aggregations is null

Log:

[search_phase_execution_exception]
POST /internal/search/opensearch 400

Environment:

  • Wazuh 4.14.3

  • Wazuh Dashboard 4.14.3

  • Ubuntu 24.04

Tried:

  • Recreating index patterns

  • Clearing dashboard cache

  • Restarting dashboard

  • Downgrading version

Still the same error.

Screenshot_2.jpg

rodrigo....@wazuh.com

unread,
Mar 11, 2026, 7:09:28 AM (5 days ago) Mar 11
to Wazuh | Mailing List
Hello!

In order for me to diagnose this further could you please send me your manager log at /var/ossec/logs/ossec.log and also the indexer log at /var/log/wazuh-indexer/wazuh-cluster.log?

Could you also please share with me the output of this query on the indexer:
curl -k -u admin:admin https://<YOUR_INDEXER_IP_ADDRESS>:9200/wazuh-alerts-*/_mapping?pretty

Finally do you know of any changes in the setup that may have triggered the issue? For example did it start after a version upgrade?

Thanks!

Shady Mohamed

unread,
Mar 12, 2026, 7:19:48 AM (4 days ago) Mar 12
to Wazuh | Mailing List

Hello,

Thank you for your response.

Please find attached the requested files:

  • Manager log (ossec.log)

  • Indexer log (wazuh-cluster.log)

  • Output of the mapping query for wazuh-alerts-*

  • Cluster health

The files are included in the attached archive.

Please let me know if you need any additional information.

Thank you.

wazuh-support-logs.tar.gz

rodrigo....@wazuh.com

unread,
Mar 12, 2026, 9:33:09 AM (4 days ago) Mar 12
to Wazuh | Mailing List
Hello! 

I believe there may have been a mistake while creating the compressed folder, because it contains no files inside.

Could you please also include dashboard log file just in case there may be some useful information in there as well.

You can see the dashboard logs with:
sudo journalctl -u wazuh-dashboard

Thanks!

Shady Mohamed

unread,
Mar 12, 2026, 10:15:53 AM (4 days ago) Mar 12
to Wazuh | Mailing List

Hello,

Thank you for your response.

I have recreated the archive and attached the requested files:

  • Manager log (/var/ossec/logs/ossec.log)

  • Indexer log (/var/log/wazuh-indexer/wazuh-cluster.log)

  • Dashboard log (journalctl -u wazuh-dashboard)

  • Mapping output for wazuh-alerts-*

  • Cluster health

 Also, please note that I recently changed the Wazuh server IP address, and the issue started occurring after this change.  

Please let me know if you need any additional information.

Thank you.

wazuh-support-logs.tar.gz

rodrigo....@wazuh.com

unread,
Mar 13, 2026, 12:24:24 PM (3 days ago) Mar 13
to Wazuh | Mailing List
The logs seem to point at a ERR_SSL_TLSV1_ALERT_UNKNOWN_CA error.

Since you mentioned to me that you changed the IP of the Wazuh Server and it seems the logs suggest certificate issue, Could you please try regenerating the Dashboard's certificates?

Here is the documentation: https://documentation.wazuh.com/current/installation-guide/wazuh-dashboard/step-by-step.html#deploying-certificates
Reply all
Reply to author
Forward
0 new messages