Slow indexing

DIWAHAR RAHAWID

May 21, 2026, 6:26:22 AM
to Wazuh | Mailing List
Hi Team, 

In one of my Wazuh servers, I have configured two Palo Alto firewalls using rsyslog. Recently I am facing an issue with delayed indexing, like 2 to 6 hours; I am not able to see the logs in real time.

Do I need to tweak the OpenSearch or Filebeat configurations?

Regards
Diwahar

musbau....@wazuh.com

May 21, 2026, 7:28:35 AM
to Wazuh | Mailing List
Hi,

Before we can pinpoint the exact cause of the 2-6 hour log delay, we need to clarify whether this is an ingestion delay or a timestamp display issue. Please run `tail -f /var/ossec/logs/alerts/alerts.json` and check if alerts are appearing in real time in that file. Also, when you view a log on the Wazuh dashboard, compare the `@timestamp` field against the actual event time shown in the `full_log` field. If they differ by exactly 2–6 hours, the issue could be a timezone mismatch between your Palo Alto firewall and the Wazuh server rather than a pipeline delay. Did this issue start suddenly, or has it gradually worsened over time?

A few more details that can help: kindly check server resource stats (run `df -h` to check disk usage) and the output of `journalctl -u filebeat -n 100 --no-pager` to see if Filebeat is reporting any errors or backlogs. If the timestamps do match but logs are arriving late, the issue could be related to resource pressure, log volume from the two Palo Alto firewalls, or a pipeline bottleneck.
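The timestamp comparison suggested in the reply above can be scripted over lines from `alerts.json`. This is an added example, not part of the thread and not Wazuh's own code. It assumes the firewall writes its time into `full_log` as `YYYY/MM/DD HH:MM:SS` without a zone and that the alert time is in the `timestamp` (or `@timestamp`) field; the sample lines and the `jitter` threshold are constructed.

```python
import json
import re
from datetime import datetime, timezone
from statistics import median

# Assumption: the firewall time inside full_log looks like "2026/05/21 03:26:20" (no zone).
EVENT_TIME = re.compile(r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")

def offsets_seconds(lines):
    """Seconds between each alert's timestamp and the time embedded in its full_log."""
    offsets = []
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. a line still being written while the file is read
        stamp = alert.get("@timestamp") or alert.get("timestamp")
        match = EVENT_TIME.search(alert.get("full_log", ""))
        if not stamp or not match:
            continue
        seen = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%f%z")
        event = datetime.strptime(match.group(), "%Y/%m/%d %H:%M:%S")
        # Read the zone-less firewall time as UTC so a fixed zone offset shows up as-is.
        offsets.append((seen - event.replace(tzinfo=timezone.utc)).total_seconds())
    return offsets

def classify(offsets, jitter=120):
    """Label a batch of offsets; jitter is the tolerated variation in seconds."""
    if not offsets:
        return "no comparable timestamps"
    if max(abs(o) for o in offsets) <= jitter:
        return "real time"
    mid, spread = median(offsets), max(offsets) - min(offsets)
    # Zone offsets are multiples of 15 minutes and identical for every event.
    if spread <= jitter and abs(mid - 900 * round(mid / 900)) <= jitter:
        return "timezone mismatch"
    return "pipeline delay"

def sample_alert(stamp, event):  # constructed sample line with only the fields the check reads
    return json.dumps({"timestamp": stamp, "full_log": f"1,{event},PLACEHOLDER,TRAFFIC,end"})
FIXED_OFFSET = [sample_alert("2026-05-21T06:26:22.123+0000", "2026/05/21 03:26:20"),
                sample_alert("2026-05-21T06:27:10.456+0000", "2026/05/21 03:27:09"),
                sample_alert("2026-05-21T06:28:01.789+0000", "2026/05/21 03:28:00")]
VARYING_LAG = [sample_alert("2026-05-21T06:26:22.123+0000", "2026/05/21 02:10:05"),
               sample_alert("2026-05-21T06:27:10.456+0000", "2026/05/21 03:40:00"),
               sample_alert("2026-05-21T06:28:01.789+0000", "2026/05/21 00:31:44")]
if __name__ == "__main__":
    for name, sample in (("fixed offset", FIXED_OFFSET), ("varying lag", VARYING_LAG)):
        print(name, "->", classify(offsets_seconds(sample)))
```

A constant offset on a 15-minute boundary is reported as a timezone mismatch; offsets that vary from event to event are reported as a pipeline delay.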