All in one deployment: No template found for the selected index-pattern "wazuh-alerts-*"


Alex Cardona

May 8, 2024, 4:05:19 AM
to Wazuh | Mailing List
Hi, 

I have been trying to figure out where I am going wrong. I am doing the all-in-one deployment and when I first log in for the health check the first alert I get is the 


"[Alerts index pattern] No template found for the selected index-pattern title [wazuh-alerts-*]"

I have done this same deployment on VMs locally with no issue but when trying to install it recently I ran into this issue.  I checked the "filebeat test output" and I get this message: 

"talk to server... ERROR connection marked as failed because the onConnect callback failed: Filebeat requires the default distribution of Elasticsearch. Please update to the default distribution of Elasticsearch for full access to all free features, or switch to the OSS distribution of Filebeat."

In my previous times doing this deployment I have not had issues, but it is important to mention that the host where I am doing this deployment and getting the error used to have Elasticsearch installed on it, so I am not sure if this could be the issue as well?

How would I resolve this error? At the moment no logs come in for wazuh-alerts-* and I keep getting that failed missing index-pattern. 

Stuti Gupta

May 15, 2024, 10:51:57 PM
to Wazuh | Mailing List
Hi team!
Please allow me some time. I'm looking into this query and will update you with an appropriate answer.

Stuti Gupta

May 16, 2024, 2:22:10 AM
to Wazuh | Mailing List
Hi Alex Cardona

It appears that the issue might be related to remnants of the previous Elasticsearch installation causing conflicts or misconfigurations. Before proceeding with the new Wazuh All-in-one installation, ensure that all remnants of the previous Elasticsearch installation, including configuration files and data directories, are completely removed.

You can follow the steps outlined in the Wazuh documentation for uninstalling the Elastic Stack to thoroughly clean up any leftover files and configurations:
Uninstall Elastic Stack

Additionally, it seems there might be a version mismatch between Filebeat and Elasticsearch, with Filebeat trying to connect to the previous Elasticsearch installation instead of the Wazuh indexer. If your Filebeat is the X-Pack (non-OSS) version and your Elasticsearch is OSS, this could cause compatibility issues.
I recommend that you follow the wazuh-indexer installation guide provided in the Wazuh documentation, and the Wazuh server installation guide from the documentation as well, keeping both installations on the same version to avoid incompatibility issues.

After ensuring that all remnants of the previous Elasticsearch installation are removed and resolving any version mismatches between Filebeat and wazuh-indexer, restart your Wazuh services and verify if the issues with the alerts index pattern and filebeat connectivity are resolved.

In case you still get the error "[Alerts index pattern] No template found for the selected index-pattern title [wazuh-alerts-*]",
you can also manually add the index by running the following command:
curl https://raw.githubusercontent.com/wazuh/wazuh/v4.7.4/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT "https://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u <user>:<password> -k    

If that still causes an error, then please check the Filebeat and Wazuh indexer service status using the command: systemctl status wazuh-indexer. Please also share the output of cat /var/log/wazuh-indexer/wazuh-cluster.log and cat /var/log/filebeat/filebeat


Please take a look at this link: https://documentation.wazuh.com/current/user-manual/elasticsearch/troubleshooting.html#no-template-found-for-the-selected-index-pattern

Hope this will help,
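Added example, not part of the thread or of Wazuh's own tooling: a shell triage over captured output for the three checks the reply above walks through (the Filebeat distribution error, what is answering on port 9200, and whether the wazuh template exists). The function names, result labels and sample texts are constructed for illustration, and the tagline/build_flavor interpretation and the `<root-ca.pem>` placeholder are assumptions.

```shell
#!/bin/sh
# Added example. Inputs are captured text; on a live host they come from:
#   filebeat test output
#   curl -s --cacert <root-ca.pem> -u <user>:<password> https://localhost:9200/
#   curl -s --cacert <root-ca.pem> -u <user>:<password> https://localhost:9200/_template/wazuh

filebeat_state() {   # $1: text printed by `filebeat test output`
    case "$1" in
        *"requires the default distribution of Elasticsearch"*) echo mismatch ;;
        *"talk to server... OK"*) echo ok ;;
        *) echo unknown ;;
    esac
}

backend_kind() {     # $1: JSON body returned by GET / on port 9200
    # Assumption: an OpenSearch-based node (such as the Wazuh indexer) names
    # OpenSearch in its tagline; Elasticsearch 7.x reports "build_flavor".
    body=$(printf '%s' "$1" | tr -d '\n')
    if printf '%s' "$body" | grep -q 'OpenSearch'; then echo opensearch
    elif printf '%s' "$body" | grep -Eq '"build_flavor"[[:space:]]*:[[:space:]]*"(oss|default)"'; then echo elasticsearch
    else echo unknown
    fi
}

template_state() {   # $1: JSON body returned by GET /_template/wazuh
    if printf '%s' "$1" | tr -d '\n' | grep -Eq '"index_patterns"[^]]*"wazuh-alerts-'; then
        echo present
    else
        echo missing   # an empty object {} means no such template
    fi
}

triage() {           # $1 filebeat text, $2 root body, $3 template body
    be=$(backend_kind "$2")
    if [ "$(filebeat_state "$1")" = mismatch ]; then echo "filebeat-build-mismatch:$be"
    elif [ "$be" = elasticsearch ]; then echo "leftover-elasticsearch"
    elif [ "$(template_state "$3")" = missing ]; then echo "template-missing"
    else echo "no-finding"
    fi
}

# Constructed samples (not real captures from the poster's host).
SAMPLE_FB='elasticsearch: https://127.0.0.1:9200...
  talk to server... ERROR connection marked as failed because the onConnect callback failed: Filebeat requires the default distribution of Elasticsearch.'
SAMPLE_ROOT='{"name":"node-1","version":{"number":"7.10.2"},"tagline":"The OpenSearch Project: https://opensearch.org/"}'
SAMPLE_TEMPLATE_OK='{"wazuh":{"index_patterns":["wazuh-alerts-4.x-*"]}}'

triage "$SAMPLE_FB" "$SAMPLE_ROOT" '{}'        # prints filebeat-build-mismatch:opensearch
```

The checks run in the order the reply suggests fixing things: a Filebeat build mismatch or a leftover Elasticsearch node is reported before the missing template, since loading the template does not help while Filebeat cannot connect.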