Error Pattern Handler

[Iman Mikhael]

Hello again,

My Wazuh was running just fine after I added a rule in local_rules.xml and after a few minutes I received this error (in the image attached). I suspect that this has something to do with the API configuration. 

Thanks.

[Jose Luis Carreras Marin]

Hello imanmikhael0908,

Let's analyze this error in depth. Can you describe me what kind of installation you have used?
It would also be good to see the rule that you say caused the problem.

It seems that you are not being able to create the index pattern needed, it could be for multiple reasons, some ideas that might help:

• Lack of user role or some permissions. Example: Post
• Some cache problem (You can try to enter with the incognito mode of the browser).
  
• The command "filebeat test output" could give some clue. To make sure filebeat is correctly installed and configured.
  

All the relevant information you can show will be of great help to find the reason for this error. I hope I can help you.
Best regards, Jose

[Iman Mikhael]

Hi Jose,

I used the OVA installation and installed in inside my VMware. The rule that I configured right before the error occurred is: https://wazuh.com/blog/detecting-log4shell-with-wazuh/ . However, it could be the cache problem because I used the same browser to access another wazuh which I already deleted.

Regards, Iman

[Iman Mikhael]

Hi Jose,

Screenshot 1 shows the output of 'filebeat test output' when the error has occured. Then, I restarted the wazuh-server and I was able to accesss the dashboard (as usual) and screenshot 2 is the output of 'filebeat test output' when it is ok.

[Iman Mikhael]

Hi again,

After a while of working fine, it broke down again and this time I received an internal server error.

[Iman Mikhael]

Hi once again, one more trend that I noticed is this error will also occur right after I turned on both of my agents machine which is Kali Linux and Ubuntu which runs on the same VMware as the Wazuh. Hope your team can look into this issue as soon as possible.

Thanks, Regards.

[Jose Luis Carreras Marin]

Hello imanmikhael0908,

So, to be sure, the error occurs as follows:

• You restart wazuh-server.
• Everything works as expected.
  
• You turn on the machines where you have the wazuh-agent.
  
• Then wazuh-dashboard stops working.

At this point, is wazuh-manager turned off? Could you also check the wazuh-manager log file?
It is found by default in /var/ossec/logs/ossec.log
It might contain some clues as to what is going on.
As extra data, regarding the blogpost you have passed "Detecting Log4Shell with Wazuh", did you have any problem with any of the steps? Have you been able to complete everything ok?

Regards

[Iman Mikhael]

Hi jose,

Yes you are right and the wazuh-manager is still on. However, it will work after a couple of reboots.

Regarding the log4j rule, I am also facing an issue as my docker container logs is successfully decoded but it did not trigger the rule. I actually posted another discussion regarding that. 

Regards.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d053eb07-cf97-4929-9107-300fff174b07n%40googlegroups.com.

[Iman Mikhael]

This is the link to the mentioned discussion: 

https://groups.google.com/g/wazuh/c/DY8brh9TUiM

If you have any opinion on this, feel free to let me know.

Regards.

[Iman Mikhael]

Hello Jose,

Any updates on this?

Regards.