Some trouble with delivering logs between Filebeat and Elastic


Aleksey Subbotin

Apr 10, 2023, 10:30:47 AM
to Wazuh mailing list
Hi. First I want to say thanks for your product.

I want to try Wazuh before implementing it in my company, but I have some trouble with it. I use the Docker single-node deployment. All seems good. I did all the steps in the manual, changed the default password for root and can log in as admin. I installed two agents, but I can't receive alerts from them in Discover.

I googled some troubleshooting articles and this is my status (version v4.4.0):
1. Alerts are generated and delivered to the manager.
tail -f /var/ossec/logs/alerts/alerts.json
tail -f /var/ossec/logs/alerts/alerts.log
If I generate an alert (a USB install, for example), I see these events in the logs.
2. After that I changed /etc/filebeat/filebeat.yml in the manager Docker image
and set up the new password (please add this step to the instructions).

root@wazuh:/# filebeat test output
elasticsearch: https://wazuh.indexer:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.160.3
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

3. But in the log I see

2023-04-10T14:22:20.029Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): 401 Unauthorized: Unauthorized

2023-04-10T14:22:20.029Z INFO [publisher_pipeline_output] pipeline/output.go:145 Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 93 reconnect attempt(s)

2023-04-10T14:22:20.029Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer


4. I don't know if it's ok or not, but the filebeat service always stops every time I try to start it.




5. Some of the components don't run when I start the service.


6. In the Discover tab I can't see any alerts, but per step 1 they are generated. How can I solve the trouble with the 401 error while the Filebeat test is ok? I don't understand where I can find some logs to see what happened.


Thanks a lot for any help or advice.

Nicolas Agustin Guevara Pihen

Apr 10, 2023, 12:00:50 PM
to Wazuh mailing list
Hello Aleksey, thank you for using Wazuh.
I was able to reproduce the issue. I will analyze it to find the cause and come up with an update as soon as I have it.

Kind regards,

Nicolas Agustin Guevara Pihen

Apr 10, 2023, 12:23:38 PM
to Wazuh mailing list
Hello Aleksey,
The password in the filebeat.yml file is taken from the INDEXER_PASSWORD variable in the docker-compose.yml. That's why the instructions say to modify it in all the occurrences (there are 2 in total), and not to modify the filebeat.yml itself. However, it is not applied if the environment is merely restarted; you need to bring it down with docker compose down and start it again with docker compose up.

All the information is stored in volumes, so you will not lose the applied configuration or previous events if you do that. After doing that, you should be able to receive alerts again.

I hope you find this information helpful, let me know if you have any questions.

Kind regards,
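The failure mode described above (Filebeat reading INDEXER_PASSWORD from the compose file, and a missed occurrence leaving one service on the old credential) can be caught before running docker compose up. The script below is an added example, not part of this thread or of the Wazuh project; the compose file it writes is a constructed sample, and it only knows about the `- INDEXER_PASSWORD=...` list form.

```shell
#!/bin/sh
# Added example (not from the thread): check that every INDEXER_PASSWORD
# occurrence in a docker-compose.yml carries the same value. Filebeat takes
# its indexer password from that variable, so a half-edited file leaves it
# sending the old credential and the indexer answers 401 Unauthorized.

# Constructed sample compose file: one service was edited, the other was not.
make_sample_compose() {
  cat > "$1" <<'EOF'
services:
  wazuh.manager:
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=NewStrongPassword1
  wazuh.dashboard:
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
EOF
}

# Print the number of distinct INDEXER_PASSWORD values in a compose file:
# 1 means consistent, more than 1 means at least one occurrence was missed,
# 0 means the variable is not set at all.
distinct_indexer_passwords() {
  grep -E '^[[:space:]]*-?[[:space:]]*INDEXER_PASSWORD=' "$1" \
    | sed -E 's/^[[:space:]]*-?[[:space:]]*INDEXER_PASSWORD=//' \
    | sort -u | wc -l | tr -d ' '
}

# Exit status 0 when all occurrences agree, 1 otherwise.
check_indexer_password() {
  n=$(distinct_indexer_passwords "$1")
  if [ "$n" -eq 1 ]; then
    echo "OK: all INDEXER_PASSWORD occurrences in $1 match"
    return 0
  fi
  echo "MISMATCH: $n distinct INDEXER_PASSWORD values in $1" >&2
  return 1
}
```

Run `check_indexer_password docker-compose.yml` after editing; only when it reports OK is a `docker compose down` followed by `docker compose up` worth doing.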

Aleksey Subbotin

Apr 11, 2023, 9:51:13 AM
to Wazuh mailing list
Thanks for the clarification and advice; it seems to work fine now.