Elasticsearch wazuh template not indexing json correctly


Azaralho

May 20, 2019, 7:16:03 AM
to Wazuh mailing list
Hi everyone, 

I have a Wazuh + ELK setup. I've installed both elasticsearch template and plugin.

Everything was working fine until I started creating some dashboards and updated the Kibana index fields. Now it seems it cannot index JSON top-level fields and thus it's not able to index the child fields either.

[attachment: wazuh.jpg]


When I navigate through the Kibana index fields, e.g. "agent", I can see that the top-level field is of type unknown:

[attachment: wazuh2.PNG]


From what I can see on another working installation, the top-level field doesn't even appear in the indexed fields:

[attachment: wazuh3.jpg]


On this Kibana, everything is working as it's supposed to.


I've already removed/reinstalled the Wazuh template and created new indices.

Any ideas or suggestions?


Thanks in advance!


Jesús Ángel González

May 21, 2019, 3:36:31 AM
to Wazuh mailing list

Hello Azaralho,

Those are symptoms of a wrong mapping being applied. Once an index is created, it doesn’t matter if you put a new template, the index was created and its mapping has been set.

Fix the indices

Stop Logstash:

systemctl stop logstash

Ensure the template is inserted:

curl https://raw.githubusercontent.com/wazuh/wazuh/3.9/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://elastic_ip:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-

Check if the template was inserted:

curl elastic_ip:9200/_cat/templates/wazuh

You should see:

wazuh [wazuh-alerts-3.x-*] 0

Assuming the only affected index is wazuh-alerts-3.x-2019.01.29 (repeat this procedure if you have more affected indices):

1) Reindex affected index into a backup index:

curl -X POST "elastic_ip:9200/_reindex" -H 'Content-Type: application/json' -d'
{
    "source": {
        "index": "wazuh-alerts-3.x-2019.01.29"
    },
    "dest": {
        "index": "wazuh-alerts-3.x-backup"
    }
}
'

2) Remove affected index:

curl -XDELETE elastic_ip:9200/wazuh-alerts-3.x-2019.01.29

3) Reindex backup index into a new index (using the same name as before):

curl -X POST "elastic_ip:9200/_reindex" -H 'Content-Type: application/json' -d'
{
    "source": {
        "index": "wazuh-alerts-3.x-backup"
    },
    "dest": {
        "index": "wazuh-alerts-3.x-2019.01.29"
    }
}
'

4) Remove backup index:

curl -XDELETE elastic_ip:9200/wazuh-alerts-3.x-backup

Resume Logstash once finished:

systemctl restart logstash

Fix Kibana

Your index pattern has a wrong fieldset too due to the wrong mapping. Please remove the index pattern, then restart Kibana so the Wazuh app will create a new one for you.

I hope it helps.

Best regards,
Jesús
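One way to confirm the diagnosis above before reindexing, as an added example that is not from the thread or from the Wazuh project: flatten the template mapping and the live index mapping to dotted field paths and report every field the index lacks or maps with a different type. The two documents below are constructed, cut-down stand-ins for the responses of GET /_template/wazuh and GET wazuh-alerts-3.x-2019.01.29/_mapping.

```python
# Added example (not from the thread or the Wazuh project): diff the template
# mapping against a live index mapping to catch the symptom Jesús describes,
# an index whose mapping was fixed before the template applied. Both documents
# below are constructed stand-ins for GET /_template/wazuh and GET <index>/_mapping.

def properties_of(mappings):
    """'properties' of a mappings object, for both the typeless ES 7 layout
    and the single-type ES 6 layout (the version change behind this thread)."""
    if "properties" in mappings:
        return mappings["properties"]
    types = list(mappings.values())
    return types[0].get("properties", {}) if types else {}

def flatten(props, prefix=""):
    """Flatten nested 'properties' into {dotted.path: type}; objects are 'object'."""
    out = {}
    for name, spec in props.items():
        out[prefix + name] = spec.get("type", "object")
        if "properties" in spec:
            out.update(flatten(spec["properties"], prefix + name + "."))
    return out

def mapping_diff(template_doc, index_doc):
    """Return (missing, mismatched): template fields the index lacks / types that differ."""
    want = flatten(properties_of(next(iter(template_doc.values()))["mappings"]))
    got = flatten(properties_of(next(iter(index_doc.values()))["mappings"]))
    missing = sorted(f for f in want if f not in got)
    mismatched = {f: (want[f], got[f]) for f in want if f in got and want[f] != got[f]}
    return missing, mismatched

# Constructed: a cut-down version of what the Wazuh alerts template defines...
TEMPLATE = {"wazuh": {"index_patterns": ["wazuh-alerts-3.x-*"], "mappings": {"properties": {
    "@timestamp": {"type": "date"},
    "agent": {"properties": {"id": {"type": "keyword"}, "ip": {"type": "ip"},
                             "name": {"type": "keyword"}}},
    "rule": {"properties": {"id": {"type": "keyword"}, "level": {"type": "long"},
                            "description": {"type": "text"}}}}}}}
# ...versus an index whose mapping Elasticsearch guessed dynamically before the
# template was loaded: strings became text, the IP became text, one field is absent.
INDEX = {"wazuh-alerts-3.x-2019.01.29": {"mappings": {"properties": {
    "@timestamp": {"type": "date"},
    "agent": {"properties": {"id": {"type": "text"}, "ip": {"type": "text"},
                             "name": {"type": "text"}}},
    "rule": {"properties": {"id": {"type": "text"}, "level": {"type": "long"}}}}}}}

if __name__ == "__main__":
    missing, mismatched = mapping_diff(TEMPLATE, INDEX)
    print("missing in index:", missing)
    print("type mismatches:", mismatched)
```

Any non-empty result means the index must be rebuilt as in steps 1 to 4 above; a clean diff on every wazuh-alerts-3.x-* index means the template is in effect and the remaining problem is only the Kibana index pattern.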

Azaralho

May 23, 2019, 4:45:55 AM
to Wazuh mailing list
Hi Jesús!

Thank you for your detailed answer. I was suspecting that... 

I will try that approach and get back to you!
Thank you!

Regards,

Azaralho

May 29, 2019, 10:15:24 AM
to Wazuh mailing list
Hi Jesús,

You were right about the mapping and I've found out what happened. I forgot to disable Elasticsearch updates.
I did an upgrade recently and didn't notice the Elasticsearch version was upgraded. It seems that the template for the old version didn't work on the new one. :)

I did the downgrade and apparently it solved it :)

Everything's working now.

Thank you for your help!