Wazuh Server do not collect logs
Ali Bajaj
Dear Wazuh Support Team,
I hope you are doing well.
I am writing to report an issue with my Wazuh server. For approximately the past week, the system has stopped collecting logs.
I have verified that all core services are up and running without any apparent issues, including:
- Wazuh Manager
- Indexer
- Dashboard
- Filebeat
Despite this, no new logs are being ingested or displayed in the dashboard.
Additionally, I ran the following command on the server:
sudo tail -f /var/ossec/logs/archives/archives.logAfter running this command, I was able to see logs being generated in real time via the CLI.
This suggests that logs are still being produced on the system, but they are not being forwarded or indexed correctly.
Could you please assist me in identifying the cause of this issue and advise on possible troubleshooting steps?
In attach the dashboard without any logs!
If you require any additional information (such as logs, configurations, or system details), I would be happy to provide it.
Thank you for your support.
Md. Nazmur Sakib
Hi Ali,
As you have logs in the /var/ossec/logs/archives/archives.log file. That means your Wazuh manager is working fine and receiving logs. That is a good sign.
So now the issue can be most likely with filebeat or Wazuh indexer.
Filebeat is responsible for sending the logs from the Filebeat to the Wazuh indexer. You can check if Filebeat is properly connected with the Wazuh indexer with this command.
filebeat test output
Share the output of the cluster health. On the web interface, go to
Indexer management > Dev Tools
And run this command.
GET _cluster/health
From the cluster health, we can find the status of the cluster health and if the indexer cluster has reached the maximum shards per node.
Check if you have enough disk space on your indexer node.
df -h
Also, share the logs from the indexer and filebeat log files.
cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
Once I have these information, I will have a better understanding of your problem and I will be able to help you in the right direction to solve your problem.
Ali Bajaj
From what I have seen from the tests it looks that all settings are working correctly.
-*-*-*-*-*-*-*-*-*-*-*--*-*-*-*-*-*-*-*-*-*-*-*-*
filebeat test output ====>
$ sudo filebeat test output
elasticsearch: https://127.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.2
dial up... OK
talk to server... OK
version: 7.10.2
-*-*-*-*-*-*-*-*-*-*-*--*-*-*-*-*-*-*-*-*-*-*-*-*
Indexer management > Dev Tools
GET _cluster/health ===>
{
"cluster_name": "wazuh-cluster",
"status": "yellow",
"timed_out": false,
"number_of_nodes": 1,
"number_of_data_nodes": 1,
"discovered_master": true,
"discovered_cluster_manager": true,
"active_primary_shards": 934,
"active_shards": 934,
"relocating_shards": 0,
"initializing_shards": 0,
"unassigned_shards": 12,
"delayed_unassigned_shards": 0,
"number_of_pending_tasks": 0,
"number_of_in_flight_fetch": 0,
"task_max_waiting_in_queue_millis": 0,
"active_shards_percent_as_number": 98.73150105708245
}
-*-*-*-*-*-*-*-*-*-*-*--*-*-*-*-*-*-*-*-*-*-*-*-*
df -h ======>
]$ sudo df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 4.0M 0 4.0M 0% /dev
tmpfs 4.8G 888K 4.8G 1% /dev/shm
tmpfs 1.9G 8.6M 1.9G 1% /run
/dev/sda1 1.0T 77G 948G 8% /
tmpfs 4.8G 1.2M 4.8G 1% /tmp
/dev/sda128 10M 1.3M 8.7M 13% /boot/efi
tmpfs 967M 8.0K 967M 1% /run/user/1000
-*-*-*-*-*-*-*-*-*-*-*--*-*-*-*-*-*-*-*-*-*-*-*-*
cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn" ====>
[2026-04-07T08:34:57,042][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:sendMessage:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:34:57,042][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:YIVhgpoBauyjGvvEcRMQ:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:34:57,043][WARN ][o.o.n.a.PluginBaseAction ] [node-1] notifications:OpenSearchStatusException:
org.opensearch.OpenSearchStatusException: {"event_status_list": [{"config_id":"aYVkgpoBauyjGvvEiBP0","config_type":"email","config_name":"Channel Alert ","email_recipient_status":[{"recipient":"vs...@sinteza-al.com","delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}],"delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}]}
[2026-04-07T08:39:57,043][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:sendMessage:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:39:57,043][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:YIVhgpoBauyjGvvEcRMQ:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:39:57,043][WARN ][o.o.n.a.PluginBaseAction ] [node-1] notifications:OpenSearchStatusException:
org.opensearch.OpenSearchStatusException: {"event_status_list": [{"config_id":"aYVkgpoBauyjGvvEiBP0","config_type":"email","config_name":"Channel Alert ","email_recipient_status":[{"recipient":"vs...@sinteza-al.com","delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}],"delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}]}
[2026-04-07T08:44:52,064][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1775543632053 and 1775544232053 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-07T08:44:57,040][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:sendMessage:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:44:57,040][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:YIVhgpoBauyjGvvEcRMQ:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:44:57,041][WARN ][o.o.n.a.PluginBaseAction ] [node-1] notifications:OpenSearchStatusException:
org.opensearch.OpenSearchStatusException: {"event_status_list": [{"config_id":"aYVkgpoBauyjGvvEiBP0","config_type":"email","config_name":"Channel Alert ","email_recipient_status":[{"recipient":"vs...@sinteza-al.com","delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}],"delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}]}
[2026-04-07T08:49:57,056][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:sendMessage:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:49:57,056][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:YIVhgpoBauyjGvvEcRMQ:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:49:57,056][WARN ][o.o.n.a.PluginBaseAction ] [node-1] notifications:OpenSearchStatusException:
org.opensearch.OpenSearchStatusException: {"event_status_list": [{"config_id":"aYVkgpoBauyjGvvEiBP0","config_type":"email","config_name":"Channel Alert ","email_recipient_status":[{"recipient":"vs...@sinteza-al.com","delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}],"delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}]}
[2026-04-07T08:54:52,061][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1775544232052 and 1775544832052 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-07T08:54:57,039][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:sendMessage:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:54:57,039][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:YIVhgpoBauyjGvvEcRMQ:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:54:57,039][WARN ][o.o.n.a.PluginBaseAction ] [node-1] notifications:OpenSearchStatusException:
org.opensearch.OpenSearchStatusException: {"event_status_list": [{"config_id":"aYVkgpoBauyjGvvEiBP0","config_type":"email","config_name":"Channel Alert ","email_recipient_status":[{"recipient":"vs...@sinteza-al.com","delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}],"delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}]}
[2026-04-07T08:59:57,113][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:sendMessage:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:59:57,113][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:YIVhgpoBauyjGvvEcRMQ:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T08:59:57,113][WARN ][o.o.n.a.PluginBaseAction ] [node-1] notifications:OpenSearchStatusException:
org.opensearch.OpenSearchStatusException: {"event_status_list": [{"config_id":"aYVkgpoBauyjGvvEiBP0","config_type":"email","config_name":"Channel Alert ","email_recipient_status":[{"recipient":"vs...@sinteza-al.com","delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}],"delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}]}
[2026-04-07T09:04:52,059][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1775544832052 and 1775545432052 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-07T09:04:57,038][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:sendMessage:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T09:04:57,039][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:YIVhgpoBauyjGvvEcRMQ:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T09:04:57,039][WARN ][o.o.n.a.PluginBaseAction ] [node-1] notifications:OpenSearchStatusException:
org.opensearch.OpenSearchStatusException: {"event_status_list": [{"config_id":"aYVkgpoBauyjGvvEiBP0","config_type":"email","config_name":"Channel Alert ","email_recipient_status":[{"recipient":"vs...@sinteza-al.com","delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}],"delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}]}
[2026-04-07T09:09:57,048][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:sendMessage:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T09:09:57,048][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:YIVhgpoBauyjGvvEcRMQ:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T09:09:57,048][WARN ][o.o.n.a.PluginBaseAction ] [node-1] notifications:OpenSearchStatusException:
org.opensearch.OpenSearchStatusException: {"event_status_list": [{"config_id":"aYVkgpoBauyjGvvEiBP0","config_type":"email","config_name":"Channel Alert ","email_recipient_status":[{"recipient":"vs...@sinteza-al.com","delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}],"delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}]}
[2026-04-07T09:14:52,092][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1775545432052 and 1775546032052 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-07T09:14:57,039][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:sendMessage:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T09:14:57,040][INFO ][o.o.n.s.SendMessageActionHelper] [node-1] notifications:YIVhgpoBauyjGvvEcRMQ:statusCode=503, statusText=sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1
[2026-04-07T09:14:57,040][WARN ][o.o.n.a.PluginBaseAction ] [node-1] notifications:OpenSearchStatusException:
org.opensearch.OpenSearchStatusException: {"event_status_list": [{"config_id":"aYVkgpoBauyjGvvEiBP0","config_type":"email","config_name":"Channel Alert ","email_recipient_status":[{"recipient":"vs...@sinteza-al.com","delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}],"delivery_status":{"status_code":"503","status_text":"sendEmail Error, status:Couldn't connect to host, port: localhost, 25; timeout -1"}}]}
--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/fc303c9e-5c88-4340-8543-1695dffa3dc9n%40googlegroups.com.
Md. Nazmur Sakib
I can see you have a total of (934 + 12) = 946 shards. So no problem with the shards limit per node. The maximum shards per indexer node is, by default, 1000.
Also, you have enough disk space left. So no issue with the Storage as well.
I do not see any relevant error in the logs of the indexer. I can only see logs related to the notification channel configuration(mail). This should not be the cause of not getting logs in the dashboard.
I can see there are some logs like this
Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1775543632053 and 1775544232053 for uAaOWJoBMBQt2Gz7RYhO
Start 1775543632053 April 8, 2026, 09:13:52
End 1775544232053 April 8, 2026, 09:23:52
Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1775544832052 and 1775545432052 for uAaOWJoBMBQt2Gz7RYhO
Start 1775543632053 April 8, 2026, 09:13:52
End 1775544232053 April 8, 2026, 09:23:52
Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1775544832052 and 1775545432052 for uAaOWJoBMBQt2Gz7RYhO
Start 1775544832052 April 8, 2026, 09:33:52
End 1775545432052 April 8, 2026, 09:43:52
Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1775545432052 and 1775546032052 for uAaOWJoBMBQt2Gz7RYhO
Start 1775545432052 April 8, 2026, 09:43:52
End 1775546032052 April 8, 2026, 09:53:52
This indicates that the indexer did not receive and log in between that time.
I know you have already mentioned that you can see the logs in the archive.json file.
Just to confirm, can you check if you have logs in the alerts.json file?
tail /var/ossec/logs/alerts/alerts.json
If you have alerts, check if you have the recent indices.
go to
And run this command.
If you do not see indices for yesterday or today,
Try to restart the indexer and filebeat service and share the
sudo journalctl -u wazuh-indexer --no-pager
Also, share the full indexer log.
sudo cat /var/log/wazuh-indexer/wazuh-cluster.log
Check the filebeat logs
sudo cat /var/log/filebeat/filebeat* | grep -i -E "error|warn"
Also, check if filebeat is listening to alerts.json file.
Try to produce a Wazuh alert and run this command.
sudo lsof /var/ossec/logs/alerts/alerts.json
I will look forward to your update.
Ali Bajaj
Hello Nazmur,
I hope you are doing well.
Thank you for your email.
Regarding the logs related to the notification channel configuration (mail) is a cron that I have created no problem .
Below, I am sharing the results of the commands for your review:
tail /var/ossec/logs/alerts/alerts.json
→ No result with this command.On Dev Tools, after running:
GET /_cat/indices/wazuh-alerts-4.x-2026.04.*
→ Output:green open wazuh-alerts-4.x-2026.04.01 8fIYWp_USNy8npgSQMtfww 3 0 232270 0 75.3mb 75.3mb green open wazuh-alerts-4.x-2026.04.02 seMRHqqcQwma3NfBEUj4dw 3 0 54350 0 25.5mb 25.5mbAfter running:
sudo journalctl -u wazuh-indexer --no-pager
→ The result is attached in the file named 1.txt.
After running:
sudo cat /var/log/wazuh-indexer/wazuh-cluster.log
→ The result is attached in the file named 2.txt.After running:
sudo cat /var/log/filebeat/filebeat* | grep -i -E "error|warn"
→ No result from this command.
After running:
sudo lsof /var/ossec/logs/alerts/alerts.json
→ Output:COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME wazuh-ana 3789 wazuh 13w REG 8,1 0 369104854 /var/ossec/logs/alerts/alerts.json
Please let me know if you need any additional information or further checks from my side.
Thank you for your support.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/c498f965-d70e-4a9e-aceb-23118a596c06n%40googlegroups.com.
Md. Nazmur Sakib
tail /var/ossec/logs/alerts/alerts.json
That means the Wazuh manager is not able to generate alerts.
Restart the Wazuh manager
sudo systemctl restart wazuh-manager
Now check the status of the Wazuh manager.
sudo systemctl status wazuh-manager
Also, check the ossec.log of the Wazuh manager.
sudo cat /var/ossec/logs/ossec.log | grep -iE "error|warn"
Ali Bajaj
Thank you in advance.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/4b4a63c0-246b-456a-8ca6-b96cd8e18a7fn%40googlegroups.com.
Ali Bajaj
Md. Nazmur Sakib
From your OSSEC log, I can see some issues with the vulnerability configuration, but that should not stop the alerts from triggering.
I can see from your archive indices that you have alerts with different levels.
Go to the ossec.conf of your Wazuh manager.
Check the <log_alert_level>
<alerts>
<log_alert_level>3</log_alert_level>
—----
Make sure the level is set to a lower like 3. log_alert_level sets the minimum severity level for alerts that will be stored to alerts.log and/or alerts.json.
And restart the Wazuh Manager.
sudo systemctl restart wazuh-manager
If the issue still persists, also share the ossec.conf with me so that I can also review it from my end.
Ali Bajaj
To view this discussion visit https://groups.google.com/d/msgid/wazuh/448e2c07-1693-4e03-88f9-4bbcc1b836een%40googlegroups.com.
Ali Bajaj
[2026-04-20T05:44:52,063][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776656032054 and 1776656632054 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T05:54:52,065][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776656632054 and 1776657232054 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T06:04:52,064][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776657232053 and 1776657832053 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T06:14:52,062][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776657832053 and 1776658432053 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T06:24:52,064][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776658432053 and 1776659032053 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T06:34:52,064][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776659032054 and 1776659632054 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T06:44:52,067][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776659632054 and 1776660232054 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T06:54:52,063][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776660232053 and 1776660832053 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T07:04:52,083][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776660832053 and 1776661432053 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T07:14:52,062][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776661432054 and 1776662032054 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T07:24:52,064][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776662032054 and 1776662632054 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T07:34:52,065][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776662632053 and 1776663232053 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T07:44:52,073][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776663232053 and 1776663832053 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T07:54:52,072][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776663832054 and 1776664432054 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T08:04:52,072][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776664432054 and 1776665032054 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T08:14:52,088][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776665032053 and 1776665632053 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T08:24:52,072][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776665632053 and 1776666232053 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T08:34:52,076][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776666232054 and 1776666832054 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T08:44:52,071][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776666832054 and 1776667432054 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T08:54:52,071][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776667432054 and 1776668032054 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T09:04:52,060][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776668032053 and 1776668632053 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T09:14:52,061][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776668632053 and 1776669232053 for uAaOWJoBMBQt2Gz7RYhO
[2026-04-20T09:24:52,060][INFO ][o.o.t.ExecuteResultResponseRecorder] [node-1] Result action run for uAaOWJoBMBQt2Gz7RYhO with error No data in current window between 1776669232053 and 1776669832053 for uAaOWJoBMBQt2Gz7RYhO
2026-04-20T09:29:54.373+0200 WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc271935c55f36e72, ext:1038549047074647, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-archives-pipeline"}, Fields:{"agent":{"ephemeral_id":"97106e2d-51df-4051-b80d-d85a5d7bc322","hostname":"wazuh-server","id":"a7e59e99-958b-4981-a656-dcb94a669b1e","name":"wazuh-server","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.archives","module":"wazuh"},"fields":{"index_prefix":"wazuh-archives-4.x-"},"fileset":{"name":"archives"},"host":{"name":"wazuh-server"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/archives/archives.json"},"offset":195081621},"message":"{\"timestamp\":\"2026-04-20T07:29:52.550+0000\",\"rule\":{\"level\":5,\"description\":\"Windows audit failure event\",\"id\":\"60104\",\"firedtimes\":3833,\"mail\":false,\"groups\":[\"windows\",\"windows_security\"],\"pci_dss\":[\"10.6.1\"],\"gdpr\":[\"IV_35.7.d\"],\"hipaa\":[\"164.312.b\"],\"nist_800_53\":[\"AU.6\"],\"tsc\":[\"CC7.2\",\"CC7.3\"]},\"agent\":{\"id\":\"012\",\"name\":\"D.Barolli\",\"ip\":\"192.168.33.22\"},\"manager\":{\"name\":\"wazuh-server\"},\"id\":\"1776670192.33716004\",\"full_log\":\"{\\\"win\\\":{\\\"system\\\":{\\\"providerName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"providerGuid\\\":\\\"{54849625-5478-4994-a5ba-3e3b0328c30d}\\\",\\\"eventID\\\":\\\"5038\\\",\\\"version\\\":\\\"0\\\",\\\"level\\\":\\\"0\\\",\\\"task\\\":\\\"12290\\\",\\\"opcode\\\":\\\"0\\\",\\\"keywords\\\":\\\"0x8010000000000000\\\",\\\"systemTime\\\":\\\"2026-04-20T07:29:51.6151823Z\\\",\\\"eventRecordID\\\":\\\"7942960\\\",\\\"processID\\\":\\\"4\\\",\\\"threadID\\\":\\\"17280\\\",\\\"channel\\\":\\\"Security\\\",\\\"computer\\\":\\\"Donald-Barolli.sinteza.com.al\\\",\\\"severityValue\\\":\\\"AUDIT_FAILURE\\\",\\\"message\\\":\\\"\\\\\\\"Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\\\\r\\\\n\\\\r\\\\nFile Name:\\\\t\\\\\\\\Device\\\\\\\\HarddiskVolume3\\\\\\\\Program Files\\\\\\\\Sophos\\\\\\\\Sophos AMSI Protection\\\\\\\\SophosAmsiProvider.dll\\\\t\\\\\\\"\\\"},\\\"eventdata\\\":{\\\"param1\\\":\\\"\\\\\\\\\\\\\\\\Device\\\\\\\\\\\\\\\\HarddiskVolume3\\\\\\\\\\\\\\\\Program Files\\\\\\\\\\\\\\\\Sophos\\\\\\\\\\\\\\\\Sophos AMSI Protection\\\\\\\\\\\\\\\\SophosAmsiProvider.dll\\\"}}}\",\"decoder\":{\"name\":\"windows_eventchannel\"},\"data\":{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"5038\",\"version\":\"0\",\"level\":\"0\",\"task\":\"12290\",\"opcode\":\"0\",\"keywords\":\"0x8010000000000000\",\"systemTime\":\"2026-04-20T07:29:51.6151823Z\",\"eventRecordID\":\"7942960\",\"processID\":\"4\",\"threadID\":\"17280\",\"channel\":\"Security\",\"computer\":\"Donald-Barolli.sinteza.com.al\",\"severityValue\":\"AUDIT_FAILURE\",\"message\":\"\\\"Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\\r\\n\\r\\nFile Name:\\t\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\Sophos\\\\Sophos AMSI Protection\\\\SophosAmsiProvider.dll\\t\\\"\"},\"eventdata\":{\"param1\":\"\\\\\\\\Device\\\\\\\\HarddiskVolume3\\\\\\\\Program Files\\\\\\\\Sophos\\\\\\\\Sophos AMSI Protection\\\\\\\\SophosAmsiProvider.dll\"}}},\"location\":\"EventChannel\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::336036495-2049", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0000c76c0), Source:"/var/ossec/logs/archives/archives.json", Offset:195084050, Timestamp:time.Time{wall:0xc27179033219fa30, ext:1011568519362837, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x1407828f, Device:0x801}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"validation_exception","reason":"Validation Failed: 1: this action would add [3] total shards, but this cluster currently has [1000]/[1000] maximum shards open;"}
2026-04-20T09:29:54.373+0200 WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc271935c55f3870e, ext:1038549047080947, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-archives-pipeline"}, Fields:{"agent":{"ephemeral_id":"97106e2d-51df-4051-b80d-d85a5d7bc322","hostname":"wazuh-server","id":"a7e59e99-958b-4981-a656-dcb94a669b1e","name":"wazuh-server","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.archives","module":"wazuh"},"fields":{"index_prefix":"wazuh-archives-4.x-"},"fileset":{"name":"archives"},"host":{"name":"wazuh-server"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/archives/archives.json"},"offset":195084050},"message":"{\"timestamp\":\"2026-04-20T07:29:52.555+0000\",\"rule\":{\"level\":5,\"description\":\"Windows audit failure event\",\"id\":\"60104\",\"firedtimes\":3834,\"mail\":false,\"groups\":[\"windows\",\"windows_security\"],\"pci_dss\":[\"10.6.1\"],\"gdpr\":[\"IV_35.7.d\"],\"hipaa\":[\"164.312.b\"],\"nist_800_53\":[\"AU.6\"],\"tsc\":[\"CC7.2\",\"CC7.3\"]},\"agent\":{\"id\":\"012\",\"name\":\"D.Barolli\",\"ip\":\"192.168.33.22\"},\"manager\":{\"name\":\"wazuh-server\"},\"id\":\"1776670192.33718126\",\"full_log\":\"{\\\"win\\\":{\\\"system\\\":{\\\"providerName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"providerGuid\\\":\\\"{54849625-5478-4994-a5ba-3e3b0328c30d}\\\",\\\"eventID\\\":\\\"5038\\\",\\\"version\\\":\\\"0\\\",\\\"level\\\":\\\"0\\\",\\\"task\\\":\\\"12290\\\",\\\"opcode\\\":\\\"0\\\",\\\"keywords\\\":\\\"0x8010000000000000\\\",\\\"systemTime\\\":\\\"2026-04-20T07:29:51.6487462Z\\\",\\\"eventRecordID\\\":\\\"7942961\\\",\\\"processID\\\":\\\"4\\\",\\\"threadID\\\":\\\"17280\\\",\\\"channel\\\":\\\"Security\\\",\\\"computer\\\":\\\"Donald-Barolli.sinteza.com.al\\\",\\\"severityValue\\\":\\\"AUDIT_FAILURE\\\",\\\"message\\\":\\\"\\\\\\\"Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\\\\r\\\\n\\\\r\\\\nFile Name:\\\\t\\\\\\\\Device\\\\\\\\HarddiskVolume3\\\\\\\\Program Files\\\\\\\\Sophos\\\\\\\\Sophos AMSI Protection\\\\\\\\SophosAmsiProvider.dll\\\\t\\\\\\\"\\\"},\\\"eventdata\\\":{\\\"param1\\\":\\\"\\\\\\\\\\\\\\\\Device\\\\\\\\\\\\\\\\HarddiskVolume3\\\\\\\\\\\\\\\\Program Files\\\\\\\\\\\\\\\\Sophos\\\\\\\\\\\\\\\\Sophos AMSI Protection\\\\\\\\\\\\\\\\SophosAmsiProvider.dll\\\"}}}\",\"decoder\":{\"name\":\"windows_eventchannel\"},\"data\":{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"5038\",\"version\":\"0\",\"level\":\"0\",\"task\":\"12290\",\"opcode\":\"0\",\"keywords\":\"0x8010000000000000\",\"systemTime\":\"2026-04-20T07:29:51.6487462Z\",\"eventRecordID\":\"7942961\",\"processID\":\"4\",\"threadID\":\"17280\",\"channel\":\"Security\",\"computer\":\"Donald-Barolli.sinteza.com.al\",\"severityValue\":\"AUDIT_FAILURE\",\"message\":\"\\\"Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\\r\\n\\r\\nFile Name:\\t\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\Sophos\\\\Sophos AMSI Protection\\\\SophosAmsiProvider.dll\\t\\\"\"},\"eventdata\":{\"param1\":\"\\\\\\\\Device\\\\\\\\HarddiskVolume3\\\\\\\\Program Files\\\\\\\\Sophos\\\\\\\\Sophos AMSI Protection\\\\\\\\SophosAmsiProvider.dll\"}}},\"location\":\"EventChannel\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::336036495-2049", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0000c76c0), Source:"/var/ossec/logs/archives/archives.json", Offset:195086479, Timestamp:time.Time{wall:0xc27179033219fa30, ext:1011568519362837, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x1407828f, Device:0x801}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"validation_exception","reason":"Validation Failed: 1: this action would add [3] total shards, but this cluster currently has [1000]/[1000] maximum shards open;"}
2026-04-20T09:29:54.373+0200 WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc271935c55f3ae1e, ext:1038549047091047, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-archives-pipeline"}, Fields:{"agent":{"ephemeral_id":"97106e2d-51df-4051-b80d-d85a5d7bc322","hostname":"wazuh-server","id":"a7e59e99-958b-4981-a656-dcb94a669b1e","name":"wazuh-server","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.archives","module":"wazuh"},"fields":{"index_prefix":"wazuh-archives-4.x-"},"fileset":{"name":"archives"},"host":{"name":"wazuh-server"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/archives/archives.json"},"offset":195086479},"message":"{\"timestamp\":\"2026-04-20T07:29:53.093+0000\",\"agent\":{\"id\":\"028\",\"name\":\"ABajaj\",\"ip\":\"192.168.33.13\"},\"manager\":{\"name\":\"wazuh-server\"},\"id\":\"1776670193.33718126\",\"full_log\":\"{\\\"win\\\":{\\\"system\\\":{\\\"providerName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"providerGuid\\\":\\\"{54849625-5478-4994-a5ba-3e3b0328c30d}\\\",\\\"eventID\\\":\\\"5158\\\",\\\"version\\\":\\\"0\\\",\\\"level\\\":\\\"0\\\",\\\"task\\\":\\\"12810\\\",\\\"opcode\\\":\\\"0\\\",\\\"keywords\\\":\\\"0x8020000000000000\\\",\\\"systemTime\\\":\\\"2026-04-20T07:29:46.3629671Z\\\",\\\"eventRecordID\\\":\\\"1429682783\\\",\\\"processID\\\":\\\"4\\\",\\\"threadID\\\":\\\"23240\\\",\\\"channel\\\":\\\"Security\\\",\\\"computer\\\":\\\"ABajaj.sinteza.com.al\\\",\\\"severityValue\\\":\\\"AUDIT_SUCCESS\\\",\\\"message\\\":\\\"\\\\\\\"The Windows Filtering Platform has permitted a bind to a local port.\\\\r\\\\n\\\\r\\\\nApplication Information:\\\\r\\\\n\\\\tProcess ID:\\\\t\\\\t23752\\\\r\\\\n\\\\tApplication Name:\\\\t\\\\\\\\device\\\\\\\\harddiskvolume3\\\\\\\\program files\\\\\\\\google\\\\\\\\chrome\\\\\\\\application\\\\\\\\chrome.exe\\\\r\\\\n\\\\r\\\\nNetwork Information:\\\\r\\\\n\\\\tSource Address:\\\\t\\\\t::\\\\r\\\\n\\\\tSource Port:\\\\t\\\\t58065\\\\r\\\\n\\\\tProtocol:\\\\t\\\\t17\\\\r\\\\n\\\\r\\\\nFilter Information:\\\\r\\\\n\\\\tFilter Run-Time ID:\\\\t0\\\\r\\\\n\\\\tLayer Name:\\\\t\\\\tResource Assignment\\\\r\\\\n\\\\tLayer Run-Time ID:\\\\t36\\\\\\\"\\\"},\\\"eventdata\\\":{\\\"processId\\\":\\\"23752\\\",\\\"application\\\":\\\"\\\\\\\\\\\\\\\\device\\\\\\\\\\\\\\\\harddiskvolume3\\\\\\\\\\\\\\\\program files\\\\\\\\\\\\\\\\google\\\\\\\\\\\\\\\\chrome\\\\\\\\\\\\\\\\application\\\\\\\\\\\\\\\\chrome.exe\\\",\\\"sourceAddress\\\":\\\"::\\\",\\\"sourcePort\\\":\\\"58065\\\",\\\"protocol\\\":\\\"17\\\",\\\"filterRTID\\\":\\\"0\\\",\\\"layerName\\\":\\\"%%14608\\\",\\\"layerRTID\\\":\\\"36\\\"}}}\",\"decoder\":{\"name\":\"windows_eventchannel\"},\"data\":{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"5158\",\"version\":\"0\",\"level\":\"0\",\"task\":\"12810\",\"opcode\":\"0\",\"keywords\":\"0x8020000000000000\",\"systemTime\":\"2026-04-20T07:29:46.3629671Z\",\"eventRecordID\":\"1429682783\",\"processID\":\"4\",\"threadID\":\"23240\",\"channel\":\"Security\",\"computer\":\"ABajaj.sinteza.com.al\",\"severityValue\":\"AUDIT_SUCCESS\",\"message\":\"\\\"The Windows Filtering Platform has permitted a bind to a local port.\\r\\n\\r\\nApplication Information:\\r\\n\\tProcess ID:\\t\\t23752\\r\\n\\tApplication Name:\\t\\\\device\\\\harddiskvolume3\\\\program files\\\\google\\\\chrome\\\\application\\\\chrome.exe\\r\\n\\r\\nNetwork Information:\\r\\n\\tSource Address:\\t\\t::\\r\\n\\tSource Port:\\t\\t58065\\r\\n\\tProtocol:\\t\\t17\\r\\n\\r\\nFilter Information:\\r\\n\\tFilter Run-Time ID:\\t0\\r\\n\\tLayer Name:\\t\\tResource Assignment\\r\\n\\tLayer Run-Time ID:\\t36\\\"\"},\"eventdata\":{\"processId\":\"23752\",\"application\":\"\\\\\\\\device\\\\\\\\harddiskvolume3\\\\\\\\program files\\\\\\\\google\\\\\\\\chrome\\\\\\\\application\\\\\\\\chrome.exe\",\"sourceAddress\":\"::\",\"sourcePort\":\"58065\",\"protocol\":\"17\",\"filterRTID\":\"0\",\"layerName\":\"%%14608\",\"layerRTID\":\"36\"}}},\"location\":\"EventChannel\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::336036495-2049", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0000c76c0), Source:"/var/ossec/logs/archives/archives.json", Offset:195089256, Timestamp:time.Time{wall:0xc27179033219fa30, ext:1011568519362837, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x1407828f, Device:0x801}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"validation_exception","reason":"Validation Failed: 1: this action would add [3] total shards, but this cluster currently has [1000]/[1000] maximum shards open;"}
2026-04-20T09:29:54.373+0200 WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc271935c75459e9b, ext:1038549572554624, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"97106e2d-51df-4051-b80d-d85a5d7bc322","hostname":"wazuh-server","id":"a7e59e99-958b-4981-a656-dcb94a669b1e","name":"wazuh-server","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-4.x-"},"fileset":{"name":"alerts"},"host":{"name":"wazuh-server"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":30787896},"message":"{\"timestamp\":\"2026-04-20T07:29:53.479+0000\",\"rule\":{\"level\":5,\"description\":\"Windows audit failure event\",\"id\":\"60104\",\"firedtimes\":3835,\"mail\":false,\"groups\":[\"windows\",\"windows_security\"],\"pci_dss\":[\"10.6.1\"],\"gdpr\":[\"IV_35.7.d\"],\"hipaa\":[\"164.312.b\"],\"nist_800_53\":[\"AU.6\"],\"tsc\":[\"CC7.2\",\"CC7.3\"]},\"agent\":{\"id\":\"025\",\"name\":\"E.Tato-Financa\",\"ip\":\"192.168.0.16\"},\"manager\":{\"name\":\"wazuh-server\"},\"id\":\"1776670193.33720248\",\"decoder\":{\"name\":\"windows_eventchannel\"},\"data\":{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"5038\",\"version\":\"0\",\"level\":\"0\",\"task\":\"12290\",\"opcode\":\"0\",\"keywords\":\"0x8010000000000000\",\"systemTime\":\"2026-04-20T07:29:52.2928373Z\",\"eventRecordID\":\"4677056\",\"processID\":\"4\",\"threadID\":\"19392\",\"channel\":\"Security\",\"computer\":\"Arlinda-Pc\",\"severityValue\":\"AUDIT_FAILURE\",\"message\":\"\\\"Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\\r\\n\\r\\nFile Name:\\t\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\Sophos\\\\Sophos AMSI Protection\\\\SophosAmsiProvider.dll\\t\\\"\"},\"eventdata\":{\"param1\":\"\\\\\\\\Device\\\\\\\\HarddiskVolume3\\\\\\\\Program Files\\\\\\\\Sophos\\\\\\\\Sophos AMSI Protection\\\\\\\\SophosAmsiProvider.dll\"}}},\"location\":\"EventChannel\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::369105976-2049", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0002f7450), Source:"/var/ossec/logs/alerts/alerts.json", Offset:30789279, Timestamp:time.Time{wall:0xc27179033222ed38, ext:1011568519949341, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x16001c38, Device:0x801}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"validation_exception","reason":"Validation Failed: 1: this action would add [3] total shards, but this cluster currently has [1000]/[1000] maximum shards open;"}
2026-04-20T09:29:54.373+0200 WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc271935c754643d7, ext:1038549572597024, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"97106e2d-51df-4051-b80d-d85a5d7bc322","hostname":"wazuh-server","id":"a7e59e99-958b-4981-a656-dcb94a669b1e","name":"wazuh-server","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-4.x-"},"fileset":{"name":"alerts"},"host":{"name":"wazuh-server"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":30789279},"message":"{\"timestamp\":\"2026-04-20T07:29:53.491+0000\",\"rule\":{\"level\":5,\"description\":\"Windows audit failure event\",\"id\":\"60104\",\"firedtimes\":3836,\"mail\":false,\"groups\":[\"windows\",\"windows_security\"],\"pci_dss\":[\"10.6.1\"],\"gdpr\":[\"IV_35.7.d\"],\"hipaa\":[\"164.312.b\"],\"nist_800_53\":[\"AU.6\"],\"tsc\":[\"CC7.2\",\"CC7.3\"]},\"agent\":{\"id\":\"025\",\"name\":\"E.Tato-Financa\",\"ip\":\"192.168.0.16\"},\"manager\":{\"name\":\"wazuh-server\"},\"id\":\"1776670193.33722337\",\"decoder\":{\"name\":\"windows_eventchannel\"},\"data\":{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"5038\",\"version\":\"0\",\"level\":\"0\",\"task\":\"12290\",\"opcode\":\"0\",\"keywords\":\"0x8010000000000000\",\"systemTime\":\"2026-04-20T07:29:52.3224611Z\",\"eventRecordID\":\"4677057\",\"processID\":\"4\",\"threadID\":\"19392\",\"channel\":\"Security\",\"computer\":\"Arlinda-Pc\",\"severityValue\":\"AUDIT_FAILURE\",\"message\":\"\\\"Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\\r\\n\\r\\nFile Name:\\t\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\Sophos\\\\Sophos AMSI Protection\\\\SophosAmsiProvider.dll\\t\\\"\"},\"eventdata\":{\"param1\":\"\\\\\\\\Device\\\\\\\\HarddiskVolume3\\\\\\\\Program Files\\\\\\\\Sophos\\\\\\\\Sophos AMSI Protection\\\\\\\\SophosAmsiProvider.dll\"}}},\"location\":\"EventChannel\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::369105976-2049", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0002f7450), Source:"/var/ossec/logs/alerts/alerts.json", Offset:30790662, Timestamp:time.Time{wall:0xc27179033222ed38, ext:1011568519949341, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x16001c38, Device:0x801}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"validation_exception","reason":"Validation Failed: 1: this action would add [3] total shards, but this cluster currently has [1000]/[1000] maximum shards open;"}
2026-04-20T09:29:54.373+0200 WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc271935c754664a7, ext:1038549572605324, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"97106e2d-51df-4051-b80d-d85a5d7bc322","hostname":"wazuh-server","id":"a7e59e99-958b-4981-a656-dcb94a669b1e","name":"wazuh-server","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-4.x-"},"fileset":{"name":"alerts"},"host":{"name":"wazuh-server"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":30790662},"message":"{\"timestamp\":\"2026-04-20T07:29:53.501+0000\",\"rule\":{\"level\":5,\"description\":\"Windows audit failure event\",\"id\":\"60104\",\"firedtimes\":3837,\"mail\":false,\"groups\":[\"windows\",\"windows_security\"],\"pci_dss\":[\"10.6.1\"],\"gdpr\":[\"IV_35.7.d\"],\"hipaa\":[\"164.312.b\"],\"nist_800_53\":[\"AU.6\"],\"tsc\":[\"CC7.2\",\"CC7.3\"]},\"agent\":{\"id\":\"025\",\"name\":\"E.Tato-Financa\",\"ip\":\"192.168.0.16\"},\"manager\":{\"name\":\"wazuh-server\"},\"id\":\"1776670193.33724426\",\"decoder\":{\"name\":\"windows_eventchannel\"},\"data\":{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"5038\",\"version\":\"0\",\"level\":\"0\",\"task\":\"12290\",\"opcode\":\"0\",\"keywords\":\"0x8010000000000000\",\"systemTime\":\"2026-04-20T07:29:52.3369949Z\",\"eventRecordID\":\"4677058\",\"processID\":\"4\",\"threadID\":\"19392\",\"channel\":\"Security\",\"computer\":\"Arlinda-Pc\",\"severityValue\":\"AUDIT_FAILURE\",\"message\":\"\\\"Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\\r\\n\\r\\nFile Name:\\t\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\Sophos\\\\Sophos AMSI Protection\\\\SophosAmsiProvider.dll\\t\\\"\"},\"eventdata\":{\"param1\":\"\\\\\\\\Device\\\\\\\\HarddiskVolume3\\\\\\\\Program Files\\\\\\\\Sophos\\\\\\\\Sophos AMSI Protection\\\\\\\\SophosAmsiProvider.dll\"}}},\"location\":\"EventChannel\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::369105976-2049", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0002f7450), Source:"/var/ossec/logs/alerts/alerts.json", Offset:30792045, Timestamp:time.Time{wall:0xc27179033222ed38, ext:1011568519949341, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x16001c38, Device:0x801}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"validation_exception","reason":"Validation Failed: 1: this action would add [3] total shards, but this cluster currently has [1000]/[1000] maximum shards open;"}
2026/04/20 07:23:00 wazuh-remoted: WARNING: Agent key already in use: agent ID '014'
2026/04/20 07:33:31 wazuh-maild: ERROR: (1764): Mail from not accepted by server
2026/04/20 07:33:31 wazuh-maild: ERROR: (1263): Error Sending email to 52.97.141.86 (smtp server)
[wazuh-user@wazuh-server ~]$ 2026/04/20 08:59:46 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2026/04/20 08:59:46 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: Exception
2026/04/20 08:59:46 wazuh-integratord: ERROR: Exit status was: 4
2026/04/20 08:59:46 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2026/04/20 08:59:46 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: Exception
2026/04/20 08:59:46 wazuh-integratord: ERROR: Exit status was: 4
2026/04/20 08:59:46 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2026/04/20 08:59:46 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: Exception
2026/04/20 08:59:46 wazuh-integratord: ERROR: Exit status was: 1
2026/04/20 08:59:47 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2026/04/20 08:59:47 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: Exception
2026/04/20 08:59:47 wazuh-integratord: ERROR: Exit status was: 4
2026/04/20 08:59:47 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2026/04/20 08:59:47 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: Exception
2026/04/20 08:59:47 wazuh-integratord: ERROR: Exit status was: 4
2026/04/20 08:59:48 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2026/04/20 08:59:48 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: Exception
2026/04/20 08:59:48 wazuh-integratord: ERROR: Exit status was: 4
2026/04/20 08:59:48 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2026/04/20 08:59:48 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: Exception
2026/04/20 08:59:48 wazuh-integratord: ERROR: Exit status was: 1
2026/04/20 08:59:48 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2026/04/20 08:59:48 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: Exception
2026/04/20 08:59:48 wazuh-integratord: ERROR: Exit status was: 4
2026/04/20 08:59:49 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2026/04/20 08:59:49 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: Exception
2026/04/20 08:59:49 wazuh-integratord: ERROR: Exit status was: 4
2026/04/20 08:59:49 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2026/04/20 08:59:49 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: Exception
2026/04/20 08:59:49 wazuh-integratord: ERROR: Exit status was: 4
2026/04/20 08:59:50 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2026/04/20 08:59:50 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: Exception
2026/04/20 08:59:50 wazuh-integratord: ERROR: Exit status was: 4
2026/04/20 08:59:50 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2026/04/20 08:59:50 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: Exception
2026/04/20 08:59:50 wazuh-integratord: ERROR: Exit status was: 4
2026/04/20 08:59:51 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2026/04/20 08:59:51 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: Exception
2026/04/20 08:59:51 wazuh-integratord: ERROR: Exit status was: 4
2026/04/20 08:59:51 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2026/04/20 08:59:51 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: Exception
2026/04/20 08:59:51 wazuh-integratord: ERROR: Exit status was: 4
2026/04/20 08:59:51 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2026/04/20 08:59:51 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: Exception
2026/04/20 08:59:51 wazuh-integratord: ERROR: Exit status was: 4
2026/04/20 08:59:52 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
2026/04/20 08:59:52 wazuh-integratord: ERROR: While running virustotal -> integrations. Output: Exception
2026/04/20 08:59:52 wazuh-integratord: ERROR: Exit status was: 4
2026/04/20 08:59:52 wazuh-integratord: ERROR: Unable to run integration for virustotal -> integrations
^C26/04/20 09:02:23 wazuh-integratord: ERROR: Exit status was: 4stotal -> integrations. Output: Exception
Ali Bajaj
Dear Wazuh Support Team,
I hope you are doing well.
I am writing to report an issue with my Wazuh server. For approximately the past week, the system has stopped collecting logs.
I have verified that all core services are up and running without any apparent issues, including:
- Wazuh Manager
- Indexer
- Dashboard
- Filebeat
Despite this, no new logs are being ingested or displayed in the dashboard. This is the second time that succeed this behavior first time was the configuration on ossec the alerts was in value 10, but this time i have checked the config and all is ok.
Additionally, I ran the following command on the server:
sudo tail -f /var/ossec/logs/archives/archives.logAfter running this command, I was able to see logs being generated in real time via the CLI.
This suggests that logs are still being produced on the system, but they are not being forwarded or indexed correctly.
Could you please assist me in identifying the cause of this issue and advise on possible troubleshooting steps?
below you will see some logs from the commands:
cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
If you require any additional information (such as logs, configurations, or system details), I would be happy to provide it.
Thank you for your support.
2026-04-20T09:29:54.373+0200 WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc271935c55f36e72, ext:1038549047074647, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-archives-pipeline"}, Fields:{"agent":{"ephemeral_id":"97106e2d-51df-4051-b80d-d85a5d7bc322","hostname":"wazuh-server","id":"a7e59e99-958b-4981-a656-dcb94a669b1e","name":"wazuh-server","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.archives","module":"wazuh"},"fields":{"index_prefix":"wazuh-archives-4.x-"},"fileset":{"name":"archives"},"host":{"name":"wazuh-server"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/archives/archives.json"},"offset":195081621},"message":"{\"timestamp\":\"2026-04-20T07:29:52.550+0000\",\"rule\":{\"level\":5,\"description\":\"Windows audit failure event\",\"id\":\"60104\",\"firedtimes\":3833,\"mail\":false,\"groups\":[\"windows\",\"windows_security\"],\"pci_dss\":[\"10.6.1\"],\"gdpr\":[\"IV_35.7.d\"],\"hipaa\":[\"164.312.b\"],\"nist_800_53\":[\"AU.6\"],\"tsc\":[\"CC7.2\",\"CC7.3\"]},\"agent\":{\"id\":\"012\",\"name\":\"D.Barolli\",\"ip\":\"192.168.33.22\"},\"manager\":{\"name\":\"wazuh-server\"},\"id\":\"1776670192.33716004\",\"full_log\":\"{\\\"win\\\":{\\\"system\\\":{\\\"providerName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"providerGuid\\\":\\\"{54849625-5478-4994-a5ba-3e3b0328c30d}\\\",\\\"eventID\\\":\\\"5038\\\",\\\"version\\\":\\\"0\\\",\\\"level\\\":\\\"0\\\",\\\"task\\\":\\\"12290\\\",\\\"opcode\\\":\\\"0\\\",\\\"keywords\\\":\\\"0x8010000000000000\\\",\\\"systemTime\\\":\\\"2026-04-20T07:29:51.6151823Z\\\",\\\"eventRecordID\\\":\\\"7942960\\\",\\\"processID\\\":\\\"4\\\",\\\"threadID\\\":\\\"17280\\\",\\\"channel\\\":\\\"Security\\\",\\\"computer\\\":\\\"name\\\",\\\"severityValue\\\":\\\"AUDIT_FAILURE\\\",\\\"message\\\":\\\"\\\\\\\"Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\\\\r\\\\n\\\\r\\\\nFile Name:\\\\t\\\\\\\\Device\\\\\\\\HarddiskVolume3\\\\\\\\Program Files\\\\\\\\Sophos\\\\\\\\Sophos AMSI Protection\\\\\\\\SophosAmsiProvider.dll\\\\t\\\\\\\"\\\"},\\\"eventdata\\\":{\\\"param1\\\":\\\"\\\\\\\\\\\\\\\\Device\\\\\\\\\\\\\\\\HarddiskVolume3\\\\\\\\\\\\\\\\Program Files\\\\\\\\\\\\\\\\Sophos\\\\\\\\\\\\\\\\Sophos AMSI Protection\\\\\\\\\\\\\\\\SophosAmsiProvider.dll\\\"}}}\",\"decoder\":{\"name\":\"windows_eventchannel\"},\"data\":{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"5038\",\"version\":\"0\",\"level\":\"0\",\"task\":\"12290\",\"opcode\":\"0\",\"keywords\":\"0x8010000000000000\",\"systemTime\":\"2026-04-20T07:29:51.6151823Z\",\"eventRecordID\":\"7942960\",\"processID\":\"4\",\"threadID\":\"17280\",\"channel\":\"Security\",\"computer\":\"name\",\"severityValue\":\"AUDIT_FAILURE\",\"message\":\"\\\"Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\\r\\n\\r\\nFile Name:\\t\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\Sophos\\\\Sophos AMSI Protection\\\\SophosAmsiProvider.dll\\t\\\"\"},\"eventdata\":{\"param1\":\"\\\\\\\\Device\\\\\\\\HarddiskVolume3\\\\\\\\Program Files\\\\\\\\Sophos\\\\\\\\Sophos AMSI Protection\\\\\\\\SophosAmsiProvider.dll\"}}},\"location\":\"EventChannel\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::336036495-2049", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0000c76c0), Source:"/var/ossec/logs/archives/archives.json", Offset:195084050, Timestamp:time.Time{wall:0xc27179033219fa30, ext:1011568519362837, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x1407828f, Device:0x801}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"validation_exception","reason":"Validation Failed: 1: this action would add [3] total shards, but this cluster currently has [1000]/[1000] maximum shards open;"}
2026-04-20T09:29:54.373+0200 WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc271935c55f3870e, ext:1038549047080947, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-archives-pipeline"}, Fields:{"agent":{"ephemeral_id":"97106e2d-51df-4051-b80d-d85a5d7bc322","hostname":"wazuh-server","id":"a7e59e99-958b-4981-a656-dcb94a669b1e","name":"wazuh-server","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.archives","module":"wazuh"},"fields":{"index_prefix":"wazuh-archives-4.x-"},"fileset":{"name":"archives"},"host":{"name":"wazuh-server"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/archives/archives.json"},"offset":195084050},"message":"{\"timestamp\":\"2026-04-20T07:29:52.555+0000\",\"rule\":{\"level\":5,\"description\":\"Windows audit failure event\",\"id\":\"60104\",\"firedtimes\":3834,\"mail\":false,\"groups\":[\"windows\",\"windows_security\"],\"pci_dss\":[\"10.6.1\"],\"gdpr\":[\"IV_35.7.d\"],\"hipaa\":[\"164.312.b\"],\"nist_800_53\":[\"AU.6\"],\"tsc\":[\"CC7.2\",\"CC7.3\"]},\"agent\":{\"id\":\"012\",\"name\":\"D.Barolli\",\"ip\":\"192.168.33.22\"},\"manager\":{\"name\":\"wazuh-server\"},\"id\":\"1776670192.33718126\",\"full_log\":\"{\\\"win\\\":{\\\"system\\\":{\\\"providerName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"providerGuid\\\":\\\"{54849625-5478-4994-a5ba-3e3b0328c30d}\\\",\\\"eventID\\\":\\\"5038\\\",\\\"version\\\":\\\"0\\\",\\\"level\\\":\\\"0\\\",\\\"task\\\":\\\"12290\\\",\\\"opcode\\\":\\\"0\\\",\\\"keywords\\\":\\\"0x8010000000000000\\\",\\\"systemTime\\\":\\\"2026-04-20T07:29:51.6487462Z\\\",\\\"eventRecordID\\\":\\\"7942961\\\",\\\"processID\\\":\\\"4\\\",\\\"threadID\\\":\\\"17280\\\",\\\"channel\\\":\\\"Security\\\",\\\"computer\\\":\\\"name\\\",\\\"severityValue\\\":\\\"AUDIT_FAILURE\\\",\\\"message\\\":\\\"\\\\\\\"Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\\\\r\\\\n\\\\r\\\\nFile Name:\\\\t\\\\\\\\Device\\\\\\\\HarddiskVolume3\\\\\\\\Program Files\\\\\\\\Sophos\\\\\\\\Sophos AMSI Protection\\\\\\\\SophosAmsiProvider.dll\\\\t\\\\\\\"\\\"},\\\"eventdata\\\":{\\\"param1\\\":\\\"\\\\\\\\\\\\\\\\Device\\\\\\\\\\\\\\\\HarddiskVolume3\\\\\\\\\\\\\\\\Program Files\\\\\\\\\\\\\\\\Sophos\\\\\\\\\\\\\\\\Sophos AMSI Protection\\\\\\\\\\\\\\\\SophosAmsiProvider.dll\\\"}}}\",\"decoder\":{\"name\":\"windows_eventchannel\"},\"data\":{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"5038\",\"version\":\"0\",\"level\":\"0\",\"task\":\"12290\",\"opcode\":\"0\",\"keywords\":\"0x8010000000000000\",\"systemTime\":\"2026-04-20T07:29:51.6487462Z\",\"eventRecordID\":\"7942961\",\"processID\":\"4\",\"threadID\":\"17280\",\"channel\":\"Security\",\"computer\":\"name\",\"severityValue\":\"AUDIT_FAILURE\",\"message\":\"\\\"Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\\r\\n\\r\\nFile Name:\\t\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\Sophos\\\\Sophos AMSI Protection\\\\SophosAmsiProvider.dll\\t\\\"\"},\"eventdata\":{\"param1\":\"\\\\\\\\Device\\\\\\\\HarddiskVolume3\\\\\\\\Program Files\\\\\\\\Sophos\\\\\\\\Sophos AMSI Protection\\\\\\\\SophosAmsiProvider.dll\"}}},\"location\":\"EventChannel\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::336036495-2049", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0000c76c0), Source:"/var/ossec/logs/archives/archives.json", Offset:195086479, Timestamp:time.Time{wall:0xc27179033219fa30, ext:1011568519362837, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x1407828f, Device:0x801}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"validation_exception","reason":"Validation Failed: 1: this action would add [3] total shards, but this cluster currently has [1000]/[1000] maximum shards open;"}
2026-04-20T09:29:54.373+0200 WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc271935c55f3ae1e, ext:1038549047091047, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-archives-pipeline"}, Fields:{"agent":{"ephemeral_id":"97106e2d-51df-4051-b80d-d85a5d7bc322","hostname":"wazuh-server","id":"a7e59e99-958b-4981-a656-dcb94a669b1e","name":"wazuh-server","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.archives","module":"wazuh"},"fields":{"index_prefix":"wazuh-archives-4.x-"},"fileset":{"name":"archives"},"host":{"name":"wazuh-server"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/archives/archives.json"},"offset":195086479},"message":"{\"timestamp\":\"2026-04-20T07:29:53.093+0000\",\"agent\":{\"id\":\"028\",\"name\":\"ABajaj\",\"ip\":\"192.168.33.13\"},\"manager\":{\"name\":\"wazuh-server\"},\"id\":\"1776670193.33718126\",\"full_log\":\"{\\\"win\\\":{\\\"system\\\":{\\\"providerName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"providerGuid\\\":\\\"{54849625-5478-4994-a5ba-3e3b0328c30d}\\\",\\\"eventID\\\":\\\"5158\\\",\\\"version\\\":\\\"0\\\",\\\"level\\\":\\\"0\\\",\\\"task\\\":\\\"12810\\\",\\\"opcode\\\":\\\"0\\\",\\\"keywords\\\":\\\"0x8020000000000000\\\",\\\"systemTime\\\":\\\"2026-04-20T07:29:46.3629671Z\\\",\\\"eventRecordID\\\":\\\"1429682783\\\",\\\"processID\\\":\\\"4\\\",\\\"threadID\\\":\\\"23240\\\",\\\"channel\\\":\\\"Security\\\",\\\"computer\\\":\\\"name\\\",\\\"severityValue\\\":\\\"AUDIT_SUCCESS\\\",\\\"message\\\":\\\"\\\\\\\"The Windows Filtering Platform has permitted a bind to a local port.\\\\r\\\\n\\\\r\\\\nApplication Information:\\\\r\\\\n\\\\tProcess ID:\\\\t\\\\t23752\\\\r\\\\n\\\\tApplication Name:\\\\t\\\\\\\\device\\\\\\\\harddiskvolume3\\\\\\\\program files\\\\\\\\google\\\\\\\\chrome\\\\\\\\application\\\\\\\\chrome.exe\\\\r\\\\n\\\\r\\\\nNetwork Information:\\\\r\\\\n\\\\tSource Address:\\\\t\\\\t::\\\\r\\\\n\\\\tSource Port:\\\\t\\\\t58065\\\\r\\\\n\\\\tProtocol:\\\\t\\\\t17\\\\r\\\\n\\\\r\\\\nFilter Information:\\\\r\\\\n\\\\tFilter Run-Time ID:\\\\t0\\\\r\\\\n\\\\tLayer Name:\\\\t\\\\tResource Assignment\\\\r\\\\n\\\\tLayer Run-Time ID:\\\\t36\\\\\\\"\\\"},\\\"eventdata\\\":{\\\"processId\\\":\\\"23752\\\",\\\"application\\\":\\\"\\\\\\\\\\\\\\\\device\\\\\\\\\\\\\\\\harddiskvolume3\\\\\\\\\\\\\\\\program files\\\\\\\\\\\\\\\\google\\\\\\\\\\\\\\\\chrome\\\\\\\\\\\\\\\\application\\\\\\\\\\\\\\\\chrome.exe\\\",\\\"sourceAddress\\\":\\\"::\\\",\\\"sourcePort\\\":\\\"58065\\\",\\\"protocol\\\":\\\"17\\\",\\\"filterRTID\\\":\\\"0\\\",\\\"layerName\\\":\\\"%%14608\\\",\\\"layerRTID\\\":\\\"36\\\"}}}\",\"decoder\":{\"name\":\"windows_eventchannel\"},\"data\":{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"5158\",\"version\":\"0\",\"level\":\"0\",\"task\":\"12810\",\"opcode\":\"0\",\"keywords\":\"0x8020000000000000\",\"systemTime\":\"2026-04-20T07:29:46.3629671Z\",\"eventRecordID\":\"1429682783\",\"processID\":\"4\",\"threadID\":\"23240\",\"channel\":\"Security\",\"computer\":\"name\",\"severityValue\":\"AUDIT_SUCCESS\",\"message\":\"\\\"The Windows Filtering Platform has permitted a bind to a local port.\\r\\n\\r\\nApplication Information:\\r\\n\\tProcess ID:\\t\\t23752\\r\\n\\tApplication Name:\\t\\\\device\\\\harddiskvolume3\\\\program files\\\\google\\\\chrome\\\\application\\\\chrome.exe\\r\\n\\r\\nNetwork Information:\\r\\n\\tSource Address:\\t\\t::\\r\\n\\tSource Port:\\t\\t58065\\r\\n\\tProtocol:\\t\\t17\\r\\n\\r\\nFilter Information:\\r\\n\\tFilter Run-Time ID:\\t0\\r\\n\\tLayer Name:\\t\\tResource Assignment\\r\\n\\tLayer Run-Time ID:\\t36\\\"\"},\"eventdata\":{\"processId\":\"23752\",\"application\":\"\\\\\\\\device\\\\\\\\harddiskvolume3\\\\\\\\program files\\\\\\\\google\\\\\\\\chrome\\\\\\\\application\\\\\\\\chrome.exe\",\"sourceAddress\":\"::\",\"sourcePort\":\"58065\",\"protocol\":\"17\",\"filterRTID\":\"0\",\"layerName\":\"%%14608\",\"layerRTID\":\"36\"}}},\"location\":\"EventChannel\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::336036495-2049", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0000c76c0), Source:"/var/ossec/logs/archives/archives.json", Offset:195089256, Timestamp:time.Time{wall:0xc27179033219fa30, ext:1011568519362837, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x1407828f, Device:0x801}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"validation_exception","reason":"Validation Failed: 1: this action would add [3] total shards, but this cluster currently has [1000]/[1000] maximum shards open;"}
2026-04-20T09:29:54.373+0200 WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc271935c75459e9b, ext:1038549572554624, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"97106e2d-51df-4051-b80d-d85a5d7bc322","hostname":"wazuh-server","id":"a7e59e99-958b-4981-a656-dcb94a669b1e","name":"wazuh-server","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-4.x-"},"fileset":{"name":"alerts"},"host":{"name":"wazuh-server"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":30787896},"message":"{\"timestamp\":\"2026-04-20T07:29:53.479+0000\",\"rule\":{\"level\":5,\"description\":\"Windows audit failure event\",\"id\":\"60104\",\"firedtimes\":3835,\"mail\":false,\"groups\":[\"windows\",\"windows_security\"],\"pci_dss\":[\"10.6.1\"],\"gdpr\":[\"IV_35.7.d\"],\"hipaa\":[\"164.312.b\"],\"nist_800_53\":[\"AU.6\"],\"tsc\":[\"CC7.2\",\"CC7.3\"]},\"agent\":{\"id\":\"025\",\"name\":\"E.Tato-Financa\",\"ip\":\"192.168.0.16\"},\"manager\":{\"name\":\"wazuh-server\"},\"id\":\"1776670193.33720248\",\"decoder\":{\"name\":\"windows_eventchannel\"},\"data\":{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"5038\",\"version\":\"0\",\"level\":\"0\",\"task\":\"12290\",\"opcode\":\"0\",\"keywords\":\"0x8010000000000000\",\"systemTime\":\"2026-04-20T07:29:52.2928373Z\",\"eventRecordID\":\"4677056\",\"processID\":\"4\",\"threadID\":\"19392\",\"channel\":\"Security\",\"computer\":\"Arlinda-Pc\",\"severityValue\":\"AUDIT_FAILURE\",\"message\":\"\\\"Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\\r\\n\\r\\nFile Name:\\t\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\Sophos\\\\Sophos AMSI Protection\\\\SophosAmsiProvider.dll\\t\\\"\"},\"eventdata\":{\"param1\":\"\\\\\\\\Device\\\\\\\\HarddiskVolume3\\\\\\\\Program Files\\\\\\\\Sophos\\\\\\\\Sophos AMSI Protection\\\\\\\\SophosAmsiProvider.dll\"}}},\"location\":\"EventChannel\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::369105976-2049", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0002f7450), Source:"/var/ossec/logs/alerts/alerts.json", Offset:30789279, Timestamp:time.Time{wall:0xc27179033222ed38, ext:1011568519949341, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x16001c38, Device:0x801}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"validation_exception","reason":"Validation Failed: 1: this action would add [3] total shards, but this cluster currently has [1000]/[1000] maximum shards open;"}
2026-04-20T09:29:54.373+0200 WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc271935c754643d7, ext:1038549572597024, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"97106e2d-51df-4051-b80d-d85a5d7bc322","hostname":"wazuh-server","id":"a7e59e99-958b-4981-a656-dcb94a669b1e","name":"wazuh-server","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-4.x-"},"fileset":{"name":"alerts"},"host":{"name":"wazuh-server"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":30789279},"message":"{\"timestamp\":\"2026-04-20T07:29:53.491+0000\",\"rule\":{\"level\":5,\"description\":\"Windows audit failure event\",\"id\":\"60104\",\"firedtimes\":3836,\"mail\":false,\"groups\":[\"windows\",\"windows_security\"],\"pci_dss\":[\"10.6.1\"],\"gdpr\":[\"IV_35.7.d\"],\"hipaa\":[\"164.312.b\"],\"nist_800_53\":[\"AU.6\"],\"tsc\":[\"CC7.2\",\"CC7.3\"]},\"agent\":{\"id\":\"025\",\"name\":\"E.Tato-Financa\",\"ip\":\"192.168.0.16\"},\"manager\":{\"name\":\"wazuh-server\"},\"id\":\"1776670193.33722337\",\"decoder\":{\"name\":\"windows_eventchannel\"},\"data\":{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"5038\",\"version\":\"0\",\"level\":\"0\",\"task\":\"12290\",\"opcode\":\"0\",\"keywords\":\"0x8010000000000000\",\"systemTime\":\"2026-04-20T07:29:52.3224611Z\",\"eventRecordID\":\"4677057\",\"processID\":\"4\",\"threadID\":\"19392\",\"channel\":\"Security\",\"computer\":\"Arlinda-Pc\",\"severityValue\":\"AUDIT_FAILURE\",\"message\":\"\\\"Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\\r\\n\\r\\nFile Name:\\t\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\Sophos\\\\Sophos AMSI Protection\\\\SophosAmsiProvider.dll\\t\\\"\"},\"eventdata\":{\"param1\":\"\\\\\\\\Device\\\\\\\\HarddiskVolume3\\\\\\\\Program Files\\\\\\\\Sophos\\\\\\\\Sophos AMSI Protection\\\\\\\\SophosAmsiProvider.dll\"}}},\"location\":\"EventChannel\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::369105976-2049", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0002f7450), Source:"/var/ossec/logs/alerts/alerts.json", Offset:30790662, Timestamp:time.Time{wall:0xc27179033222ed38, ext:1011568519949341, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x16001c38, Device:0x801}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"validation_exception","reason":"Validation Failed: 1: this action would add [3] total shards, but this cluster currently has [1000]/[1000] maximum shards open;"}
2026-04-20T09:29:54.373+0200 WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc271935c754664a7, ext:1038549572605324, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"97106e2d-51df-4051-b80d-d85a5d7bc322","hostname":"wazuh-server","id":"a7e59e99-958b-4981-a656-dcb94a669b1e","name":"wazuh-server","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-4.x-"},"fileset":{"name":"alerts"},"host":{"name":"wazuh-server"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":30790662},"message":"{\"timestamp\":\"2026-04-20T07:29:53.501+0000\",\"rule\":{\"level\":5,\"description\":\"Windows audit failure event\",\"id\":\"60104\",\"firedtimes\":3837,\"mail\":false,\"groups\":[\"windows\",\"windows_security\"],\"pci_dss\":[\"10.6.1\"],\"gdpr\":[\"IV_35.7.d\"],\"hipaa\":[\"164.312.b\"],\"nist_800_53\":[\"AU.6\"],\"tsc\":[\"CC7.2\",\"CC7.3\"]},\"agent\":{\"id\":\"025\",\"name\":\"E.Tato-Financa\",\"ip\":\"192.168.0.16\"},\"manager\":{\"name\":\"wazuh-server\"},\"id\":\"1776670193.33724426\",\"decoder\":{\"name\":\"windows_eventchannel\"},\"data\":{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Security-Auditing\",\"providerGuid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"eventID\":\"5038\",\"version\":\"0\",\"level\":\"0\",\"task\":\"12290\",\"opcode\":\"0\",\"keywords\":\"0x8010000000000000\",\"systemTime\":\"2026-04-20T07:29:52.3369949Z\",\"eventRecordID\":\"4677058\",\"processID\":\"4\",\"threadID\":\"19392\",\"channel\":\"Security\",\"computer\":\"Arlinda-Pc\",\"severityValue\":\"AUDIT_FAILURE\",\"message\":\"\\\"Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.\\r\\n\\r\\nFile Name:\\t\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\Sophos\\\\Sophos AMSI Protection\\\\SophosAmsiProvider.dll\\t\\\"\"},\"eventdata\":{\"param1\":\"\\\\\\\\Device\\\\\\\\HarddiskVolume3\\\\\\\\Program Files\\\\\\\\Sophos\\\\\\\\Sophos AMSI Protection\\\\\\\\SophosAmsiProvider.dll\"}}},\"location\":\"EventChannel\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::369105976-2049", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0002f7450), Source:"/var/ossec/logs/alerts/alerts.json", Offset:30792045, Timestamp:time.Time{wall:0xc27179033222ed38, ext:1011568519949341, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x16001c38, Device:0x801}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"validation_exception","reason":"Validation Failed: 1: this action would add [3] total shards, but this cluster currently has [1000]/[1000] maximum shards open;"}
2026/04/20 07:23:00 wazuh-remoted: WARNING: Agent key already in use: agent ID '014'
2026/04/20 07:33:31 wazuh-maild: ERROR: (1764): Mail from not accepted by server
2026/04/20 07:33:31 wazuh-maild: ERROR: (1263): Error Sending email to 52.97.141.86 (smtp server)
Md. Nazmur Sakib
If you look at this error log
Source:"/var/ossec/logs/alerts/alerts.json", Offset:30792045, Timestamp:time.Time{wall:0xc27179033222ed38, ext:1011568519949341, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x16001c38, Device:0x801}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"validation_exception","reason":"Validation Failed: 1: this action would add [3] total shards, but this cluster currently has [1000]/[1000] maximum shards open;"}
A single-node indexer cluster can have 1000 shards at maximum. If you have one indexer
cluster, you need to add another indexer node or delete some old indices
from your server to free up some space.
To add more Wazuh indexer nodes, follow this document:
https://documentation.wazuh.com/current/user-manual/wazuh-indexer-cluster.html#adding-wazuh-indexer-nodes>
To delete old indices, go to
Index Management > Indices
Search with Wazuh-alerts
Select the indices you want to delete
Click on Action and select Delete from the drop-down.
Check the screenshot for reference.
.
I will also suggest you check the ILM and snapshot documents for better
Management of your indices.
https://documentation.wazuh.com/current/user-manual/wazuh-indexer/index-life-management.html
https://documentation.wazuh.com/current/user-manual/wazuh-indexer/migrating-wazuh-indices.html
You can chnage the number of shards per index following this document. For a single-node indexer, keep the primary shards to 1 and the replicas to 0.
https://documentation.wazuh.com/current/user-manual/wazuh-indexer/wazuh-indexer-tuning.html#setting-the-number-of-shards
To chnage the primary shards number, if the index has already been created, it must be re-indexed.
After that, you can recover your missing alerts using this document.
https://wazuh.com/blog/recover-your-data-using-wazuh-alert-backups/
Let me know if this solves your problem.
Ali Bajaj
The version of wazuh server is: 4.14.0
--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/aaf69946-876a-4792-93d3-b6927e1ab9a1n%40googlegroups.com.
Md. Nazmur Sakib
When it is possible to increase the shard limit, it is not advisable to increase the number too high for the long run, as it will bring more problems in the future, as more indices will create more load on the system.
If your indexer node has more space left, I suggest you change the number of shards to 1 for each index if there are more than 1. The default number is 3 shards for the alerts indices, but as you have a single indexer node. Shards are a kind of packet of data. When you have 3 shards, you are keeping the data in three small packets. If you make it one, you are keeping it one big packet.
Go to this index file /etc/filebeat/wazuh-template.json
Once you enter the file, then edit the index.number_of_shards to 1 and index.auto_expand_replicas to false
"settings": {
"index.refresh_interval": "5s",
"index.number_of_shards": "1",
"index.number_of_replicas": "0",
"index.auto_expand_replicas": "false",
Now load the configuration and restart the filebeat.
sudo filebeat setup -index-management
sudo systemctl restart filebeat
After configuring this, the new indices will have one primary shard instead of three.
Ref:https://documentation.wazuh.com/current/user-manual/wazuh-indexer/wazuh-indexer-tuning.html#setting-the-number-of-shards
For the old indices, if you want to make changes in the number of shards, you will need to reindex every indices one by one.
Ex:
Go to Indexer Management > Dev Tools
Make a backup index.
POST _reindex
{
"source": {
"index": "wazuh-alerts-4.x-2026.02.05"
},
"dest": {
"index": "wazuh-alerts-4.x-backup"
}
}
Delete the main index
DELETE /wazuh-alerts-4.x-2026.02.05
Create the main index from back-up
POST _reindex
{
"source": {
"index": "wazuh-alerts-4.x-backup"
},
"dest": {
"index": "wazuh-alerts-4.x-2026.02.05"
}
}
Delete the backup index
DELETE /wazuh-alerts-4.x-backup
Ref:
https://documentation.wazuh.com/current/user-manual/wazuh-indexer/re-indexing.html
