Empty fields in alerts OpenSearch Plugins - alerting

[Alx Ch]

Hi everybody!
Please, explain me what im doing wrong.
case: i try to tune my Wazuh up for alerting (OpenSearch Plugins - alerting)
And they are working fine (screen 1)
For tests, I set some setting to create an alert, if some rule.id happened. And i pointed to group by agent.name and agent.ip. (Screen 2) I see these parametrs if i try to view  "Preview query and performance" at Monitor tab (screen 3, I deleted ip and hostnames from screen)
But i cant see them in Alerts tab (screens 4,5 Monitor tab and alerts tab)
I tryed to create another Monitors, with another triggers, for another events, but i got the same result: there are no fields with agent.name and agent.ip in Alerts tab.
Any ideas?

[Md. Nazmur Sakib]

Hi Alx,

Hope you are doing well. Thank you for using Wazuh.

Can you share details about your Wazuh environment?

The type of deployment 

Also, can you share your updated configuration for Wazuh alerting (OpenSearch Plugins - alerting)? What kind of changes did you make?

So that I can have a better understanding of your problem and guide you accordingly.

Regards

Md. Nazmur Sakib

[Alx Ch]

Hi!
That's my fault, i didn't describe my environment.
Wazuh ver v4.5.3 (i updated it to the actual ver), all-in-one installation, Ubuntu 22.04
yesterday i followed the instruction from this link
https://wazuh.com/blog/enhancing-it-security-with-anomaly-detection/
and added anomalyDetectionDashboards plugin for the future games.

There werent any configured alerts before in this module, i just started to practice with it.
So, i can say that system is close to default with tunes in this direction.

четверг, 19 октября 2023 г. в 14:50:29 UTC+3, Md. Nazmur Sakib:

[Md. Nazmur Sakib]

Hi Alx,

Hope you are doing well. 

I was trying to reproduce your issue in my lab but I was unable to reproduce it.

I am looking into it. Meanwhile, check this document to get related help.

https://opensearch.org/docs/latest/observing-your-data/alerting/per-query-bucket-monitors/

https://opensearch.org/docs/latest/observing-your-data/alerting/monitors/

I hope this helps. I will update you if I can make any further progress. Let me know the update on the issue.

Regards 

Md. Nazmur Sakib

[Md. Nazmur Sakib]

Hi Alx,

Any update on the issue. 

Can you share your trigger configuration? It will help me replicate the issue.

Also check this reference document: https://opensearch.org/docs/latest/observing-your-data/alerting/triggers/

Please let me know the update on the issue.

Regards 

Md. Nazmur Sakib

[Alx Ch]

Good day!

Sorry for long response.

I attached screen with trigger.

Now im going to create virtual lab and make test setup. It will be interesting to find out on a clear system .

понедельник, 23 октября 2023 г. в 15:23:00 UTC+3, Md. Nazmur Sakib:

[Alx Ch]

What's the interesting case:

i've installed clear server already (curl -sO https://packages.wazuh.com/4.4/wazuh-install.sh && sudo bash ./wazuh-install.sh -a) Ubuntu 22.04

1 agent (on Ubuntu 22.04)

Created a simple monitor: per bucket, query - count of rule.id, data filter - rule.id, group by agent.ip and agent.name

Created a simple trigger: if event number N happened -> create alert if count of event >0

and I see that screen

How does this module works?

вторник, 24 октября 2023 г. в 14:05:11 UTC+3, Alx Ch:

[Md. Nazmur Sakib]

Hi Alx Ch,

Hope you are doing well. 

I was able to reproduce the issue in my lab 

It seems like the parameters used in Group By are missing while showing it in the user interface.

Seems like it is a bug or something.

You can look for relevant information in Opensearch as this is a plugin of Opensearch.

https://forum.opensearch.org/

Regards

Md. Nazmur Sakib

[Alx Ch]

Hi!

Thanks for your response!

I found the same issue by your link, but there are no answers there. 

https://forum.opensearch.org/t/alerting-ui-has-group-by-bug/16224

I'll try to find some more information and follow this thread

Have a nice day.

среда, 25 октября 2023 г. в 12:50:50 UTC+3, Md. Nazmur Sakib: