indexes are not displayed


doc dodo

Mar 5, 2026, 2:29:57 AM
to Wazuh | Mailing List
Hello,

Wazuh agent is connected to server and high-level events arrive by email, but events are not displayed in web interface.

I would be grateful for help in solving the problem.

Rafael Bailon Robles

Mar 5, 2026, 3:11:50 AM
to Wazuh | Mailing List

If the agent is connected and alert emails are received, alert generation is working on the server side. The issue is usually in the Dashboard/Indexer ingestion path.

Please run the checks below and share the outputs:

  1. Dashboard scope check

    • In Wazuh Dashboard, set time range to Last 24 hours, clear filters, and verify the correct tenant/space.
  2. Service status

    systemctl status wazuh-manager filebeat wazuh-indexer wazuh-dashboard --no-pager
  3. Wazuh API availability

    curl -k -X GET "https://<api_url>:55000/?pretty=true" \
      -H "Authorization: Bearer $(curl -u <api_user>:<api_password> -k -X POST 'https://<api_url>:55000/security/user/authenticate?raw=true')"

    More info: Logging into the Wazuh server API via command line

  4. Check alert indices in the indexer

    curl -k -u <WAZUH_INDEXER_USERNAME>:<WAZUH_INDEXER_PASSWORD> \
      "https://<WAZUH_INDEXER_IP>:9200/_cat/indices/wazuh-alerts-*?v"

    More info: Logging into the Wazuh indexer API

  5. Validate Filebeat output to indexer

    filebeat test output

    More info: Starting the Filebeat service

  6. Confirm server is producing alerts

    tail -n 100 /var/ossec/logs/alerts/alerts.json

With these outputs, we can identify whether the problem is API, Filebeat shipping, indexer indexing, or Dashboard filtering. Based on your symptom, the most likely root cause is between Filebeat -> Wazuh Indexer -> Wazuh Dashboard.

It would also be useful to know your Wazuh version (manager/indexer/dashboard) and installation type (single-node/distributed) as well as whether you have performed any recent upgrades. A general review of logs for errors could also help if any are found.

    cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
    cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
    cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
    journalctl -u wazuh-dashboard | grep -i -E "error|warn"

More info: Troubleshooting
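
One way to turn the outputs of steps 4 and 6 plus the Filebeat log into a single verdict, added here as an example (it is not code from this thread or from Wazuh). The function names are hypothetical; the alert and index lines are abridged from outputs posted in this thread, and the tail of the Filebeat line (`status=400` and its error type) is constructed.

```shell
#!/usr/bin/env bash
# Added example: works only on saved command output, nothing is queried live.

# Newest alert day on stdin (alerts.json lines), as YYYY.MM.DD like the index suffix.
latest_alert_day() {
  sed -n 's/^{"timestamp":"\([0-9]\{4\}\)-\([0-9][0-9]\)-\([0-9][0-9]\)T.*/\1.\2.\3/p' |
    sort | tail -n 1
}

# docs.count of index $1 in `_cat/indices?v` output on stdin; empty if absent.
# Columns: health status index uuid pri rep docs.count ...
index_docs() { awk -v idx="$1" '$3 == idx { print $7 }'; }

# Count of events the indexer refused, from a Filebeat log on stdin.
rejected_events() { grep -c 'Cannot index event' || true; }

# Distinct "status error_type" pairs of those refusals (line tail format is assumed).
rejection_reasons() {
  sed -n 's/.*Cannot index event .* (status=\([0-9][0-9]*\)): {"type":"\([a-z_]*\)".*/\1 \2/p' |
    sort -u
}

# triage ALERTS INDICES FILEBEAT_LOG -> one line naming the stage to look at
triage() {
  local day idx docs rejected
  day=$(latest_alert_day < "$1")
  if [ -z "$day" ]; then echo "manager: no alerts in alerts.json"; return 0; fi
  idx="wazuh-alerts-4.x-$day"
  docs=$(index_docs "$idx" < "$2")
  rejected=$(rejected_events < "$3")
  if [ -z "$docs" ]; then
    echo "shipping: $idx does not exist, check Filebeat"
  elif [ "$docs" -eq 0 ]; then
    echo "indexer: $idx is empty"
  elif [ "$rejected" -gt 0 ]; then
    echo "indexer: $idx has $docs docs but $rejected event(s) were rejected"
  else
    echo "dashboard: $idx has $docs docs"
  fi
}

# Sample inputs (abridged or constructed, see the lead-in).
d=$(mktemp -d)
printf '%s\n' '{"timestamp":"2026-03-05T08:23:40.402+0000","rule":{"level":3,"id":"61605"},"agent":{"id":"005","name":"okb11"}}' > "$d/alerts.json"
cat > "$d/indices.txt" <<'EOF'
health status index                       uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   wazuh-alerts-4.x-2026.03.04 E-a_ec5rTyensPx8oEGXsw   3   1  174576966           15    122.7gb         61.3gb
green  open   wazuh-alerts-4.x-2026.03.05 y8lFNr9ORhGR9Yu3QS-DHw   3   1   37090616           32     29.3gb         14.5gb
EOF
printf '%s\n' '2026-03-05T09:42:01.238+0300 WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{...} (status=400): {"type":"mapper_parsing_exception","reason":"constructed"}' > "$d/filebeat.log"
: > "$d/filebeat_clean.log"

triage "$d/alerts.json" "$d/indices.txt" "$d/filebeat.log"
triage "$d/alerts.json" "$d/indices.txt" "$d/filebeat_clean.log"
rejection_reasons < "$d/filebeat.log"
```

A non-empty index for the current day only shows that shipping works in general; individual events can still be refused, which is what the `Cannot index event` warning records.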

doc dodo

Mar 5, 2026, 3:52:02 AM
to Wazuh | Mailing List
curl -k -X GET "https://172.22.131.50:55000/?pretty=true"  -H "Authorization: Bearer $(curl -u u**r:p***d -k -X POST 'https://172.22.131.50:55000/security/user/authenticate?raw=true')"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   404  100   404    0     0   2401      0 --:--:-- --:--:-- --:--:--  2404
{
   "data": {
      "title": "Wazuh API REST",
      "api_version": "4.14.3",
      "revision": "rc3",
      "license_name": "GPL 2.0",
      "license_url": "https://github.com/wazuh/wazuh/blob/v4.14.3/LICENSE",
      "hostname": "wazuh.master",
      "timestamp": "2026-03-05T08:16:54Z"
   },
   "error": 0

curl -k -u  u**r:p***d    "https://172.22.131.50:9200/_cat/indices/wazuh-alerts-*?v"
health status index                       uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   wazuh-alerts-4.x-2026.02.06 dzYu2i7nS_i1J9xtQMU7Tg   3   1   29730857          497     62.5gb         31.2gb
green  open   wazuh-alerts-4.x-2026.02.28 sV_xgpK9Tbiusgiru5J8dw   3   1  115628200            7     85.6gb         42.8gb
green  open   wazuh-alerts-4.x-2026.02.05 aXMVavv_TMWAD1zibPhghQ   3   1   31230147         3212     64.9gb         32.4gb
green  open   wazuh-alerts-4.x-2026.02.27 d6ZBS7xuRGCn2deIPY8gqw   3   1  173123798            6    129.8gb         64.9gb
green  open   wazuh-alerts-4.x-2026.02.08 _Xclw4pTSwml13m7b7aP3A   3   1   21707010         1467     44.5gb         22.2gb
green  open   wazuh-alerts-4.x-2026.02.07 4nNLwPvqRxSla26zSj90gA   3   1   21275089         1885       44gb           22gb
green  open   wazuh-alerts-4.x-2026.02.09 tplt78yARi6eGRP59KTa2g   3   1   34154515          190     67.9gb         33.9gb
green  open   wazuh-alerts-4.x-2026.03.01 EEJNNo29RlCGjYnv8X9dLQ   3   1  110259677            2     84.7gb         42.3gb
green  open   wazuh-alerts-4.x-2026.02.11 kxqNg9dRQ72g_LXycMhZ9w   3   1   31033068           65     64.8gb         32.4gb
green  open   wazuh-alerts-4.x-2026.02.10 qZEFREicRZeu_EqkDeqqXQ   3   1   34551888          104     68.1gb           34gb
green  open   wazuh-alerts-4.x-2026.03.04 E-a_ec5rTyensPx8oEGXsw   3   1  174576966           15    122.7gb         61.3gb
green  open   wazuh-alerts-4.x-2026.02.13 NVUhVoIBQbSCV2X-VMBhdw   3   1   30916277           12     63.2gb         31.6gb
green  open   wazuh-alerts-4.x-2026.03.05 y8lFNr9ORhGR9Yu3QS-DHw   3   1   37090616           32     29.3gb         14.5gb
green  open   wazuh-alerts-4.x-2026.02.12 IyUTJFskQ0GsszB86qjZTw   3   1   31253849           15     65.7gb         32.8gb
green  open   wazuh-alerts-4.x-2026.03.02 tnTiBAW6SHqs9ikKpv2pCQ   3   1  163745746          203      123gb         61.5gb
green  open   wazuh-alerts-4.x-2026.02.15 6cOgziETQeSHYwdHiuwWPA   3   1   19143700           22     39.4gb         19.7gb
green  open   wazuh-alerts-4.x-2026.03.03 cJ2Y084GR6mvGtTbEuRkgQ   3   1  175079423           52    122.2gb         61.1gb
green  open   wazuh-alerts-4.x-2026.02.14 x-5ZzA0XQ4-dC2gIZ_nqjQ   3   1   18850686            7     38.8gb         19.4gb
green  open   wazuh-alerts-4.x-2026.02.17 ABZg0U2rRVWqfNwTFqxktw   3   1   34273950           56     74.9gb         37.4gb
green  open   wazuh-alerts-4.x-2026.02.16 Q9BnRcu-SNWtAC1a1sij2A   3   1   32266513           46       67gb         33.5gb
green  open   wazuh-alerts-4.x-2026.02.19 Dh8VvGYSR6mz6kfbIbbHQg   3   1   30630809           91     64.3gb         32.1gb
green  open   wazuh-alerts-4.x-2026.02.18 I-ArU1KSSlOnN9OsjNBXRQ   3   1   32508160           16     68.3gb         34.1gb
green  open   wazuh-alerts-4.x-2026.02.20 74sEYfgxQGW29Cl0U1u56w   3   1   93015577           18     90.9gb         45.4gb
green  open   wazuh-alerts-4.x-2026.02.22 oTxKyzFhS8CP7oA9gsIgTw   3   1  114992543           12     85.2gb         42.6gb
green  open   wazuh-alerts-4.x-2026.02.21 o3VUVIUFTRSBra0KVxvn7w   3   1  118431959            9     86.7gb         43.3gb
green  open   wazuh-alerts-4.x-2026.02.24 zVF6CZi2T5uevkm8jjTWnw   3   1  192761935           24    143.2gb         71.6gb
green  open   wazuh-alerts-4.x-2026.02.23 r6paMiCqT5ObmifIEzEPig   3   1  175090787           14    132.2gb         66.1gb
green  open   wazuh-alerts-4.x-2026.02.26 3Ww4QSSQSHq5DpxOBlVhLw   3   1  178987578           39    138.2gb           69gb
green  open   wazuh-alerts-4.x-2026.02.04 JxR1hDEoQoeTU5zcgfB4iw   3   1   31582285         1411     65.9gb         32.9gb
green  open   wazuh-alerts-4.x-2026.02.25 huRSZfe3Sli0tN010tKCfg   3   1  178191443          228    136.2gb           68gb 

filebeat test output
elasticsearch: https://wazuh1.indexer:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.18.0.4
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

tail -n 100 /var/ossec/logs/alerts/alerts.json | grep okb11
bash-5.2# tail -f /var/ossec/logs/alerts/alerts.json | grep okb11
{"timestamp":"2026-03-05T08:23:40.402+0000","rule":{"level":3,"description":"Sysmon - Event 3: Network connection to 192.168.105.101:8999 by C:\\\\Program Files (x86)\\\\svhost\\\\svhost2\\\\svhost.exe","id":"61605","firedtimes":263897,"mail":false,"groups":["local","syslog","sshd","sysmon_event3"]},"agent":{"id":"005","name":"okb11","ip":"172.22.31.105"},"manager":{"name":"wazuh.master"},"id":"1772699020.4388950153","cluster":{"name":"wazuh","node":"manager"},"decoder":{"name":"windows_eventchannel"},"data":{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"3","version":"5","level":"4","task":"3","opcode":"0","keywords":"0x8000000000000000","systemTime":"2026-03-05T08:23:39.4917670Z","eventRecordID":"5198768","processID":"4072","threadID":"5968","channel":"Microsoft-Windows-Sysmon/Operational","computer":"okb11.airport.local","severityValue":"INFORMATION","message":"\"Network connection detected:\r\nRuleName: -\r\nUtcTime: 2026-03-05 08:23:39.961\r\nProcessGuid: {ad8c47d7-9c35-69a6-5600-000000008c00}\r\nProcessId: 3992\r\nImage: C:\\Program Files (x86)\\svhost\\svhost2\\svhost.exe\r\nUser: NT AUTHORITY\\СИСТЕМА\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 172.22.31.105\r\nSourceHostname: okb11.airport.local\r\nSourcePort: 61945\r\nSourcePortName: -\r\nDestinationIsIpv6: false\r\nDestinationIp: 192.168.105.101\r\nDestinationHostname: siendpoint.airport.local\r\nDestinationPort: 8999\r\nDestinationPortName: -\""},"eventdata":{"utcTime":"2026-03-05 08:23:39.961","processGuid":"{ad8c47d7-9c35-69a6-5600-000000008c00}","processId":"3992","image":"C:\\\\Program Files (x86)\\\\svhost\\\\svhost2\\\\svhost.exe","user":"NT 
AUTHORITY\\\\СИСТЕМА","protocol":"tcp","initiated":"true","sourceIsIpv6":"false","sourceIp":"172.22.31.105","sourceHostname":"okb11.airport.local","sourcePort":"61945","destinationIsIpv6":"false","destinationIp":"192.168.105.101","destinationHostname":"siendpoint.airport.local","destinationPort":"8999"}}},"location":"EventChannel"}


cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"

[2026-03-05T07:03:03,018][WARN ][stderr                   ] [wazuh1.indexer] WARNING: A restricted method in java.lang.foreign.Linker has been called
[2026-03-05T07:03:03,019][WARN ][stderr                   ] [wazuh1.indexer] WARNING: java.lang.foreign.Linker::downcallHandle has been called by the unnamed module
[2026-03-05T07:03:03,019][WARN ][stderr                   ] [wazuh1.indexer] WARNING: Use --enable-native-access=ALL-UNNAMED to avoid a warning for this module
[2026-03-05T07:03:05,036][WARN ][o.o.s.c.Salt             ] [wazuh1.indexer] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2026-03-05T07:03:05,064][ERROR][o.o.s.a.s.SinkProvider   ] [wazuh1.indexer] Default endpoint could not be created, auditlog will not work properly.
[2026-03-05T07:03:05,065][WARN ][o.o.s.a.r.AuditMessageRouter] [wazuh1.indexer] No default storage available, audit log may not work properly. Please check configuration.
[2026-03-05T07:03:05,656][WARN ][o.o.s.p.SQLPlugin        ] [wazuh1.indexer] Master key is a required config for using create and update datasource APIs. Please set plugins.query.datasources.encryption.masterkey config in opensearch.yml in all the cluster nodes. More details can be found here: https://github.com/opensearch-project/sql/blob/main/docs/user/ppl/admin/datasources.rst#master-key-config-for-encrypting-credential-information
[2026-03-05T07:03:06,601][WARN ][o.o.g.DanglingIndicesState] [wazuh1.indexer] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2026-03-05T07:03:08,015][ERROR][o.o.s.a.BackendRegistry  ] [wazuh1.indexer] Not yet initialized (you may need to run securityadmin)
[2026-03-05T07:03:08,020][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [wazuh1.indexer] Config override setting update called with empty string. Ignoring.
[2026-03-05T07:03:08,050][ERROR][o.o.s.a.BackendRegistry  ] [wazuh1.indexer] Not yet initialized (you may need to run securityadmin)
[2026-03-05T07:03:08,055][ERROR][o.o.s.a.BackendRegistry  ] [wazuh1.indexer] Not yet initialized (you may need to run securityadmin)
[2026-03-05T07:03:08,518][WARN ][o.o.o.i.ObservabilityIndex] [wazuh1.indexer] message: index [.opensearch-observability/rfBtsf3eRlC4UNuMV006Dw] already exists
[2026-03-05T07:03:10,457][ERROR][o.o.s.a.BackendRegistry  ] [wazuh1.indexer] Not yet initialized (you may need to run securityadmin)
[2026-03-05T07:03:10,460][ERROR][o.o.s.a.BackendRegistry  ] [wazuh1.indexer] Not yet initialized (you may need to run securityadmin)
[2026-03-05T07:03:10,462][ERROR][o.o.s.a.BackendRegistry  ] [wazuh1.indexer] Not yet initialized (you may need to run securityadmin)
[2026-03-05T07:03:10,463][ERROR][o.o.s.a.BackendRegistry  ] [wazuh1.indexer] Not yet initialized (you may need to run securityadmin)
[2026-03-05T07:03:10,587][ERROR][o.o.s.a.BackendRegistry  ] [wazuh1.indexer] Not yet initialized (you may need to run securityadmin)
[2026-03-05T07:03:10,876][ERROR][o.o.s.a.BackendRegistry  ] [wazuh1.indexer] Not yet initialized (you may need to run securityadmin)
[2026-03-05T07:03:10,963][ERROR][o.o.s.a.BackendRegistry  ] [wazuh1.indexer] Not yet initialized (you may need to run securityadmin)
[2026-03-05T07:03:11,049][ERROR][o.o.s.a.BackendRegistry  ] [wazuh1.indexer] Not yet initialized (you may need to run securityadmin)
[2026-03-05T07:03:11,162][ERROR][o.o.s.a.BackendRegistry  ] [wazuh1.indexer] Not yet initialized (you may need to run securityadmin)
[2026-03-05T07:03:11,241][ERROR][o.o.s.a.BackendRegistry  ] [wazuh1.indexer] Not yet initialized (you may need to run securityadmin)
[2026-03-05T07:03:13,366][WARN ][r.suppressed             ] [wazuh1.indexer] path: /.kibana/_count, params: {index=.kibana}
[2026-03-05T07:03:15,877][WARN ][r.suppressed             ] [wazuh1.indexer] path: /.kibana/_count, params: {index=.kibana}
[2026-03-05T07:03:18,387][WARN ][r.suppressed             ] [wazuh1.indexer] path: /.kibana/_count, params: {index=.kibana}
[2026-03-05T08:18:14,501][WARN ][o.o.s.a.BackendRegistry  ] [wazuh1.indexer] Authentication finally failed for wazuh-wui from 172.22.131.50:53962
[2026-03-05T08:18:24,705][WARN ][o.o.s.a.BackendRegistry  ] [wazuh1.indexer] Authentication finally failed for wazuh-wui from 172.22.131.50:37782


root@soc08:~# docker logs multi-node-wazuh.dashboard-1 | grep error
{"type":"log","@timestamp":"2026-03-05T07:03:02Z","tags":["error","opensearch","data"],"pid":54,"message":"[ConnectionError]: connect ECONNREFUSED 172.18.0.4:9200"}
{"type":"log","@timestamp":"2026-03-05T07:03:02Z","tags":["error","savedobjects-service"],"pid":54,"message":"Unable to retrieve version information from OpenSearch nodes."}
{"type":"log","@timestamp":"2026-03-05T07:03:05Z","tags":["error","opensearch","data"],"pid":54,"message":"[ConnectionError]: connect ECONNREFUSED 172.18.0.4:9200"}
{"type":"log","@timestamp":"2026-03-05T07:03:08Z","tags":["error","opensearch","data"],"pid":54,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2026-03-05T07:03:10Z","tags":["error","opensearch","data"],"pid":54,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2026-03-05T07:03:13Z","tags":["error","opensearch","data"],"pid":54,"message":"[search_phase_execution_exception]: all shards failed"}
{"type":"log","@timestamp":"2026-03-05T07:03:15Z","tags":["error","opensearch","data"],"pid":54,"message":"[search_phase_execution_exception]: all shards failed"}
{"type":"log","@timestamp":"2026-03-05T07:03:18Z","tags":["error","opensearch","data"],"pid":54,"message":"[search_phase_execution_exception]: all shards failed"}
{"type":"error","@timestamp":"2026-03-05T07:03:39Z","tags":["connection","client","error"],"pid":54,"level":"error","error":{"message":"0041C6BAE57D0000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46\n","name":"Error","stack":"Error: 0041C6BAE57D0000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"0041C6BAE57D0000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46\n"}


cat /var/ossec/logs/ossec.log | grep -i -E "error|warn" | grep okb11
2026-03-05T09:42:01.238+0300    WARN    [elasticsearch] elasticsearch/client.go:408     Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc262674dc4926ac8, ext:905343439929, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"8d3eb546-869e-4d78-9e17-c5cf0b801449","hostname":"wazuh.master","id":"b8105749-9a35-4fbe-8314-df36565fff14","name":"wazuh.master","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-4.x-"},"fileset":{"name":"alerts"},"host":{"name":"wazuh.master"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":22853715856},"message":"{\"timestamp\":\"2026-03-05T06:07:00.390+0000\",\"rule\":{\"level\":7,\"description\":\"Multiple failed attempts to logon by the same user\",\"id\":\"301501\",\"frequency\":10,\"firedtimes\":52,\"mail\":false,\"groups\":[\"local\",\"syslogfailure_auth_to_win\"]},\"agent\":{\"id\":\"005\",\"name\":\"okb11\",\"ip\":\"172.22.31.105\"},\"manager\":{\"name\":\"wazuh.master\"},\"id\":\"1772690820.1882724938\",\"cluster\":{\"name\":\"wazuh\",\"node\":\"manager\"},\"previous_output\":\"{\\\"win\\\":{\\\"system\\\":{\\\"providerName\\\":\\\"Microsoft-Windows-Security-Auditing\\\",\\\"providerGuid\\\":\\\"{54849625-5478-4994-a5ba-3e3b0328c30d}\\\",\\\"eventID\\\":\\\"4625\\\",\\\"version\\\":\\\"0\\\",\\\"level\\\":\\\"0\\\",\\\"task\\\":\\\"12544\\\",\\\"opcode\\\":\\\"0\\\",\\\"keywords\\\":\\\"0x8010000000000000\\\",\\\"systemTime\\\":\\\"2026-03-05T06
On Thursday, March 5, 2026 at 11:11:50 UTC+3, Rafael Bailon Robles:

Rafael Bailon Robles

Mar 6, 2026, 2:02:34 AM
to Wazuh | Mailing List

Based on what you posted, the issue appears to be in the Dashboard - Indexer connection/authentication path.

From your logs:

  • Dashboard:
    • ConnectionError: connect ECONNREFUSED 172.18.0.4:9200 (startup stage)
    • ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN
  • Indexer:
    • Authentication finally failed for wazuh-wui from 172.22.131.50

What this suggests:

  1. There may be a TLS trust/certificate problem between Dashboard and Indexer.
  2. There may be a credential/config mismatch.
  3. The username in the Indexer auth failure is unusual: wazuh-wui is the Wazuh Manager API user. This specific point should be reviewed carefully.

Please verify the Dashboard configuration in:

/etc/wazuh-dashboard/opensearch_dashboards.yml

Check at least:

  • opensearch.hosts
  • opensearch.username
  • opensearch.password
  • opensearch.ssl.certificateAuthorities
  • server.ssl.key
  • server.ssl.certificate

Also validate TLS material:

  • The certificate chain presented/used by Dashboard must be trusted by Indexer.
  • The configured key/certificate pair must match.
  • CA files and certificate paths must be correct and readable.

If you changed the wazuh-wui password or related auth settings, ensure the Dashboard-side configuration was updated accordingly.

To continue troubleshooting, please share:

  1. Whether you made any recent configuration changes (and which documentation/steps you followed).
  2. The current cluster health output from the Indexer.
  3. Relevant sanitized snippets of opensearch_dashboards.yml.

After any fixes, restart in this order and re-check logs:

  1. wazuh-indexer
  2. wazuh-manager
  3. filebeat
  4. wazuh-dashboard

Then confirm whether the Authentication finally failed and SSL errors persist.
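
A read-only check of the settings listed above, added here as an example (it is not code from this thread or from Wazuh). The function names, the placeholder user name and the sample files are constructed; the flag on `wazuh-wui` follows the reply's statement that it is the Wazuh Manager API user.

```shell
#!/usr/bin/env bash
# Added example, not Wazuh project code. Reads the file only; the password
# value is tested for presence and never printed.

# Value of flat key $1 in YAML file $2, quotes and list brackets stripped.
yml_get() {
  local key
  key=$(printf '%s' "$1" | sed 's/\./\\./g')   # dots in the key are literal
  sed -n "s/^${key}:[[:space:]]*//p" "$2" | head -n 1 |
    tr -d "\"'[]" | sed 's/[[:space:]]*$//'
}

# check_dashboard_cfg FILE -> one finding per line, nothing when all checks pass
check_dashboard_cfg() {
  local f=$1 k v
  for k in opensearch.hosts opensearch.username opensearch.password \
           opensearch.ssl.certificateAuthorities server.ssl.key server.ssl.certificate; do
    v=$(yml_get "$k" "$f")
    if [ -z "$v" ]; then echo "missing: $k"; continue; fi
    case $k in
      opensearch.username)
        # The thread identifies wazuh-wui as the Wazuh Manager API user.
        if [ "$v" = "wazuh-wui" ]; then echo "review: $k is wazuh-wui"; fi ;;
      opensearch.ssl.certificateAuthorities|server.ssl.key|server.ssl.certificate)
        if [ ! -r "$v" ]; then echo "unreadable: $k -> $v"; fi ;;
    esac
  done
}

# Constructed sample files: empty stand-ins for the PEM files and two configs.
d=$(mktemp -d)
touch "$d/root-ca.pem" "$d/dashboard.pem" "$d/dashboard-key.pem"
cat > "$d/good.yml" <<EOF
opensearch.hosts: https://wazuh1.indexer:9200
opensearch.username: indexer_user_placeholder
opensearch.password: "placeholder"
opensearch.ssl.certificateAuthorities: ["$d/root-ca.pem"]
server.ssl.key: "$d/dashboard-key.pem"
server.ssl.certificate: "$d/dashboard.pem"
EOF
cat > "$d/bad.yml" <<EOF
opensearch.hosts: https://wazuh1.indexer:9200
opensearch.username: wazuh-wui
opensearch.password: "placeholder"
opensearch.ssl.certificateAuthorities: ["$d/missing-ca.pem"]
server.ssl.certificate: "$d/dashboard.pem"
EOF

check_dashboard_cfg "$d/good.yml"   # no findings
check_dashboard_cfg "$d/bad.yml"    # three findings
```

Once the paths resolve, whether a key and certificate belong together can be checked by comparing the output of `openssl x509 -noout -pubkey -in <certificate>` with `openssl pkey -pubout -in <key>`.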
