Unknown problem somewhere in the system.


Basim Ibrahim

Nov 9, 2022, 8:28:10 AM
to Wazuh mailing list
Hello Team,
I am getting the following alert in Wazuh: "Unknown problem somewhere in the system."

Here's the full log:

Nov 9 17:21:55 wazuh-server opensearch-dashboards: {"type":"log","@timestamp":"2022-11-09T13:21:55Z","tags":["error","opensearch","data"],"pid":424,"message":"[version_conflict_engine_exception]: [search-telemetry:search-telemetry]: version conflict, required seqNo [3222], primary term [6]. current document has seqNo [3223] and primary term [6]"}

I have Wazuh deployed via the Wazuh VM.

Federico Rodriguez

Nov 9, 2022, 10:26:40 AM
to Wazuh mailing list
Hi!
Unknown problem somewhere in the system is a level 2 rule that will trigger if no other rule matches and the event contains words such as "error". By default, Wazuh will only log alerts above level 3.
Level 2 events are not considered to be identified as security relevant. If you wish, you can restore the default value by setting <log_alert_level> in Wazuh manager ossec.conf file to 3.

The version_conflict_engine_exception error relates to a version conflict between opensearch-telemetry and opensearch. This happens when Wazuh Dashboard attempts to update a document within Wazuh Indexer and temporarily fails to do so.
There are background tasks running that only allow one instance to execute at a time, so there are version checks that happen before any data gets updated to make sure that works.
This feature exists in order to prevent concurrent changes to the same documents by tasks that run simultaneously. When you try to update a document that is already being updated by another task you might run into this issue.
This is not a critical error and in most cases can be safely ignored.

Basim Ibrahim

Nov 11, 2022, 5:37:07 AM
to Wazuh mailing list
Hi,
I am getting the unknown error for SEP logs also. Is there any way I can set the name, like Symantec, to filter it out easily?

Federico Rodriguez

Nov 11, 2022, 12:55:09 PM
to Wazuh mailing list
Sure,
you can create a custom rule that matches the target log and set a low rule level if you want to dismiss it or a high one if you want to make it more visible.
Follow this guide on how to create your own custom rules. Once the error matches a rule, you shouldn't trigger the Unknown problem somewhere in the system alert.

Hope it helps
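The kind of custom rule described in the last reply, written out as an added example (it is not from the thread or from Wazuh's shipped ruleset). It assumes the catch-all alert is rule ID 1002, uses rule IDs 100100 and 100101 picked arbitrarily from the custom range, and uses a placeholder match string for the SEP rule because no SEP log line appears in the thread.

```xml
<!-- Added example for /var/ossec/etc/rules/local_rules.xml on the Wazuh manager.
     Rule IDs 100100 and 100101 are arbitrary picks from the custom range
     100000-120000; change them if they collide with rules you already have. -->
<group name="local,syslog,">

  <!-- Child of the catch-all rule "Unknown problem somewhere in the system".
       Assumption: that rule is ID 1002 on your manager. Confirm it against the
       rule.id field of the alert and adjust if_sid if it differs.
       Level 0 means the event is matched here and produces no alert. -->
  <rule id="100100" level="0">
    <if_sid>1002</if_sid>
    <!-- program name as it appears in the syslog header of the posted log -->
    <program_name>opensearch-dashboards</program_name>
    <match>version_conflict_engine_exception</match>
    <description>OpenSearch Dashboards: transient version conflict on a document update (ignored)</description>
  </rule>

  <!-- Names the Symantec (SEP) events so they can be filtered by description
       or by the "symantec" group instead of showing up under the catch-all.
       PLACEHOLDER: the match string below must be replaced with a fixed
       string copied from your own SEP log lines. -->
  <rule id="100101" level="3">
    <if_sid>1002</if_sid>
    <match>REPLACE_WITH_STRING_FROM_YOUR_SEP_LOG</match>
    <description>Symantec Endpoint Protection: unclassified error message</description>
    <group>symantec,</group>
  </rule>

</group>
```

After saving the file, paste a sample log line into /var/ossec/bin/wazuh-logtest to confirm which rule fires, then restart the Wazuh manager so the rules load.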