Alerts are not showing in dashboard


Tariq Omer

Sep 9, 2024, 4:05:30 AM
to Wazuh | Mailing List
Hi Team, 

Hope you are doing good.

The alerts are not showing up on my Wazuh dashboard. I need your help regarding the matter.
APP LOGS.txt
Screenshot 2024-09-09 101515.png

Antonio Kim (Wazuh)

Sep 9, 2024, 4:13:04 AM
to Wazuh | Mailing List
Hi Tariq
I was reviewing the attached file you sent and the screenshot.
  1. What activity log would that file called APP LOGS.txt be?
  2. Is this a fresh install or are you working on a previously working install?
  3. From the manager, what information appears in /var/ossec/logs/alerts.json?
Sorry but I need a little more context to help you.

Regards

Antonio

Tariq Omer

Sep 9, 2024, 4:30:40 AM
to Wazuh | Mailing List
Hello Antonio

I upgraded to Wazuh 4.8.1 app version; before that Wazuh was working well.

The APP LOGS were generated from /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log

For the alerts.json, I sent you a picture for your request.
Screenshot 2024-09-09 112814.png

Antonio Kim (Wazuh)

Sep 9, 2024, 4:58:15 AM
to Wazuh | Mailing List
My apologies Tariq, the alerts path was '/var/ossec/logs/alerts/alerts.json'
not /var/ossec/logs/alerts.json

Considering that the log is coming from /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log

I would suggest for you to try the following:

    Stop Wazuh dashboard service:  systemctl stop wazuh-dashboard.

    Delete the file: rm  /usr/share/wazuh-dashboard/data/wazuh/config/wazuh-registry.json

    Start Wazuh dashboard service: systemctl start wazuh-dashboard

    Delete Browser's cache, local storage, etc

    Try to access the Wazuh Dashboard again

In case the previous steps did not work, let's continue with some troubleshooting.

1. Let's see if the alerts are being generated and the problem is that they are not impacting the Dashboard. To do this you should check:
/var/ossec/logs/alerts/alerts.json
and
/var/ossec/logs/alerts/alerts.log

If there is updated alert information it means that there is a problem with the connection to the dashboard

2. Let's see
cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

Let's check the manager and filebeat logs for errors to see if there is a problem with index management

3. Let's check the indexer:

cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
Are there any additional error messages?

4. You have informed me on the dashboard
cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log

Let's see if there is more information about the error here
journalctl -u wazuh-dashboard



Please let me know if it worked for you and if not, I would appreciate if you could share information about the errors or warnings you encountered with the troubleshooting steps.

Tariq Omer

Sep 9, 2024, 10:53:40 AM
to Wazuh | Mailing List
Unfortunately, removing wazuh-registry.json and restarting the Wazuh dashboard did not solve it.

Kindly see the attached file for your request.
Screenshot 2024-09-09 174102.png
Screenshot 2024-09-09 174324.png
Screenshot 2024-09-09 174226.png
Screenshot 2024-09-09 174427.png

Antonio Kim (Wazuh)

Sep 9, 2024, 11:28:17 AM
to Wazuh | Mailing List

Apparently, you are having problems with the filebeat certificates and as filebeat identifies itself, it is not able to connect and generate the flow of alerts to the manager.

Can I ask you how you have carried out the upgrade and if you have made any backup of the certificates?

Maybe with that I could help you reconfigure it

On the other hand, can you share the result of:

filebeat test output

Regards

Antonio

Antonio Kim (Wazuh)

Sep 9, 2024, 12:34:54 PM
to Wazuh | Mailing List
Hello Tariq,

I've given some more thought to the error found in filebeat.
I extend the following analysis: This could be due to several issues, such as incorrect permissions, a missing file, or a misconfiguration after the upgrade.

1. Check if the wazuh-server.pem file exists at /etc/filebeat/certs/.
If it does not exist, confirm if it is located elsewhere.
You can search for it with:
find / -name wazuh-server.pem
If the certificate does not exist, you may need to generate a new one or restore a backup of the certificate.

2. The Filebeat process may not have the correct permissions to read the certificate file.
Check the permissions of the certificate file:
ls -l /etc/filebeat/certs/wazuh-server.pem
Ensure that the user running Filebeat (usually filebeat) has read permissions.
If not, change the permissions and make sure that the certificate is reachable by filebeat.

3. Incorrect Configuration in filebeat.yml
The Filebeat configuration file (filebeat.yml) might be pointing to the wrong certificate path after the upgrade.

nano /etc/filebeat/filebeat.yml 

Look for SSL-related configurations and make sure they point to the correct certificate location.

4. Corrupt or Malformed Certificate 

Verify that the certificate file is readable and not corrupted:
cat /etc/filebeat/certs/wazuh-server.pem

I hope this information is useful to you, I'm here for any questions you may have.

Antonio
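
The four checks in the message above (file present, readable by Filebeat, correctly referenced in filebeat.yml, well-formed) can be run in one pass. This is an added example, not part of the thread or of Wazuh's tooling; `ssl.certificate_authorities`, `ssl.certificate` and `ssl.key` are Filebeat's own settings, while the CA and key file names in the sample are constructed.

```shell
# Added example, not Wazuh code: audit the TLS files named in a filebeat.yml.
# Print each path under ssl.certificate_authorities, ssl.certificate, ssl.key.
ssl_paths() {
  awk -v sq="'" '
    function emit(s,   n, i, parts) {
      gsub(/\[|\]|"|,/, " ", s); gsub(sq, " ", s)   # strip YAML list/quote syntax
      n = split(s, parts, " "); for (i = 1; i <= n; i++) print parts[i]
    }
    /^[ \t]*#/ { next }
    /^[ \t]*ssl\.(certificate_authorities|certificate|key):/ {
      in_list = ($0 ~ /:[ \t]*$/)        # a block list follows on later lines
      sub(/^[^:]*:/, ""); emit($0); next
    }
    in_list && /^[ \t]*-[ \t]/ { sub(/^[ \t]*-/, ""); emit($0); next }
    { in_list = 0 }
  ' "$1"
}

# Classify one file as MISSING, UNREADABLE, NOT_PEM or OK (delimiter check only).
check_pem() {
  if [ ! -e "$1" ]; then echo MISSING
  elif [ ! -r "$1" ]; then echo UNREADABLE
  elif grep -q -e '-----BEGIN [A-Z ]*-----' "$1" && grep -q -e '-----END [A-Z ]*-----' "$1"; then echo OK
  else echo NOT_PEM
  fi
}

# Report every referenced file; succeed only if some are set and all are OK.
audit_filebeat_tls() {
  n=0; bad=0
  for p in $(ssl_paths "$1"); do
    n=$((n + 1)); st=$(check_pem "$p")
    printf '%-10s %s\n' "$st" "$p"
    [ "$st" = OK ] || bad=1
  done
  [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed sample (CA and key names are assumptions): the certificate is absent.
demo() {
  d=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' MIIB '-----END CERTIFICATE-----' > "$d/root-ca.pem"
  echo truncated > "$d/wazuh-server-key.pem"
  printf '%s\n' 'output.elasticsearch:' '  ssl.certificate_authorities:' \
    "    - $d/root-ca.pem" "  ssl.certificate: \"$d/wazuh-server.pem\"" \
    "  ssl.key: '$d/wazuh-server-key.pem'" > "$d/filebeat.yml"
  audit_filebeat_tls "$d/filebeat.yml" && ret=0 || ret=1
  rm -rf "$d"; return "$ret"
}
demo || true
```

On a real server, call `audit_filebeat_tls /etc/filebeat/filebeat.yml` as the account that runs Filebeat so the readability result reflects that account's permissions. An `OK` here only means the PEM delimiters are present; it does not show that the certificate is trusted by the other end of the connection.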

Tariq Omer

Sep 10, 2024, 6:01:30 AM
to Wazuh | Mailing List
Hello Antonio

It seems the wazuh-server.pem is missing. Kindly check the attached file for your request.

Screenshot 2024-09-10 125315.png
Screenshot 2024-09-10 125653.png
Screenshot 2024-09-10 125421.png
Screenshot 2024-09-10 125756.png

Antonio Kim (Wazuh)

Sep 10, 2024, 6:44:52 AM
to Wazuh | Mailing List

Ok Tariq, thanks for your quick reply

If you can't find the previous certificates, or they have not been backed up correctly, you will need to create new certificates by following the guide below:
https://documentation.wazuh.com/current/user-manual/wazuh-dashboard/certificates.html
After creating them, you must place them in the corresponding path.
You can use this documentation as a reference since it is similar to backing up certificates and restoring them (performing only the actions related to certificates)

I hope this information is useful to you.

Antonio

Tariq Omer

Sep 17, 2024, 4:27:33 AM
to Wazuh | Mailing List
Hello Antonio, hope you are doing well.

Sorry for the late response. I have created new certificates and replaced them in the corresponding path, but it is still not working. I found a new alert in the Wazuh app logs.

Kindly check the attached file for more details.

Regards
Screenshot 2024-09-17 112249.png
Screenshot 2024-09-17 112152.png
wazuhapp.log.txt

Tariq Omer

Sep 17, 2024, 4:33:54 AM
to Wazuh | Mailing List

I have an error with filebeat test output:

 handshake... ERROR remote error: tls: unknown certificate
Screenshot 2024-09-17 113056.png

Antonio Kim (Wazuh)

Sep 18, 2024, 5:41:55 AM
to Wazuh | Mailing List
Hi Tariq

It seems that filebeat is not able to go through the handshake process due to a data mismatch between the certificates and the components configuration.
This means that perhaps the naming of the components was different than what you set in the config.yaml.
I suggest you:
1. Check the corresponding IPs
2. Check the naming of the components and make sure that the certificates were created with the correct data
3. Keep in mind that the certificates must be created depending on the installation method you performed initially. (assisted vs step-by-step)

Some information about the certs creation:

https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/installation-assistant.html

Regards

Antonio