Alerts not showing up in dashboard


Leginho

Oct 7, 2022, 3:37:46 AM
to Wazuh mailing list
Hi, I'm new to Wazuh and I did a Clavister connection with my Wazuh server a few days ago. When I try the log in the ruleset, all is okay: it gives me an alert, but after that I can't see the alert showing up in alerts.log or in the dashboard:

THIS IS THE LOG:
[2022-09-27 02:02:05] EFW: CONN: prio=1 id=00600120 rev=1 event=ip_reputation action=none ip=184.32.141.100 score=81 categories="none" connipproto=TCP connrecvif=WIFI_MNMGT connrecvzone="" connsrcdevice="LEXUS-4" connsrcmac="74-83-C2-23-4F-C8" connsrcip=10.5.99.8 connsrcport=35414 conndestif=WAN conndestzone="" conndestdevice="" conndestmac="" conndestip=184.32.141.100 conndestport=8080 origsent=0 termsent=0

THIS IS THE RULESET OUTPUT:

**Phase 1: Completed pre-decoding. full event: [2022-09-27 02:02:05] EFW: CONN: prio=1 id=00600120 rev=1 event=ip_reputation action=none ip=185.30.142.200 score=81 categories="none" connipproto=TCP connrecvif=WIFI_MNMGT connrecvzone="" connsrcdevice="LEXUS-4" connsrcmac="74-83-C2-23-4F-C8" connsrcip=10.5.99.8 connsrcport=35414 conndestif=WAN conndestzone="" conndestdevice="" conndestmac="" conndestip=185.30.142.200 conndestport=8080 origsent=0 termsent=0 timestamp: - hostname: - program_name: -

 **Phase 2: Completed decoding. name: decoder_EFW data: { "id": "00600120", "prio": "1", "rev": "1", "connipproto": "TCP", "connrecvif": "WIFI_MNMGT", "connsrcip": "10.5.99.8", "connsrcport": "35414", "conndestif": "WAN" }

**Phase 3: Completed filtering (rules). id: 100700 level: 5 description: Clavister alert groups: ["clavister"] firedtimes: 1 gdpr: "-" gpg13: "-" hipaa: "-" mail: "-" mitre.id: "-" mitre.technique: "-" nist_800_53: "-" pci_dss: "-" tsc: "-" **Alert to be generated.

Sebastian Falcone

Oct 8, 2022, 10:44:46 AM
to Wazuh mailing list
Hello Leginho, how's that going?

- Can you please tell me which version of wazuh-manager and agent you are using?
- And please share with me the custom rule you created

Sebastian Falcone

Oct 10, 2022, 9:27:24 AM
to Wazuh mailing list
Hello Leginho, I see that you also created a custom decoder. Would you mind sending it?

Associated custom rule:
<group name="clavister">
  <rule id="100700" level="5">
   <decoded_as>decoder_EFW</decoded_as>
   <description>Clavister alert</description>
  </rule>
</group>

PS: please use the reply all button to keep the conversation on the chat

Leginho

Oct 11, 2022, 3:39:17 AM
to Wazuh mailing list
Hello! Sorry for the mistake in the answer; here is the decoder:
<decoder name="decoder_EFW">
    <prematch>\.*EFW:</prematch>
    <regex>(\.*)</regex>
    <order>testing</order>
</decoder>

<decoder name="decoder_EFW">
    <parent>decoder_EFW</parent>
    <regex>prio=(\S+)</regex>
    <order>prio</order>
</decoder>

<decoder name="decoder_EFW">
    <parent>decoder_EFW</parent>
    <regex>id=(\S+)</regex>
    <order>id</order>
</decoder>

<decoder name="decoder_EFW">
    <parent>decoder_EFW</parent>
    <regex>rev=(\S+)</regex>
    <order>rev</order>
</decoder>


<decoder name="decoder_EFW">
    <parent>decoder_EFW</parent>
    <regex>srccountry="(\S+)"</regex>
    <order>srccountry</order>
</decoder>

<decoder name="decoder_EFW">
    <parent>decoder_EFW</parent>
    <regex>srcusername="(\S+)"</regex>
    <order>srcusername</order>
</decoder>

<decoder name="decoder_EFW">
    <parent>decoder_EFW</parent>
    <regex>destusername="(\S+)"</regex>
    <order>destusername</order>
</decoder>

<decoder name="decoder_EFW">
    <parent>decoder_EFW</parent>
    <regex>conn=(\S+)</regex>
    <order>conn</order>
</decoder>
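To see which fields the decoder posted above would actually pull out of the sample log from the first message, here is an added Python check (not code from the thread and not part of Wazuh): it parses every key=value pair in the EFW line, applies the child-decoder patterns translated to Python regex, and lists the keys the posted decoder never extracts. The helper names and the key=value parser are assumptions made for illustration, and Wazuh's own regex dialect is only approximated (`\S` is taken as non-whitespace, as in Wazuh).

```python
import re

# Constructed sample: the Clavister EFW line posted at the top of the thread.
SAMPLE_LOG = (
    '[2022-09-27 02:02:05] EFW: CONN: prio=1 id=00600120 rev=1 event=ip_reputation '
    'action=none ip=184.32.141.100 score=81 categories="none" connipproto=TCP '
    'connrecvif=WIFI_MNMGT connrecvzone="" connsrcdevice="LEXUS-4" '
    'connsrcmac="74-83-C2-23-4F-C8" connsrcip=10.5.99.8 connsrcport=35414 '
    'conndestif=WAN conndestzone="" conndestdevice="" conndestmac="" '
    'conndestip=184.32.141.100 conndestport=8080 origsent=0 termsent=0'
)

# The child decoders from the post, field name -> regex, in Python syntax.
# Wazuh's \S (any non-whitespace) maps directly to Python's \S.
POSTED_DECODER_PATTERNS = {
    "prio": r"prio=(\S+)",
    "id": r"id=(\S+)",
    "rev": r"rev=(\S+)",
    "srccountry": r'srccountry="(\S+)"',
    "srcusername": r'srcusername="(\S+)"',
    "destusername": r'destusername="(\S+)"',
    "conn": r"conn=(\S+)",
}

# Generic key=value scanner: a quoted value (may be empty) or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_efw_fields(line):
    """Return every key=value pair in an EFW line, quotes stripped."""
    if "EFW:" not in line:  # mirrors the parent decoder's prematch
        return {}
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def decode_like_posted(line):
    """Apply the posted child-decoder regexes (unanchored, like Wazuh's)."""
    out = {}
    for field, pattern in POSTED_DECODER_PATTERNS.items():
        m = re.search(pattern, line)
        if m:
            out[field] = m.group(1)
    return out


def missing_from_decoder(line):
    """Keys present in the log that the posted decoder never extracts."""
    return sorted(set(parse_efw_fields(line)) - set(decode_like_posted(line)))
```

On the sample log the posted patterns yield only prio, id and rev, while the logtest output earlier in the thread also shows connipproto, connrecvif, connsrcip, connsrcport and conndestif decoded, so the decoder loaded on the manager is evidently not identical to the one posted here. Comparing the posted file with the decoder file actually installed on the manager is a cheap next check.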

Sebastian Falcone

Oct 11, 2022, 6:43:21 AM
to Wazuh mailing list
Hello! No need to apologize :)

Well, it looks like the decoder and rules are good.
Could you please check the status of the indexer?
# systemctl status wazuh-indexer

Leginho

Oct 12, 2022, 2:23:24 AM
to Wazuh mailing list
Hello! This is the output when I enter the command:

 systemctl status wazuh-indexer -l
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since mié 2022-09-28 06:51:34 UTC; 1 weeks 6 days ago
     Docs: https://documentation.wazuh.com
 Main PID: 1101 (java)
   CGroup: /system.slice/wazuh-indexer.service
           └─1101 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dio.netty.allocator.numDirectArenas=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.locale.providers=SPI,COMPAT -Xms3815m -Xmx3815m -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djava.io.tmpdir=/tmp/opensearch-7336117302337414727 -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m -XX:MaxDirectMemorySize=2000683008 -Dopensearch.path.home=/usr/share/wazuh-indexer -Dopensearch.path.conf=/etc/wazuh-indexer -Dopensearch.distribution.type=rpm -Dopensearch.bundled_jdk=true -cp /usr/share/wazuh-indexer/lib/* org.opensearch.bootstrap.OpenSearch -p /run/wazuh-indexer/wazuh-indexer.pid --quiet

sep 28 06:51:15 vps-0d68f9d9.vps.ovh.net systemd[1]: Starting Wazuh-indexer...
sep 28 06:51:31 vps-0d68f9d9.vps.ovh.net systemd-entrypoint[1101]: WARNING: An illegal reflective access operation has occurred
sep 28 06:51:31 vps-0d68f9d9.vps.ovh.net systemd-entrypoint[1101]: WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/wazuh-indexer/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
sep 28 06:51:31 vps-0d68f9d9.vps.ovh.net systemd-entrypoint[1101]: WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
sep 28 06:51:31 vps-0d68f9d9.vps.ovh.net systemd-entrypoint[1101]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
sep 28 06:51:31 vps-0d68f9d9.vps.ovh.net systemd-entrypoint[1101]: WARNING: All illegal access operations will be denied in a future release
sep 28 06:51:34 vps-0d68f9d9.vps.ovh.net systemd[1]: Started Wazuh-indexer.

Sebastian Falcone

Oct 12, 2022, 7:18:20 AM
to Wazuh mailing list
Hi!

Indexer looks good.

When you created the new rule and decoder, did you restart the manager? New rules and decoders take effect once you restart the manager (# systemctl restart wazuh-manager).

Leginho

Oct 17, 2022, 2:06:43 AM
to Wazuh mailing list
Hi! Sorry for the delay in my answer, but when I do that I don't see any changes.

Sebastian Falcone

Oct 17, 2022, 7:07:41 AM
to Wazuh mailing list
Hello, so let's make a recap:
- Rule and decoder are working (tested on the wazuh-logtest tool)
- The manager was restarted (so new configurations are in place)
- The indexer is working

Are we sure that these alerts should be triggered? What I mean is:
Are new logs like

[2022-09-27 02:02:05] EFW: CONN: prio=1 id=00600120 rev=1 event=ip_reputation action=none ip=184.32.141.100 score=81 categories="none" connipproto=TCP connrecvif=WIFI_MNMGT connrecvzone="" connsrcdevice="LEXUS-4" connsrcmac="74-83-C2-23-4F-C8" connsrcip=10.5.99.8 connsrcport=35414 conndestif=WAN conndestzone="" conndestdevice="" conndestmac="" conndestip=184.32.141.100 conndestport=8080 origsent=0 termsent=0

being generated?