No indices match pattern "wazuh-alerts-*"


Rick Gutierrez

Oct 11, 2023, 6:23:20 PM
to Wazuh mailing list
Hi list, I am doing a Wazuh deployment with Kibana, and when I enter
Wazuh it shows me the following message:

No matching indices found: No indices match pattern "wazuh-alerts-*"

If I look in:
Kibana -> Stack Management -> index pattern -> wazuh-alerts-* (it is empty)

Versions of Kibana and Elasticsearch:

elasticsearch-7.17.10-x86_64.rpm
kibana-7.17.10-x86_64.rpm
metricbeat-7.17.10-x86_64.rpm
filebeat-7.17.10-x86_64.rpm
logstash-7.17.10-x86_64.rpm

What can I be doing wrong?

--
rickygm

http://gnuforever.homelinux.com

Stuti Gupta

Oct 11, 2023, 11:10:50 PM
to Wazuh | Mailing List
Hi Rick,
Hope you are doing well today, and thank you for using Wazuh.

A possible cause of the error could be that Filebeat is not functioning correctly, and thus Elasticsearch is not receiving data. You could try checking the status of the Filebeat process and Elasticsearch and check if there are any error logs; share the output and filebeat.yml. You can do all these things with the following commands:
filebeat test output
systemctl status elasticsearch
cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
cat /var/log/elasticsearch/elasticsearch.log | grep -i -E "error|warn"
Can you please check if there are alerts in the Wazuh indexer by running the command:
curl https://<ElasticsearchIp>:9200/_cat/indices/wazuh-alerts-* -u user:pass -k

Please share the output of ls -lrt /etc/filebeat/wazuh-template.json

Hope to hear from you soon.
Regards,

Rick Gutierrez

Oct 12, 2023, 4:57:24 PM
to Wazuh | Mailing List
On Wed, 11 Oct 2023 at 23:10, 'Stuti Gupta' via Wazuh | Mailing
List (<wa...@googlegroups.com>) wrote:
>
> Hi Rick
> Hope you are doing well today and thank you for using wazuh.

Hi Stuti

>
> A possible cause of the error could be that Filebeat is not functioning correctly, and thus Elasticsearch is not receiving data. You could try checking the status of the Filebeat process and Elasticsearch and check if there are any error logs; share the output and filebeat.yml. You can do all these things with the following commands:

ok

> filebeat test output

elasticsearch: http://192.168.11.4:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 192.168.11.4
dial up... OK
TLS... WARN secure connection disabled
talk to server... ERROR Get "http://192.168.11.4:9200": EOF

> systemctl status elasticsearch

● elasticsearch.service - Elasticsearch
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service;
enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/elasticsearch.service.d
└─elasticsearch.conf
Active: active (running) since Thu 2023-10-12 14:51:00 CST; 14s ago
Docs: https://www.elastic.co
Main PID: 3358249 (java)
Tasks: 162 (limit: 824388)
Memory: 8.7G
CGroup: /system.slice/elasticsearch.service
├─3358249 /usr/share/elasticsearch/jdk/bin/java
-Xshare:auto -Des.networkaddress.cache.ttl=60
-Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch ->
└─3358484
/usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

Oct 12 14:50:45 monitor.fomav.gob.ni systemd[1]: Starting Elasticsearch...
Oct 12 14:51:00 monitor.fomav.gob.ni systemd[1]: Started Elasticsearch.

> cat /var/log/filebeat/filebeat | grep -i -E "error|warn"

cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
2023-10-12T14:44:35.257-0600 WARN [add_cloud_metadata]
add_cloud_metadata/provider_aws_ec2.go:79 read token request for
getting IMDSv2 token returns empty: Put
"http://169.254.169.254/latest/api/token": context deadline exceeded
(Client.Timeout exceeded while awaiting headers). No token in the
metadata request will be used.


> cat /var/log/elasticsearch/elasticsearch.log | grep -i -E "error|warn"

[2023-10-12T14:41:49,840][WARN
][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [monitor] received
plaintext http traffic on an https channel, closing connection
Netty4HttpChannel{localAddress=/192.168.11.4:9200,
remoteAddress=/192.168.11.4:28206}
[2023-10-12T14:42:44,981][WARN
][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [monitor] received
plaintext http traffic on an https channel, closing connection
Netty4HttpChannel{localAddress=/192.168.11.4:9200,
remoteAddress=/192.168.11.4:42576}
[2023-10-12T14:43:17,005][WARN
][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [monitor] received
plaintext http traffic on an https channel, closing connection
Netty4HttpChannel{localAddress=/192.168.11.4:9200,
remoteAddress=/192.168.11.4:22220}
[2023-10-12T14:43:47,178][WARN
][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [monitor] received
plaintext http traffic on an https channel, closing connection
Netty4HttpChannel{localAddress=/192.168.11.4:9200,
remoteAddress=/192.168.11.4:21166}
[2023-10-12T14:44:05,993][WARN
][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [monitor] received
plaintext http traffic on an https channel, closing connection
Netty4HttpChannel{localAddress=/192.168.11.4:9200,
remoteAddress=/192.168.11.4:27242}
[2023-10-12T14:44:35,262][WARN
][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [monitor] received
plaintext http traffic on an https channel, closing connection
Netty4HttpChannel{localAddress=/192.168.11.4:9200,
remoteAddress=/192.168.11.4:23020}


> Can you please check if there are alerts in the Wazuh indexer by running the command:
> curl https://<ElasticsearchIp>:9200/_cat/indices/wazuh-alerts-* -u user:pass -k

curl https://192.168.11.4:9200/_cat/indices/wazuh-alerts-* -u
elastic:xxxxxxxxx -k

Nothing happens here when I execute this command.

> Please share the output of ls -lrt /etc/filebeat/wazuh-template.json

ls -lrt /etc/filebeat/wazuh-template.json
-rw-r--r-- 1 root root 58391 Oct 11 15:35 /etc/filebeat/wazuh-template.json

>
> Hope to hear from you soon.
> Regards,

I await your advice.

Stuti Gupta

Oct 13, 2023, 4:27:58 AM
to Wazuh | Mailing List
Hi again,
It seems that Filebeat is unable to connect to Elasticsearch; could you check that Filebeat is properly configured and pointing to the right address? To check that the installation was made successfully, run the following command, replacing <elastic_password> with the password generated in the previous step for the elastic user:
curl -XGET https://localhost:9200 -u elastic:<elastic_password> -k
Make sure that both Filebeat and Elasticsearch are configured with the correct certificate paths and settings. Can you please share with us the following?
Which install guide have you followed?
Which version of Wazuh have you installed, and what are the OS details?
Please share the /etc/filebeat/filebeat.yml


Hope to hear from you soon.
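A small shell check, added here as an example (not from the thread, Wazuh or Elastic), for the mismatch the pasted logs point at: Filebeat dialling http:// while Elasticsearch closes plaintext connections on its https channel. The filebeat.yml fragment, the certificate path and the log line are constructed samples.

```bash
#!/bin/sh
# Added example, not from the thread: detect Filebeat talking plain http://
# to an Elasticsearch node that only accepts https, from config plus log.

# Constructed filebeat.yml fragment reproducing the misconfiguration
# (certificate path is an assumed placeholder).
SAMPLE_FILEBEAT_YML='output.elasticsearch:
  hosts: ["http://192.168.11.4:9200"]
  ssl.certificate_authorities: ["/etc/filebeat/certs/root-ca.pem"]'

# Same fragment with the scheme corrected.
FIXED_FILEBEAT_YML='output.elasticsearch:
  hosts: ["https://192.168.11.4:9200"]
  ssl.certificate_authorities: ["/etc/filebeat/certs/root-ca.pem"]'

# Constructed Elasticsearch log line with the wording seen in the thread.
SAMPLE_ES_LOG='[2023-10-12T14:41:49,840][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [monitor] received plaintext http traffic on an https channel, closing connection'

# Print the URL scheme (http or https) found in output.elasticsearch.hosts.
yml_scheme() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*hosts:.*\(https\{0,1\}\):\/\/.*/\1/p' | head -n 1
}

# Succeed when the Elasticsearch log shows the server rejecting plaintext.
es_rejects_plaintext() {
  printf '%s\n' "$1" | grep -q 'received plaintext http traffic on an https channel'
}

# Verdict: "mismatch" if Filebeat uses http:// while the node insists on https,
# "ok" if the scheme is https, "unknown" if no hosts entry could be parsed.
diagnose() {
  scheme=$(yml_scheme "$1")
  if [ -z "$scheme" ]; then
    echo unknown
  elif [ "$scheme" = http ] && es_rejects_plaintext "$2"; then
    echo mismatch
  else
    echo ok
  fi
}

diagnose "$SAMPLE_FILEBEAT_YML" "$SAMPLE_ES_LOG"   # prints: mismatch
diagnose "$FIXED_FILEBEAT_YML" "$SAMPLE_ES_LOG"    # prints: ok
```

On a real host, feed it `cat /etc/filebeat/filebeat.yml` and the output of the grep over /var/log/elasticsearch/elasticsearch.log shown earlier in the thread.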