History is lost in the dashboard after a docker restart
61 views
Skip to first unread message
Matthieu B
Oct 25, 2023, 9:48:42 AM10/25/23
to Wazuh | Mailing List
Hello everyone,
I have a issue with my Wazuh v4.5.2,
I picked the install with docker (multi-node deployment), but once I restart my containers, I lost all the history (security events, integrity monitoring etc) in the dashboard,
I checked a couple of things :
In my manager container I don't lost the history because I can find older alerts in : /var/ossec/logs/alerts/alerts.json
Filebeat test is OK :
elasticsearch: https://wazuh1.indexer:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 172.25.0.7
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.10.2
My cluster is healthy :
curl -k -u admin:xxxx https://wazuh1.indexer:9200/_cluster/health
In my manager container I don't lost the history because I can find older alerts in : /var/ossec/logs/alerts/alerts.json
Filebeat test is OK :
elasticsearch: https://wazuh1.indexer:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 172.25.0.7
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.10.2
My cluster is healthy :
curl -k -u admin:xxxx https://wazuh1.indexer:9200/_cluster/health
>>
{"cluster_name":"wazuh-cluster","status":"green","timed_out":false,"number_of_nodes":3,"number_of_data_nodes":3,"discovered_master":true,"discovered_cluster_manager":true,"active_primary_shards":31,"active_shards
":60,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":0,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards
_percent_as_number":100.0}
":60,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":0,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards
_percent_as_number":100.0}
Before the docker restart I have got 11104 events, and after juste a couple ...
I can't seem to solve this problem. Is it a problem with the indexer or the dashboard?
Regards,
MB
I can't seem to solve this problem. Is it a problem with the indexer or the dashboard?
Regards,
MB
Carlos Vendrell
Oct 26, 2023, 12:19:06 PM10/26/23
to Wazuh | Mailing List
Hello Matthieu,
Thank you for using Wazuh.
docker-compose stop
And when you resume the containers, the information should remain indexed.
I look forward to your response.
Carlos
Thank you for using Wazuh.
In order to assist you better, I would like to have a bit more information:
- Could you tell me more about this deployment?
- Did you follow the article in our documentation, or did you use an external link?
- Could you please let me know which command you are using to stop or restart the containers?
With the default configuration, as described in the following article:
You should be able to stop the cluster using the following command:
You should be able to stop the cluster using the following command:
docker-compose stop
And when you resume the containers, the information should remain indexed.
I look forward to your response.
Carlos
Reply all
Reply to author
Forward
0 new messages