Cant see any Events/Logs in Kibana Or Wazuh manager


Albert Ashkhatoyan

Feb 13, 2023, 3:31:31 AM
to Wazuh mailing list
I'm new to Wazuh and have a single infrastructure with Kibana and Wazuh, and I set up 2 agents but can't see any logs. In the attachments, you can see the "filebeat test output".



Filebeat_test.png

Jonathan Martín Valera

Feb 13, 2023, 4:27:39 AM
to Wazuh mailing list

Hi,

Let’s see what might be happening.

First of all, you have to verify if the wazuh-manager is generating alerts. If it is and you don’t see them in the wazuh-dashboard, probably they are not being sent correctly with Filebeat or they are not indexed in wazuh-indexer.

To check the wazuh-manager alerts, you can check the /var/ossec/logs/alerts/alerts.json file that contains the alerts of the current date (this file is rotated every day). If you would like to check the alerts for a past date, you can find them by navigating through the directories corresponding to the date (e.g. /var/ossec/logs/alerts/2022/Jun/...).

If the alerts have been generated correctly, the next step would be to check the Filebeat process and configuration. Because you shared the Filebeat screenshot, let’s assume that the configuration is correct, so we move on to the next component wazuh-indexer.

A common problem is that if you are running the wazuh-manager, wazuh-indexer and wazuh-dashboard in the same host, that host doesn’t have enough resources, so the wazuh-indexer services will not work correctly. Please check this (you can check the hardware recommendations for each component in the wazuh documentation. For example, https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/index.html).

Let’s check if there is any unwanted status or error in wazuh-indexer:

  • Check if the wazuh-indexer service is running:

    systemctl status wazuh-indexer

  • Run the following requests to confirm that the installation is successful:

    curl -k -u <user>:<password> https://<WAZUH_INDEXER_IP>:9200
    curl -k -u <user>:<password> https://<WAZUH_INDEXER_IP>:9200/_cluster/health?pretty

  • Run both commands and check if there are any errors in the logs:

    journalctl -u wazuh-indexer -e
    grep "ERROR" /var/log/wazuh-indexer/wazuh-cluster.log

  • Check if the wazuh alert index for the current date has been created in wazuh-indexer and if that index has any document (alerts):

    curl -k -u <user>:<password> https://<WAZUH_INDEXER_IP>:9200/_cat/indices/wazuh-alerts-4.x-*

If everything is fine, the next component to check would be the wazuh-dashboard, although if you can access the web interface through the browser and reach the wazuh-dashboard, the problem should not be in this component.

Please check all the above steps and let me know the results.

Best regards.
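The checklist in the reply above (manager alerts file, indexer cluster health, today's alert index and its document count) can be scripted so the same triage is repeatable. The script below is an added example, not part of the thread or of Wazuh itself. It assumes the environment variable names WAZUH_INDEXER_IP, WAZUH_USER, WAZUH_PASS and ALERTS_FILE (placeholders chosen here) and only contacts the indexer when WAZUH_INDEXER_IP is set; the parsing functions work on captured command output, so they can also be run against saved responses.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): a small triage script that walks
# the checklist in the reply above. Live checks run only when WAZUH_INDEXER_IP is
# set; WAZUH_INDEXER_IP, WAZUH_USER, WAZUH_PASS and ALERTS_FILE are placeholder
# variable names assumed here, not Wazuh configuration.
set -u

ALERTS_FILE="${ALERTS_FILE:-/var/ossec/logs/alerts/alerts.json}"

# Step 1: is the manager producing alerts today? alerts.json holds one JSON
# object per line, so the line count is the number of alerts in the current file.
count_alerts() {
  local file="$1"
  if [ ! -r "$file" ]; then
    echo "alerts file $file is missing or unreadable" >&2
    return 1
  fi
  wc -l < "$file" | tr -d ' '
}

# Step 2: extract the "status" value from the /_cluster/health response
# (pretty-printed or compact JSON). Prints green/yellow/red; fails if absent.
cluster_status() {
  local status
  status=$(printf '%s\n' "$1" \
    | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p' | head -n 1)
  if [ -z "$status" ]; then
    echo "no status field in cluster health response" >&2
    return 1
  fi
  printf '%s\n' "$status"
}

# Step 3: name of today's alert index. Assumes the index date matches the host's
# local date; alerts are indexed by their timestamp, so near midnight check the
# previous day's index as well.
todays_alert_index() {
  printf 'wazuh-alerts-4.x-%s\n' "$(date +%Y.%m.%d)"
}

# Step 4: look up one index in /_cat/indices output. The default columns are
# health status index uuid pri rep docs.count docs.deleted store.size pri.store.size,
# so docs.count is field 7. Prints the count, or "missing" with a non-zero
# status when the index has not been created.
index_doc_count() {
  local cat_output="$1" index_name="$2" count
  count=$(printf '%s\n' "$cat_output" | awk -v idx="$index_name" '$3 == idx { print $7; exit }')
  if [ -z "$count" ]; then
    echo "missing"
    return 1
  fi
  printf '%s\n' "$count"
}

# Live run against a real deployment, only when the placeholder variables are set.
run_live_checks() {
  local base="https://${WAZUH_INDEXER_IP}:9200"
  local auth="${WAZUH_USER:?set WAZUH_USER}:${WAZUH_PASS:?set WAZUH_PASS}"
  local idx
  echo "alerts in ${ALERTS_FILE}: $(count_alerts "$ALERTS_FILE" || echo 'n/a')"
  echo "indexer status: $(cluster_status "$(curl -sk -u "$auth" "$base/_cluster/health?pretty")" || echo 'n/a')"
  idx=$(todays_alert_index)
  echo "docs in ${idx}: $(index_doc_count "$(curl -sk -u "$auth" "$base/_cat/indices/wazuh-alerts-4.x-*")" "$idx" || true)"
}

if [ -n "${WAZUH_INDEXER_IP:-}" ]; then
  run_live_checks
fi
```

Reading the three results together narrows the fault: a non-zero alert count with a "missing" index points at Filebeat or its indexer credentials, an index with zero documents points at the Filebeat pipeline or a clock/date mismatch, and a red cluster status means the indexer itself (usually memory or disk) needs attention before anything else.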
