All Dashboard showing No results match your search criteria for the last 5 months
chris ryland
all the agent show they are sending the data to the server
health check shows all green ticks
GET _cluster/health
"cluster_name": "wazuh-cluster",
"status": "yellow",
"timed_out": false,
"number_of_nodes": 1,
"number_of_data_nodes": 1,
"discovered_master": true,
"discovered_cluster_manager": true,
"active_primary_shards": 992,
"active_shards": 992,
"relocating_shards": 0,
"initializing_shards": 0,
"unassigned_shards": 8,
"delayed_unassigned_shards": 0,
"number_of_pending_tasks": 0,
"number_of_in_flight_fetch": 0,
"task_max_waiting_in_queue_millis": 0,
"active_shards_percent_as_number": 99.2
}
Md. Nazmur Sakib
Hi Chris,
I can see from your indexer cluster health that you have "active_shards": 992 and unassigned_shards": 8, which makes a total of 1000 shards
If you check your indexer log, you should see a warning like this.
: this action would add [X] total shards, but this cluster currently has [1000]/[1000] maximum shards open;"}
It seems that your indexer has reached the maximum shard limit.
A single-node indexer cluster can have up to 1000 shards by default. If you have one indexer cluster, you need to add another indexer node or delete some old indices
from your server to free up some space.
To add more Wazuh indexer nodes, follow this document:
https://documentation.wazuh.com/current/user-manual/wazuh-indexer-cluster.html#adding-wazuh-indexer-nodes>
To delete old indices, go to
Index Management > Indices
Search with Wazuh-alerts
Select the indices you want to delete
Click on Action and select Delete from the drop-down.
Check the screenshot for reference.
.
By default, Wazuh alerts have three shards per index. You can change the number of shards per index to one if you have a single-node index.
https://documentation.wazuh.com/current/user-manual/wazuh-indexer/wazuh-indexer-tuning.html#setting-the-number-of-shards
I will also suggest you check the ILM and snapshot documents for better
Management of your indices.
https://documentation.wazuh.com/current/user-manual/wazuh-indexer/index-life-management.html
https://documentation.wazuh.com/current/user-manual/wazuh-indexer/migrating-wazuh-indices.html
There is an option for increasing the shard limit of the index. But it is not advisable in the long run, as it can bring more problems in the future.
After that, you can recover your missing alerts using this document.
https://wazuh.com/blog/recover-your-data-using-wazuh-alert-backups/
I also suggest you change the number of shards to 1 for each index. The default number is 3 shards for the alerts indices, but as you have a single indexer node. Shards are a kind of packet of data. When you have 3 shards, you are keeping the data in three small packets. If you make it one, you are keeping it one big packet.
Go to this index file /etc/filebeat/wazuh-template.json
Once you enter the file, then edit the index.number_of_shards to 1 and index.auto_expand_replicas to false
"settings": {
"index.refresh_interval": "5s",
"index.number_of_shards": "1",
"index.number_of_replicas": "0",
"index.auto_expand_replicas": "false",
Now load the configuration and restart the filebeat.
sudo filebeat setup -index-management
sudo systemctl restart filebeat
After configuring this, the new indices will have one primary shard instead of three.
Ref:https://documentation.wazuh.com/current/user-manual/wazuh-indexer/wazuh-indexer-tuning.html#setting-the-number-of-shards
For the old indices, if you want to make changes in the number of shards, you will need to reindex every indices one by one.
Ex:
Go to Indexer Management > Dev Tools
Make a backup index.
POST _reindex
{
"source": {
"index": "wazuh-alerts-4.x-2026.02.05"
},
"dest": {
"index": "wazuh-alerts-4.x-backup"
}
}
Delete the main index
DELETE /wazuh-alerts-4.x-2026.02.05
Create the main index from the backup
POST _reindex
{
"source": {
"index": "wazuh-alerts-4.x-backup"
},
"dest": {
"index": "wazuh-alerts-4.x-2026.02.05"
}
}
Delete the backup index
DELETE /wazuh-alerts-4.x-backup
Ref:
https://documentation.wazuh.com/current/user-manual/wazuh-indexer/re-indexing.html
Let me know if you need any further help on this.