Wazuh absence of alerts

[Tony Montana]

Hi everyone,

I have 2 clusters: tech-gcp and aws. I want to make alerting from both separately. From the GCP cluster, I successfully configured some alerts, whereas from AWS, I am not receiving a single alert. I tested a 100% trigger scenario: 'if documents are greater than 0 - trigger the alert.' I am attaching screenshots of the alert query and trigger, as well as a screenshot of the graph showing that the number of documents is always greater than 0.

I only have one idea, that this might be because two clusters are specified (tech-gcp and aws), but tech-gcp appears there automatically, and if I remove it, save the alert, and refresh the page, it still reappears.

Thank you in advance,

Anthony

[Diego Cappri]

Hi Tony,

The reason alerts were not firing is that the monitor was configured to query both clusters at once.
OpenSearch Alerting doesn’t properly evaluate remote data when a local cluster is also selected — it defaults to the local one even if data exists remotely.

You can try fixing this by targeting only the remote AWS cluster (aws:wazuh-alerts-*), aligning the time range and schedule to 10 minutes, and using the extraction query editor for a clean configuration.

You can paste this directly into the monitor’s Extraction query editor to bypass the UI issue and make sure it queries only the AWS remote cluster:

{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        { "term": { "rule.groups": "aws" } },
        { "range": { "@timestamp": { "gte": "now-10m", "lte": "now" } } }
      ]
    }
  },
  "aggs": {
    "docs_count": {
      "value_count": { "field": "_id" }
    }
  },
  "indices": ["aws:wazuh-alerts-*"]
}

Once saved, the monitor will correctly detect documents from the AWS cluster and generate alerts as expected.

Please let me know how it goes. 

Diego.

[Tony Montana]

Hi Diego, 

Thank you for your reply. 

I have tried inserting your query in Extraction query editor and I got the problem with incorrect type of data for indices (see screenshot and error description).

Failed to run the query

[alerting_exception] Unknown key for a START_ARRAY in [indices].

вівторок, 11 листопада 2025 р. о 16:32:47 UTC+2 Diego Cappri пише:

[Diego Cappri]

Hi Tony,

it seems that the alerts weren’t firing because the monitor was mixing local and remote clusters and the JSON used an unsupported indices format. Please check this approach:

{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        { "term": { "rule.groups": "aws" } },
        { "range": { "@timestamp": { "gte": "now-10m", "lte": "now" } } }
      ]
    }
  },

  "track_total_hits": true
}

Regards.

Diego.

[Tony Montana]

Hi Diego, 
As previously, I entered the query and nothing changed. Alert is still not firing.

I want to ask, do you mean that it must work even when 2 clusters are selected? (I can't remove the local one)

Thanks,

Anton

пʼятниця, 14 листопада 2025 р. о 21:10:46 UTC+2 Diego Cappri пише:

[Diego Cappri]

Hi Tony,

Just double-checked the behaviour with cross-cluster monitors.
In our current OpenSearch version, index-based “Per query” monitors don’t actually evaluate data that exists only on a remote cluster, even though the UI let select multiple clusters and shows a correct graph. The preview uses cross-cluster search, but the alerting engine only evaluates local indices, so the trigger never fires. Because of this, the alert won’t work as expected when the data is only in the AWS cluster. To have separate alerting for AWS you can try:

* creating the same monitor directly on the AWS/OpenSearch domain

* replicating the AWS indices into a local index on the tech-gcp cluster and pointing the monitor there. Once the data is local to the cluster where the monitor runs, the alert triggers correctly.

Here's a link that could be helpful: https://wazuh.com/blog/managing-multiple-wazuh-clusters-with-cross-cluster-search/

Regards.