Hi Stuti
It's an all-in-one environment, version 4.11.2.
Output of the cluster health:
----------------------------------------------
{
"cluster_name" : "wazuh-cluster",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 1,
"number_of_data_nodes" : 1,
"discovered_master" : true,
"discovered_cluster_manager" : true,
"active_primary_shards" : 431,
"active_shards" : 431,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
---------------------------------------------
wazuh-cluster.log
[2025-09-04T13:03:47,243][WARN ][o.o.c.r.a.DiskThresholdMonitor] [node-1] Putting index create block on cluster as all nodes are breaching high disk watermark. Number of nodes above high watermark: 1.
[2025-09-04T13:04:12,921][INFO ][o.o.j.s.JobSweeper ] [node-1] Running full sweep
[2025-09-04T13:04:17,255][WARN ][o.o.c.r.a.DiskThresholdMonitor] [node-1] Putting index create block on cluster as all nodes are breaching high disk watermark. Number of nodes above high watermark: 1.
[2025-09-04T13:04:47,268][WARN ][o.o.c.r.a.DiskThresholdMonitor] [node-1] Putting index create block on cluster as all nodes are breaching high disk watermark. Number of nodes above high watermark: 1.
[2025-09-04T13:04:48,046][ERROR][o.o.h.n.s.SecureNetty4HttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
java.net.SocketException: Connection reset
at java.base/sun.nio.ch.SocketChannelImpl.throwConnectionReset(SocketChannelImpl.java:401) ~[?:?]
at java.base/sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:434) ~[?:?]
at org.opensearch.transport.CopyBytesSocketChannel.readFromSocketChannel(CopyBytesSocketChannel.java:156) ~[transport-netty4-client-2.16.0.jar:2.16.0]
at org.opensearch.transport.CopyBytesSocketChannel.doReadBytes(CopyBytesSocketChannel.java:141) ~[transport-netty4-client-2.16.0.jar:2.16.0]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:151) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:689) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:652) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:994) [netty-common-4.1.111.Final.jar:4.1.111.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.111.Final.jar:4.1.111.Final]
at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
[2025-09-04T13:05:17,295][WARN ][o.o.c.r.a.DiskThresholdMonitor] [node-1] Putting index create block on cluster as all nodes are breaching high disk watermark. Number of nodes above high watermark: 1.
[2025-09-04T13:05:47,319][WARN ][o.o.c.r.a.DiskThresholdMonitor] [node-1] Putting index create block on cluster as all nodes are breaching high disk watermark. Number of nodes above high watermark: 1.
[2025-09-04T13:05:49,980][ERROR][o.o.h.n.s.SecureNetty4HttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
java.net.SocketException: Connection reset
at java.base/sun.nio.ch.SocketChannelImpl.throwConnectionReset(SocketChannelImpl.java:401) ~[?:?]
at java.base/sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:434) ~[?:?]
at org.opensearch.transport.CopyBytesSocketChannel.readFromSocketChannel(CopyBytesSocketChannel.java:156) ~[transport-netty4-client-2.16.0.jar:2.16.0]
at org.opensearch.transport.CopyBytesSocketChannel.doReadBytes(CopyBytesSocketChannel.java:141) ~[transport-netty4-client-2.16.0.jar:2.16.0]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:151) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:689) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:652) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:994) [netty-common-4.1.111.Final.jar:4.1.111.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.111.Final.jar:4.1.111.Final]
at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
[2025-09-04T13:06:17,342][WARN ][o.o.c.r.a.DiskThresholdMonitor] [node-1] Putting index create block on cluster as all nodes are breaching high disk watermark. Number of nodes above high watermark: 1.
[2025-09-04T13:06:47,370][WARN ][o.o.c.r.a.DiskThresholdMonitor] [node-1] Putting index create block on cluster as all nodes are breaching high disk watermark. Number of nodes above high watermark: 1.
[2025-09-04T13:06:51,817][ERROR][o.o.h.n.s.SecureNetty4HttpServerTransport] [node-1] Exception during establishing a SSL connection: java.net.SocketException: Connection reset
java.net.SocketException: Connection reset
at java.base/sun.nio.ch.SocketChannelImpl.throwConnectionReset(SocketChannelImpl.java:401) ~[?:?]
at java.base/sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:434) ~[?:?]
at org.opensearch.transport.CopyBytesSocketChannel.readFromSocketChannel(CopyBytesSocketChannel.java:156) ~[transport-netty4-client-2.16.0.jar:2.16.0]
at org.opensearch.transport.CopyBytesSocketChannel.doReadBytes(CopyBytesSocketChannel.java:141) ~[transport-netty4-client-2.16.0.jar:2.16.0]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:151) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:689) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:652) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) [netty-transport-4.1.111.Final.jar:4.1.111.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:994) [netty-common-4.1.111.Final.jar:4.1.111.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.111.Final.jar:4.1.111.Final]
at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
[2025-09-04T13:07:17,385][WARN ][o.o.c.r.a.DiskThresholdMonitor] [node-1] Putting index create block on cluster as all nodes are breaching high disk watermark. Number of nodes above high watermark: 1.
--------------------------------------------------------
Now I'm noticing that I'm running out of space; maybe that is the reason that new indices aren't being written?
Filesystem Size Used Avail Use% Mounted on
tmpfs 1.6G 1.5M 1.6G 1% /run
efivarfs 256K 43K 209K 18% /sys/firmware/efi/efivars
/dev/sda2 294G 263G 16G 95% /
tmpfs 7.8G 80K 7.8G 1% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
/dev/sda1 1.1G 6.2M 1.1G 1% /boot/efi
tmpfs 1.6G 12K 1.6G 1% /run/user/1001
------------------------------------------------------------------------------------------------------------------
These are some logs from Filebeat:
\":\\\"MSExchangeIS\\\",\\\"eventID\\\":\\\"1046\\\",\\\"level\\\":\\\"2\\\",\\\"task\\\":\\\"1\\\",\\\"keywords\\\":\\\"0x80000000000000\\\",\\\"systemTime\\\":\\\"2025-09-04T12:30:48.000000000Z\\\",\\\"eventRecordID\\\":\\\"41791345\\
\",\\\"channel\\\":\\\"Application\\\",\\\"computer\\\":\\\"SrvMail.cdm.loc\\\",\\\"severityValue\\\":\\\"ERROR\\\",\\\"message\\\":\\\"\\\\\\\"Unexpected error encountered in critical block. Location:(47072), scope: (MailboxShared), ca
[...]
f0-8628-000c292637e2\"}}},\"location\":\"EventChannel\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::4591316-2050", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc00052b5f0), Source:"/var/ossec/logs/alerts/alerts
.json", Offset:3921538443, Timestamp:time.Time{wall:0xc226790d0ad3417a, ext:442269182, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x460ed4, Device:0x802}, Identifier
Name:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"illegal_argument_exception","reason":"Document contains at least one immense term in field=\"previous_output\" (whose
UTF8 encoding is longer than the max length 32766), all of which were skipped. Please correct the analyzer to not produce such terms. The prefix of the first immense term is: '[123, 34, 119, 105, 110, 34, 58, 123, 34, 115, 121, 115,
116, 101, 109, 34, 58, 123, 34, 112, 114, 111, 118, 105, 100, 101, 114, 78, 97, 109]...', original message: bytes can be at most 32766 in length; got 38029","caused_by":{"type":"max_bytes_length_exceeded_exception","reason":"bytes can b
e at most 32766 in length; got 38029"}}
------------------------------------------------------------
I did delete some alert files from /var/ossec/logs/alerts/2025/
I deleted alerts from the month folders (Apr, May, June) because I was running low on space.
But after that I still did not encounter any problems.
It worked normally for about 2 weeks.
The problem happened right when September arrived, on the first day of September.
Thank you
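
An added triage sketch, not part of the original post and not Wazuh or OpenSearch project code: it reads the three pieces of evidence pasted above (the indexer log, the `df` line for `/`, and the Filebeat rejection) and reports the disk watermark level, the index create block warnings, and what the rejected `previous_output` term contains. It assumes the indexer uses the default OpenSearch watermarks (85% / 90% / 95%) and measures usage as (total - available) / total; all function names are hypothetical and the sample input is constructed by shortening the excerpts in the post.

```python
import re

# Constructed sample input, shortened from the excerpts in the post above.
INDEXER_LOG = """\
[2025-09-04T13:03:47,243][WARN ][o.o.c.r.a.DiskThresholdMonitor] [node-1] Putting index create block on cluster as all nodes are breaching high disk watermark. Number of nodes above high watermark: 1.
[2025-09-04T13:04:12,921][INFO ][o.o.j.s.JobSweeper ] [node-1] Running full sweep
[2025-09-04T13:04:17,255][WARN ][o.o.c.r.a.DiskThresholdMonitor] [node-1] Putting index create block on cluster as all nodes are breaching high disk watermark. Number of nodes above high watermark: 1.
"""
DF_LINE = "/dev/sda2 294G 263G 16G 95% /"
FILEBEAT_ERROR = r"""(status=400): {"type":"illegal_argument_exception","reason":"Document contains at least one immense term in field=\"previous_output\" (whose UTF8 encoding is longer than the max length 32766), all of which were skipped. The prefix of the first immense term is: '[123, 34, 119, 105, 110, 34, 58, 123, 34, 115, 121, 115, 116, 101, 109, 34, 58, 123, 34, 112, 114, 111, 118, 105, 100, 101, 114, 78, 97, 109]...', original message: bytes can be at most 32766 in length; got 38029"}"""


def parse_size(text):
    """Convert a `df -h` size such as '294G' or '1.5M' to bytes."""
    match = re.fullmatch(r"([\d.]+)([KMGT])?", text)
    if not match:
        raise ValueError(f"unrecognised size: {text!r}")
    exponent = {"K": 1, "M": 2, "G": 3, "T": 4}.get(match.group(2), 0)
    return float(match.group(1)) * 1024 ** exponent


def disk_state(df_line, low=85.0, high=90.0, flood=95.0):
    """Classify one `df -h` line against the watermarks.

    Assumption: thresholds are the OpenSearch defaults and usage is
    (total - available) / total. df's own Use% column is computed
    differently and rounded up, so it is not used here. The inputs are
    rounded to whole gigabytes, so the result is approximate.
    """
    _fs, size, _used, avail, _pct, mount = df_line.split()
    total, free = parse_size(size), parse_size(avail)
    used_pct = round(100.0 * (total - free) / total, 1)
    if used_pct >= flood:
        level = "flood_stage"
    elif used_pct >= high:
        level = "high"
    elif used_pct >= low:
        level = "low"
    else:
        level = "ok"
    return {"mount": mount, "used_pct": used_pct, "level": level}


def create_block_warnings(log_text):
    """Return timestamps of DiskThresholdMonitor 'index create block' warnings."""
    pattern = re.compile(
        r"^\[([^\]]+)\]\[WARN\s*\]\[[^\]]*DiskThresholdMonitor\].*index create block"
    )
    hits = []
    for line in log_text.splitlines():
        match = pattern.match(line)
        if match:
            hits.append(match.group(1))
    return hits


def immense_term(error_text):
    """Extract field, sizes and decoded prefix from an 'immense term' rejection."""
    field = re.search(r'immense term in field=\\?"([^"\\]+)', error_text)
    limit = re.search(r"max length (\d+)", error_text)
    got = re.search(r"got (\d+)", error_text)
    prefix = re.search(r"immense term is: '\[([\d, ]+)\]", error_text)
    if not (field and limit and got):
        return None
    decoded = ""
    if prefix:
        # The error prints the first bytes of the term as decimal values.
        raw = bytes(int(b) for b in prefix.group(1).split(","))
        decoded = raw.decode("utf-8", "replace")
    return {
        "field": field.group(1),
        "limit": int(limit.group(1)),
        "got": int(got.group(1)),
        "over_by": int(got.group(1)) - int(limit.group(1)),
        "prefix": decoded,
    }


if __name__ == "__main__":
    state = disk_state(DF_LINE)
    print(f"{state['mount']}: ~{state['used_pct']}% used -> {state['level']} watermark")
    print(f"index create block warnings: {len(create_block_warnings(INDEXER_LOG))}")
    term = immense_term(FILEBEAT_ERROR)
    print(f"rejected field {term['field']}: {term['got']} bytes "
          f"({term['over_by']} over the {term['limit']} limit), starts with {term['prefix']}")
```

The decoded prefix shows that the oversized `previous_output` value is itself a serialized Windows event, which is a separate rejection from the index create block caused by the disk watermark.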