Wazuh not showing alerts on dashboard
107 views
Skip to first unread message
EugenX
Dec 5, 2025, 8:00:32 AM12/5/25
to Wazuh | Mailing List
Hello everyone.
I've been using Wazuh for same time and because the logs was growing I was left without space so I've use the "Index lifecycle management" from the manual to set the logs retention policy. But after some time I've discovered that dashboard is not showing any alerts on the dashboard, so I decided to remove the retention policy rule and in a hurry I've deleted maybe by mistake in Reporting, some reports rule.
Can someone help me please solve this issue, I want my dashboard to be populated again.
1. The agents are active and there are events (I receive them in slack)
2. All the services are running fine (
wazuh-manager wazuh-indexer wazuh-dashboard filebeat
)
3. sudo journalctl -u open --no-pager | grep -E 'ERROR|WARN - shows no errors
Output from different commands can be found in attached screenshots...
Thank you in advance.
*Using Wazuh OVA 4.14.1
Javier Medeot
Dec 5, 2025, 10:38:54 AM12/5/25
to Wazuh | Mailing List
Hi.
If it's indexing correctly it should list indices for every day such as wazuh-alerts-4.x-2025.12.05, each with a total docs count other than zero. Look for errors and warnings reported in /var/log/filebeat/filebeat (and /var/log/wazuh-indexer/ logs such as /var/log/wazuh-indexer/wazuh-cluster.log) this could give as a better clue on what could be the cause of this.
This looks more like Wazuh alerts are being generated but not indexed. You can verify this by:
- Going to Indexer management > Index management and filtering for the wazuh-alerts-4.x- indices or by
- Running curl -k -u admin:<YOUR_ADMIN_PASSWORD> https://<INDEXER_IP_ADDRESS>:9200/_cat/indices/wazuh-alerts*?v
If it's indexing correctly it should list indices for every day such as wazuh-alerts-4.x-2025.12.05, each with a total docs count other than zero. Look for errors and warnings reported in /var/log/filebeat/filebeat (and /var/log/wazuh-indexer/ logs such as /var/log/wazuh-indexer/wazuh-cluster.log) this could give as a better clue on what could be the cause of this.
Also, check the status of your indexer cluster by running curl -k -u admin:<YOUR_ADMIN_PASSWORD> https://<INDEXER_IP_ADDRESS>:9200/_cluster/health?pretty
and consider tuning the Wazuh indexer.
Let me know what you find.
EugenX
Dec 8, 2025, 4:29:08 AM12/8/25
to Wazuh | Mailing List
Hello and thank you for your support.
In the Indexer Management, there are no indexes since November 10.
Please, find attached below screenshots and logs of the commands you delivered.
Thank you.
Javier Medeot
Dec 9, 2025, 7:01:50 AM12/9/25
to Wazuh | Mailing List
EugenX, this line in the logs indicates you're hitting shard limits:
- org.opensearch.common.ValidationException: Validation Failed: 1: this action would add [2] total shards, but this cluster currently has [1000]/[1000] maximum shards open;
Your cluster health is showing yellow status with 22 unassigned shards. Tune your indexer cluster configuration as explained here:
You can get more details by running these indexer API requests in Indexer management > Dev Tools or the command line:
GET _cat/shards
GET _cluster/allocation/explain?pretty
GET _cluster/allocation/explain?pretty
GET <UNASSIGNED_INDEX>/_settings
As you already know, retention policies help in keeping only the most recent indices, so consider re-activating your retention policies.
Also consider increasing the size of your infrastructure. Adding more nodes enhances the indexer capacity:
Let me know what you've got. Thanks.
EugenX
Dec 10, 2025, 8:46:10 AM12/10/25
to Wazuh | Mailing List
Hello once again. So, after running the command below the dashboard started to populate with alerts. Attached you can find the results from the commands you offered. Thank you.
PUT _index_template/ism_history_indices
{
"index_patterns": [
".opendistro-ism-managed-index-history-*"
],
"template": {
"settings": {
"number_of_shards": 1,
"number_of_replicas": 0
}
}
}
Reply all
Reply to author
Forward
0 new messages