Error while saving wazuh configuration file


Milan Patel

Feb 3, 2023, 3:31:45 PM
to Wazuh mailing list
Hello,

I am trying to make changes in the Wazuh configuration file and save it, but it is throwing this error. I am not sure why it is suddenly showing up for me. I have not deployed any agent. I have just installed ElastiFlow, but it was working fine after that. I have Elasticsearch with the Wazuh deployment.

Thanks

image (2).png

Kevin Ledesma

Feb 3, 2023, 5:28:05 PM
to Wazuh mailing list
Hello!

First, let's try to figure out what's going on here. Could you please share the following log files:
  • Wazuh indexer: cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
  • Wazuh manager: cat /var/log/filebeat/filebeat | grep -i -E "error|warn" and cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
  • Wazuh dashboard: journalctl -u wazuh-dashboard and cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
Also, I think it's good to always give the good ol' "restart" a try, so please restart every module and check if there is any new error or something interesting:
  • Wazuh indexer: systemctl restart wazuh-indexer
  • Wazuh manager: systemctl restart filebeat and systemctl restart wazuh-manager
  • Wazuh dashboard: systemctl restart wazuh-dashboard
Regards

Milan Patel

Feb 3, 2023, 5:45:53 PM
to Wazuh mailing list
Hello Kevin,

Thank you so much. Restarting wazuh-manager resolved the issue, but I would like to know: during the restart, will we miss any logs that should be recorded? Any kind of log that I have forwarded to Wazuh from any device?

Thanks. Also, if you could help me with Apache logs: as I can receive the logs in Wazuh, I can see them under /var/log/syslog, but I cannot see them under the Wazuh dashboard. I am using Kibana/Elasticsearch with Wazuh.
During the testing using the command /var/ossec/bin/wazuh-logtest

I see phase2 : completed decoding.

I assume rules and decoders are good.

What else can I look at to resolve this?

Thanks

Kevin Ledesma

Feb 10, 2023, 6:37:40 AM
to Wazuh mailing list
Hello Milan! Sorry for the delay.

Well, if everything is OK you will find the log in /var/ossec/logs/alerts/alerts.json. If the event is not there, it could be that the rule is not working properly. Could you share the complete logtest output?

Thanks!
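
Added example (not part of the thread and not Wazuh project code): a small Python check for the two things discussed above, namely how far an event got in wazuh-logtest (phase 2 is decoding only; a rule match appears as phase 3) and whether that rule's alert is present in alerts.json. The logtest output and alert lines are constructed samples, and the function names are hypothetical.

```python
import json
import re

# Constructed wazuh-logtest output for an Apache access-log line (not from the thread).
SAMPLE_LOGTEST = """\
**Phase 1: Completed pre-decoding.
    full event: '192.0.2.10 - - [03/Feb/2023:15:31:45 +0000] "GET /x HTTP/1.1" 404 196'
**Phase 2: Completed decoding.
    name: 'web-accesslog'
**Phase 3: Completed filtering (rules).
    id: '31101'
    level: '5'
**Alert to be generated.
"""

# Constructed alerts.json content: one JSON object per line, last line cut off mid-write.
SAMPLE_ALERTS = [
    '{"rule": {"id": "31101", "level": 5}, "location": "/var/log/apache2/access.log"}',
    '{"rule": {"id": "5710", "level": 5}, "location": "/var/log/auth.log"}',
    '{"rule": {"id": "311',
]

def parse_logtest(output):
    """Report how far an event got: decoded (phase 2), rule matched (phase 3), alert."""
    phases = {int(n) for n in re.findall(r"^\*\*Phase (\d):", output, re.M)}
    fields = dict(re.findall(r"^[ \t]+(\w+): '(.*)'$", output, re.M))
    matched = 3 in phases and "id" in fields
    return {
        "decoded": 2 in phases,
        "rule_id": fields["id"] if matched else None,
        "level": int(fields["level"]) if matched and "level" in fields else None,
        "alert": "**Alert to be generated." in output,
    }

def alerts_for_rule(lines, rule_id):
    """Return the alerts.json entries produced by one rule id, skipping bad lines."""
    hits = []
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line still being written, or log debris
        if isinstance(alert, dict) and alert.get("rule", {}).get("id") == rule_id:
            hits.append(alert)
    return hits

if __name__ == "__main__":
    verdict = parse_logtest(SAMPLE_LOGTEST)
    print(verdict, alerts_for_rule(SAMPLE_ALERTS, verdict["rule_id"]))
```

If parse_logtest reports decoded but no rule_id, the event stopped at phase 2 and nothing will be written to alerts.json for it.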