Elastic Search template Error


MaliceDaModeler

May 23, 2021, 7:09:54 PM
to Wazuh mailing list
Good Afternoon, 

I am attempting to resolve an issue with elastic not finding a template. I just installed Elastic open distro and Wazuh using this page, but when I went to use it, I get the below error in the attachment. I attempted to update the filebeat.yml file as directed from a different source, but it will not allow it; even though I can see the directory there, it says no such directory found.

Would you be able to assist me?
WazuhList.JPG
WazuhErrorTemplate.JPG

Alejandro Cuellar

May 24, 2021, 9:31:52 AM
to Wazuh mailing list
Hello,

Could you please run the following commands and paste the results?
You can also check if there are obsolete indexes in Stack Management -> Index Patterns
image (6).png
image (7).png

If you want to, the requests can be run with the dev tools
image (8).png

Then we will need to make sure that filebeat is running, which we can know from the filebeat host with:

  • service filebeat status
or
  • systemctl status filebeat

Finally, we would need you to run the following test from the filebeat host: filebeat test output

MaliceDaModeler

May 24, 2021, 12:23:43 PM
to Wazuh mailing list
From dev tools:

#! Deprecation: this request accesses system indices: [.kibana_1], but in a future major version, direct access to system indices will be prevented by default
#! Deprecation: this request accesses system indices: [.kibana_1, .opendistro_security], but in a future major version, direct access to system indices will be prevented by default
green  open wazuh-monitoring-2021.05.23  BIaa81oXRiC3A5_RIqz_sA 2 0   0 0    416b    416b
green  open wazuh-monitoring-2021.05.24  T6oT32lQTr6bm6INi1Wl-A 2 0   0 0    416b    416b
green  open wazuh-statistics-2021.21w    8XdfU2txSfSANaaIzUQ0Bw 2 0  32 0 127.5kb 127.5kb
green  open wazuh-statistics-2021.22w    cllbSIr9TO2WfGFqea7ZMw 2 0 380 0 343.9kb 343.9kb
yellow open security-auditlog-2021.05.23 YfIJU3hdSpCudW-PeVrrqw 1 1  26 0 103.8kb 103.8kb
yellow open security-auditlog-2021.05.24 dKs7ErnCSWmAdSONDRVxLg 1 1  15 0 209.8kb 209.8kb
green  open .opendistro_security         iH40Ivi-TsWb4NIz0alj9Q 1 0   9 0  55.1kb  55.1kb
green  open .kibana_1                    -CPYfDduR5CdxFSZYcpqrQ 1 0  17 2  76.7kb  76.7kb


From Wazuh Manager:

Filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
loaded: loaded (/lib/systemd/system/filebeat.service; enabled; vendor preset; enabled)
Active: Failed (Result: exit-code) since Sun 2021-05-23 23:11:01 UTC; 17h ago
Main PID: 1040 (code =exited, Status=1/FAILURE)

Filebeat test from Wazuh Manager:

Error initializing beat: error loading config file: open /etc/filebeat/filebeat.yml: permission denied

MaliceDaModeler

May 25, 2021, 3:19:50 PM
to Wazuh mailing list
Good Afternoon, 


Has someone seen this message? We have supplied the information that was requested. Can we get a response back if the information was correct and, if so, a possible solution?


Best Regards, 

Alejandro Cuellar

May 26, 2021, 3:02:31 AM
to Wazuh mailing list
Good Morning,

Let's go step by step. To solve the permissions error that appears when trying to execute the filebeat test, I am attaching the following link, which will surely be useful. Once the permission problem is fixed, I ask you to show us the result of filebeat test output.

Then, as for the outputs of the requests, could you send me the result of GET _cat/templates? I see that you have only attached the output of GET _cat/indices.

I also ask you to review the documentation to add OpenDistro to Wazuh, in case you might have accidentally skipped a relevant step.

Finally, if it's not too much trouble, could you share your filebeat.yml with us, obfuscating the sensitive information, so that we can find the problem together?

Regards,
Alejandro.
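
An added example, not part of the original thread or of Wazuh's documentation: a shell pre-flight for two of the steps requested above, checking why /etc/filebeat/filebeat.yml cannot be loaded and masking credentials before the file is shared on a public list. It assumes a Linux host with GNU stat; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux with GNU stat.
# Usage idea: check_beat_config_perms /etc/filebeat/filebeat.yml &&
#             redact_beat_config /etc/filebeat/filebeat.yml

# Beats require the config to be owned by root or the invoking user and not
# writable by group/others; an unreadable file fails even earlier with
# "permission denied", as in the thread.
check_beat_config_perms() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo "cannot read $cfg as uid $(id -u): run as root or fix ownership" >&2
        return 1
    fi
    owner=$(stat -c '%u' "$cfg")   # numeric owner uid
    mode=$(stat -c '%a' "$cfg")    # octal permission bits, e.g. 644
    if [ "$owner" -ne 0 ] && [ "$owner" -ne "$(id -u)" ]; then
        echo "$cfg owned by uid $owner, expected 0 or $(id -u)" >&2
        return 2
    fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$cfg has mode $mode: remove group/other write (chmod go-w)" >&2
        return 3
    fi
    return 0
}

# Print the config with credential and endpoint values masked, for posting.
# Handles single-line "key: value" entries, including dotted keys such as
# output.elasticsearch.password; list items on later lines need manual review.
redact_beat_config() {
    sed -E 's/^([[:space:]]*([A-Za-z_.]+\.)?(username|password|api_key|hosts)[[:space:]]*:[[:space:]]*).+$/\1<REDACTED>/' "$1"
}

# Constructed sample input (not the poster's file).
write_sample_config() {
    cat > "$1" <<'EOF'
output.elasticsearch.hosts: ["192.0.2.10:9200"]
output.elasticsearch.username: admin
output.elasticsearch.password: example-secret
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
EOF
}
```

Paths to certificates and keys are left visible by the redaction, so review the output before posting it.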