Alerts and Archives logs don't appear on dashboard and indexes


m mun

Nov 28, 2025, 9:58:49 AM
to Wazuh | Mailing List
Hi Wazuh Team,

I am facing an issue where the logs don't appear in my dashboard, although the archives and alerts log files are there. The last logs that could be searched were from 26th Nov (which is 2 days ago). I have tried restarting all services, including the indexers and Filebeat, but it made no difference.

I hope someone can give advice on this matter. Thank you.

victor....@wazuh.com

Nov 28, 2025, 11:53:26 AM
to Wazuh | Mailing List

Hello. If you suddenly stop receiving alerts or events in your dashboard, it's possible that an unexpected issue occurred in the connection between your indexer and Filebeat.

First, I recommend checking whether Filebeat is properly configured and running:


filebeat test output


You should see an output similar to:

elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2


This documentation may also be helpful: https://documentation.wazuh.com/current/user-manual/wazuh-dashboard/troubleshooting.html#no-alerts-on-the-wazuh-dashboard-error


Next, review the Indexer and Filebeat logs for any errors or warnings:


cat /var/log/wazuh-indexer/wazuh-indexer-cluster.log | grep -i -E "error|warn"

cat /var/log/filebeat/filebeat | grep -i -E "error|warn"


Finally, check the disk space on your system, as full storage can prevent new indices from being created.


Please review and send back any evidence you collect to help determine the root cause of the issue.

m mun

Nov 30, 2025, 1:24:47 AM
to Wazuh | Mailing List
Hi,

Thank you for the advice. I have tried the suggestions and the results are as below:
1. The filebeat test output is all OK.
2. I also tried this command, referring to the guideline you shared:

curl https://<WAZUH_INDEXER_IP>:9200/_cat/indices/wazuh-alerts-* -u <WAZUH_INDEXER_USERNAME>:<WAZUH_INDEXER_PASSWORD> -k

There is a list of index files, but it is the same as the one I saw on the dashboard, where the latest index files are from 25/11.

3. I have tried to find the wazuh-indexer-cluster.log file, but the file is not there.
Only these files exist:
-rw-r-----  1 wazuh-indexer wazuh-indexer    99854 Nov 28 12:09 wazuh-cluster_deprecation.json
-rw-r-----  1 wazuh-indexer wazuh-indexer    56855 Nov 28 12:09 wazuh-cluster_deprecation.log
-rw-r-----  1 wazuh-indexer wazuh-indexer        0 Jun 19 23:41 wazuh-cluster_index_indexing_slowlog.json
-rw-r-----  1 wazuh-indexer wazuh-indexer        0 Jun 19 23:41 wazuh-cluster_index_indexing_slowlog.log
-rw-r-----  1 wazuh-indexer wazuh-indexer        0 Jun 19 23:41 wazuh-cluster_index_search_slowlog.json
-rw-r-----  1 wazuh-indexer wazuh-indexer        0 Jun 19 23:41 wazuh-cluster_index_search_slowlog.log
-rw-r-----  1 wazuh-indexer wazuh-indexer   131993 Nov 29 17:09 wazuh-cluster.log
-rw-r-----  1 wazuh-indexer wazuh-indexer   324003 Nov 29 17:09 wazuh-cluster_server.json
-rw-r-----  1 wazuh-indexer wazuh-indexer        0 Jun 19 23:41 wazuh-cluster_task_detailslog.json
-rw-r-----  1 wazuh-indexer wazuh-indexer        0 Jun 19 23:41 wazuh-cluster_task_detailslog.log

4. I have run this command:

cat /var/log/filebeat/filebeat | grep -i -E "error|warn"

There are no error messages, just warnings similar to this:
2025-11-29T17:03:43.407+0800    WARN    [elasticsearch] elasticsearch/client.go:408     Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc242cb9ba0e6a6fc, ext:104092023870402, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-archives-pipeline"}, .......... 

5. The disk space is only at 38% usage.





victor....@wazuh.com

4:46 AM
to Wazuh | Mailing List

Perfect. Let’s take a deeper look into your environment.


Verify that the Wazuh manager is generating alerts

First, we need to confirm whether the manager is producing alerts and whether the issue lies in forwarding them to the Wazuh indexer.

Please provide the following:

  • The /var/ossec/logs/ossec.log file, including any errors or warnings you find.
  • The timestamp of the most recent alert generated by the manager.


Also, check the manager status and share the output:

/var/ossec/bin/wazuh-control status



Check the Wazuh indexer logs

From the indexer side, please share your wazuh-cluster.log file, including any complete error or warning messages. You can filter them with:

cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"


If you see any errors or warnings, paste the full log lines so we can analyze them thoroughly.


Also, share the indexer service status:

systemctl status wazuh-indexer



Share the complete Filebeat warning

Please also provide the full Filebeat warning message, as it may give us valuable clues:


2025-11-29T17:03:43.407+0800 WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc242cb9ba0e6a6fc, ext:104092023870402, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-archives-pipeline"}, ...


In this case, it appears to be a mapping-type conflict; we should take a look at the full event.


Finally, please share the version you are using.



Please share all relevant evidence you can gather to help us troubleshoot the environment.
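
An added example, not part of the thread and not Wazuh's own tooling: a shell helper that groups Filebeat's "Cannot index event" warnings by pipeline, HTTP status, indexer error type and offending field, which is what the full warning requested above carries. It assumes the complete line ends with "(status=NNN): {json error}"; the sample lines and the field names in them are constructed.

```bash
#!/usr/bin/env bash
# Group Filebeat "Cannot index event" warnings by pipeline, HTTP status,
# indexer error type and offending field.
# Assumption: the full warning ends with "(status=NNN): {json error}".

summarize_index_rejections() {   # $1: path to a Filebeat log file
    awk '
    # Return the text between the first occurrence of a and the next b.
    function between(s, a, b,   p, rest, q) {
        p = index(s, a); if (!p) return "unknown"
        rest = substr(s, p + length(a)); q = index(rest, b)
        return q ? substr(rest, 1, q - 1) : "unknown"
    }
    /Cannot index event/ {
        pipeline = between($0, "\"pipeline\":\"", "\"")
        # Read the error only after "(status=": the event body has its own "type" keys.
        p = index($0, "(status=")
        tail = p ? substr($0, p) : ""
        status = between(tail, "(status=", ")")
        etype  = between(tail, "\"type\":\"", "\"")
        field  = between(tail, "failed to parse field [", "]")
        count[pipeline "\t" status "\t" etype "\t" field]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' "$1" | sort -rn
}

# Constructed sample lines (not from the thread). The last one is truncated the
# way the warning was pasted above, so only its pipeline can be recovered.
sample_log() {
    cat <<'EOF'
2025-11-29T17:03:43.407+0800 WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Meta:{"pipeline":"filebeat-7.10.2-wazuh-archives-pipeline"}, Fields:{"agent":{"type":"filebeat"}}}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [data.example.value] of type [long] in document with id 'a1'"}
2025-11-29T17:03:44.101+0800 WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Meta:{"pipeline":"filebeat-7.10.2-wazuh-archives-pipeline"}, Fields:{"agent":{"type":"filebeat"}}}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [data.example.value] of type [long] in document with id 'a2'"}
2025-11-29T17:03:45.230+0800 WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Meta:{"pipeline":"filebeat-7.10.2-wazuh-archives-pipeline"}, Fields:{"agent":{"type":"filebeat"}}}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [data.example.port] of type [date] in document with id 'a3'"}
2025-11-29T17:03:46.407+0800 WARN [elasticsearch] elasticsearch/client.go:408 Cannot index event publisher.Event{Content:beat.Event{Meta:{"pipeline":"filebeat-7.10.2-wazuh-archives-pipeline"}, ...
EOF
}

tmp=$(mktemp); sample_log > "$tmp"
# Columns: count, pipeline, status, error type, field
summarize_index_rejections "$tmp"
rm -f "$tmp"
```

On a real manager, pass /var/log/filebeat/filebeat to summarize_index_rejections; rows that show "unknown" for status and type come from lines that were cut before the error object.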
