Security events are not visible from the Wazuh website


Daniel Hinojo

Mar 15, 2021, 1:40:22 PM3/15/21
to Wazuh mailing list
I just noticed that my Wazuh 4.1 is not showing security events on the web, although it is reporting them by mail. I checked whether it was collecting information in the /var/ossec/logs/alerts/2021/Mar folder and I see that it is, but on the Wazuh website no event is displayed in the graphics. I see that this has not been displayed since yesterday, 03/14 at 18:00. I also observe that all agents are active.

Daniel Hinojo

Mar 15, 2021, 7:22:27 PM3/15/21
to Wazuh mailing list
Good afternoon. Searching the Elasticsearch logs, I found the following:
[2021-03-15T00: 00: 01,828] [ERROR] [caosasInternalESSink] [node-1] Unable to index audit log {"audit_cluster_name": "elasticsearch", "audit_transport_headers ": {" _ system_index_access_allowed ":" false "}," audit_node_name ":" node-1 "," audit_trace_task_id ":" ELClQUgNRLCsOj76o2GQtw: 53535900 "," audit_transport_request_type ":" audit_transport_request_type ":" Audit_transport_request_type ":" Create "" auditIndexRequest_type, "audit_transport_request_type": "audit_transport_request_type": "CreateIndexReque ":" REST "," audit_request_body ":" {} "," audit_node_id ":" ELClQUgNRLCsOj76o2GQtw "," audit_request_layer ":" TRANSPORT "," @ timestamp ":" 2021-03-15T05: 00: 01.827 + 00: 00 "," audit_format_version ": 4," audit_request_remote_address ":" 127.0.0.1 "," audit_request_privilege ":" indices: admin / auto_create "," audit_node_host_address ":" 127.0.0.1 "," audit_request_effective_user ":" audit_traindices "audit_traindices" audit_traindices ", audit_traindices ": [" <wazuh-alerts-4.x- {2021.03.15 || / d {yyyy.MM.dd | UTC}}> "]," audit_node_host_name ":" 127.0.0.1 "} due to org.elasticsearch .common.ValidationException: Validation Failed : 1: this action would add [2] total shards, but this cluster currently has [999] / [1000] maximum shards open;

Note that the error could be because I had reached the limit in my node of [999]/[1000] maximum shards open. I searched and found the following post: Wazuh doesn't show events on Web app (google.com), and I started to investigate the error. Then I ran the command that enlarged my node from 1000 to 2000 (which is not recommended according to what they indicate) and finally it worked. I have read the documentation but it is still not clear to me what maximum capacity per node you have, and I would like to ask if you could answer the following questions:

 1) This limit that the error indicates ([999]/[1000] maximum shards open), is it because of the amount of information that I have stored, that is, the indexes? Or is it because of the agents that I currently have? Or what does it mean? Currently I have only 51 agents in 01 node and I use opendistroforelasticsearch and wazuh 4.1.0.

 2) Will I necessarily have to create more nodes so that this error does not happen again? If so, then from this implementation that I have, how would I do it? Would I have to create another server where my node2 is and configure it according to the following documentation: https://documentation.wazuh.com/current/installation-guide/open-distro/distributed-deployment/step-by-step-installation/elasticsearch-cluster/elasticsearch-multi-node-cluster.html#elasticsearch-multi-node-cluster

 3) Is the database that Wazuh uses that of opendistroforelasticsearch? Or does it use another like mysql, mariadb, etc.?

Antonio David Gutiérrez

Mar 16, 2021, 5:12:58 AM3/16/21
to Wazuh mailing list
Hi Daniel,

1. The error you are experiencing is due to your Elasticsearch node having reached the default shards limit (1000) per node. Possible solutions are:
- Add more nodes to your Elasticsearch cluster.
- Delete old indices if they are not necessary anymore.
- Increase the shards limit per node as you tried. Use with caution.

2. Yes, exactly, you could add another node to your Elasticsearch cluster if you need a higher shards count to retain your information.

3. Wazuh uses Elasticsearch to store the generated alerts, and this information can be accessed in Kibana (using Discover or creating visualizations to compose custom dashboards) or through the application (Wazuh App for Kibana). Open Distro for Elasticsearch adds some extra features like security, index management, etc. to the Elasticsearch database. More info about these features: https://opendistro.github.io/for-elasticsearch/features/security.html
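
As an added example (not code from this thread, from Wazuh or from Open Distro), the following Python script counts open shards the way the limit check in the error above does (primaries times 1 + replicas, so replica copies count even on a single node where they cannot be assigned), reports the headroom against cluster.max_shards_per_node times the node count, and lists the oldest daily wazuh-alerts indices whose deletion would free a given number of shards. It parses a constructed sample of the `_cat/indices?h=index,pri,rep&format=json` output embedded inline; the index names and pri/rep values in that sample are assumptions, not values from the poster's cluster.

```python
import json
import re

# Constructed sample of GET _cat/indices?h=index,pri,rep&format=json (not
# output from the poster's cluster); the pri/rep values are assumptions.
SAMPLE_CAT_INDICES = json.dumps([
    {"index": "wazuh-alerts-4.x-2021.03.13", "pri": "1", "rep": "1"},
    {"index": "wazuh-alerts-4.x-2021.03.14", "pri": "1", "rep": "1"},
    {"index": "wazuh-alerts-4.x-2021.03.15", "pri": "1", "rep": "1"},
    {"index": "wazuh-monitoring-2021.03.15", "pri": "1", "rep": "1"},
    {"index": ".kibana_1", "pri": "1", "rep": "0"},
])

# Daily Wazuh alert indices embed the date as yyyy.MM.dd.
DAILY_ALERTS = re.compile(r"^wazuh-alerts-4\.x-\d{4}\.\d{2}\.\d{2}$")


def shards_per_index(cat_indices_json):
    """Map index name -> shards it occupies. Replica copies count toward
    cluster.max_shards_per_node even when one node cannot assign them."""
    usage = {}
    for row in json.loads(cat_indices_json):
        usage[row["index"]] = int(row["pri"]) * (1 + int(row["rep"]))
    return usage


def headroom(cat_indices_json, nodes=1, max_shards_per_node=1000):
    """Return (open_shards, cluster_limit, remaining), matching the
    '[open]/[limit] maximum shards open' figures in the validation error."""
    open_shards = sum(shards_per_index(cat_indices_json).values())
    limit = nodes * max_shards_per_node
    return open_shards, limit, limit - open_shards


def oldest_alert_indices_to_free(cat_indices_json, shards_needed):
    """Oldest daily wazuh-alerts indices whose deletion frees at least
    shards_needed shards. The date is in the name, so lexical order is
    date order; the newest index is only reached if nothing else suffices."""
    usage = shards_per_index(cat_indices_json)
    daily = sorted(name for name in usage if DAILY_ALERTS.match(name))
    chosen, freed = [], 0
    for name in daily:
        if freed >= shards_needed:
            break
        chosen.append(name)
        freed += usage[name]
    return chosen
```

Run `headroom(SAMPLE_CAT_INDICES)` against a live cluster's `_cat/indices` response and, when the remaining count is below the shards a new daily index needs (2 in the error quoted above), `oldest_alert_indices_to_free` names the indices an index policy would retire first.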

Daniel Hinojo

Mar 17, 2021, 6:29:40 PM3/17/21
to Wazuh mailing list
Good afternoon. I am trying to remove some old indexes through the index policy (Wazuh index management), but when I want to save it the following message appears:

"Sorry, there was an error

[validation_exception] Validation Failed: 1: this action would add [2] total shards, but this cluster currently has [1018]/[1000] maximum shards open;"

I ran the command to expand it:

curl -XPUT https://localhost:9200/_cluster/settings -H 'Content-type: application/json' --data-binary $'{"transient":{"cluster.max_shards_per_node":2000}}' -k -u admin:xxxxx

but the above message still appears when I try to create a policy. Please, could you help me?