No data shown on the security event on Wazuh application


Lanny

May 17, 2023, 11:37:12 PM
to Wazuh mailing list
Hi,

   After I installed the Wazuh server application on CentOS using the All-in-One method, I also installed the agent on my endpoint. I received an email alert, but no security event information is shown under security events in the Wazuh server web GUI. I ran the command

systemctl status filebeat.service

and it showed the result

Active: failed (Result: start-limit) since ....

and also the log

<date> wazuh01 systemd[1]: Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch


I tried this command to start Filebeat, but it failed

systemctl start filebeat

Can anyone give me any idea of how to solve this problem?

Thanks!


Gonzalo Membrillo Solbes

May 18, 2023, 2:55:39 AM
to Wazuh mailing list
Hello Lanny,

Based on the error message, it seems like the filebeat service is failing to start. This could be due to a configuration issue or a problem with the installation. In order to check what the problem could be, you can try to restart Filebeat and then, after it fails, you can run the following command: journalctl -xe. This will give additional information as to what is happening to Filebeat. You could also check the messages displayed when running the systemctl status filebeat -l command.  Additionally, you can try reinstalling the filebeat service and restarting the server. If the issue persists, please provide us with more information such as the filebeat logs, which can be found under /var/log/filebeat/filebeat, and any error messages you receive when attempting to start the service.

Best regards,
Gonzalo

Lanny

May 18, 2023, 3:20:24 AM
to Wazuh mailing list
Hi Gonzalo,

   Thanks for your response. I ran the following command

filebeat -v -e -d "*"

It is so weird that it cannot find the wazuh directory under the following path

/usr/share/filebeat/module/

After I checked, it had disappeared, and I tried to copy the directory from another machine which is not the same OS, and it works.

Because I used the All-in-One installation method to install, may I know whether something is missing from the installation script?

On Thursday, May 18, 2023 at 2:55:39 PM [UTC+8], Gonzalo Membrillo Solbes wrote:

Gonzalo Membrillo Solbes

May 19, 2023, 4:33:58 AM
to Wazuh mailing list
Hello again,

Ordinarily, there is no reason for the directory to be missing. I have tested the All-in-One installation script and ran into no problems. It could be that the installation failed for any reason or it could be that you are using an unsupported OS. Regardless, this is not a common occurrence. If you were to observe this behaviour again, I recommend reinstalling Filebeat.

Regards,
Gonzalo
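
The failure discussed in this thread (a module enabled in the Filebeat configuration while its directory is absent under /usr/share/filebeat/module/) can be checked directly. The script below is an added example, not part of the thread or of Wazuh's own tooling. It generalizes the check to every `- module:` entry in the config; the config path /etc/filebeat/filebeat.yml, the environment variable names and the function names are assumptions.

```shell
#!/bin/sh
# Added example: report modules enabled in filebeat.yml whose directory is
# missing or empty under Filebeat's module path.

# Print each module name declared as "- module: <name>" in a config file.
configured_modules() {
    sed -n 's/^[[:space:]]*-[[:space:]]*module:[[:space:]]*\([A-Za-z0-9_-]*\).*$/\1/p' "$1" | sort -u
}

# Print modules that are configured but have no usable directory.
# $1 = config file, $2 = module root. Returns 1 if any module is missing.
missing_modules() {
    rc=0
    for m in $(configured_modules "$1"); do
        dir="$2/$m"
        # An empty directory is as unusable to Filebeat as an absent one.
        if [ ! -d "$dir" ] || [ -z "$(ls -A "$dir" 2>/dev/null)" ]; then
            echo "$m"
            rc=1
        fi
    done
    return $rc
}

# Defaults: the config path is an assumption; the module root is the
# path quoted in the thread. Override either through the environment.
CONF="${FILEBEAT_CONF:-/etc/filebeat/filebeat.yml}"
MODROOT="${FILEBEAT_MODULES:-/usr/share/filebeat/module}"

if [ -r "$CONF" ]; then
    missing=$(missing_modules "$CONF" "$MODROOT" || true)
    if [ -n "$missing" ]; then
        echo "Configured in $CONF but missing under $MODROOT:"
        echo "$missing" | sed 's/^/  /'
    else
        echo "All configured modules are present under $MODROOT"
    fi
fi
```

Run it as root on the Wazuh server before restarting Filebeat; a module listed as missing points to an incomplete installation rather than a configuration error.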