5 minute delay in wazuh dashboard


Rahul Manoj

Jun 3, 2026, 6:43:46 AM (4 days ago) Jun 3
to Wazuh | Mailing List
Hi everyone,

I'm running a Wazuh distributed deployment and facing a consistent ~5 minute delay in alerts appearing on the Wazuh Dashboard, even though the alerts are being written to alerts.json in real time.

Environment
- Wazuh Manager (distributed setup)
- Filebeat shipping alerts to the Wazuh Indexer
- Wazuh Dashboard for visualization

Observed behavior:
- alerts.json is live and current — events appear there immediately
- Wazuh Dashboard shows alerts with a consistent ~5 minute delay
- Delay is uniform across all alert types and rule groups
- No errors in ossec.log or filebeat logs pointing to a bottleneck
- Indexer logs and resource utilization (CPU, memory, disk I/O) appear normal

What I've checked so far:
- Wazuh Manager ossec.log — no errors or warnings
- Filebeat logs — no pipeline errors or connection issues
- OpenSearch Indexer logs — no ingestion errors
- htop on both Manager and Indexer servers — resource utilization looks healthy

Suspected area:
Since alerts.json is current, the manager-side processing is fine. The delay seems to be somewhere between Filebeat flushing events and OpenSearch making them searchable in the Dashboard. Possible candidates I'm looking into:
- Filebeat flush_timeout or bulk_max_size settings
- OpenSearch index refresh_interval on wazuh-alerts-* indices
- OpenSearch write thread pool queue backpressure

Has anyone encountered this before or has pointers on what to tune? Any help is appreciated.

Thanks!

Bony V John

Jun 3, 2026, 7:15:20 AM (4 days ago) Jun 3
to Wazuh | Mailing List
Hi,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.

Bony V John

Jun 3, 2026, 8:15:31 AM (4 days ago) Jun 3
to Wazuh | Mailing List
Hi,

Based on your input, there are no resource issues on the servers and no error logs, but the alerts are still showing on the dashboard around 5 minutes late.

If the alerts are appearing on time in alerts.json but not on the dashboard, then the delay may be between alert generation and ingestion into the Wazuh indexer.

You can follow the steps below.

First, ensure that all Wazuh servers are using the same timezone and that NTP is enabled on all servers.

Run the below commands on all Wazuh servers:

date
date -u
timedatectl

Compare the timezone and time output across all servers. If they are not aligned, update the timezone and time configuration so they are consistent across all Wazuh servers.

Also, ensure that NTP is active.

After that, check whether alerts are showing correctly on the dashboard or if the delay still exists.

If there is still a delay, on the dashboard go to:

Hamburger menu > Dashboard Management > Dashboards Management > Advanced Settings

Search for the Timezone for date formatting option and ensure that the timezone is configured correctly.

Also, clear the browser cache and check whether the alerts are appearing on the dashboard on time.

If the issue still persists, follow the steps below.

Trigger a specific alert, for example, an SSH failed login alert.

Then on the Wazuh manager, tail the alerts.json file for that rule ID:

tail -f /var/ossec/logs/alerts/alerts.json | grep -iE "<rule-id>"

Replace <rule-id> with the alert rule ID you triggered. For example, the default rule ID for SSH failed login is 5760.

Then, on the Wazuh indexer server, run the below command to fetch the latest 10 logs for the same rule ID:

curl -k -u admin:<password> "https://<indexer-IP>:9200/wazuh-alerts-*/_search?pretty" \
-H 'Content-Type: application/json' \
-d '{
  "size": 10,
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ],
  "_source": [
    "@timestamp",
    "timestamp",
    "rule.id",
    "rule.description",
    "agent.id",
    "agent.name",
    "manager.name",
    "location",
    "full_log"
  ],
  "query": {
    "bool": {
      "filter": [
        {
          "term": {
            "rule.id": "5760"
          }
        }
      ]
    }
  }
}'

Replace the following values:

  • <password> with the default admin dashboard user credential.
  • <indexer-IP> with your Wazuh indexer server IP address.
  • Replace rule ID 5760 with the rule ID from the alert captured in alerts.json.

Then share both command outputs with us.

Also, please share the following Filebeat alerts pipeline file from the Wazuh manager: /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json

Run and share the output of the below command:

curl -sk -u admin:<password> "https://<indexer-ip>:9200/_index_template?pretty"

This will show whether any composable index templates exist.

Please share the Filebeat configuration file: /etc/filebeat/filebeat.yml

Finally, please share the Wazuh indexer and Filebeat log files as well. These details will help us analyze the issue further and assist you better.
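The two checks above (aligning clocks and timezones across the servers, then comparing the alert in alerts.json with the same alert as stored in the indexer) can be scripted over the captured outputs. The following is an added example written for this thread, not code from Wazuh or from either poster. It parses `timedatectl` output collected from each server (constructed sample text, assumed to have been captured at the same moment, with a deliberately skewed manager clock and a mismatched dashboard timezone), reports skew against a median reference, and computes the offset between an alert's `timestamp` field in alerts.json and the `@timestamp` the indexer stored for it. The hostnames, the 30 second tolerance and the sample alert are all assumptions for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed `timedatectl` output from three servers, assumed captured at the
# same moment. Not real output from the thread: the skew, timezone and NTP
# state are invented so that every check below has something to report.
TIMEDATECTL_SAMPLES = {
    "wazuh-manager": """\
               Local time: Wed 2026-06-03 06:38:46 UTC
           Universal time: Wed 2026-06-03 06:38:46 UTC
                Time zone: Etc/UTC (UTC, +0000)
System clock synchronized: no
              NTP service: inactive
""",
    "wazuh-indexer": """\
               Local time: Wed 2026-06-03 06:43:46 UTC
           Universal time: Wed 2026-06-03 06:43:46 UTC
                Time zone: Etc/UTC (UTC, +0000)
System clock synchronized: yes
              NTP service: active
""",
    "wazuh-dashboard": """\
               Local time: Wed 2026-06-03 12:13:47 IST
           Universal time: Wed 2026-06-03 06:43:47 UTC
                Time zone: Asia/Kolkata (IST, +0530)
System clock synchronized: yes
              NTP service: active
""",
}

MAX_SKEW_SECONDS = 30  # tolerance chosen for this example, not a Wazuh default


def parse_timedatectl(text):
    """Turn `key: value` lines into a dict. Split on the first colon only,
    because the values themselves contain colons (hh:mm:ss)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def universal_time(fields):
    """Parse the 'Universal time' line into an aware UTC datetime."""
    match = re.search(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})", fields["Universal time"])
    return datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def audit_clocks(samples, max_skew=MAX_SKEW_SECONDS):
    """Compare timezone, NTP state and clock skew across hosts. The reference
    clock is the median of the reported UTC times, so a single badly skewed
    host does not drag the baseline along with it."""
    parsed = {host: parse_timedatectl(text) for host, text in samples.items()}
    utc = {host: universal_time(f) for host, f in parsed.items()}
    reference = sorted(utc.values())[len(utc) // 2]
    skew = {host: (t - reference).total_seconds() for host, t in utc.items()}
    findings = []

    zones = {host: f["Time zone"].split()[0] for host, f in parsed.items()}
    if len(set(zones.values())) > 1:
        findings.append("timezone mismatch: " + ", ".join(f"{h}={z}" for h, z in sorted(zones.items())))

    for host, f in parsed.items():
        # Newer systemd prints 'System clock synchronized' / 'NTP service';
        # older releases print 'NTP synchronized' / 'Network time on'.
        synced = f.get("System clock synchronized", f.get("NTP synchronized", "unknown"))
        ntp = f.get("NTP service", f.get("Network time on", "unknown"))
        if synced != "yes":
            findings.append(f"{host}: system clock not synchronized")
        if ntp not in ("active", "yes"):
            findings.append(f"{host}: NTP not active ({ntp})")
        if abs(skew[host]) > max_skew:
            findings.append(f"{host}: clock skew {skew[host]:+.0f}s against reference")
    return {"skew_seconds": skew, "findings": findings}


# Constructed alerts.json line for rule 5760 and the matching hit as the
# `_search` query in the thread would return it. Both are sample data.
ALERT_LINE = json.dumps({
    "timestamp": "2026-06-03T06:38:46.512+0000",
    "rule": {"level": 5, "description": "sshd: authentication failed.", "id": "5760"},
    "agent": {"id": "001", "name": "web-01"},
    "manager": {"name": "wazuh-manager"},
    "location": "/var/log/auth.log",
    "full_log": "Jun  3 06:38:46 web-01 sshd[1234]: Failed password for invalid user test from 203.0.113.7 port 51234 ssh2",
})
INDEXER_HIT = {"_source": {
    "@timestamp": "2026-06-03T06:38:46.512Z",
    "timestamp": "2026-06-03T06:38:46.512+0000",
    "rule": {"id": "5760"}, "agent": {"id": "001"},
}}


def parse_wazuh_time(value):
    """Wazuh writes '2026-06-03T06:38:46.512+0000' in alerts.json; the indexer
    stores '@timestamp' as '...Z'. strptime's %z accepts both forms."""
    fmt = "%Y-%m-%dT%H:%M:%S.%f%z" if "." in value else "%Y-%m-%dT%H:%M:%S%z"
    return datetime.strptime(value, fmt)


def alert_index_offset(alert_line, hit):
    """Seconds between the manager's alert time and the indexed @timestamp.
    Anything other than 0 points at the ingest pipeline's date handling."""
    alert = json.loads(alert_line)
    src = hit["_source"]
    if alert["rule"]["id"] != src["rule"]["id"]:
        raise ValueError("hit does not belong to the same rule as the alert")
    return (parse_wazuh_time(src["@timestamp"]) - parse_wazuh_time(alert["timestamp"])).total_seconds()


if __name__ == "__main__":
    report = audit_clocks(TIMEDATECTL_SAMPLES)
    for line in report["findings"]:
        print(line)
    print("alert -> index offset:", alert_index_offset(ALERT_LINE, INDEXER_HIT), "s")
```

With the constructed data the manager clock comes out 300 s behind the reference, which is exactly the kind of skew that makes alerts look "five minutes late" on a dashboard whose time picker runs on a correctly synchronized browser, while the alert-to-index offset is 0 s, so the pipeline itself is not shifting the timestamps. To use it on a real deployment, paste each server's `timedatectl` output into the dictionary and the `tail`/`curl` outputs from the thread into `ALERT_LINE` and `INDEXER_HIT`.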
