Wazuh v4.7.2 don't show events anymore


Roger Mas Miro

2:59 AM
to Wazuh | Mailing List
Hi,

We've got a Wazuh version 4.7.2 installation (no cluster) and it's been working fine until tonight at 01:58. Since then all events have stopped showing in the dashboard or in the events list. Neither yesterday nor at that time did we change any configuration or make any modification on the server. We also don't have any alert from that time from our server monitoring systems.

I've checked the services and wazuh-manager, wazuh-indexer, wazuh-dashboard and filebeat are active.

I can only see a Warning message in the state of the wazuh-indexer service:

systemd-entrypoint[972]: WARNING: A terminally deprecated method in java.lang.System has been called
systemd-entrypoint[972]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opense>
systemd-entrypoint[972]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
systemd-entrypoint[972]: WARNING: System::setSecurityManager will be removed in a future release

If I check the ossec.log I can't see anything up to 01:58; the first log line starts at 02:38, and I just get some INFO messages and the WARNINGs:

wazuh-modulesd:osquery: WARNING: The configuration file '/etc/osquery/osquery.conf' is not accessible: No such file or directory (2)
wazuh-modulesd:osquery: WARNING: Results file '/var/log/osquery/osqueryd.results.log' not available: No such file or directory (2). Retrying in 60 sec.

When I test the filebeat output it seems fine:

elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security... WARN server's certificate chain verification is disabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2

If I check the /var/ossec/logs/alerts/alerts.log file I can see that events are being generated right now. We can even receive some emails from alarms configured in the local_rules.xml file, but since today at 01:58 there are no events in the dashboard.

Please, can anyone help us?

Thank you in advance,

Roger Mas Miro

3:36 AM
to Wazuh | Mailing List
Hi, again,

My bad, I just checked index policy management and we hadn't configured any index retention.

I've just deleted old indexes and created a new index policy of 180 days using the steps from this guide:


Best regards,

Md. Nazmur Sakib

6:25 AM
to Wazuh | Mailing List

Hi Roger,


We see a similar issue with many causes. The most likely reasons are that your disk space is very low, you have the maximum shards open, or your Filebeat is not started properly.


In your case I believe the issue was that your disk space was very low, or that you had the maximum shards open.


In this kind of issue, try to restart your Elasticsearch/Wazuh-indexer and Filebeat:


systemctl restart elasticsearch

or

systemctl restart filebeat


Check if restarting the service solves the issue. If you still see no alerts on security events, you can use the Wazuh indexer log to find the root cause:

grep -i -E "error|warn|cri" /var/log/wazuh-indexer/wazuh-cluster.log


I am glad that you have resolved the issue.
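As an added example (not part of this thread or of Wazuh's own tooling), a small POSIX shell triage script covering the causes listed above: low disk, the shard limit, Filebeat state, and the indexer log filter. The data path /var/lib/wazuh-indexer, the 85% disk threshold and the sample log lines are assumptions constructed for the example; only the `--live` branch touches the host.

```shell
#!/bin/sh
# Added example: offline-testable triage helpers for the causes named in the
# thread. Thresholds and the sample log below are assumptions, not Wazuh output.

# Returns 0 when the used-space percentage is at or above the limit (default 85%, assumed).
disk_is_low() {
    [ "$1" -ge "${2:-85}" ]
}

# Shard slots still free. OpenSearch defaults cluster.max_shards_per_node to
# 1000; pass active_shards and number_of_data_nodes from _cluster/health.
shard_headroom() {
    echo $(( $2 * ${3:-1000} - $1 ))
}

# Same filter Nazmur suggests, returned as a count (0 matches is not an error here).
count_log_problems() {
    grep -c -i -E "error|warn|cri" "$1" || true
}

# Live checks for a Wazuh host (assumed data path); run with: sh triage.sh --live
main_live() {
    used="$(df --output=pcent /var/lib/wazuh-indexer | tail -n 1 | tr -dc '0-9')"
    if disk_is_low "$used"; then echo "indexer data path is ${used}% full"; fi
    systemctl is-active --quiet filebeat || echo "filebeat is not active"
    echo "indexer log problem lines: $(count_log_problems /var/log/wazuh-indexer/wazuh-cluster.log)"
}

# Constructed sample log (not real output) so the helpers can be exercised offline.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[2024-02-20T01:58:10][WARN ][DiskThresholdMonitor] [node-1] high disk watermark exceeded
[2024-02-20T01:58:11][INFO ][MetadataCreateIndexService] [node-1] [wazuh-alerts-4.x-2024.02.20] creating index
[2024-02-20T01:58:12][ERROR][TransportBulkAction] [node-1] this cluster currently has [1000]/[1000] maximum shards open
EOF

if [ "${1:-}" = "--live" ]; then main_live; fi
```

Without `--live` the script only defines the helpers and writes the sample log, so it can be sourced and checked on any machine.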
