No Office 365 alerts have been displayed for 6 days.


Paulo Magalhães

Jul 2, 2026, 10:24:52 AM (17 hours ago) Jul 2
to Wazuh | Mailing List
Hello friends! I'm having trouble displaying Office 365 alerts. The dashboard stopped displaying them 6 days ago. If I filter from day 7 onwards, logs appear, but only from SharePoint. I've updated Indexer and Dashboard, but it still doesn't work. I've also tried API validations directly with Microsoft, but without success.

Has anyone else experienced this problem?


7dias.png
6dias.png

Olamilekan Abdullateef Ajani

Jul 2, 2026, 11:09:21 AM (16 hours ago) Jul 2
to Wazuh | Mailing List
Hello,

This could be a subscription issue, since only SharePoint logs appear. However, can we check a few things to help isolate the issue?

Please check whether events are being ingested in alerts.json file: grep -i "office365" /var/ossec/logs/alerts/alerts.json | tail -20
And also query the Wazuh indexer for recent events: curl -k -u admin:<password> "https://localhost:9200/wazuh-alerts-*/_search?q=rule.groups:office365&size=5&sort=timestamp:desc" | jq '.hits.hits[]._source.timestamp'

If there are no events, then it means there is a problem with ingestion, especially if it correlates with the result of the alerts.json check.

You can also check the logs for office365 related events: grep -i "office365\|wm_office365" /var/ossec/logs/ossec.log | tail -50


Also confirm/verify the subscriptions with the command below; make sure to obtain the token from Microsoft's identity platform first:
curl -s -H "Authorization: Bearer $TOKEN" \
"https://manage.office.com/api/v1.0/<TENANT_ID>/activity/feed/subscriptions/list"


You can use this to capture the token:

curl -s -X POST \
  "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=<CLIENT_ID>" \
  -d "client_secret=<CLIENT_SECRET>" \
  -d "scope=https://manage.office.com/.default" \
  -d "grant_type=client_credentials"


Please share the results of all the queries.

Paulo Magalhães

Jul 2, 2026, 2:16:35 PM (13 hours ago) Jul 2
to Wazuh | Mailing List
What happened: the problem was never the Office 365 integration. In fact, what happened was:

- Wazuh Manager continued generating events normally.
- The alerts.json file continued to grow (we saw that it was over 4 GB).
- Filebeat continued reading alerts.json.
- Wazuh Indexer reached the limit of 1000 shards.
- Filebeat started continuously receiving:

Validation Failed: this action would add [3] total shards, but this cluster currently has [1000]/[1000] maximum shards open

Olamilekan Abdullateef Ajani

Jul 2, 2026, 2:37:14 PM (13 hours ago) Jul 2
to Wazuh | Mailing List
Hello,

This changes the narrative entirely, but to confirm, please run the command below to check the cluster health and see whether you get something similar to the output that follows: curl -k -u <WAZUH_INDEXER_USERNAME>:<WAZUH_INDEXER_PASSWORD> -XGET https://<WAZUH_INDEXER_IP>:9200/_cluster/health?pretty


> "active_primary_shards" : 1000,
> "active_shards" : 1000,

Then this means you have maxed out your shard usage, and in turn data will no longer be populated on the dashboard.
To fix this there are different ways. You can add more nodes to the Indexer cluster; this would enhance the capacity and resiliency of your setup. More about this here:
Ref:
https://documentation.wazuh.com/current/user-manual/wazuh-indexer-cluster/add-wazuh-indexer-nodes.html

The other option is to delete old indices or, better still, set up a retention policy via the indexer's index lifecycle management.

curl -k -u admin:<password> "https://localhost:9200/_cat/indices?v&s=index"
curl -k -u admin:<password> "https://localhost:9200/_cat/shards?v"

You can delete old indices by making use of Dev Tools.

To list the indices you have, use UI >> Indexer Management > Dev Tools and run the command `GET _cat/indices?v`. This will list the indices you have. From there you can delete the old indices of your choice by running `DELETE /<indices_to_delete>`. For example: `DELETE /wazuh-alerts-4.x-2025.01.02`

But please note: freeing shards by deleting indices means removing data (old data, perhaps), so you need to be careful about which indices you delete.

Once you have freed up shards, then follow the guide below to set up a retention policy, which is a long-term fix.

Ref:
https://documentation.wazuh.com/current/user-manual/wazuh-indexer-cluster/index-lifecycle-management.html
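The two findings in this thread, the cluster sitting at its shard limit (Paulo's "[1000]/[1000] maximum shards open") and the suggested clean-up of old daily indices, can be checked and planned without touching the cluster first. The script below is an added example and is not code from the thread or from the Wazuh project. It works on constructed samples of `_cluster/health` and `_cat/indices` output embedded inline (in practice you would feed it the real curl output from the commands above); the per-node shard limit of 1000 is the OpenSearch default for `cluster.max_shards_per_node`, and the generated DELETE commands are only printed as a dry-run plan, never executed.

```shell
#!/bin/sh
# Added example: shard-capacity check plus a dry-run retention plan for
# Wazuh indexer indices. Not part of the original thread.

# Constructed sample of GET _cluster/health?pretty, mirroring the thread's figures.
SAMPLE_HEALTH='{
  "cluster_name" : "wazuh-cluster",
  "status" : "yellow",
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 1000,
  "active_shards" : 1000
}'

# Constructed sample of GET _cat/indices?v&s=index (columns: health status index uuid pri rep ...).
SAMPLE_INDICES='health status index                       uuid pri rep docs.count docs.deleted store.size pri.store.size
green  open   wazuh-alerts-4.x-2025.01.02 aaaa 3   0   120000     0            1.2gb      1.2gb
green  open   wazuh-alerts-4.x-2026.06.25 bbbb 3   0   90000      0            900mb      900mb
green  open   wazuh-alerts-4.x-2026.07.01 cccc 3   0   10000      0            100mb      100mb
green  open   .opendistro_security        dddd 1   0   10         0            60kb       60kb'

# json_int JSON KEY: extract an integer value for KEY from pretty-printed JSON (one key per line).
json_int() {
  printf '%s\n' "$1" | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# shard_headroom HEALTH_JSON [MAX_PER_NODE]: print used/limit/free shard counts.
# The cluster-wide limit is max_shards_per_node (default 1000) times the number of data nodes.
# Returns non-zero when no free shards remain, i.e. new daily indices will be rejected.
shard_headroom() {
  health=$1
  per_node=${2:-1000}
  used=$(json_int "$health" active_shards)
  nodes=$(json_int "$health" number_of_data_nodes)
  limit=$((nodes * per_node))
  free=$((limit - used))
  printf 'used=%s limit=%s free=%s\n' "$used" "$limit" "$free"
  [ "$free" -gt 0 ]
}

# expired_indices CUTOFF (YYYY.MM.DD) < cat_indices_output: print "index primary_shards" for
# wazuh-alerts-* daily indices dated before CUTOFF. System indices never match the pattern.
expired_indices() {
  awk -v cutoff="$1" '
    $3 ~ /^wazuh-alerts-.*-[0-9][0-9][0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]$/ {
      n = split($3, parts, "-")
      day = parts[n]                 # trailing YYYY.MM.DD sorts correctly as a string
      if (day < cutoff) print $3, $5
    }'
}

# delete_plan CUTOFF < cat_indices_output: print the DELETE commands a human would review
# before running them. Nothing is sent to the indexer here.
delete_plan() {
  expired_indices "$1" | while read -r name pri; do
    printf 'curl -k -u admin:<password> -XDELETE "https://localhost:9200/%s"   # frees %s shard(s)\n' "$name" "$pri"
  done
}

# Stand-alone demo on the constructed samples.
shard_headroom "$SAMPLE_HEALTH" || echo "cluster is at its shard limit: new indices will be rejected"
echo "indices older than 2026.06.30 that the retention plan would remove:"
printf '%s\n' "$SAMPLE_INDICES" | delete_plan 2026.06.30
```

Run it as-is to see the diagnosis on the sample data, or replace the two sample variables with the output of the real `_cluster/health` and `_cat/indices` calls. Review the printed plan before running any of the DELETE commands, and treat this as a one-off recovery only: the long-term fix remains the retention policy from the index lifecycle management guide linked above.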