Wazuh agents stop reporting after OS update & reboot (v4.14.0.1)
101 views
Skip to first unread message
Adrien Di Cristofaro
Dec 9, 2025, 3:17:31 AMDec 9
to Wazuh | Mailing List
Hello,
Environment:
Environment:
- Wazuh agent: 4.14.0.1 on multiple windpws servers
- Cluster: 3 managers (1 master, 2 workers)
- 1 indexer
- 1 dashboard
Context:
I’m patching servers to remediate CVEs that Wazuh reported on servers. On some hosts, right after the OS update and a reboot, the Wazuh agent appears to stop sending CVE ? Or indexer / manager fail to update CVEs. Other stuff like logs, FIM, CIS Benchmark, ... are working fine. So I guess it's not an agent issue.
For those hosts :
- Cluster: 3 managers (1 master, 2 workers)
- 1 indexer
- 1 dashboard
Context:
I’m patching servers to remediate CVEs that Wazuh reported on servers. On some hosts, right after the OS update and a reboot, the Wazuh agent appears to stop sending CVE ? Or indexer / manager fail to update CVEs. Other stuff like logs, FIM, CIS Benchmark, ... are working fine. So I guess it's not an agent issue.
For those hosts :
- The Vulnerabilities dashboard is empty
- The Inventory is empty
- No events/alerts show up anymore There is no “Active → Resolved” history;
See screenshots : Server was updates after first CVE's reports, old event are OK, but no event logged as status "Solved"
Items simply disappear.
Question: What could cause agents to stop reporting after a reboot in this setup or indexer / manager not handling reports correctly ?
Is this maybe a normal behavior I didn't understood ?
If helpful, please let me know which logs or checks you recommend.
I can share:
- /var/ossec/logs/ossec.log (agent)
- /var/log/filebeat/filebeat* (manager)
- /var/log/wazuh-indexer/wazuh-cluster.log (indexer)
- Agent and manager service status, connectivity tests to the managers, etc.
Thanks in advance for any guidance.
Adrien
Stuti Gupta
Dec 9, 2025, 4:09:27 AMDec 9
to Wazuh | Mailing List
Hi Adrien
Let's first check the agent ossec.log. Sometimes Windows is slow to respond after reboot, which can cause the agent to take time for inventory scans. In such cases, the agent log (ossec.log) shows warnings. So please check if there are any errors or warnings:
C:\Program Files (x86)\ossec-agent\ossec.log"
If there are no warnings or errors, then, secondly, can you please check the manager logs and see if you have an error like this:
2025/10/20 08:56:30 indexer-connector: ERROR: Could not connect to server, status code: -1.
2025/10/20 08:56:30 indexer-connector: WARNING: Failed to sync agent
The file will be located at /var/ossec/logs/ossec.log
This error indicates that the indexer connector that is responsible for the vulnerability and IT hygiene indices is sometimes not able to update, as it cannot connect and sync.
Query the indexer’s health with Indexer
Indexer management > Dev Tools
GET _cluster/health
The cluster status must be green or yellow
If everything seems perfect the please share the logs from the manager and agent.
Wazuh-manager:
cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
wazuh agent logs located at:
C:\Program Files (x86)\ossec-agent\ossec.log
Let's first check the agent ossec.log. Sometimes Windows is slow to respond after reboot, which can cause the agent to take time for inventory scans. In such cases, the agent log (ossec.log) shows warnings. So please check if there are any errors or warnings:
C:\Program Files (x86)\ossec-agent\ossec.log"
If there are no warnings or errors, then, secondly, can you please check the manager logs and see if you have an error like this:
2025/10/20 08:56:30 indexer-connector: ERROR: Could not connect to server, status code: -1.
2025/10/20 08:56:30 indexer-connector: WARNING: Failed to sync agent
The file will be located at /var/ossec/logs/ossec.log
This error indicates that the indexer connector that is responsible for the vulnerability and IT hygiene indices is sometimes not able to update, as it cannot connect and sync.
Query the indexer’s health with Indexer
Indexer management > Dev Tools
GET _cluster/health
The cluster status must be green or yellow
If everything seems perfect the please share the logs from the manager and agent.
Wazuh-manager:
cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
wazuh agent logs located at:
C:\Program Files (x86)\ossec-agent\ossec.log
Adrien Di Cristofaro
Dec 9, 2025, 6:15:56 AMDec 9
to Wazuh | Mailing List
Hello Gupta,
Here the information you asked :
Ossec.Log :
2025/12/09 00:00:10 wazuh-agent: INFO: Starting new log after rotation.
2025/12/09 00:22:21 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 00:22:37 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 01:22:38 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 01:22:51 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 02:22:53 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 02:23:06 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 02:34:11 sca: INFO: Starting Security Configuration Assessment scan.
2025/12/09 02:34:11 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2019.yml'
2025/12/09 02:34:20 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2019.yml'
2025/12/09 02:34:20 sca: INFO: Security Configuration Assessment scan finished. Duration: 9 seconds.
2025/12/09 02:38:14 rootcheck: INFO: Starting rootcheck scan.
2025/12/09 02:38:14 rootcheck: WARNING: No winmalware file: './shared/win_malware_rcl.txt'
2025/12/09 02:38:14 rootcheck: WARNING: No winapps file: './shared/win_applications_rcl.txt'
2025/12/09 02:38:19 rootcheck: INFO: Ending rootcheck scan.
2025/12/09 02:44:06 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2025/12/09 02:44:20 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2025/12/09 03:23:08 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 03:23:20 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 04:23:22 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 04:23:34 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 05:23:36 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 05:23:48 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 06:23:50 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 06:24:04 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 07:24:05 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 07:24:23 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 08:24:24 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 08:24:38 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 09:24:40 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 09:24:53 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 10:24:54 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 10:25:07 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 11:25:08 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 11:25:22 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 00:22:21 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 00:22:37 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 01:22:38 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 01:22:51 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 02:22:53 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 02:23:06 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 02:34:11 sca: INFO: Starting Security Configuration Assessment scan.
2025/12/09 02:34:11 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2019.yml'
2025/12/09 02:34:20 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2019.yml'
2025/12/09 02:34:20 sca: INFO: Security Configuration Assessment scan finished. Duration: 9 seconds.
2025/12/09 02:38:14 rootcheck: INFO: Starting rootcheck scan.
2025/12/09 02:38:14 rootcheck: WARNING: No winmalware file: './shared/win_malware_rcl.txt'
2025/12/09 02:38:14 rootcheck: WARNING: No winapps file: './shared/win_applications_rcl.txt'
2025/12/09 02:38:19 rootcheck: INFO: Ending rootcheck scan.
2025/12/09 02:44:06 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2025/12/09 02:44:20 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2025/12/09 03:23:08 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 03:23:20 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 04:23:22 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 04:23:34 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 05:23:36 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 05:23:48 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 06:23:50 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 06:24:04 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 07:24:05 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 07:24:23 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 08:24:24 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 08:24:38 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 09:24:40 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 09:24:53 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 10:24:54 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 10:25:07 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/09 11:25:08 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/09 11:25:22 wazuh-modulesd:syscollector: INFO: Evaluation finished.
Health check :
{
"cluster_name": "wazuh-indexer-cluster",
"status": "yellow",
"timed_out": false,
"number_of_nodes": 1,
"number_of_data_nodes": 1,
"discovered_master": true,
"discovered_cluster_manager": true,
"active_primary_shards": 147,
"active_shards": 147,
"relocating_shards": 0,
"initializing_shards": 0,
"unassigned_shards": 8,
"delayed_unassigned_shards": 0,
"number_of_pending_tasks": 0,
"number_of_in_flight_fetch": 0,
"task_max_waiting_in_queue_millis": 0,
"active_shards_percent_as_number": 94.83870967741936
}
"cluster_name": "wazuh-indexer-cluster",
"status": "yellow",
"timed_out": false,
"number_of_nodes": 1,
"number_of_data_nodes": 1,
"discovered_master": true,
"discovered_cluster_manager": true,
"active_primary_shards": 147,
"active_shards": 147,
"relocating_shards": 0,
"initializing_shards": 0,
"unassigned_shards": 8,
"delayed_unassigned_shards": 0,
"number_of_pending_tasks": 0,
"number_of_in_flight_fetch": 0,
"task_max_waiting_in_queue_millis": 0,
"active_shards_percent_as_number": 94.83870967741936
}
root@vm-4-wazuh-m-1:/home/informatique# /var/ossec/bin/cluster_control -i
Cluster name: wazuh_cluster
Last completed synchronization for connected nodes (2):
wazuh-2 (192.168.194.177): Integrity check: 2025-12-09T11:06:02.489810Z | Integrity sync: 2025-12-09T08:54:49.340788Z | Agents-info: 2025-12-09T11:05:58.305743Z | Agent-groups: n/a | Agent-groups full: n/a | Last keep alive: 2025-12-09T11:05:08.603875Z.
wazuh-3 (192.168.228.33): Integrity check: 2025-12-09T11:05:56.528245Z | Integrity sync: 2025-12-09T08:54:17.784672Z | Agents-info: 2025-12-09T11:06:03.804415Z | Agent-groups: n/a | Agent-groups full: n/a | Last keep alive: 2025-12-09T11:05:07.690943Z.
root@vm-4-wazuh-m-1:/home/informatique# /var/ossec/bin/cluster_control -i more
Cluster name: wazuh_cluster
Connected nodes (2):
wazuh-1 (192.168.246.146)
Version: 4.14.0
Type: master
Active agents: 54
wazuh-2 (192.168.194.177)
Version: 4.14.0
Type: worker
Active agents: 6
Status:
Last keep Alive:
Last received: 2025-12-09T11:06:08.606271Z.
Integrity check:
Last integrity check: 0.006s (2025-12-09T11:06:20.517946Z - 2025-12-09T11:06:20.523554Z).
Permission to check integrity: True.
Integrity sync:
Last integrity synchronization: 0.007s (2025-12-09T08:54:49.333760Z - 2025-12-09T08:54:49.340788Z).
Synchronized files: Shared: 0 | Missing: 0 | Extra: 1.
Agents-info:
Last synchronization: 0.006s (2025-12-09T11:06:18.320128Z - 2025-12-09T11:06:18.326242Z).
Number of synchronized chunks: 1.
Permission to synchronize agent-info: True.
Agents-groups:
Last synchronization: n/a (2025-12-09T11:06:16.715853Z - n/a).
Number of synchronized chunks: 0.
Agents-groups full:
Last synchronization: n/a (n/a - n/a).
Number of synchronized chunks: 0.
wazuh-3 (192.168.228.33)
Version: 4.14.0
Type: worker
Active agents: 22
Status:
Last keep Alive:
Last received: 2025-12-09T11:06:07.694603Z.
Integrity check:
Last integrity check: 0.006s (2025-12-09T11:06:23.573547Z - 2025-12-09T11:06:23.579118Z).
Permission to check integrity: True.
Integrity sync:
Last integrity synchronization: 0.007s (2025-12-09T08:54:17.777520Z - 2025-12-09T08:54:17.784672Z).
Synchronized files: Shared: 1 | Missing: 0 | Extra: 0.
Agents-info:
Last synchronization: 0.007s (2025-12-09T11:06:23.828010Z - 2025-12-09T11:06:23.835391Z).
Number of synchronized chunks: 1.
Permission to synchronize agent-info: True.
Agents-groups:
Last synchronization: n/a (2025-12-09T11:06:16.715311Z - n/a).
Number of synchronized chunks: 0.
Agents-groups full:
Last synchronization: n/a (n/a - n/a).
Number of synchronized chunks: 0.
Cluster name: wazuh_cluster
Last completed synchronization for connected nodes (2):
wazuh-2 (192.168.194.177): Integrity check: 2025-12-09T11:06:02.489810Z | Integrity sync: 2025-12-09T08:54:49.340788Z | Agents-info: 2025-12-09T11:05:58.305743Z | Agent-groups: n/a | Agent-groups full: n/a | Last keep alive: 2025-12-09T11:05:08.603875Z.
wazuh-3 (192.168.228.33): Integrity check: 2025-12-09T11:05:56.528245Z | Integrity sync: 2025-12-09T08:54:17.784672Z | Agents-info: 2025-12-09T11:06:03.804415Z | Agent-groups: n/a | Agent-groups full: n/a | Last keep alive: 2025-12-09T11:05:07.690943Z.
root@vm-4-wazuh-m-1:/home/informatique# /var/ossec/bin/cluster_control -i more
Cluster name: wazuh_cluster
Connected nodes (2):
wazuh-1 (192.168.246.146)
Version: 4.14.0
Type: master
Active agents: 54
wazuh-2 (192.168.194.177)
Version: 4.14.0
Type: worker
Active agents: 6
Status:
Last keep Alive:
Last received: 2025-12-09T11:06:08.606271Z.
Integrity check:
Last integrity check: 0.006s (2025-12-09T11:06:20.517946Z - 2025-12-09T11:06:20.523554Z).
Permission to check integrity: True.
Integrity sync:
Last integrity synchronization: 0.007s (2025-12-09T08:54:49.333760Z - 2025-12-09T08:54:49.340788Z).
Synchronized files: Shared: 0 | Missing: 0 | Extra: 1.
Agents-info:
Last synchronization: 0.006s (2025-12-09T11:06:18.320128Z - 2025-12-09T11:06:18.326242Z).
Number of synchronized chunks: 1.
Permission to synchronize agent-info: True.
Agents-groups:
Last synchronization: n/a (2025-12-09T11:06:16.715853Z - n/a).
Number of synchronized chunks: 0.
Agents-groups full:
Last synchronization: n/a (n/a - n/a).
Number of synchronized chunks: 0.
wazuh-3 (192.168.228.33)
Version: 4.14.0
Type: worker
Active agents: 22
Status:
Last keep Alive:
Last received: 2025-12-09T11:06:07.694603Z.
Integrity check:
Last integrity check: 0.006s (2025-12-09T11:06:23.573547Z - 2025-12-09T11:06:23.579118Z).
Permission to check integrity: True.
Integrity sync:
Last integrity synchronization: 0.007s (2025-12-09T08:54:17.777520Z - 2025-12-09T08:54:17.784672Z).
Synchronized files: Shared: 1 | Missing: 0 | Extra: 0.
Agents-info:
Last synchronization: 0.007s (2025-12-09T11:06:23.828010Z - 2025-12-09T11:06:23.835391Z).
Number of synchronized chunks: 1.
Permission to synchronize agent-info: True.
Agents-groups:
Last synchronization: n/a (2025-12-09T11:06:16.715311Z - n/a).
Number of synchronized chunks: 0.
Agents-groups full:
Last synchronization: n/a (n/a - n/a).
Number of synchronized chunks: 0.
root@vm-6-wazuh-m-1:/home/informatique# cat /var/ossec/logs/ossec.log | grep -i "error"
2025/12/09 08:52:38 indexer-connector: ERROR: Could not connect to server, status code: -1.
2025/12/09 08:52:40 indexer-connector: ERROR: Could not connect to server, status code: -1.
2025/12/09 08:52:41 indexer-connector: ERROR: Could not connect to server, status code: -1.
2025/12/09 08:52:41 indexer-connector: ERROR: Could not connect to server, status code: -1.
2025/12/09 08:52:44 indexer-connector: ERROR: Could not connect to server, status code: -1.
root@vm-6-wazuh-m-1:/home/informatique# cat /var/ossec/logs/ossec.log | grep -i "warn"
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:38 indexer-connector: ERROR: Could not connect to server, status code: -1.
2025/12/09 08:52:40 indexer-connector: ERROR: Could not connect to server, status code: -1.
2025/12/09 08:52:41 indexer-connector: ERROR: Could not connect to server, status code: -1.
2025/12/09 08:52:41 indexer-connector: ERROR: Could not connect to server, status code: -1.
2025/12/09 08:52:44 indexer-connector: ERROR: Could not connect to server, status code: -1.
root@vm-6-wazuh-m-1:/home/informatique# cat /var/ossec/logs/ossec.log | grep -i "warn"
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
2025/12/09 08:52:55 indexer-connector: WARNING: Failed to sync agent '070' with the indexer.
I guess warning & error is because i've restarted the indexer this morning around 8:52.
Best regards,
Adrien
Adrien Di Cristofaro
Dec 9, 2025, 6:27:03 AMDec 9
to Wazuh | Mailing List
More informations :
Adrien
The problem seems to be only on SLAVE manager nodes.
Everything is reporting fine on MASTER node.
Did I miss something during configuration ?
Br,
Adrien
Adrien Di Cristofaro
Dec 10, 2025, 4:33:55 AMDec 10
to Wazuh | Mailing List
Update : I was wrong, it seems random accross all 3 managers...
Any idea ?
Br,
Adrien
Adrien Di Cristofaro
Dec 11, 2025, 2:31:22 AMDec 11
to Wazuh | Mailing List
Up !
Stuti Gupta
Dec 11, 2025, 7:00:43 AM (14 days ago) Dec 11
to Wazuh | Mailing List
This error indicates that the indexer connector that is responsible for the vulnerability and inventory indices is sometimes not able to update, as it cannot connect and sync.
Make sure to update the configuration in the worker node as well. https://documentation.wazuh.com/current/user-manual/capabilities/system-inventory/configuration.html#wazuh-manager-configuration
Ensure to save the Wazuh indexer username and password in the Wazuh manager keystore.
echo 'admin' | /var/ossec/bin/wazuh-keystore -f indexer -k username
echo 'admin_PASSWORD' | /var/ossec/bin/wazuh-keystore -f indexer -k password
Replace admin_PASSWORD with the password of the admin user.
Now restart the manager.
systemctl restart wazuh-manager
It might take a few minutes to complete the scan.
Make sure to update the configuration in the worker node as well. https://documentation.wazuh.com/current/user-manual/capabilities/system-inventory/configuration.html#wazuh-manager-configuration
Ensure to save the Wazuh indexer username and password in the Wazuh manager keystore.
echo 'admin' | /var/ossec/bin/wazuh-keystore -f indexer -k username
echo 'admin_PASSWORD' | /var/ossec/bin/wazuh-keystore -f indexer -k password
Replace admin_PASSWORD with the password of the admin user.
Now restart the manager.
systemctl restart wazuh-manager
It might take a few minutes to complete the scan.
Adrien Di Cristofaro
Dec 11, 2025, 7:47:53 AM (14 days ago) Dec 11
to Wazuh | Mailing List
Hello Gupta,
I've followed your advice, but the issue stay the same.
The worker & master node are correctly configured, filebeat too.
Outputs :
Worker 2 & 3 :
root@vm-6-wazuh-m-1:/home/informatique# curl --cacert /etc/filebeat/certs/root-ca.pem --cert /etc/filebeat/certs/wazuh-2.pem --key /etc/filebeat/certs/wazuh-2-key.pem -u admin -XGET https://192.168.246.148:9200/_cluster/health
Enter host password for user 'admin':
{"cluster_name":"wazuh-indexer-cluster","status":"yellow","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"discovered_master":true,"discovered_cluster_manager":true,"active_primary_shards":155,"active_shards":155,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":10,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":93.93939393939394}
root@vm-6-wazuh-m-1:/home/informatique# curl --cacert /etc/filebeat/certs/root-ca.pem --cert /etc/filebeat/certs/wazuh-2.pem --key /etc/filebeat/certs/wazuh-2-key.pem -u admin -XGET https://192.168.246.148:9200/_cluster/health
Enter host password for user 'admin':
{"cluster_name":"wazuh-indexer-cluster","status":"yellow","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"discovered_master":true,"discovered_cluster_manager":true,"active_primary_shards":155,"active_shards":155,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":10,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":93.93939393939394}
root@vm-3-wazuh-m-1:/home/informatique# curl --cacert /etc/filebeat/certs/root-ca.pem --cert /etc/filebeat/certs/wazuh-3.pem --key /etc/filebeat/certs/wazuh-3-key.pem -u admin -XGET https://192.168.246.148:9200/_cluster/health
Enter host password for user 'admin':
{"cluster_name":"wazuh-indexer-cluster","status":"yellow","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"discovered_master":true,"discovered_cluster_manager":true,"active_primary_shards":155,"active_shards":155,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":10,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":93.93939393939394}
Enter host password for user 'admin':
{"cluster_name":"wazuh-indexer-cluster","status":"yellow","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"discovered_master":true,"discovered_cluster_manager":true,"active_primary_shards":155,"active_shards":155,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":10,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":93.93939393939394}
root@vm-3-wazuh-m-1:/home/informatique# filebeat test output
elasticsearch: https://192.168.246.148:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 192.168.246.148
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.2
dial up... OK
talk to server... OK
version: 7.10.2
elasticsearch: https://192.168.246.148:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 192.168.246.148
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.2
dial up... OK
talk to server... OK
version: 7.10.2
root@vm-6-wazuh-m-1:/home/informatique# filebeat test output
elasticsearch: https://192.168.246.148:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 192.168.246.148
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.2
dial up... OK
talk to server... OK
version: 7.10.2
elasticsearch: https://192.168.246.148:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 192.168.246.148
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.2
dial up... OK
talk to server... OK
version: 7.10.2
Master :
root@vm-4-wazuh-m-1:/home/informatique# curl --cacert /etc/filebeat/certs/root-ca.pem --cert /etc/filebeat/certs/wazuh-1.pem --key /etc/filebeat/certs/wazuh-1-key.pem -u admin -XGET https://192.168.246.148:9200/_cluster/health
Enter host password for user 'admin':
{"cluster_name":"wazuh-indexer-cluster","status":"yellow","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"discovered_master":true,"discovered_cluster_manager":true,"active_primary_shards":155,"active_shards":155,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":10,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":93.93939393939394}
Enter host password for user 'admin':
{"cluster_name":"wazuh-indexer-cluster","status":"yellow","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"discovered_master":true,"discovered_cluster_manager":true,"active_primary_shards":155,"active_shards":155,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":10,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":93.93939393939394}
root@vm-4-wazuh-m-1:/home/informatique# filebeat test output
elasticsearch: https://192.168.246.148:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 192.168.246.148
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.2
dial up... OK
talk to server... OK
version: 7.10.2
elasticsearch: https://192.168.246.148:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 192.168.246.148
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.2
dial up... OK
talk to server... OK
version: 7.10.2
Cluster status is yellow -> can this be the issue ?
Br,
Adrien
Adrien Di Cristofaro
Dec 11, 2025, 7:53:36 AM (14 days ago) Dec 11
to Wazuh | Mailing List
Are unasigned shards an issue ?
rwazuh-statistics-2025.49w 0 p STARTED 12048 4mb 192.168.246.148 node-1
.ql-datasources 0 p STARTED 0 208b 192.168.246.148 node-1
wazuh-states-inventory-hardware-wazuh_cluster 0 p STARTED 88 918.6kb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.10 0 p STARTED 233654 192.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.10 1 p STARTED 233965 193.3mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.10 2 p STARTED 232606 193.1mb 192.168.246.148 node-1
.opendistro-reports-definitions 0 p STARTED 0 208b 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.12 0 p STARTED 268441 183.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.12 1 p STARTED 269087 183.6mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.12 2 p STARTED 268021 182.2mb 192.168.246.148 node-1
.opendistro-reports-instances 0 p STARTED 1 26.3kb 192.168.246.148 node-1
.opendistro_security 0 p STARTED 10 80kb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.11 0 p STARTED 108639 113.1mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.11 1 p STARTED 107899 112.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.11 2 p STARTED 108395 112.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.14 0 p STARTED 904263 869.1mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.14 1 p STARTED 904656 865.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.14 2 p STARTED 906774 868.5mb 192.168.246.148 node-1
wazuh-statistics-2025.45w 0 p STARTED 7671 2.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.13 0 p STARTED 473560 455.6mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.13 1 p STARTED 474296 458mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.13 2 p STARTED 474398 453.4mb 192.168.246.148 node-1
wazuh-states-inventory-services-wazuh_cluster 0 p STARTED 52567 29.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.05 0 p STARTED 359 770.5kb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.05 1 p STARTED 333 942.3kb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.05 2 p STARTED 328 673kb 192.168.246.148 node-1
.opensearch-observability 0 p STARTED 0 208b 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.07 0 p STARTED 173655 121mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.07 1 p STARTED 174576 125.2mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.07 2 p STARTED 173325 123.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.06 0 p STARTED 73 242.1kb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.06 1 p STARTED 97 217.8kb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.06 2 p STARTED 77 304.3kb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.09 0 p STARTED 220194 222.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.09 1 p STARTED 219688 222.2mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.09 2 p STARTED 219413 218.2mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.08 0 p STARTED 216626 214.7mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.08 1 p STARTED 216756 217.7mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.08 2 p STARTED 216745 220.3mb 192.168.246.148 node-1
wazuh-states-inventory-users-wazuh_cluster 0 p STARTED 7147 1.7mb 192.168.246.148 node-1
wazuh-monitoring-2025.47w 0 p STARTED 54653 10.8mb 192.168.246.148 node-1
wazuh-states-inventory-hotfixes-wazuh_cluster 0 p STARTED 3742 201.9kb 192.168.246.148 node-1
wazuh-states-vulnerabilities-wazuh_cluster 0 p STARTED 9632 2.5mb 192.168.246.148 node-1
.opendistro-ism-config 0 p STARTED 192.168.246.148 node-1
.opendistro-ism-config 0 r UNASSIGNED
wazuh-statistics-2025.50w 0 p STARTED 6117 3.2mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.21 0 p STARTED 925389 875.4mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.21 1 p STARTED 923743 875.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.21 2 p STARTED 926142 876.3mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.20 0 p STARTED 927706 870.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.20 1 p STARTED 927915 872mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.20 2 p STARTED 928306 869.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.23 0 p STARTED 598508 640.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.23 1 p STARTED 597687 638mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.23 2 p STARTED 598020 640.6mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.22 0 p STARTED 589893 639.6mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.22 1 p STARTED 591206 638.3mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.22 2 p STARTED 589917 636.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.25 0 p STARTED 940351 870mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.25 1 p STARTED 940494 870.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.25 2 p STARTED 943354 868.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.24 0 p STARTED 910423 840.1mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.24 1 p STARTED 909393 842.6mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.24 2 p STARTED 907492 834mb 192.168.246.148 node-1
wazuh-statistics-2025.46w 0 p STARTED 11958 3.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.16 0 p STARTED 627183 671.2mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.16 1 p STARTED 626344 662.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.16 2 p STARTED 627878 671.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.15 0 p STARTED 651021 685mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.15 1 p STARTED 650280 685.7mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.15 2 p STARTED 648403 683.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.18 0 p STARTED 963583 906.4mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.18 1 p STARTED 963187 909.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.18 2 p STARTED 962480 903mb 192.168.246.148 node-1
wazuh-states-inventory-system-wazuh_cluster 0 p STARTED 88 285.4kb 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.04-000002 0 p STARTED 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.04-000002 0 r UNASSIGNED
wazuh-alerts-4.x-2025.11.17 0 p STARTED 958139 897.1mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.17 1 p STARTED 959778 897.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.17 2 p STARTED 960267 901.4mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.19 0 p STARTED 943637 895mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.19 1 p STARTED 943903 897mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.19 2 p STARTED 942918 896.3mb 192.168.246.148 node-1
wazuh-states-inventory-packages-wazuh_cluster 0 p STARTED 10940 2mb 192.168.246.148 node-1
wazuh-monitoring-2025.48w 0 p STARTED 57251 11.1mb 192.168.246.148 node-1
wazuh-statistics-2025.47w 0 p STARTED 12025 4mb 192.168.246.148 node-1
wazuh-states-inventory-networks-wazuh_cluster 0 p STARTED 470 150.6kb 192.168.246.148 node-1
wazuh-states-inventory-processes-wazuh_cluster 0 p STARTED 14190 11.4mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.30 0 p STARTED 595490 655.3mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.30 1 p STARTED 596683 650.7mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.30 2 p STARTED 596270 655.8mb 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.09-000007 0 p STARTED 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.09-000007 0 r UNASSIGNED
.opendistro-ism-managed-index-history-2025.12.06-000004 0 p STARTED 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.06-000004 0 r UNASSIGNED
wazuh-alerts-4.x-2025.12.02 0 p STARTED 991028 914.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.02 1 p STARTED 990995 914.4mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.02 2 p STARTED 991333 914.7mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.01 0 p STARTED 943154 883.3mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.01 1 p STARTED 943925 881.3mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.01 2 p STARTED 943189 877.4mb 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.08-000006 0 p STARTED 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.08-000006 0 r UNASSIGNED
wazuh-alerts-4.x-2025.12.04 0 p STARTED 989719 902.6mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.04 1 p STARTED 991344 904.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.04 2 p STARTED 992191 902.3mb 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.07-000005 0 p STARTED 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.07-000005 0 r UNASSIGNED
wazuh-alerts-4.x-2025.12.03 0 p STARTED 1010973 927.2mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.03 1 p STARTED 1013271 930.6mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.03 2 p STARTED 1012807 924.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.27 0 p STARTED 934420 873.4mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.27 1 p STARTED 935096 877.3mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.27 2 p STARTED 935629 871.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.26 0 p STARTED 1029340 953.7mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.26 1 p STARTED 1029390 957.6mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.26 2 p STARTED 1029859 958.3mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.29 0 p STARTED 596793 651.1mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.29 1 p STARTED 596806 651mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.29 2 p STARTED 596765 653.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.28 0 p STARTED 839768 810mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.28 1 p STARTED 838995 814.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.28 2 p STARTED 838902 811.3mb 192.168.246.148 node-1
wazuh-states-inventory-ports-wazuh_cluster 0 p STARTED 55546 28.9mb 192.168.246.148 node-1
wazuh-monitoring-2025.45w 0 p STARTED 14535 3mb 192.168.246.148 node-1
wazuh-states-inventory-groups-wazuh_cluster 0 p STARTED 4420 1mb 192.168.246.148 node-1
wazuh-monitoring-2025.49w 0 p STARTED 57792 11.1mb 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.03-1 0 p STARTED 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.03-1 0 r UNASSIGNED
wazuh-statistics-2025.48w 0 p STARTED 11489 3.4mb 192.168.246.148 node-1
wazuh-states-inventory-protocols-wazuh_cluster 0 p STARTED 459 126.4kb 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.10-000008 0 p STARTED 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.10-000008 0 r UNASSIGNED
wazuh-alerts-4.x-2025.12.11 0 p STARTED 542389 632.7mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.11 1 p STARTED 543070 570.4mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.11 2 p STARTED 544414 772.3mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.10 0 p STARTED 963554 898.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.10 1 p STARTED 962185 900.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.10 2 p STARTED 963679 900.5mb 192.168.246.148 node-1
wazuh-states-inventory-interfaces-wazuh_cluster 0 p STARTED 241 846.1kb 192.168.246.148 node-1
.kibana_1 0 p STARTED 39 238.8kb 192.168.246.148 node-1
wazuh-states-inventory-browser-extensions-wazuh_cluster 0 p STARTED 6167 1.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.06 0 p STARTED 634593 668mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.06 1 p STARTED 634466 670.6mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.06 2 p STARTED 634389 670.4mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.05 0 p STARTED 1024290 940.1mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.05 1 p STARTED 1023005 937.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.05 2 p STARTED 1025502 937.6mb 192.168.246.148 node-1
.plugins-ml-config 0 p STARTED 1 4kb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.08 0 p STARTED 914601 851.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.08 1 p STARTED 914990 852mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.08 2 p STARTED 912469 846.4mb 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.05-000003 0 p STARTED 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.05-000003 0 r UNASSIGNED
wazuh-alerts-4.x-2025.12.07 0 p STARTED 588587 624.7mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.07 1 p STARTED 588841 631.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.07 2 p STARTED 588690 629.5mb 192.168.246.148 node-1
wazuh-monitoring-2025.50w 0 p STARTED 30059 5.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.09 0 p STARTED 990490 917.4mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.09 1 p STARTED 989091 912.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.09 2 p STARTED 990132 912.9mb 192.168.246.148 node-1
.opendistro-job-scheduler-lock 0 p STARTED 9 460.4kb 192.168.246.148 node-1
.opendistro-job-scheduler-lock 0 r UNASSIGNED
wazuh-monitoring-2025.46w 0 p STARTED 48745 9.1mb 192.168.246.148 node-1
.opensearch-notifications-config 0 p STARTED 192.168.246.148 node-1
rwazuh-statistics-2025.49w 0 p STARTED 12048 4mb 192.168.246.148 node-1
.ql-datasources 0 p STARTED 0 208b 192.168.246.148 node-1
wazuh-states-inventory-hardware-wazuh_cluster 0 p STARTED 88 918.6kb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.10 0 p STARTED 233654 192.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.10 1 p STARTED 233965 193.3mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.10 2 p STARTED 232606 193.1mb 192.168.246.148 node-1
.opendistro-reports-definitions 0 p STARTED 0 208b 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.12 0 p STARTED 268441 183.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.12 1 p STARTED 269087 183.6mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.12 2 p STARTED 268021 182.2mb 192.168.246.148 node-1
.opendistro-reports-instances 0 p STARTED 1 26.3kb 192.168.246.148 node-1
.opendistro_security 0 p STARTED 10 80kb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.11 0 p STARTED 108639 113.1mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.11 1 p STARTED 107899 112.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.11 2 p STARTED 108395 112.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.14 0 p STARTED 904263 869.1mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.14 1 p STARTED 904656 865.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.14 2 p STARTED 906774 868.5mb 192.168.246.148 node-1
wazuh-statistics-2025.45w 0 p STARTED 7671 2.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.13 0 p STARTED 473560 455.6mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.13 1 p STARTED 474296 458mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.13 2 p STARTED 474398 453.4mb 192.168.246.148 node-1
wazuh-states-inventory-services-wazuh_cluster 0 p STARTED 52567 29.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.05 0 p STARTED 359 770.5kb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.05 1 p STARTED 333 942.3kb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.05 2 p STARTED 328 673kb 192.168.246.148 node-1
.opensearch-observability 0 p STARTED 0 208b 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.07 0 p STARTED 173655 121mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.07 1 p STARTED 174576 125.2mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.07 2 p STARTED 173325 123.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.06 0 p STARTED 73 242.1kb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.06 1 p STARTED 97 217.8kb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.06 2 p STARTED 77 304.3kb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.09 0 p STARTED 220194 222.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.09 1 p STARTED 219688 222.2mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.09 2 p STARTED 219413 218.2mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.08 0 p STARTED 216626 214.7mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.08 1 p STARTED 216756 217.7mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.08 2 p STARTED 216745 220.3mb 192.168.246.148 node-1
wazuh-states-inventory-users-wazuh_cluster 0 p STARTED 7147 1.7mb 192.168.246.148 node-1
wazuh-monitoring-2025.47w 0 p STARTED 54653 10.8mb 192.168.246.148 node-1
wazuh-states-inventory-hotfixes-wazuh_cluster 0 p STARTED 3742 201.9kb 192.168.246.148 node-1
wazuh-states-vulnerabilities-wazuh_cluster 0 p STARTED 9632 2.5mb 192.168.246.148 node-1
.opendistro-ism-config 0 p STARTED 192.168.246.148 node-1
.opendistro-ism-config 0 r UNASSIGNED
wazuh-statistics-2025.50w 0 p STARTED 6117 3.2mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.21 0 p STARTED 925389 875.4mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.21 1 p STARTED 923743 875.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.21 2 p STARTED 926142 876.3mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.20 0 p STARTED 927706 870.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.20 1 p STARTED 927915 872mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.20 2 p STARTED 928306 869.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.23 0 p STARTED 598508 640.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.23 1 p STARTED 597687 638mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.23 2 p STARTED 598020 640.6mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.22 0 p STARTED 589893 639.6mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.22 1 p STARTED 591206 638.3mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.22 2 p STARTED 589917 636.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.25 0 p STARTED 940351 870mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.25 1 p STARTED 940494 870.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.25 2 p STARTED 943354 868.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.24 0 p STARTED 910423 840.1mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.24 1 p STARTED 909393 842.6mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.24 2 p STARTED 907492 834mb 192.168.246.148 node-1
wazuh-statistics-2025.46w 0 p STARTED 11958 3.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.16 0 p STARTED 627183 671.2mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.16 1 p STARTED 626344 662.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.16 2 p STARTED 627878 671.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.15 0 p STARTED 651021 685mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.15 1 p STARTED 650280 685.7mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.15 2 p STARTED 648403 683.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.18 0 p STARTED 963583 906.4mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.18 1 p STARTED 963187 909.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.18 2 p STARTED 962480 903mb 192.168.246.148 node-1
wazuh-states-inventory-system-wazuh_cluster 0 p STARTED 88 285.4kb 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.04-000002 0 p STARTED 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.04-000002 0 r UNASSIGNED
wazuh-alerts-4.x-2025.11.17 0 p STARTED 958139 897.1mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.17 1 p STARTED 959778 897.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.17 2 p STARTED 960267 901.4mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.19 0 p STARTED 943637 895mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.19 1 p STARTED 943903 897mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.19 2 p STARTED 942918 896.3mb 192.168.246.148 node-1
wazuh-states-inventory-packages-wazuh_cluster 0 p STARTED 10940 2mb 192.168.246.148 node-1
wazuh-monitoring-2025.48w 0 p STARTED 57251 11.1mb 192.168.246.148 node-1
wazuh-statistics-2025.47w 0 p STARTED 12025 4mb 192.168.246.148 node-1
wazuh-states-inventory-networks-wazuh_cluster 0 p STARTED 470 150.6kb 192.168.246.148 node-1
wazuh-states-inventory-processes-wazuh_cluster 0 p STARTED 14190 11.4mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.30 0 p STARTED 595490 655.3mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.30 1 p STARTED 596683 650.7mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.30 2 p STARTED 596270 655.8mb 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.09-000007 0 p STARTED 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.09-000007 0 r UNASSIGNED
.opendistro-ism-managed-index-history-2025.12.06-000004 0 p STARTED 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.06-000004 0 r UNASSIGNED
wazuh-alerts-4.x-2025.12.02 0 p STARTED 991028 914.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.02 1 p STARTED 990995 914.4mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.02 2 p STARTED 991333 914.7mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.01 0 p STARTED 943154 883.3mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.01 1 p STARTED 943925 881.3mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.01 2 p STARTED 943189 877.4mb 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.08-000006 0 p STARTED 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.08-000006 0 r UNASSIGNED
wazuh-alerts-4.x-2025.12.04 0 p STARTED 989719 902.6mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.04 1 p STARTED 991344 904.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.04 2 p STARTED 992191 902.3mb 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.07-000005 0 p STARTED 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.07-000005 0 r UNASSIGNED
wazuh-alerts-4.x-2025.12.03 0 p STARTED 1010973 927.2mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.03 1 p STARTED 1013271 930.6mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.03 2 p STARTED 1012807 924.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.27 0 p STARTED 934420 873.4mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.27 1 p STARTED 935096 877.3mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.27 2 p STARTED 935629 871.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.26 0 p STARTED 1029340 953.7mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.26 1 p STARTED 1029390 957.6mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.26 2 p STARTED 1029859 958.3mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.29 0 p STARTED 596793 651.1mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.29 1 p STARTED 596806 651mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.29 2 p STARTED 596765 653.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.28 0 p STARTED 839768 810mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.28 1 p STARTED 838995 814.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.11.28 2 p STARTED 838902 811.3mb 192.168.246.148 node-1
wazuh-states-inventory-ports-wazuh_cluster 0 p STARTED 55546 28.9mb 192.168.246.148 node-1
wazuh-monitoring-2025.45w 0 p STARTED 14535 3mb 192.168.246.148 node-1
wazuh-states-inventory-groups-wazuh_cluster 0 p STARTED 4420 1mb 192.168.246.148 node-1
wazuh-monitoring-2025.49w 0 p STARTED 57792 11.1mb 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.03-1 0 p STARTED 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.03-1 0 r UNASSIGNED
wazuh-statistics-2025.48w 0 p STARTED 11489 3.4mb 192.168.246.148 node-1
wazuh-states-inventory-protocols-wazuh_cluster 0 p STARTED 459 126.4kb 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.10-000008 0 p STARTED 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.10-000008 0 r UNASSIGNED
wazuh-alerts-4.x-2025.12.11 0 p STARTED 542389 632.7mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.11 1 p STARTED 543070 570.4mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.11 2 p STARTED 544414 772.3mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.10 0 p STARTED 963554 898.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.10 1 p STARTED 962185 900.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.10 2 p STARTED 963679 900.5mb 192.168.246.148 node-1
wazuh-states-inventory-interfaces-wazuh_cluster 0 p STARTED 241 846.1kb 192.168.246.148 node-1
.kibana_1 0 p STARTED 39 238.8kb 192.168.246.148 node-1
wazuh-states-inventory-browser-extensions-wazuh_cluster 0 p STARTED 6167 1.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.06 0 p STARTED 634593 668mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.06 1 p STARTED 634466 670.6mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.06 2 p STARTED 634389 670.4mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.05 0 p STARTED 1024290 940.1mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.05 1 p STARTED 1023005 937.8mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.05 2 p STARTED 1025502 937.6mb 192.168.246.148 node-1
.plugins-ml-config 0 p STARTED 1 4kb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.08 0 p STARTED 914601 851.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.08 1 p STARTED 914990 852mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.08 2 p STARTED 912469 846.4mb 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.05-000003 0 p STARTED 192.168.246.148 node-1
.opendistro-ism-managed-index-history-2025.12.05-000003 0 r UNASSIGNED
wazuh-alerts-4.x-2025.12.07 0 p STARTED 588587 624.7mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.07 1 p STARTED 588841 631.5mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.07 2 p STARTED 588690 629.5mb 192.168.246.148 node-1
wazuh-monitoring-2025.50w 0 p STARTED 30059 5.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.09 0 p STARTED 990490 917.4mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.09 1 p STARTED 989091 912.9mb 192.168.246.148 node-1
wazuh-alerts-4.x-2025.12.09 2 p STARTED 990132 912.9mb 192.168.246.148 node-1
.opendistro-job-scheduler-lock 0 p STARTED 9 460.4kb 192.168.246.148 node-1
.opendistro-job-scheduler-lock 0 r UNASSIGNED
wazuh-monitoring-2025.46w 0 p STARTED 48745 9.1mb 192.168.246.148 node-1
.opensearch-notifications-config 0 p STARTED 192.168.246.148 node-1
Adrien Di Cristofaro
Dec 11, 2025, 9:14:36 AM (14 days ago) Dec 11
to Wazuh | Mailing List
I have managed to fix unassigned shard (most of them where unassigned because of "replica = 1" in index settings, and i'm only running 1 manager, not a cluster so replica -> 0).
Br,
Adrien
Stuti Gupta
Dec 12, 2025, 6:09:03 AM (13 days ago) Dec 12
to Wazuh | Mailing List
Hi Adrien,
Could you please confirm whether this issue is happening for a single agent or for all agents?
If this is happening for all agents, then the issue is likely related to the Wazuh manager not being able to communicate with the indexer connector.
Please check the IP address defined in the indexer configuration in /var/ossec/etc/ossec.conf. The IP should match the indexer IP specified in /etc/filebeat/filebeat.yml.
<indexer>
<enabled>yes</enabled>
<hosts>
<host>https://127.0.0.1:9200</host>
</hosts>
Share the indexer configuration with me. Also please share the output of
ll /etc/filebeat/certs/
Please also verify that the indexer is running properly and is active. Even if the cluster health shows yellow, you should still be able to see the vulnerabilities.
Additionally, make sure that the Wazuh indexer username and password are correctly stored in the manager’s keystore.
If this is happening for a specific agent only,
Please go to the Vulnerability Detection → Inventory section. Click on the event for which the vulnerability detection is working and check the value of vulnerability.detected_at. It should reflect today's date. This will help us confirm whether the vulnerability scan is working for other agents.
If the date is correct for other agents, that means for all the agents, it is working fine except for the rebooted one.
Then please restart the Wazuh agent on the affected endpoint, and also restart the Wazuh manager.
If you still face the same issue after these steps, please share the ossec.log from the affected agent and the Wazuh manager logs.
Adrien Di Cristofaro
Dec 23, 2025, 4:13:44 AM (2 days ago) Dec 23
to Wazuh | Mailing List
It seems that everything is back in order.
CVE's from december security update has been detected on problematic servers, so i guess everything is fine.
Thanks for the help,
Br,
Adrien
Reply all
Reply to author
Forward
0 new messages