Events not showing on Wazuh Dashboard
1,538 views
Skip to first unread message
Chouaib Khiari
Dec 1, 2022, 9:52:09 PM12/1/22
to Wazuh mailing list
Hello,
I just installed the 4.3.10 Version of Wazuh and i have all agents active but i don't see any events in the "Security Events" section except from the events related to the server that is hosting the wazuh itself. I did check the alerts.json internally and i see that the server is receiving the agents alerts under /var/ossec/logs/alerts/alerts.json.
I just installed the 4.3.10 Version of Wazuh and i have all agents active but i don't see any events in the "Security Events" section except from the events related to the server that is hosting the wazuh itself. I did check the alerts.json internally and i see that the server is receiving the agents alerts under /var/ossec/logs/alerts/alerts.json.
Can you please help me figure out why they are not showing in the dashboard?
Thank you,
Chouaib
Thank you,
Chouaib
Mateo Cervilla
Dec 2, 2022, 12:32:57 PM12/2/22
to Wazuh mailing list
Hello,
To give you some context, the flow of events is like this:
Agent -> Manager (Server)-> Filebeat -> Indexer -> Dashboard
If you can see the alerts under /var/ossec/logs/alerts/alerts.json we can rule out that the problem is between the Agent and the Manager.
If you can also see the Manager alerts on the Dashboard then we can also rule out that the problem is between the Manager and the Dashboard.
Regards,
To give you some context, the flow of events is like this:
Agent -> Manager (Server)-> Filebeat -> Indexer -> Dashboard
Somewhere in this sequence there must be some misconfiguration or error.
If you can see the alerts under /var/ossec/logs/alerts/alerts.json we can rule out that the problem is between the Agent and the Manager.
If you can also see the Manager alerts on the Dashboard then we can also rule out that the problem is between the Manager and the Dashboard.
You can re-check the settings and make sure everything is well configured.
We can help you a bit more if you provide us with more information, like logs from the differents modules (Manager, Filebeat, Indexer, Dashboard) and then maybe we can find an error that is causing the problem.
Here is some information about Log data collection
Another thing to consider is if you have a Wazuh Cluster, it is possible that a bad configuration is allowing the entry of alerts from a manager but not from others.
Regards,
Mateo
Message has been deleted
Message has been deleted
Message has been deleted
Message has been deleted
Message has been deleted
Mateo Cervilla
Dec 5, 2022, 11:11:22 AM12/5/22
to Wazuh mailing list
Hello Chouaib, I brought the message you sent me privately here so it continues in this thread:
Here's some of the different log output:
Log file located at /usr/share/kibana/data/wazuh/logs/wazuhapp.log
Dec 2, 2022 @ 00:57:09 INFO Kibana index: .kibana
Dec 2, 2022 @ 00:57:09 INFO App revision: 4203-1
Dec 2, 2022 @ 00:57:09 INFO Total RAM: 16009MB
Dec 2, 2022 @ 00:57:10 ERROR Could not check if the index .wazuh exists due to no permissions for create, delete or check
Dec 2, 2022 @ 00:57:25 INFO Kibana index: .kibana
Dec 2, 2022 @ 00:57:25 INFO App revision: 4203-1
Dec 2, 2022 @ 00:57:25 INFO Total RAM: 16009MB
Dec 2, 2022 @ 00:57:25 ERROR Could not check if the index .wazuh exists due to no permissions for create, delete or check
Dec 2, 2022 @ 01:15:06 INFO Kibana index: .kibana
Dec 2, 2022 @ 01:15:06 INFO App revision: 4203-1
Dec 2, 2022 @ 01:15:06 INFO Total RAM: 16009MB
Dec 2, 2022 @ 01:15:07 ERROR Could not check if the index .wazuh exists due to no permissions for create, delete or check
Dec 2, 2022 @ 01:17:13 INFO Kibana index: .kibana
Dec 2, 2022 @ 01:17:13 INFO App revision: 4203-1
Dec 2, 2022 @ 01:17:13 INFO Total RAM: 16009MB
Dec 2, 2022 @ 01:17:14 ERROR Could not check if the index .wazuh exists due to no permissions for create, delete or check
Dec 2, 2022 @ 01:25:01 ERROR resource_already_exists_exception
Indexer
green open wazuh-alerts-4.x-2022.12.02 ww7vP6M1S8KCLFCJOVoXVQ 3 0 21 0 122.2kb 122.2kb
green open wazuh-alerts-4.x-2022.12.01 iIAAPKh4SNGyPvUN-IOXmg 3 0 667 0 853.2kb 853.2kb
Filebeat test output:
elasticsearch:
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.10.2
Here's some of the different log output:
Log file located at /usr/share/kibana/data/wazuh/logs/wazuhapp.log
Dec 2, 2022 @ 00:57:09 INFO Kibana index: .kibana
Dec 2, 2022 @ 00:57:09 INFO App revision: 4203-1
Dec 2, 2022 @ 00:57:09 INFO Total RAM: 16009MB
Dec 2, 2022 @ 00:57:10 ERROR Could not check if the index .wazuh exists due to no permissions for create, delete or check
Dec 2, 2022 @ 00:57:25 INFO Kibana index: .kibana
Dec 2, 2022 @ 00:57:25 INFO App revision: 4203-1
Dec 2, 2022 @ 00:57:25 INFO Total RAM: 16009MB
Dec 2, 2022 @ 00:57:25 ERROR Could not check if the index .wazuh exists due to no permissions for create, delete or check
Dec 2, 2022 @ 01:15:06 INFO Kibana index: .kibana
Dec 2, 2022 @ 01:15:06 INFO App revision: 4203-1
Dec 2, 2022 @ 01:15:06 INFO Total RAM: 16009MB
Dec 2, 2022 @ 01:15:07 ERROR Could not check if the index .wazuh exists due to no permissions for create, delete or check
Dec 2, 2022 @ 01:17:13 INFO Kibana index: .kibana
Dec 2, 2022 @ 01:17:13 INFO App revision: 4203-1
Dec 2, 2022 @ 01:17:13 INFO Total RAM: 16009MB
Dec 2, 2022 @ 01:17:14 ERROR Could not check if the index .wazuh exists due to no permissions for create, delete or check
Dec 2, 2022 @ 01:25:01 ERROR resource_already_exists_exception
Indexer
green open wazuh-alerts-4.x-2022.12.02 ww7vP6M1S8KCLFCJOVoXVQ 3 0 21 0 122.2kb 122.2kb
green open wazuh-alerts-4.x-2022.12.01 iIAAPKh4SNGyPvUN-IOXmg 3 0 667 0 853.2kb 853.2kb
Filebeat test output:
elasticsearch:
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.10.2
I'll reply as soon as I can.
Regards,
Mateo
Mateo Cervilla
Dec 5, 2022, 11:42:38 AM12/5/22
to Wazuh mailing list
Hi,
I think the reason that the message got deleted is because of the elastichsearch address you included (https and localhost in numbers), I removed it and it worked.
About your issue:
Do you have a Wazuh Cluster?, as I mention before: it is possible that a bad configuration is allowing the entry of alerts from a manager but not from others.
In that case, can you tell me if you have agents connected to all the nodes or just one of them.
One thing you can do is to try to generate alerts over all the cluster's managers and check if all of them reach to the dashboard.
Regards,
Mateo
I think the reason that the message got deleted is because of the elastichsearch address you included (https and localhost in numbers), I removed it and it worked.
About your issue:
Do you have a Wazuh Cluster?, as I mention before: it is possible that a bad configuration is allowing the entry of alerts from a manager but not from others.
In that case, can you tell me if you have agents connected to all the nodes or just one of them.
One thing you can do is to try to generate alerts over all the cluster's managers and check if all of them reach to the dashboard.
Regards,
Mateo
Chouaib Khiari
Dec 5, 2022, 12:05:30 PM12/5/22
to Mateo Cervilla, Wazuh mailing list
Mateo,
I don't believe that i have a Wazuh cluster as i'm using a pre-built Wazuh version on Linode VPS.
Thank you,
Chouaib
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/cOY0RKUmh_Y/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/a3ea55b7-1a5e-4beb-9c44-a54f530ac177n%40googlegroups.com.
Mateo Cervilla
Dec 7, 2022, 2:53:43 PM12/7/22
to Wazuh mailing list
Hi Chouaib, sorry for the late answer.
I'm going to need some more information so we can help you solve the problem.
You can provide us with:
You can also try to generate one alert on the Manager and another on the Agent so we can see the difference, like where are they appearing and where they don't.
The more information you give us, the easier it will be to help you.
Have a nice day. Regards,
Mateo
You can provide us with:
- Agents states and logs (ossec.log)
- Manager logs (ossec.log)
- Filebeat, Indexer and Dashboard logs (located in /var/log)
You can also try to generate one alert on the Manager and another on the Agent so we can see the difference, like where are they appearing and where they don't.
The more information you give us, the easier it will be to help you.
Have a nice day. Regards,
Mateo
Reply all
Reply to author
Forward
0 new messages