Events not showing on Wazuh Dashboard


Chouaib Khiari

Dec 1, 2022, 9:52:09 PM
to Wazuh mailing list
Hello, 

I just installed version 4.3.10 of Wazuh and I have all agents active, but I don't see any events in the "Security Events" section except the events related to the server that is hosting Wazuh itself. I did check the alerts.json internally and I see that the server is receiving the agents' alerts under /var/ossec/logs/alerts/alerts.json.
Can you please help me figure out why they are not showing in the dashboard?

Thank you,
Chouaib

Mateo Cervilla

Dec 2, 2022, 12:32:57 PM
to Wazuh mailing list
Hello,

To give you some context, the flow of events is like this:

    Agent -> Manager (Server)-> Filebeat -> Indexer -> Dashboard

Somewhere in this sequence there must be some misconfiguration or error.

If you can see the alerts under /var/ossec/logs/alerts/alerts.json we can rule out that the problem is between the Agent and the Manager.
If you can also see the Manager alerts on the Dashboard then we can also rule out that the problem is between the Manager and the Dashboard.

You can re-check the settings and make sure everything is well configured.
We can help you a bit more if you provide us with more information, like logs from the different modules (Manager, Filebeat, Indexer, Dashboard), and then maybe we can find an error that is causing the problem.
Here is some information about Log data collection.

Another thing to consider is if you have a Wazuh Cluster, it is possible that a bad configuration is allowing the entry of alerts from a manager but not from others.

Regards,

Mateo

Mateo Cervilla

Dec 5, 2022, 11:11:22 AM
to Wazuh mailing list
Hello Chouaib, I brought the message you sent me privately here so it continues in this thread:

Here's some of the different log output:
Log file located at /usr/share/kibana/data/wazuh/logs/wazuhapp.log

Dec 2, 2022 @ 00:57:09  INFO  Kibana index: .kibana
Dec 2, 2022 @ 00:57:09  INFO  App revision: 4203-1
Dec 2, 2022 @ 00:57:09  INFO  Total RAM: 16009MB
Dec 2, 2022 @ 00:57:10  ERROR  Could not check if the index .wazuh exists due to no permissions for create, delete or check
Dec 2, 2022 @ 00:57:25  INFO  Kibana index: .kibana
Dec 2, 2022 @ 00:57:25  INFO  App revision: 4203-1
Dec 2, 2022 @ 00:57:25  INFO  Total RAM: 16009MB
Dec 2, 2022 @ 00:57:25  ERROR  Could not check if the index .wazuh exists due to no permissions for create, delete or check
Dec 2, 2022 @ 01:15:06  INFO  Kibana index: .kibana
Dec 2, 2022 @ 01:15:06  INFO  App revision: 4203-1
Dec 2, 2022 @ 01:15:06  INFO  Total RAM: 16009MB
Dec 2, 2022 @ 01:15:07  ERROR  Could not check if the index .wazuh exists due to no permissions for create, delete or check
Dec 2, 2022 @ 01:17:13  INFO  Kibana index: .kibana
Dec 2, 2022 @ 01:17:13  INFO  App revision: 4203-1
Dec 2, 2022 @ 01:17:13  INFO  Total RAM: 16009MB
Dec 2, 2022 @ 01:17:14  ERROR  Could not check if the index .wazuh exists due to no permissions for create, delete or check
Dec 2, 2022 @ 01:25:01  ERROR  resource_already_exists_exception

Indexer
green open wazuh-alerts-4.x-2022.12.02 ww7vP6M1S8KCLFCJOVoXVQ 3 0  21 0 122.2kb 122.2kb
green open wazuh-alerts-4.x-2022.12.01 iIAAPKh4SNGyPvUN-IOXmg 3 0 667 0 853.2kb 853.2kb

Filebeat test output:
elasticsearch:
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

I'll reply as soon as I can.

Regards,
Mateo

Mateo Cervilla

Dec 5, 2022, 11:42:38 AM
to Wazuh mailing list
Hi,

I think the reason that the message got deleted is because of the Elasticsearch address you included (https and localhost in numbers); I removed it and it worked.

About your issue:

Do you have a Wazuh cluster? As I mentioned before, it is possible that a bad configuration is allowing the entry of alerts from one manager but not from others.
In that case, can you tell me if you have agents connected to all the nodes or just one of them?
One thing you can do is to try to generate alerts on all the cluster's managers and check if all of them reach the dashboard.

Regards,

Mateo

Chouaib Khiari

Dec 5, 2022, 12:05:30 PM
to Mateo Cervilla, Wazuh mailing list
Mateo, 

I don't believe that I have a Wazuh cluster, as I'm using a pre-built Wazuh version on a Linode VPS.

Thank you, 
Chouaib



Mateo Cervilla

Dec 7, 2022, 2:53:43 PM
to Wazuh mailing list
Hi Chouaib, sorry for the late answer.

I'm going to need some more information so we can help you solve the problem.

You can provide us with:
  • Agents states and logs (ossec.log)
  • Manager logs (ossec.log)
  • Filebeat, Indexer and Dashboard logs (located in /var/log)

You can also try to generate one alert on the Manager and another on the Agent so we can see the difference, like where they appear and where they don't.

The more information you give us, the easier it will be to help you.

Have a nice day. Regards,

Mateo
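The two checks Mateo describes above (his Dec 2 reply on the Agent -> Manager -> Filebeat -> Indexer -> Dashboard flow, and his Dec 7 suggestion to raise one alert on the Manager and one on an Agent and see where each turns up) can be scripted. The example below is added here and is not code from the thread or from the Wazuh project: it counts the alerts per agent in alerts.json and compares them with a terms aggregation on `agent.id` answered by the indexer, so an agent whose alerts sit on disk but never reach the index points at Filebeat or the Indexer rather than at the agent. The alert lines and the aggregation response are constructed samples, the aggregation name `by_agent` is an assumption, and agent id `000` is the manager itself.

```python
"""Narrow down where Wazuh alerts stop in the Agent -> Manager -> Filebeat -> Indexer -> Dashboard chain.

Added example, not from the mailing-list thread or the Wazuh project. It compares
per-agent alert counts from /var/ossec/logs/alerts/alerts.json (one JSON alert per
line) with per-agent document counts from the indexer, which is what the dashboard
reads. All input below is constructed.
"""
import json
from collections import Counter

MANAGER_AGENT_ID = "000"   # the manager reports its own alerts as agent 000

# Constructed alerts.json lines: two from the manager (000), two from agent 001,
# plus one broken line to show that a malformed line is skipped, not fatal.
SAMPLE_ALERTS_JSON = """\
{"timestamp":"2022-12-02T00:57:10.000+0000","rule":{"level":3,"id":"5501","description":"PAM: Login session opened."},"agent":{"id":"000","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"id":"1669942630.1"}
{"timestamp":"2022-12-02T00:58:00.000+0000","rule":{"level":5,"id":"5710","description":"sshd: Attempt to login using a non-existent user"},"agent":{"id":"001","name":"web-01","ip":"10.0.0.11"},"manager":{"name":"wazuh-manager"},"id":"1669942680.2"}
{"timestamp":"2022-12-02T00:58:30.000+0000","rule":{"level":3,"id":"5501","description":"PAM: Login session opened."},"agent":{"id":"001","name":"web-01","ip":"10.0.0.11"},"manager":{"name":"wazuh-manager"},"id":"1669942710.3"}
{"timestamp":"2022-12-02T00:59:00.000+0000","rule":{"level":7,"id":"550","description":"Integrity checksum changed."},"agent":{"id":"000","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"id":"1669942740.4"}
this line is not JSON and must be skipped
"""

# Constructed indexer answer to a terms aggregation (assumed name "by_agent") on
# agent.id over wazuh-alerts-*: only the manager's own alerts made it into the index.
SAMPLE_INDEXER_AGG = {
    "aggregations": {
        "by_agent": {
            "buckets": [
                {"key": "000", "doc_count": 2},
            ]
        }
    }
}


def count_alerts_per_agent(alerts_json_text):
    """Count alerts per agent id in alerts.json content; malformed lines are skipped."""
    counts = Counter()
    for line in alerts_json_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue
        agent_id = alert.get("agent", {}).get("id")
        if agent_id is not None:
            counts[agent_id] += 1
    return dict(counts)


def indexer_counts_per_agent(agg_response):
    """Turn a terms-aggregation response keyed on agent.id into {agent_id: doc_count}."""
    buckets = agg_response["aggregations"]["by_agent"]["buckets"]
    return {bucket["key"]: bucket["doc_count"] for bucket in buckets}


def diagnose(alerts_json_text, agg_response):
    """Return a verdict per pipeline stage.

    agent_to_manager_ok: some non-manager agent has alerts in alerts.json, so the
        Agent -> Manager leg works.
    manager_alerts_indexed: the manager's own alerts reached the indexer, so the
        Manager -> Filebeat -> Indexer leg works at least for local alerts.
    missing_in_indexer: agents present on disk but absent from the index; this is
        the symptom described in the thread and points at Filebeat / Indexer.
    """
    on_disk = count_alerts_per_agent(alerts_json_text)
    indexed = indexer_counts_per_agent(agg_response)
    non_manager = {a: n for a, n in on_disk.items() if a != MANAGER_AGENT_ID}
    missing = sorted(a for a in on_disk if a not in indexed)
    return {
        "agent_to_manager_ok": bool(non_manager),
        "manager_alerts_indexed": MANAGER_AGENT_ID in indexed,
        "missing_in_indexer": missing,
        "on_disk": on_disk,
        "indexed": indexed,
    }


if __name__ == "__main__":
    # On a real server, read /var/ossec/logs/alerts/alerts.json and feed the
    # indexer's search response (with a terms aggregation on agent.id) instead.
    print(json.dumps(diagnose(SAMPLE_ALERTS_JSON, SAMPLE_INDEXER_AGG), indent=2))
```

With the constructed input the report shows agent 001 present on disk but missing from the index while the manager's alerts are indexed, which is exactly the situation Chouaib describes and places the fault after the Manager rather than between Agent and Manager.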
