filebeat test output error
1,048 views
Skip to first unread message
el mehdi boudi
Feb 9, 2023, 5:34:49 AM2/9/23
to Wazuh mailing list
Hello, I've got this error when tried filebeat test output : 
And also I get this one :
I don't have elasticsearch user and password since I've installed a wazuh-indexer cluster directly. Any clue about how to resolve this issue ?
Thank you for your collaboration,
Raul Del Pozo Moreno
Feb 9, 2023, 9:29:58 AM2/9/23
to el mehdi boudi, Wazuh mailing list
Hello
First, I would need you to share the following information with us, since depending on the deployment/version, the problem may be due to various causes.
The template error can be due to several causes, but to help you better, I would need to know the information requested at the beginning of the comment, for now, please make sure that the file /etc/filebeat/wazuh-template.json exists, in case it does not exist, it may not have been downloaded, either because of a firewall configuration or because the following commands corresponding to a Wazuh server step-by-step installation have not been executed: https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html
First, I would need you to share the following information with us, since depending on the deployment/version, the problem may be due to various causes.
- What version of Wazuh are you trying to deploy?
- What deployment method are you using (Step-by-step, Wazuh installation assistant, Docker deployment, Kubernetes deployment, etc)
- Operating system used (and if you have any firewall configured)
The template error can be due to several causes, but to help you better, I would need to know the information requested at the beginning of the comment, for now, please make sure that the file /etc/filebeat/wazuh-template.json exists, in case it does not exist, it may not have been downloaded, either because of a firewall configuration or because the following commands corresponding to a Wazuh server step-by-step installation have not been executed: https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html
- curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.3/extensions/elasticsearch/7.x/wazuh-template.json
- chmod go+r /etc/filebeat/wazuh-template.json
 | Raúl Del Pozo Moreno IT Security Engineer - CICD |
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/9a7b62aa-d60a-4e6d-ba34-255c4f6ee1edn%40googlegroups.com.
el mehdi boudi
Feb 9, 2023, 9:43:55 AM2/9/23
to Wazuh mailing list
Hello,
Thank your for your response,
Wazuh is already deployed for me, I've deployed a manager cluster, indexer cluster and dashboard v 4.3.10.
And it was with the step by step deployment.
It was working well until I found out that my indexer was not working in cluster but was working as one node instead, so I've loaded new certificates : "/usr/share/wazuh-indexer/bin/indexer-security-init.sh" and initialized the cluster, the cluster is now initialized and connected, but I got this issue. I thought that it could be a certificate issue, so I've also changed the certificates on opensearch.yml and filebeat.yml to my own certificates and CA. and I now I can't even access with admin:admin user to web interface and i got this issue instead : 
I'm using the ubuntu 22.04 for my deployment.
and the file /etc/filebeat/wazuh-template.json does exist
Thank you in advance !
Raul Del Pozo Moreno
Feb 9, 2023, 11:42:38 AM2/9/23
to el mehdi boudi, Wazuh mailing list
Have you modified the /etc/wazuh-indexer/opensearch.yml file of each Wazuh indexer node and the Filebeat node to add the necessary configuration of the new node in addition to changing what is necessary about the new certificates? Note that the Filebeat configuration must point to all Wazuh indexer nodes.
Please run the following commands and show us the output:
Please run the following commands and show us the output:
- /usr/share/wazuh-indexer/bin/indexer-security-init.sh
- curl -k -u admin:admin https://10.54.0.7:9200
- curl -k -u admin:admin https://10.54.0.7:9200/_cat/nodes?v
I have managed to reproduce the error shown by Filebeat on a node with Wazuh indexer and Filebeat installed, but whose cluster has not been initialized. This can be caused, for example, because the command has not been executed or it has not been initialized due to some error, if you have added your own certificates, this is probably the second case. It would be necessary to know the output of the three previous commands. Additionally, please, attach the output of the following commands in a text file:
- grep -R -i -E "error|critical|fatal|warning" /var/log/wazuh-indexer/ > output1.log
- journalctl -r -u wazuh-indexer | grep -i -E "error|critical|fatal|warning" > output2.log
Note that the output of the journalctl command may display WARNING messages that we are already aware of and are in the process of fixing it.
| Raúl Del Pozo Moreno IT Security Engineer - CICD |
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/2e004e3a-89db-4fe9-905d-4193d6242601n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages