wazuh inoperative
Erick Quinto
Stuti Gupta
The Wazuh dashboard is not ready yet. This issue mainly happens when the wazuh-indexer is not working properly. Can you please follow these troubleshooting steps so we can identify the root cause and work accordingly:
Check the status of the Wazuh indexer to ensure it’s active:
systemctl status wazuh-indexer
Check the cluster health with:
curl -XGET -k -u user:pass "https://localhost:9200/_cluster/health"
Or on the web interface, go to Indexer management → Dev Tools and run this command:
GET _cluster/health
Check the number of shards, because if the total shards crosses the limit per node (default 1000 per indexer node), the indexer stops indexing. The solution for this is:
Depending on the number of nodes, you can change the primary and replica shards and re-index the old indices: https://documentation.wazuh.com/current/user-manual/wazuh-indexer/wazuh-indexer-tuning.html#setting-the-number-of-replicas
Adding more indexer nodes: https://documentation.wazuh.com/current/user-manual/wazuh-indexer-cluster/add-wazuh-indexer-nodes.html
Deleting old indices: Use the API or CLI to delete older wazuh-alerts indices:
DELETE <index_name>
Or via cURL:
curl -k -u admin:<Indexer_Password> -XDELETE "https://<WAZUH_INDEXER_IP>:9200/wazuh-alerts-4.x-YYYY.MM.DD"
Use ILM: https://documentation.wazuh.com/current/user-manual/wazuh-indexer-cluster/index-lifecycle-management.html
If the issue still persists, share the logs from the indexer log files:
cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
In the cluster logs, you can find information like low disk. watermark, which indicates a low storage issue. If you see this, you need to increase the storage or delete some old logs to make space for new logs: https://wazuh.com/blog/recover-your-data-using-wazuh-alert-backups/.
Erick Quinto
Stuti Gupta
Sorry for the delayed response:
Can you please share all the wazuh-indexer logs? You have only shared a few logs
/var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
Share the output of
filebeat test output.
I also believe if this fresh installation, you somehow missed running the following command:
Please run the command and share the output as well.
Erick Quinto
It is not a fresh setup.
filebeat test output.
Erick Quinto
After reviewing the current state of our Wazuh deployment, my team has determined that continuing to troubleshoot the existing environment is no longer viable due to the operational urgency of having the platform fully functional as soon as possible. The previous installation presents incompatibilities related to the operating system version, repository behavior, and Filebeat dependencies, which prevent us from stabilizing the service within the required timeframe.
To ensure a clean, fully supported, and production-ready deployment, we have decided to rebuild the server using Rocky Linux 9.4 (x86_64), one of the operating systems recommended in Wazuh’s official documentation. After reinstalling the OS, we will proceed with a fresh installation of Wazuh 4.7.4, which provides full compatibility and consistent paths for all components (Manager, Indexer, Dashboard).
This approach will allow us to restore the platform quickly, avoid further interruptions, and ensure that the configuration fully aligns with Wazuh’s supported environment and recommended best practices.
Thank you for your understanding and assistance. Once the new environment is deployed, we will continue following the official guidelines. Please proceed to close this case.