Hi Team,
I hope you’re doing well.
I’m writing to ask for help regarding an issue I’m facing with the Azure integration in Wazuh.
I followed the integration steps (PDF attached for reference). The logs are successfully reaching the system, and I can see both new and old logs when I run:
sudo grep "azure-ad-signin" /var/ossec/logs/alerts/alerts.json
However, in the Wazuh Dashboard, the behaviour is different.
The logs appear initially, but when I refresh the index or refresh the UI, the previous logs disappear from the dashboard view. Only the very latest logs (sometimes none) are shown.
The issue:
Logs exist on disk in alerts.json (old + new)
Logs disappear from the Wazuh Dashboard after UI refresh
Unable to view historical Azure AD logs in the dashboard
Could you please help me understand why this is happening and what could be done to resolve it?
Is this related to:
Indexer retention settings?
Template mapping issues?
Incorrect tags or fields in the incoming Azure events?
Dashboard filters overwriting older data?
Any guidance or troubleshooting steps would be greatly appreciated.
Thank you in advance.
Best regards,
Indexer Health: Confirm your Wazuh Indexer has no disk space or cluster health issues, as these can sometimes impact log ingestion and retention.
Retention and Lifecycle: While unusual retention settings can also lead to disappearing logs, your description fits the mapping issue more closely. Review your index lifecycle management settings to ensure data isn’t being purged early as a fallback check.
Dashboard Filters: Check that dashboard filters or saved searches aren’t limiting your log view window (for example, "last 15 minutes" instead of "all time"), though this rarely removes old logs after refresh unless explicitly set.
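A quick way to decide between the two situations the reply separates (alerts never reached the Indexer, versus alerts indexed but hidden by the dashboard's time range or filters) is to count azure-ad-signin alerts per day in alerts.json and compare with a count query against the matching daily index. The script below is an added example for this thread, not part of the original posts and not Wazuh's own tooling. It assumes, hypothetically, that the Indexer REST API is reachable at $INDEXER_URL with credentials in $INDEXER_AUTH, that each alerts.json line begins with a "timestamp" field, and that daily indices follow the wazuh-alerts-4.x-YYYY.MM.DD pattern; the sample alert lines it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added diagnostic for this thread (not Wazuh's own tooling). It separates the two cases the
# reply distinguishes: alerts never reached the Indexer (shipping/mapping problem) versus
# alerts are indexed but hidden by the dashboard's time range or filters.
# Hypothetical assumptions, not taken from the thread: the Indexer REST API is at
# $INDEXER_URL with credentials in $INDEXER_AUTH, each alerts.json line begins with a
# "timestamp" field, and daily indices follow the wazuh-alerts-4.x-YYYY.MM.DD pattern.

INDEXER_URL="${INDEXER_URL:-https://127.0.0.1:9200}"
INDEXER_AUTH="${INDEXER_AUTH:-admin:CHANGE_ME}"   # placeholder, replace with a read-only account

# Write a small constructed alerts.json sample (two days, one non-Azure line) to path $1.
write_sample() {
  cat > "$1" <<'EOF'
{"timestamp":"2024-05-01T09:12:03.101+0000","rule":{"level":3,"description":"Azure: sign-in"},"decoder":{"name":"json"},"data":{"azure_tag":"azure-ad-signin","resultType":"0"}}
{"timestamp":"2024-05-01T09:13:44.202+0000","rule":{"level":5,"description":"sshd: authentication success"},"decoder":{"name":"sshd"}}
{"timestamp":"2024-05-01T10:01:00.303+0000","rule":{"level":3,"description":"Azure: sign-in"},"decoder":{"name":"json"},"data":{"azure_tag":"azure-ad-signin","resultType":"50126"}}
{"timestamp":"2024-05-02T08:00:17.404+0000","rule":{"level":3,"description":"Azure: sign-in"},"decoder":{"name":"json"},"data":{"azure_tag":"azure-ad-signin","resultType":"0"}}
{"timestamp":"2024-05-02T08:05:59.505+0000","rule":{"level":3,"description":"Azure: sign-in"},"decoder":{"name":"json"},"data":{"azure_tag":"azure-ad-signin","resultType":"0"}}
EOF
}

# Count azure-ad-signin alert lines per UTC day in an alerts.json file (grep/sed/awk only, no jq).
# Prints one "YYYY-MM-DD count" line per day, oldest first.
count_on_disk() {
  grep 'azure-ad-signin' "$1" \
    | sed -n 's/^{"timestamp":"\([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}\)T.*/\1/p' \
    | sort | uniq -c \
    | awk '{ print $2, $1 }'
}

# Daily index name for a YYYY-MM-DD day (assumed naming pattern).
index_for_day() {
  echo "wazuh-alerts-4.x-$(echo "$1" | sed 's/-/./g')"
}

# Query body: phrase search for azure-ad-signin across all indexed fields.
count_query() {
  printf '{"query":{"query_string":{"query":"\\"azure-ad-signin\\""}}}'
}

# Ask the Indexer how many azure-ad-signin documents the day's index holds (0 if the index is absent).
indexer_count_for_day() {
  curl -sk -u "$INDEXER_AUTH" -H 'Content-Type: application/json' \
       "$INDEXER_URL/$(index_for_day "$1")/_count" -d "$(count_query)" \
    | sed -n 's/.*"count":\([0-9]*\).*/\1/p' | grep . || echo 0
}

# Turn the two counts into a verdict a responder can act on.
classify() {
  disk=$1; idx=$2
  if [ "$disk" -gt 0 ] && [ "$idx" -eq 0 ]; then
    echo "missing-from-indexer"      # check Filebeat (filebeat test output) and mapping rejections in its log
  elif [ "$idx" -lt "$disk" ]; then
    echo "partially-indexed"         # some documents rejected or purged: mapping conflicts / ILM
  else
    echo "indexed"                   # data is there: widen the dashboard time range, clear saved filters
  fi
}

# Compare every day found on disk against the Indexer (needs a reachable Indexer).
compare_with_indexer() {
  count_on_disk "$1" | while read -r day disk; do
    idx=$(indexer_count_for_day "$day")
    echo "$day disk=$disk indexer=$idx verdict=$(classify "$disk" "$idx")"
  done
}

# Stand-alone run: show the per-day disk counts for the constructed sample, then, only when
# RUN_LIVE=1, query a real Indexer and also dump cluster health and the alert index list.
SAMPLE=$(mktemp)
write_sample "$SAMPLE"
count_on_disk "$SAMPLE"
if [ "${RUN_LIVE:-0}" = 1 ]; then
  ALERTS="${ALERTS_JSON:-/var/ossec/logs/alerts/alerts.json}"
  compare_with_indexer "$ALERTS"
  curl -sk -u "$INDEXER_AUTH" "$INDEXER_URL/_cluster/health?pretty"
  curl -sk -u "$INDEXER_AUTH" "$INDEXER_URL/_cat/indices/wazuh-alerts-*?v&s=index"
fi
rm -f "$SAMPLE"
```

Run it once without RUN_LIVE to see the per-day counts from the constructed sample, then with RUN_LIVE=1 on the manager against the real alerts.json. A "missing-from-indexer" verdict for days that are clearly on disk points at Filebeat or the index template rather than at the dashboard; an "indexed" verdict for every day means the documents exist and the dashboard's time picker or a saved filter is what hides them after refresh.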