statistics and monitoring index not created.

German DiCasas

unread,

Apr 26, 2024, 12:45:01 PM4/26/24

to Wazuh | Mailing List

Hi team, hope you can help!!!

Over a installed wazuh verison 4.7.3 I donot have any index of statistics or monitoring. Some days ago yes but now not. I ejecuted the follow commands and the first one indicate that wazuh-statitics exist but no permissions.

cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"

{"data":{"message":"Could not check if the index wazuh-statistics-2024.15w exists due to no permissions for create, delete or check","stack":"ResponseError: Could not check if the index wazuh-statistics-2024.15w exists due to no permissions for create, delete or check\n at onBody (/usr/share/wazuh-dashboard/node_modules/@opensearch-project/opensearch/lib/Transport.js:374:23)\n at IncomingMessage.onEnd (/usr/share/wazuh-dashboard/node_modules/@opensearch-project/opensearch/lib/Transport.js:293:11)\n at IncomingMessage.emit (node:events:525:35)\n at IncomingMessage.emit (node:domain:489:12)\n at endReadableNT (node:internal/streams/readable:1358:12)\n at processTicksAndRejections (node:internal/process/task_queues:83:21)"},"date":"2024-04-11T22:15:00.365Z","level":"info","location":"Cron-scheduler"}
{"date":"2024-04-11T22:15:00.419Z","level":"error","location":"monitoring:insertMonitoringDataElasticsearch","message":"Could not check if the index wazuh-monitoring-2024.15w exists due to no permissions for create, delete or check"}

with cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

2024/04/11 18:49:50 wazuh-modulesd: WARNING: The 'hotfixes' option is only available on Windows systems. Ignoring it.
2024/04/11 18:49:50 wazuh-modulesd: WARNING: 'update_from_year' option cannot be used for 'nvd' provider.
2024/04/11 18:49:50 wazuh-modulesd: WARNING: Couldn't connect to download module socket 'queue/sockets/download'
2024/04/11 18:49:50 wazuh-modulesd: WARNING: Couldn't connect to download module socket 'queue/sockets/download'
2024/04/11 18:52:01 wazuh-logcollector: WARNING: Target 'agent' message queue is full (1024). Log lines may be lost.
2024/04/11 18:53:32 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2024/04/11 18:58:32 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.

filebeat test output
elasticsearch: https://127.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.10.2

cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -iE 'WARN|ERR'

[2024-04-11T18:48:44,939][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
[2024-04-11T18:48:44,941][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin)
[2024-04-11T18:48:48,409][ERROR][o.o.s.a.BackendRegistry ] [node-1] Cannot retrieve roles for User [name=kibanaserver, backend_roles=[], requestedTenant=null] from ldap due to OpenSearchSecurityException[OpenSearchSecurityException[No user kibanaserver found]]; nested: OpenSearchSecurityException[No user kibanaserver found];
[2024-04-11T18:49:19,505][WARN ][o.o.s.a.BackendRegistry ] [node-1] No 'Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2024-04-11T18:49:19,506][WARN ][o.o.s.a.BackendRegistry ] [node-1] No 'Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2024-04-11T18:49:19,516][WARN ][o.o.s.a.BackendRegistry ] [node-1] No 'Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2024-04-11T18:49:19,898][ERROR][o.o.s.a.BackendRegistry ] [node-1] Cannot retrieve roles for User [name=admin, backend_roles=[admin], requestedTenant=null] from ldap due to OpenSearchSecurityException[OpenSearchSecurityException[No user admin found]]; nested: OpenSearchSecurityException[No user admin found];
[2024-04-11T18:49:32,616][ERROR][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Failed to migrate destination data
[2024-04-11T18:49:43,370][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opendistro-ism-managed-index-history-2024.03.24-000467/O1errKIYQy-l1Mn7PtuMGA]
[2024-04-11T18:50:32,586][ERROR][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Failed to migrate destination data
[2024-04-11T18:51:07,570][WARN ][r.suppressed ] [node-1] path: /.kibana/_count, params: {index=.kibana}
[2024-04-11T18:51:27,659][WARN ][r.suppressed ] [node-1] path: /.kibana/_count, params: {index=.kibana}
[2024-04-11T18:51:30,413][WARN ][r.suppressed ] [node-1] path: /.kibana/_count, params: {index=.kibana}
[2024-04-11T18:51:32,584][ERROR][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Failed to migrate destination data
[2024-04-11T18:51:32,922][WARN ][r.suppressed ] [node-1] path: /.kibana/_count, params: {index=.kibana}
[2024-04-11T18:51:35,431][WARN ][r.suppressed ] [node-1] path: /.kibana/_count, params: {index=.kibana}
[2024-04-11T18:52:08,186][WARN ][r.suppressed ] [node-1] path: /.kibana/_count, params: {index=.kibana}
at org.opensearch.action.ActionListenerResponseHandler.handleException(ActionListenerResponseHandler.java:74) [opensearch-2.8.0.jar:2.8.0]
at org.opensearch.transport.TransportChannel.sendErrorResponse(TransportChannel.java:71) [opensearch-2.8.0.jar:2.8.0]
[2024-04-11T18:52:10,842][WARN ][o.o.i.s.IndexShard ] [node-1] [.opendistro-ism-config][0] no index mapper found for field: [_type] returning default postings format

Also at the moment to refresh the index patterns wazuh-monitoring-* or wazuh-statistics-* give this error:

Thanks

German

index error 1.png

Aditya Sharma

unread,

Apr 29, 2024, 3:25:48 AM4/29/24

to Wazuh | Mailing List

Hi German,

Please follow the below steps to resolve it:

Stop filebeat
Delete index template wazuh
Delete index template wazuh-agent
Delete index pattern wazuh-alerts-*
Delete index pattern wazuh-monitoring-*
Delete index pattern wazuh-statistics-*
Follow the upgrade kibana instructions at this link except instead of step 3 to update Kibana via apt I just stopped the service.
https://documentation.wazuh.com/4.0/upgrade-guide/elasticsearch-kibana-filebeat/upgrading-elastic-stack.html
Start back up filebeat
Login to Kibana
Verify the index templates and index patterns were recreated.
Verify the wazuh plugin in Kibana works
Check if the wazuh-monitoring index is getting docs added
Restart kibana
Check again if the wazuh-monitoring index is getting docs added (wait 15 minutes)

Also, you can check out this issue also: https://github.com/wazuh/wazuh-dashboard-plugins/issues/2670

Regards

German DiCasas

unread,

Apr 29, 2024, 11:42:00 AM4/29/24

to Wazuh | Mailing List

Thanks Aditya for the reply... not sure how to do the first items 2 to 6. I can see the Index patterm over Stack Managements -> Index Patterns . I can see Index alert, monitoring and statistics. I deleted from there? Also I cant find the related to item 2 and 3.

Iam working over wazuh 4.7.3. I deleted those indexes but they were not automatically recreated after restarting the service. so I went back to the backup I had.

Regards

German DiCasas

unread,

Apr 29, 2024, 12:39:42 PM4/29/24

to Wazuh | Mailing List

Sorry, after a while the indexes that I deleted were recreated. the log the error is still there. but I didn't do steps 2 and 3, so tell me how to delete those so I can try again. Thanks

Greetings

German DiCasas

unread,

Apr 29, 2024, 4:13:39 PM4/29/24

to Wazuh | Mailing List

Also.....At the moment to refresh the field list of monitoring this is the error... hope help to fix this error

error index.png

Aditya Sharma

unread,

May 2, 2024, 3:59:52 AM5/2/24

to Wazuh | Mailing List

Hi Team,

Can you please share with me the output of this command: GET _template/wazuh-agent & GET _template/wazuh

dev tools output.jpg

German DiCasas

unread,

May 2, 2024, 10:22:03 AM5/2/24

to Wazuh | Mailing List

Aditya ,

This is the output:

GET _template/wazuh-agent

{
"wazuh-agent": {
"order": 0,
"index_patterns": [
"wazuh-monitoring-*"
],
"settings": {
"index": {
"refresh_interval": "5s"
}
},
"mappings": {
"properties": {
"cluster": {
"properties": {
"name": {
"type": "keyword"
}
}
},
"ip": {
"type": "keyword"
},
"host": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"timestamp": {
"format": "dateOptionalTime",
"type": "date"
},
"status": {
"type": "keyword"
}
}
},
"aliases": {}
}
}

and the GET _template/wazuh:

{
"wazuh": {
"order": 0,
"version": 1,
"index_patterns": [
"wazuh-alerts-4.x-*",
"wazuh-archives-4.x-*"
],
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"refresh_interval": "5s",
"number_of_shards": "3",
"auto_expand_replicas": "0-1",
"number_of_replicas": "0",
"query": {
"default_field": [
"GeoLocation.city_name",
"GeoLocation.continent_code",
"GeoLocation.country_code2",
"GeoLocation.country_code3",
"GeoLocation.country_name",
"GeoLocation.ip",
"GeoLocation.postal_code",
"GeoLocation.real_region_name",
"GeoLocation.region_name",
"GeoLocation.timezone",
"agent.id",
"agent.ip",
"agent.name",
"cluster.name",
"cluster.node",
"command",
"data",
"data.action",
"data.audit",
"data.audit.acct",
"data.audit.arch",
"data.audit.auid",
"data.audit.command",
"data.audit.cwd",
"data.audit.dev",
"data.audit.directory.inode",
"data.audit.directory.mode",
"data.audit.directory.name",
"data.audit.egid",
"data.audit.enforcing",
"data.audit.euid",
"data.audit.exe",
"data.audit.execve.a0",
"data.audit.execve.a1",
"data.audit.execve.a2",
"data.audit.execve.a3",
"data.audit.exit",
"data.audit.file.inode",
"data.audit.file.mode",
"data.audit.file.name",
"data.audit.fsgid",
"data.audit.fsuid",
"data.audit.gid",
"data.audit.id",
"data.audit.key",
"data.audit.list",
"data.audit.old-auid",
"data.audit.old-ses",
"data.audit.old_enforcing",
"data.audit.old_prom",
"data.audit.op",
"data.audit.pid",
"data.audit.ppid",
"data.audit.prom",
"data.audit.res",
"data.audit.session",
"data.audit.sgid",
"data.audit.srcip",
"data.audit.subj",
"data.audit.success",
"data.audit.suid",
"data.audit.syscall",
"data.audit.tty",
"data.audit.uid",
"data.aws.accountId",
"data.aws.account_id",
"data.aws.action",
"data.aws.actor",
"data.aws.aws_account_id",
"data.aws.description",
"data.aws.dstport",
"data.aws.errorCode",
"data.aws.errorMessage",
"data.aws.eventID",
"data.aws.eventName",
"data.aws.eventSource",
"data.aws.eventType",
"data.aws.id",
"data.aws.name",
"data.aws.requestParameters.accessKeyId",
"data.aws.requestParameters.bucketName",
"data.aws.requestParameters.gatewayId",
"data.aws.requestParameters.groupDescription",
"data.aws.requestParameters.groupId",
"data.aws.requestParameters.groupName",
"data.aws.requestParameters.host",
"data.aws.requestParameters.hostedZoneId",
"data.aws.requestParameters.instanceId",
"data.aws.requestParameters.instanceProfileName",
"data.aws.requestParameters.loadBalancerName",
"data.aws.requestParameters.loadBalancerPorts",
"data.aws.requestParameters.masterUserPassword",
"data.aws.requestParameters.masterUsername",
"data.aws.requestParameters.name",
"data.aws.requestParameters.natGatewayId",
"data.aws.requestParameters.networkAclId",
"data.aws.requestParameters.path",
"data.aws.requestParameters.policyName",
"data.aws.requestParameters.port",
"data.aws.requestParameters.stackId",
"data.aws.requestParameters.stackName",
"data.aws.requestParameters.subnetId",
"data.aws.requestParameters.subnetIds",
"data.aws.requestParameters.volumeId",
"data.aws.requestParameters.vpcId",
"data.aws.resource.accessKeyDetails.accessKeyId",
"data.aws.resource.accessKeyDetails.principalId",
"data.aws.resource.accessKeyDetails.userName",
"data.aws.resource.instanceDetails.instanceId",
"data.aws.resource.instanceDetails.instanceState",
"data.aws.resource.instanceDetails.networkInterfaces.privateDnsName",
"data.aws.resource.instanceDetails.networkInterfaces.publicDnsName",
"data.aws.resource.instanceDetails.networkInterfaces.subnetId",
"data.aws.resource.instanceDetails.networkInterfaces.vpcId",
"data.aws.resource.instanceDetails.tags.value",
"data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId",
"data.aws.responseElements.description",
"data.aws.responseElements.instanceId",
"data.aws.responseElements.instances.instanceId",
"data.aws.responseElements.instancesSet.items.instanceId",
"data.aws.responseElements.listeners.port",
"data.aws.responseElements.loadBalancerName",
"data.aws.responseElements.loadBalancers.vpcId",
"data.aws.responseElements.loginProfile.userName",
"data.aws.responseElements.networkAcl.vpcId",
"data.aws.responseElements.ownerId",
"data.aws.responseElements.publicIp",
"data.aws.responseElements.user.userId",
"data.aws.responseElements.user.userName",
"data.aws.responseElements.volumeId",
"data.aws.service.serviceName",
"data.aws.severity",
"data.aws.source",
"data.aws.sourceIPAddress",
"data.aws.srcport",
"data.aws.userIdentity.accessKeyId",
"data.aws.userIdentity.accountId",
"data.aws.userIdentity.userName",
"data.aws.vpcEndpointId",
"data.command",
"data.cis.group",
"data.cis.rule_title",
"data.data",
"data.docker.Actor.Attributes.container",
"data.docker.Actor.Attributes.image",
"data.docker.Actor.Attributes.name",
"data.docker.Actor.ID",
"data.docker.id",
"data.docker.message",
"data.docker.status",
"data.dstip",
"data.dstport",
"data.dstuser",
"data.extra_data",
"data.gcp.jsonPayload.queryName",
"data.gcp.jsonPayload.vmInstanceName",
"data.gcp.resource.labels.location",
"data.gcp.resource.labels.project_id",
"data.gcp.resource.labels.source_type",
"data.gcp.resource.type",
"data.github.org",
"data.github.actor",
"data.github.action",
"data.github.repo",
"data.hardware.serial",
"data.id",
"data.integration",
"data.netinfo.iface.adapter",
"data.netinfo.iface.ipv4.address",
"data.netinfo.iface.ipv6.address",
"data.netinfo.iface.mac",
"data.netinfo.iface.name",
"data.office365.Actor.ID",
"data.office365.UserId",
"data.office365.Operation",
"data.office365.ClientIP",
"data.os.architecture",
"data.os.build",
"data.os.codename",
"data.os.hostname",
"data.os.major",
"data.os.minor",
"data.os.patch",
"data.os.name",
"data.os.platform",
"data.os.release",
"data.os.release_version",
"data.os.display_version",
"data.os.sysname",
"data.os.version",
"data.oscap.check.description",
"data.oscap.check.id",
"data.oscap.check.identifiers",
"data.oscap.check.oval.id",
"data.oscap.check.rationale",
"data.oscap.check.references",
"data.oscap.check.result",
"data.oscap.check.severity",
"data.oscap.check.title",
"data.oscap.scan.benchmark.id",
"data.oscap.scan.content",
"data.oscap.scan.id",
"data.oscap.scan.profile.id",
"data.oscap.scan.profile.title",
"data.osquery.columns.address",
"data.osquery.columns.command",
"data.osquery.columns.description",
"data.osquery.columns.dst_ip",
"data.osquery.columns.gid",
"data.osquery.columns.hostname",
"data.osquery.columns.md5",
"data.osquery.columns.path",
"data.osquery.columns.sha1",
"data.osquery.columns.sha256",
"data.osquery.columns.src_ip",
"data.osquery.columns.user",
"data.osquery.columns.username",
"data.osquery.name",
"data.osquery.pack",
"data.port.process",
"data.port.protocol",
"data.port.state",
"data.process.args",
"data.process.cmd",
"data.process.egroup",
"data.process.euser",
"data.process.fgroup",
"data.process.name",
"data.process.rgroup",
"data.process.ruser",
"data.process.sgroup",
"data.process.state",
"data.process.suser",
"data.program.architecture",
"data.program.description",
"data.program.format",
"data.program.location",
"data.program.multiarch",
"data.program.name",
"data.program.priority",
"data.program.section",
"data.program.source",
"data.program.vendor",
"data.program.version",
"data.protocol",
"data.pwd",
"data.sca",
"data.sca.check.compliance.cis",
"data.sca.check.compliance.cis_csc",
"data.sca.check.compliance.pci_dss",
"data.sca.check.compliance.hipaa",
"data.sca.check.compliance.nist_800_53",
"data.sca.check.description",
"data.sca.check.directory",
"data.sca.check.file",
"data.sca.check.id",
"data.sca.check.previous_result",
"data.sca.check.process",
"data.sca.check.rationale",
"data.sca.check.reason",
"data.sca.check.references",
"data.sca.check.registry",
"data.sca.check.remediation",
"data.sca.check.result",
"data.sca.check.status",
"data.sca.check.title",
"data.sca.description",
"data.sca.file",
"data.sca.invalid",
"data.sca.name",
"data.sca.policy",
"data.sca.policy_id",
"data.sca.scan_id",
"data.sca.total_checks",
"data.script",
"data.src_ip",
"data.src_port",
"data.srcip",
"data.srcport",
"data.srcuser",
"data.status",
"data.system_name",
"data.title",
"data.tty",
"data.uid",
"data.url",
"data.virustotal.description",
"data.virustotal.error",
"data.virustotal.found",
"data.virustotal.permalink",
"data.virustotal.scan_date",
"data.virustotal.sha1",
"data.virustotal.source.alert_id",
"data.virustotal.source.file",
"data.virustotal.source.md5",
"data.virustotal.source.sha1",
"data.vulnerability.cve",
"data.vulnerability.cvss.cvss2.base_score",
"data.vulnerability.cvss.cvss2.exploitability_score",
"data.vulnerability.cvss.cvss2.impact_score",
"data.vulnerability.cvss.cvss2.vector.access_complexity",
"data.vulnerability.cvss.cvss2.vector.attack_vector",
"data.vulnerability.cvss.cvss2.vector.authentication",
"data.vulnerability.cvss.cvss2.vector.availability",
"data.vulnerability.cvss.cvss2.vector.confidentiality_impact",
"data.vulnerability.cvss.cvss2.vector.integrity_impact",
"data.vulnerability.cvss.cvss2.vector.privileges_required",
"data.vulnerability.cvss.cvss2.vector.scope",
"data.vulnerability.cvss.cvss2.vector.user_interaction",
"data.vulnerability.cvss.cvss3.base_score",
"data.vulnerability.cvss.cvss3.exploitability_score",
"data.vulnerability.cvss.cvss3.impact_score",
"data.vulnerability.cvss.cvss3.vector.access_complexity",
"data.vulnerability.cvss.cvss3.vector.attack_vector",
"data.vulnerability.cvss.cvss3.vector.authentication",
"data.vulnerability.cvss.cvss3.vector.availability",
"data.vulnerability.cvss.cvss3.vector.confidentiality_impact",
"data.vulnerability.cvss.cvss3.vector.integrity_impact",
"data.vulnerability.cvss.cvss3.vector.privileges_required",
"data.vulnerability.cvss.cvss3.vector.scope",
"data.vulnerability.cvss.cvss3.vector.user_interaction",
"data.vulnerability.cwe_reference",
"data.vulnerability.package.source",
"data.vulnerability.package.architecture",
"data.vulnerability.package.condition",
"data.vulnerability.package.generated_cpe",
"data.vulnerability.package.name",
"data.vulnerability.package.version",
"data.vulnerability.rationale",
"data.vulnerability.severity",
"data.vulnerability.title",
"data.vulnerability.assigner",
"data.vulnerability.cve_version",
"data.win.eventdata.auditPolicyChanges",
"data.win.eventdata.auditPolicyChangesId",
"data.win.eventdata.binary",
"data.win.eventdata.category",
"data.win.eventdata.categoryId",
"data.win.eventdata.data",
"data.win.eventdata.image",
"data.win.eventdata.ipAddress",
"data.win.eventdata.ipPort",
"data.win.eventdata.keyName",
"data.win.eventdata.logonGuid",
"data.win.eventdata.logonProcessName",
"data.win.eventdata.operation",
"data.win.eventdata.parentImage",
"data.win.eventdata.processId",
"data.win.eventdata.processName",
"data.win.eventdata.providerName",
"data.win.eventdata.returnCode",
"data.win.eventdata.service",
"data.win.eventdata.status",
"data.win.eventdata.subcategory",
"data.win.eventdata.subcategoryGuid",
"data.win.eventdata.subcategoryId",
"data.win.eventdata.subjectDomainName",
"data.win.eventdata.subjectLogonId",
"data.win.eventdata.subjectUserName",
"data.win.eventdata.subjectUserSid",
"data.win.eventdata.targetDomainName",
"data.win.eventdata.targetLinkedLogonId",
"data.win.eventdata.targetLogonId",
"data.win.eventdata.targetUserName",
"data.win.eventdata.targetUserSid",
"data.win.eventdata.workstationName",
"data.win.system.channel",
"data.win.system.computer",
"data.win.system.eventID",
"data.win.system.eventRecordID",
"data.win.system.eventSourceName",
"data.win.system.keywords",
"data.win.system.level",
"data.win.system.message",
"data.win.system.opcode",
"data.win.system.processID",
"data.win.system.providerGuid",
"data.win.system.providerName",
"data.win.system.securityUserID",
"data.win.system.severityValue",
"data.win.system.userID",
"decoder.ftscomment",
"decoder.name",
"decoder.parent",
"full_log",
"host",
"id",
"input",
"location",
"manager.name",
"message",
"offset",
"predecoder.hostname",
"predecoder.program_name",
"previous_log",
"previous_output",
"program_name",
"rule.cis",
"rule.cve",
"rule.description",
"rule.gdpr",
"rule.gpg13",
"rule.groups",
"rule.id",
"rule.info",
"rule.mitre.id",
"rule.mitre.tactic",
"rule.mitre.technique",
"rule.pci_dss",
"rule.hipaa",
"rule.nist_800_53",
"syscheck.audit.effective_user.id",
"syscheck.audit.effective_user.name",
"syscheck.audit.group.id",
"syscheck.audit.group.name",
"syscheck.audit.login_user.id",
"syscheck.audit.login_user.name",
"syscheck.audit.process.id",
"syscheck.audit.process.name",
"syscheck.audit.process.ppid",
"syscheck.audit.user.id",
"syscheck.audit.user.name",
"syscheck.diff",
"syscheck.event",
"syscheck.gid_after",
"syscheck.gid_before",
"syscheck.gname_after",
"syscheck.gname_before",
"syscheck.inode_after",
"syscheck.inode_before",
"syscheck.md5_after",
"syscheck.md5_before",
"syscheck.path",
"syscheck.mode",
"syscheck.perm_after",
"syscheck.perm_before",
"syscheck.sha1_after",
"syscheck.sha1_before",
"syscheck.sha256_after",
"syscheck.sha256_before",
"syscheck.tags",
"syscheck.uid_after",
"syscheck.uid_before",
"syscheck.uname_after",
"syscheck.uname_before",
"syscheck.arch",
"syscheck.value_name",
"syscheck.value_type",
"syscheck.changed_attributes",
"title",
"type"
]
}
}
},
"mappings": {
"dynamic_templates": [
{
"string_as_keyword": {
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false,
"properties": {
"syscheck": {
"properties": {
"size_before": {
"type": "long"
},
"mtime_after": {
"format": "date_optional_time",
"type": "date"
},
"uname_after": {
"type": "keyword"
},
"size_after": {
"type": "long"
},
"sha256_before": {
"type": "keyword"
},
"uid_before": {
"type": "keyword"
},
"mode": {
"type": "keyword"
},
"path": {
"type": "keyword"
},
"audit": {
"properties": {
"process": {
"properties": {
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"ppid": {
"type": "keyword"
}
}
},
"login_user": {
"properties": {
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
},
"effective_user": {
"properties": {
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
},
"user": {
"properties": {
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
},
"group": {
"properties": {
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
}
}
},
"gname_after": {
"type": "keyword"
},
"uid_after": {
"type": "keyword"
},
"gname_before": {
"type": "keyword"
},
"perm_after": {
"type": "keyword"
},
"event": {
"type": "keyword"
},
"hard_links": {
"type": "keyword"
},
"gid_before": {
"type": "keyword"
},
"perm_before": {
"type": "keyword"
},
"inode_before": {
"type": "keyword"
},
"gid_after": {
"type": "keyword"
},
"md5_before": {
"type": "keyword"
},
"diff": {
"type": "keyword"
},
"mtime_before": {
"format": "date_optional_time",
"type": "date"
},
"tags": {
"type": "keyword"
},
"sha1_after": {
"type": "keyword"
},
"uname_before": {
"type": "keyword"
},
"sha1_before": {
"type": "keyword"
},
"md5_after": {
"type": "keyword"
},
"sha256_after": {
"type": "keyword"
},
"inode_after": {
"type": "keyword"
}
}
},
"cluster": {
"properties": {
"node": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
},
"agent": {
"properties": {
"ip": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
},
"data": {
"properties": {
"srcip": {
"type": "keyword"
},
"data": {
"type": "keyword"
},
"dstport": {
"type": "keyword"
},
"5mins_loadAverage": {
"type": "double"
},
"program": {
"properties": {
"install_time": {
"type": "keyword"
},
"format": {
"type": "keyword"
},
"description": {
"type": "keyword"
},
"section": {
"type": "keyword"
},
"source": {
"type": "keyword"
},
"priority": {
"type": "keyword"
},
"version": {
"type": "keyword"
},
"size": {
"type": "long"
},
"vendor": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"multiarch": {
"type": "keyword"
},
"location": {
"type": "keyword"
},
"architecture": {
"type": "keyword"
}
}
},
"type": {
"type": "keyword"
},
"15mins_loadAverage": {
"type": "double"
},
"sca": {
"properties": {
"total_checks": {
"type": "keyword"
},
"policy_id": {
"type": "keyword"
},
"description": {
"type": "keyword"
},
"failed": {
"type": "integer"
},
"check": {
"properties": {
"reason": {
"type": "keyword"
},
"registry": {
"type": "keyword"
},
"process": {
"type": "keyword"
},
"previous_result": {
"type": "keyword"
},
"references": {
"type": "keyword"
},
"description": {
"type": "keyword"
},
"title": {
"type": "keyword"
},
"rationale": {
"type": "keyword"
},
"directory": {
"type": "keyword"
},
"result": {
"type": "keyword"
},
"remediation": {
"type": "keyword"
},
"file": {
"type": "keyword"
},
"compliance": {
"properties": {
"pci_dss": {
"type": "keyword"
},
"hipaa": {
"type": "keyword"
},
"cis_csc": {
"type": "keyword"
},
"cis": {
"type": "keyword"
},
"nist_800_53": {
"type": "keyword"
}
}
},
"id": {
"type": "keyword"
},
"status": {
"type": "keyword"
}
}
},
"type": {
"type": "keyword"
},
"score": {
"type": "long"
},
"file": {
"type": "keyword"
},
"invalid": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"passed": {
"type": "integer"
},
"scan_id": {
"type": "keyword"
},
"policy": {
"type": "keyword"
}
}
},
"netinfo": {
"properties": {
"iface": {
"properties": {
"tx_packets": {
"type": "long"
},
"adapter": {
"type": "keyword"
},
"rx_dropped": {
"type": "long"
},
"type": {
"type": "keyword"
},
"mac": {
"type": "keyword"
},
"mtu": {
"type": "long"
},
"rx_errors": {
"type": "long"
},
"rx_packets": {
"type": "long"
},
"tx_errors": {
"type": "long"
},
"ipv4": {
"properties": {
"broadcast": {
"type": "keyword"
},
"address": {
"type": "keyword"
},
"metric": {
"type": "long"
},
"netmask": {
"type": "keyword"
},
"gateway": {
"type": "keyword"
},
"dhcp": {
"type": "keyword"
}
}
},
"tx_dropped": {
"type": "long"
},
"ipv6": {
"properties": {
"broadcast": {
"type": "keyword"
},
"address": {
"type": "keyword"
},
"metric": {
"type": "long"
},
"netmask": {
"type": "keyword"
},
"gateway": {
"type": "keyword"
},
"dhcp": {
"type": "keyword"
}
}
},
"name": {
"type": "keyword"
},
"rx_bytes": {
"type": "long"
},
"state": {
"type": "keyword"
},
"tx_bytes": {
"type": "long"
}
}
}
}
},
"protocol": {
"type": "keyword"
},
"memory_used_bytes": {
"type": "double"
},
"gcp": {
"properties": {
"severity": {
"type": "keyword"
},
"resource": {
"properties": {
"type": {
"type": "keyword"
},
"labels": {
"properties": {
"project_id": {
"type": "keyword"
},
"location": {
"type": "keyword"
},
"source_type": {
"type": "keyword"
}
}
}
}
},
"jsonPayload": {
"properties": {
"vmInstanceId": {
"type": "keyword"
},
"vmInstanceName": {
"type": "keyword"
},
"queryName": {
"type": "keyword"
},
"authAnswer": {
"type": "keyword"
},
"responseCode": {
"type": "keyword"
}
}
}
}
},
"cpu_usage_%": {
"type": "double"
},
"office365": {
"properties": {
"ResultStatus": {
"type": "keyword"
},
"UserId": {
"type": "keyword"
},
"Actor": {
"properties": {
"ID": {
"type": "keyword"
}
}
},
"Operation": {
"type": "keyword"
},
"Subscription": {
"type": "keyword"
},
"ClientIP": {
"type": "keyword"
}
}
},
"action": {
"type": "keyword"
},
"dstip": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"hardware": {
"properties": {
"ram_free": {
"type": "long"
},
"cpu_name": {
"type": "keyword"
},
"ram_usage": {
"type": "long"
},
"serial": {
"type": "keyword"
},
"ram_total": {
"type": "long"
},
"cpu_cores": {
"type": "long"
},
"cpu_mhz": {
"type": "double"
}
}
},
"github": {
"properties": {
"actor": {
"type": "keyword"
},
"org": {
"type": "keyword"
},
"repo": {
"type": "keyword"
},
"actor_location": {
"properties": {
"country_code": {
"type": "keyword"
}
}
},
"action": {
"type": "keyword"
}
}
},
"vulnerability": {
"properties": {
"severity": {
"type": "keyword"
},
"cve": {
"type": "keyword"
},
"package": {
"properties": {
"condition": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"generated_cpe": {
"type": "keyword"
},
"source": {
"type": "keyword"
},
"version": {
"type": "keyword"
},
"architecture": {
"type": "keyword"
}
}
},
"cve_version": {
"type": "keyword"
},
"assigner": {
"type": "keyword"
},
"cwe_reference": {
"type": "keyword"
},
"published": {
"type": "date"
},
"title": {
"type": "keyword"
},
"updated": {
"type": "date"
},
"cvss": {
"properties": {
"cvss2": {
"properties": {
"base_score": {
"type": "keyword"
},
"vector": {
"properties": {
"user_interaction": {
"type": "keyword"
},
"integrity_impact": {
"type": "keyword"
},
"scope": {
"type": "keyword"
},
"availability": {
"type": "keyword"
},
"confidentiality_impact": {
"type": "keyword"
},
"attack_vector": {
"type": "keyword"
},
"access_complexity": {
"type": "keyword"
},
"privileges_required": {
"type": "keyword"
},
"authentication": {
"type": "keyword"
}
}
},
"impact_score": {
"type": "keyword"
},
"exploitability_score": {
"type": "keyword"
}
}
},
"cvss3": {
"properties": {
"base_score": {
"type": "keyword"
},
"vector": {
"properties": {
"user_interaction": {
"type": "keyword"
},
"integrity_impact": {
"type": "keyword"
},
"scope": {
"type": "keyword"
},
"confidentiality_impact": {
"type": "keyword"
},
"availability": {
"type": "keyword"
},
"attack_vector": {
"type": "keyword"
},
"access_complexity": {
"type": "keyword"
},
"authentication": {
"type": "keyword"
},
"privileges_required": {
"type": "keyword"
}
}
},
"impact_score": {
"type": "keyword"
},
"exploitability_score": {
"type": "keyword"
}
}
}
}
},
"rationale": {
"type": "keyword"
}
}
},
"srcuser": {
"type": "keyword"
},
"disk_usage_%": {
"type": "double"
},
"port": {
"properties": {
"inode": {
"type": "long"
},
"local_ip": {
"type": "ip"
},
"process": {
"type": "keyword"
},
"protocol": {
"type": "keyword"
},
"remote_ip": {
"type": "ip"
},
"rx_queue": {
"type": "long"
},
"local_port": {
"type": "long"
},
"remote_port": {
"type": "long"
},
"tx_queue": {
"type": "long"
},
"pid": {
"type": "long"
},
"state": {
"type": "keyword"
}
}
},
"integration": {
"type": "keyword"
},
"disk_used_bytes": {
"type": "double"
},
"status": {
"type": "keyword"
},
"oscap": {
"properties": {
"scan": {
"properties": {
"score": {
"type": "double"
},
"profile": {
"properties": {
"id": {
"type": "keyword"
},
"title": {
"type": "keyword"
}
}
},
"id": {
"type": "keyword"
},
"return_code": {
"type": "long"
},
"benchmark": {
"properties": {
"id": {
"type": "keyword"
}
}
},
"content": {
"type": "keyword"
}
}
},
"check": {
"properties": {
"severity": {
"type": "keyword"
},
"result": {
"type": "keyword"
},
"references": {
"type": "text"
},
"oval": {
"properties": {
"id": {
"type": "keyword"
}
}
},
"identifiers": {
"type": "text"
},
"description": {
"type": "text"
},
"id": {
"type": "keyword"
},
"title": {
"type": "keyword"
},
"rationale": {
"type": "text"
}
}
}
}
},
"title": {
"type": "keyword"
},
"1min_loadAverage": {
"type": "double"
},
"cis": {
"properties": {
"result": {
"type": "keyword"
},
"score": {
"type": "long"
},
"fail": {
"type": "long"
},
"notchecked": {
"type": "long"
},
"pass": {
"type": "long"
},
"rule_title": {
"type": "keyword"
},
"error": {
"type": "long"
},
"benchmark": {
"type": "keyword"
},
"timestamp": {
"type": "keyword"
},
"unknown": {
"type": "long"
},
"group": {
"type": "keyword"
}
}
},
"memory_usage_%": {
"type": "double"
},
"docker": {
"properties": {
"Action": {
"type": "keyword"
},
"Type": {
"type": "keyword"
},
"Actor": {
"properties": {
"Attributes": {
"properties": {
"image": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
}
}
}
}
},
"uid": {
"type": "keyword"
},
"memory_available_bytes": {
"type": "double"
},
"audit": {
"properties": {
"syscall": {
"type": "keyword"
},
"srcip": {
"type": "keyword"
},
"gid": {
"type": "keyword"
},
"enforcing": {
"type": "keyword"
},
"session": {
"type": "keyword"
},
"fsgid": {
"type": "keyword"
},
"pid": {
"type": "keyword"
},
"suid": {
"type": "keyword"
},
"type": {
"type": "keyword"
},
"directory": {
"properties": {
"mode": {
"type": "keyword"
},
"inode": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
},
"old-ses": {
"type": "keyword"
},
"uid": {
"type": "keyword"
},
"egid": {
"type": "keyword"
},
"file": {
"properties": {
"inode": {
"type": "keyword"
},
"mode": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
},
"exe": {
"type": "keyword"
},
"prom": {
"type": "keyword"
},
"dev": {
"type": "keyword"
},
"sgid": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"subj": {
"type": "keyword"
},
"key": {
"type": "keyword"
},
"res": {
"type": "keyword"
},
"op": {
"type": "keyword"
},
"auid": {
"type": "keyword"
},
"execve": {
"properties": {
"a1": {
"type": "keyword"
},
"a2": {
"type": "keyword"
},
"a3": {
"type": "keyword"
},
"a0": {
"type": "keyword"
}
}
},
"euid": {
"type": "keyword"
},
"old-auid": {
"type": "keyword"
},
"list": {
"type": "keyword"
},
"command": {
"type": "keyword"
},
"ppid": {
"type": "keyword"
},
"old_prom": {
"type": "keyword"
},
"fsuid": {
"type": "keyword"
},
"cwd": {
"type": "keyword"
},
"exit": {
"type": "keyword"
},
"old_enforcing": {
"type": "keyword"
},
"success": {
"type": "keyword"
},
"tty": {
"type": "keyword"
},
"arch": {
"type": "keyword"
},
"acct": {
"type": "keyword"
}
}
},
"dstuser": {
"type": "keyword"
},
"dias": {
"type": "double"
},
"virustotal": {
"properties": {
"sha1": {
"type": "keyword"
},
"malicious": {
"type": "keyword"
},
"total": {
"type": "keyword"
},
"found": {
"type": "keyword"
},
"description": {
"type": "keyword"
},
"positives": {
"type": "keyword"
},
"source": {
"properties": {
"sha1": {
"type": "keyword"
},
"file": {
"type": "keyword"
},
"alert_id": {
"type": "keyword"
},
"md5": {
"type": "keyword"
}
}
},
"error": {
"type": "keyword"
},
"permalink": {
"type": "keyword"
},
"scan_date": {
"type": "keyword"
}
}
},
"timestamp": {
"type": "date"
},
"process": {
"properties": {
"egroup": {
"type": "keyword"
},
"ruser": {
"type": "keyword"
},
"pgrp": {
"type": "long"
},
"session": {
"type": "long"
},
"stime": {
"type": "long"
},
"pid": {
"type": "long"
},
"vm_size": {
"type": "long"
},
"share": {
"type": "long"
},
"state": {
"type": "keyword"
},
"resident": {
"type": "long"
},
"rgroup": {
"type": "keyword"
},
"nlwp": {
"type": "long"
},
"utime": {
"type": "long"
},
"priority": {
"type": "long"
},
"processor": {
"type": "long"
},
"nice": {
"type": "long"
},
"ppid": {
"type": "long"
},
"args": {
"type": "keyword"
},
"start_time": {
"type": "long"
},
"sgroup": {
"type": "keyword"
},
"size": {
"type": "long"
},
"suser": {
"type": "keyword"
},
"euser": {
"type": "keyword"
},
"fgroup": {
"type": "keyword"
},
"tgid": {
"type": "long"
},
"name": {
"type": "keyword"
},
"tty": {
"type": "long"
},
"cmd": {
"type": "keyword"
}
}
},
"osquery": {
"properties": {
"calendarTime": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"action": {
"type": "keyword"
},
"pack": {
"type": "keyword"
}
}
},
"os": {
"properties": {
"minor": {
"type": "keyword"
},
"release": {
"type": "keyword"
},
"version": {
"type": "keyword"
},
"platform": {
"type": "keyword"
},
"patch": {
"type": "keyword"
},
"hostname": {
"type": "keyword"
},
"major": {
"type": "keyword"
},
"build": {
"type": "keyword"
},
"display_version": {
"type": "keyword"
},
"codename": {
"type": "keyword"
},
"sysname": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"release_version": {
"type": "keyword"
},
"architecture": {
"type": "keyword"
}
}
},
"system_name": {
"type": "keyword"
},
"url": {
"type": "keyword"
},
"command": {
"type": "keyword"
},
"disk_free_bytes": {
"type": "double"
},
"extra_data": {
"type": "keyword"
},
"srcport": {
"type": "keyword"
},
"aws": {
"properties": {
"srcaddr": {
"type": "ip"
},
"start": {
"type": "date"
},
"log_info": {
"properties": {
"s3bucket": {
"type": "keyword"
}
}
},
"dstaddr": {
"type": "ip"
},
"source": {
"type": "keyword"
},
"source_ip_address": {
"type": "ip"
},
"accountId": {
"type": "keyword"
},
"createdAt": {
"type": "date"
},
"resource.instanceDetails": {
"properties": {
"launchTime": {
"type": "date"
},
"networkInterfaces": {
"properties": {
"publicIp": {
"type": "ip"
},
"privateIpAddress": {
"type": "ip"
}
}
}
}
},
"service": {
"properties": {
"eventFirstSeen": {
"type": "date"
},
"eventLastSeen": {
"type": "date"
},
"count": {
"type": "long"
},
"action.networkConnectionAction.remoteIpDetails": {
"properties": {
"geoLocation": {
"type": "geo_point"
},
"ipAddressV4": {
"type": "ip"
}
}
}
}
},
"bytes": {
"type": "long"
},
"end": {
"type": "date"
},
"region": {
"type": "keyword"
},
"updatedAt": {
"type": "date"
}
}
}
}
},
"program_name": {
"type": "keyword"
},
"rule": {
"properties": {
"mail": {
"type": "boolean"
},
"tsc": {
"type": "keyword"
},
"level": {
"type": "long"
},
"pci_dss": {
"type": "keyword"
},
"hipaa": {
"type": "keyword"
},
"description": {
"type": "keyword"
},
"groups": {
"type": "keyword"
},
"cis": {
"type": "keyword"
},
"nist_800_53": {
"type": "keyword"
},
"frequency": {
"type": "long"
},
"gdpr": {
"type": "keyword"
},
"firedtimes": {
"type": "long"
},
"cve": {
"type": "keyword"
},
"mitre": {
"properties": {
"technique": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"tactic": {
"type": "keyword"
}
}
},
"id": {
"type": "keyword"
},
"gpg13": {
"type": "keyword"
},
"info": {
"type": "keyword"
}
}
},
"type": {
"type": "text"
},
"title": {
"type": "keyword"
},
"full_log": {
"type": "text"
},
"previous_log": {
"type": "text"
},
"@version": {
"type": "text"
},
"host": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"timestamp": {
"format": "date_optional_time||epoch_millis",
"type": "date"
},
"predecoder": {
"properties": {
"hostname": {
"type": "keyword"
},
"program_name": {
"type": "keyword"
},
"timestamp": {
"type": "keyword"
}
}
},
"previous_output": {
"type": "keyword"
},
"manager": {
"properties": {
"name": {
"type": "keyword"
}
}
},
"offset": {
"type": "keyword"
},
"decoder": {
"properties": {
"parent": {
"type": "keyword"
},
"fts": {
"type": "long"
},
"name": {
"type": "keyword"
},
"ftscomment": {
"type": "keyword"
},
"accumulate": {
"type": "long"
}
}
},
"message": {
"type": "text"
},
"command": {
"type": "keyword"
},
"input": {
"properties": {
"type": {
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"location": {
"type": "keyword"
},
"GeoLocation": {
"properties": {
"timezone": {
"type": "text"
},
"latitude": {
"type": "double"
},
"ip": {
"type": "keyword"
},
"area_code": {
"type": "long"
},
"coordinates": {
"type": "double"
},
"continent_code": {
"type": "text"
},
"city_name": {
"type": "keyword"
},
"country_code2": {
"type": "text"
},
"country_name": {
"type": "keyword"
},
"dma_code": {
"type": "long"
},
"country_code3": {
"type": "text"
},
"location": {
"type": "geo_point"
},
"region_name": {
"type": "keyword"
},
"real_region_name": {
"type": "keyword"
},
"postal_code": {
"type": "keyword"
},
"longitude": {
"type": "double"
}
}
}
}
},
"aliases": {}
}
}

Thanks

German

German DiCasas

unread,

May 3, 2024, 2:37:06 PM5/3/24

to Wazuh | Mailing List

Aditya, do you have any update or fix for this problem? thanks

German

German DiCasas

unread,

May 6, 2024, 9:13:18 AM5/6/24

to Wazuh | Mailing List

Hi, do you need any other information? let me know.

German DiCasas

unread,

May 7, 2024, 8:36:59 PM5/7/24

to Wazuh | Mailing List

Hi, any update?

Regards,,

German DiCasas

unread,

May 20, 2024, 6:11:55 PM5/20/24

to Wazuh | Mailing List

HI,

I have reinstalled everything and now it works correctly. I would also like to know what happened if you can still respond with the information they asked for.

Regards

Reply all

Reply to author

Forward