Filebeat registry files accidentally deleted in Wazuh 4.14
24 views
Skip to first unread message
Mr VR
Jun 2, 2026, 12:35:05 PM (5 days ago) Jun 2
to Wazuh | Mailing List
Hi Team,
The filebeat files accidentally deleted when recovering logs in wazuh 4.14-5.
rm -rf /var/lib/filebeat/registry/*
Now filebeat showing status failed and not returning to active.
It's showing error like incorrect version. But filebeat test output config is OK.
I request you to provide a solution at the earliest.
Regards,
Vignesh
lucas....@wazuh.com
Jun 2, 2026, 12:53:43 PM (5 days ago) Jun 2
to Wazuh | Mailing List
Hi Vignesh, thanks for reaching out.
When the registry directory is cleared, Filebeat loses track of which files and offsets it has already read. The "incorrect version" error usually points to a registry state issue rather than a config problem, which lines up with your filebeat test output passing fine.
A few things to try, in order:
First, confirm the registry path is fully empty, and that ownership/permissions on /var/lib/filebeat/registry/ are correct for the Filebeat user. A leftover meta.json with an old version string is a common cause of the "incorrect version" message.
Second, backup the full directory, stop Filebeat, remove the registry directory entirely, then recreate it clean and restart so Filebeat rebuilds the registry from scratch:
systemctl stop filebeat
rm -rf /var/lib/filebeat/registry
systemctl start filebeat
(This reads from the beginning, so you could see a re-send of existing data depending on your ignore_older / clean_* settings.)
Third, verify the running Filebeat version matches the version Wazuh expects for 4.14.5. A mismatch between the installed Filebeat binary and the Wazuh module/config can surface as a version error. You can check the official module and version requirements here: https://documentation.wazuh.com/current/installation-guide/wazuh-server/index.html
Last, check the Filebeat logs for the full error context:
journalctl -u filebeat -n 100 --no-pager
I hope this works, let me know your thoughts.
Best regards,
Lucas
When the registry directory is cleared, Filebeat loses track of which files and offsets it has already read. The "incorrect version" error usually points to a registry state issue rather than a config problem, which lines up with your filebeat test output passing fine.
A few things to try, in order:
First, confirm the registry path is fully empty, and that ownership/permissions on /var/lib/filebeat/registry/ are correct for the Filebeat user. A leftover meta.json with an old version string is a common cause of the "incorrect version" message.
Second, backup the full directory, stop Filebeat, remove the registry directory entirely, then recreate it clean and restart so Filebeat rebuilds the registry from scratch:
systemctl stop filebeat
rm -rf /var/lib/filebeat/registry
systemctl start filebeat
(This reads from the beginning, so you could see a re-send of existing data depending on your ignore_older / clean_* settings.)
Third, verify the running Filebeat version matches the version Wazuh expects for 4.14.5. A mismatch between the installed Filebeat binary and the Wazuh module/config can surface as a version error. You can check the official module and version requirements here: https://documentation.wazuh.com/current/installation-guide/wazuh-server/index.html
Last, check the Filebeat logs for the full error context:
journalctl -u filebeat -n 100 --no-pager
I hope this works, let me know your thoughts.
Best regards,
Lucas
0 new messages