Elasticsearch Error - "No matching indices found: No indices match pattern 'wazuh-alerts-*'"

[Alejandro Castro]

Hello everyone,

I'm encountering an issue with Elasticsearch, and I'm hoping someone here can help me resolve it.

Recently, when attempting to perform a query in Elasticsearch, I'm getting the following error:

No matching indices found: No indices match pattern 'wazuh-alerts-*'

I understand that this means Elasticsearch is unable to find any indices matching the pattern 'wazuh-alerts-*'. This could be a configuration issue related to indices or perhaps an issue with the existence of data.

Has anyone come across this error before or have any insights on how to address it? I appreciate any guidance or advice on how to tackle this problem.

Thank you in advance!

[Alejandro Castro]

[Harshal Paliwal]

Hi Alejandro,
Hope you are doing well today and thank you for using wazuh.A possible cause of the error could be that Filebeat is not functioning correctly thus Elasticsearch is not receiving data. You could try checking the status of the Filebeat process and Elasticsearch and check if there are any error logs, share the output and filebeat.yml. You can do all these things with the following commands:

• filebeat test output
• systemctl status elasticsearch
• cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
• cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"

Can you please if there are alerts in the Wazuh indexer, run the command:
curl https://<ElasticsearchIp>:9200/_cat/indices/wazuh-alerts-* -u user:pass -k
Please share the output of ls -lrt /etc/filebeat/wazuh-template.jsonHope to hear from you soon.Regards,