Hello,
Thank you for this group - it is a huge help. I apologize if this topic has been addressed previously; sometimes my search capabilities are lacking.
I had to build my Wazuh server recently. It's an all-in-one deployment because I'm only monitoring about 50 systems. At first, I tried to implement 5 devices (4 Windows servers and one Windows 10). However, although the data is coming in based on the tail -f on the alerts.log in /var/ossec/logs/alerts, when I try to look at the security events in the dashboard, it says "There are no results for the selected time range. Try another one". (see attached screengrab)
I also have an error, “check alerts index pattern”:
INFO: Index pattern id in cookie: yes [wazuh-alerts-*]
INFO: Getting list of valid index patterns...
INFO: Valid index patterns found: 1
INFO: Found default index pattern with title [wazuh-alerts-*]: yes
INFO: Checking the app default pattern exists: id [wazuh-alerts-*]...
INFO: Default pattern with id [wazuh-alerts-*] exists: yes
ACTION: Default pattern id [wazuh-alerts-*] set as default index pattern
INFO: Checking the index pattern id [wazuh-alerts-*] exists...
INFO: Index pattern id exists [wazuh-alerts-*]: yes
INFO: Index pattern id in cookie: yes [wazuh-alerts-*]
INFO: Checking if the index pattern id [wazuh-alerts-*] exists...
INFO: Index pattern id [wazuh-alerts-*] found: yes title [wazuh-alerts-*]
INFO: Checking if exists a template compatible with the index pattern title [wazuh-alerts-*]
INFO: Template found for the selected index-pattern title [wazuh-alerts-*]: no
ERROR: No template found for the selected index-pattern title [wazuh-alerts-*]
INFO: Index pattern id in cookie: [wazuh-alerts-*]
INFO: Getting index pattern data [wazuh-alerts-*]...
INFO: Index pattern data found: [yes]
INFO: Refreshing index pattern fields: title [wazuh-alerts-*], id [wazuh-alerts-*]...
ACTION: Refreshed index pattern fields: title [wazuh-alerts-*], id [wazuh-alerts-*]
I use CentOS 7.
#systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
Active: active (running) since jeu. 2022-03-31 19:35:57 CEST; 7min ago
Docs: https://www.elastic.co/products/beats/filebeat
Main PID: 1243 (filebeat)
Tasks: 12
CGroup: /system.slice/filebeat.service
└─1243 /usr/share/filebeat/bin/filebeat --environment systemd -c /...
mars 31 19:42:14 localhost.localdomain filebeat[1243]: 2022-03-31T19:42:14.70...
mars 31 19:42:14 localhost.localdomain filebeat[1243]: 2022-03-31T19:42:14.70...
mars 31 19:42:14 localhost.localdomain filebeat[1243]: 2022-03-31T19:42:14.70...
mars 31 19:42:37 localhost.localdomain filebeat[1243]: 2022-03-31T19:42:37.67...
mars 31 19:43:07 localhost.localdomain filebeat[1243]: 2022-03-31T19:43:07.67...
mars 31 19:43:11 localhost.localdomain filebeat[1243]: 2022-03-31T19:43:11.04...
mars 31 19:43:11 localhost.localdomain filebeat[1243]: 2022-03-31T19:43:11.04...
mars 31 19:43:11 localhost.localdomain filebeat[1243]: 2022-03-31T19:43:11.04...
mars 31 19:43:11 localhost.localdomain filebeat[1243]: 2022-03-31T19:43:11.04...
mars 31 19:43:37 localhost.localdomain filebeat[1243]: 2022-03-31T19:43:37.67...
Thank you in advance for your help - it's much appreciated.
Johan