Issue After Upgrading Wazuh from Version 4.10.1 to 4.12

[Le Sok]

Dear Wazuh Support Team,

I recently upgraded Wazuh from version 4.10.1 to 4.12 as per the instructions in the official documentation.

After completing the upgrade, I started encountering the following issue in Wazuh Dashboards: Jun 05 09:49:16 wazuh-server opensearch-dashboards[4694]: {"type":"log","@timestamp":"2025-06-05T02:49:16Z","tags":["info","savedobjects-service"],"pid":4694,"message":"Detected mapping change in \"properties.query\""}

It appears that after the upgrade, Wazuh Dashboards detected a mapping change in the "properties.query" field, which is causing issues with the dashboards loading properly. The error message indicates that the OpenSearch Dashboards is attempting to apply an invalid change in the mapping configuration.

Additional Details:

• I have not made any manual changes to the index mappings or OpenSearch configurations.

• This issue started occurring immediately after upgrading from version 4.10.1 to 4.12.

• Wazuh Dashboards is failing to initialize, and I cannot access the dashboards to perform further troubleshooting.

Could you please assist me with the following?

1. Confirm if this is a known issue after upgrading to version 4.12 and whether there are any specific steps to resolve it.

2. Provide guidance on how to fix the mapping change issue, or if restoring the previous configuration is necessary.

3. If applicable, are there any specific patches or updates available for version 4.12 to prevent this issue from affecting the system in the future?

I would greatly appreciate your assistance in resolving this matter as soon as possible.

Thank you for your time and support.

[Bony V John]

Hi,

When upgrading, Kibana creates a new version of the .kibana_N index and sets an alias to .kibana. In some cases, this migration process can become corrupted, which may be why your Wazuh Dashboard failed to start. You can read more about Kibana upgrade migrations in the official documentation:

https://www.elastic.co/guide/en/kibana/current/upgrade-migrations.html

To resolve this issue, you can follow the below steps:

Check Wazuh Dashboard Logs, run the following command to check for relevant errors:

journalctl -u wazuh-dashboard | grep -iE "kibana|error|warn|crit|fatal"

If you see a message similar to the one below: 

"message":"[resource_already_exists_exception]: index [.kibana_N/**********] already exists"

It means Kibana attempted to create an index that already exists.  

Verify .kibana Aliases in the Indexer, run this command to list Kibana-related indices:

curl -k -u admin:<admin-passwd> -XGET "https://<wazuh-indexer-ip>:9200/_cat/indices?v" | grep '.kibana'

Look for multiple .kibana_N indices that may be causing the conflict.

  

Delete the problematic index mentioned in the error log:

curl -k -u admin:<admin-passwd> -XDELETE "https://<wazuh-indexer-ip>:9200/.kibana_N"

Replace .kibana_N with the actual index name shown in your error logs.  

Once the index is deleted, restart the Wazuh Dashboard:  

systemctl restart wazuh-dashboard

This is not a common issue, and currently, no patch has been released for it.  

You may also refer to this Wazuh community discussions where a similar issue was resolved, it might provide further insight.  

• https://www.reddit.com/r/Wazuh/comments/1ks5fic/wazuh_docker_4110_to_4120_detected_mapping_change/
• https://groups.google.com/g/wazuh/c/XyQVlbVDV44