There are no results for selected time range. Try another one.

[Juan Ferdinan]

Hello everyone

wazuh my dashboard can't display security events, please help

[Henadence Anyam]

Hello Juan!

Thank you for using Wazuh.

Could you check your Wazuh Manager to see that your time zone is properly configured. If not, set it to your correct time zone and refresh the dashboard so that it can pick the events.

Otherwise, check to see that filebeat is properly configured to forward the generated events to the dashboard using this command: filebeat test output
as specified in the documentation.

Let me know if that was helpful.

Best regards.

[Juan Ferdinan]

where can i see the time zone configuration in wazuh manager?and here are the results of filebeat test output

# filebeat test output

elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

[Henadence Anyam]

Hello Juan,

Your Filebeat  configuration looks good.

You can follow this guide to see and set your time zone configurations.

Then view the events for the last 24 hours just so you can see older events incase new ones have not been generated.

Hope this helps.

[Juan Ferdinan]

the timezone is right

timedatectl
      Local time: Tue 2022-08-09 14:32:48 WIB
  Universal time: Tue 2022-08-09 07:32:48 UTC
        RTC time: Tue 2022-08-09 07:32:48
       Time zone: Asia/Jakarta (WIB, +0700)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: n/a

[Henadence Anyam]

So far your time zone settings is okay and Filebeat is running successfully.

• Perhaps alerts are not generated. Check the logs to see if alerts are generated with this command: tail -n5 /var/ossec/logs/alerts/alerts.json
• If they are generated, also check the indices in the Index Management section of OpenSearch Plugins in your dashboard to see if the total size is greater than zero. This is to ensure that the alerts are reaching the dashboard.

Kindly send me the ouputs so that I can verify too.

[Juan Ferdinan]

here is the result of tail -n5 /var/ossec/logs/alerts/alerts.json and indices

[Henadence Anyam]

Sorry for the late reply.

From the alerts.json logs, we can see that the logs are not indexed as depicted by this message:  Cannot index event publisher.Event.

Could you enable Filebeat logging to /var/log/filebeat following this documentation.

Restart Filebeat and Elasticsearch, then share the Filebeat and Elasticsearch logs here so we could analyse the entire message.

Equally share your  /var/log/messages logs.

[Juan Ferdinan]

my wazuh dashboard is working again and I use the following method

To get all index:

GET /_cat/indices?v

To delete a specific index:

DELETE /INDEX_NAME_TO_DELETE

The question now is, is there any effect on the availability of logs when I delete the index? If not, where does it affect when I delete the index?

[Henadence Anyam]

Hello Juan!

Glad your dashboard is now showing the security events.

So here is the thing, Wazuh generates and stores indices daily. When you delete an index you can not recover it again unless you have a backup of it.

Deleting indices does not delete the alerts.log | json files but you won't be able to see it on the dashboard again.

Hope that answers your question.

[Juan Ferdinan]

can this index be backed up or is there another way without deleting it?