Hi Vanderson,
It's hard to tell by just seeing this error. But you can enable the debug mode and see if there's more information there. Go to the manager's backend and edit the /var/ossec/etc/internal_options.conf file. Go to the bottom and change the value of wazuh_modules.debug from zero to 2. Then save the file and restart the manager to apply the changes:
systemctl restart wazuh-manager
Afterwards, you can run the following command to see if you have more information regarding this issue:
cat /var/ossec/logs/ossec.log | grep -i "indexer-connector" | grep -i debug
By running that, you can see more messages. Remember also to set the wazuh_modules.debug to zero, save the file and restart the manager to disable it after using it to avoid consuming unnecessary disk space.
You should also review the indexer block inside the /var/ossec/etc/ossec.conf file. First, check that this block is not duplicated. If it is, remove the extra block. Then you should have it as follows:
<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://<IP>:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/wazuh-server.pem</certificate>
    <key>/etc/filebeat/certs/wazuh-server-key.pem</key>
  </ssl>
</indexer>
You should check that the host (or hosts if more than one indexer node) is correct. Check that you have the correct IP address in the <IP> inside the host block. You should also check that the filebeat certificates are correct, too. More useful information here. If you have more than one indexer node, the previous hosts block should look like this:
<hosts>
  <host>https://<IP_1>:9200</host>
  <host>https://<IP_2>:9200</host>
  <host>https://<IP_3>:9200</host>
</hosts>
It's important to consider that the indexer block serves for the Vulnerability Detection (VD) module. If you are using it, you shouldn't be able to access its default dashboard.
Hope that this information is useful to troubleshoot your issue.
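
Added example, not part of the original reply and not Wazuh code: a Python sketch that automates the ossec.conf checks described above (duplicated indexer block, host entries, certificate files present). The function name, the sample address 192.0.2.10 and the assumption that the file parses as XML once wrapped in a single root element are assumptions of this example.

```python
import os
import re
import xml.etree.ElementTree as ET

HOST_RE = re.compile(r"^https://[^\s/:]+:\d+$")  # form shown in the post

# Constructed sample: the block from the post, 192.0.2.10 standing in for <IP>.
SAMPLE = """<ossec_config><indexer>
  <enabled>yes</enabled>
  <hosts><host>https://192.0.2.10:9200</host></hosts>
  <ssl>
    <certificate_authorities><ca>/etc/filebeat/certs/root-ca.pem</ca></certificate_authorities>
    <certificate>/etc/filebeat/certs/wazuh-server.pem</certificate>
    <key>/etc/filebeat/certs/wazuh-server-key.pem</key>
  </ssl>
</indexer></ossec_config>"""

def check_indexer_config(conf_text, file_exists=os.path.isfile):
    """Return a list of problems in the <indexer> section of ossec.conf text."""
    # ossec.conf can hold several <ossec_config> roots, so wrap them in one element.
    try:
        root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    except ET.ParseError as exc:
        return [f"not parseable as XML: {exc}"]
    blocks = list(root.iter("indexer"))
    if not blocks:
        return ["no <indexer> block found"]
    problems = []
    if len(blocks) > 1:
        problems.append(f"{len(blocks)} <indexer> blocks found, expected 1")
    for block in blocks:
        if (block.findtext("enabled") or "").strip() != "yes":
            problems.append("<enabled> is not 'yes'")
        hosts = [(h.text or "").strip() for h in block.findall("hosts/host")]
        if not hosts:
            problems.append("no <host> entries")
        problems += [f"host not in https://<address>:<port> form: {h!r}"
                     for h in hosts if not HOST_RE.match(h)]
        paths = [e.text for e in block.findall("ssl/certificate_authorities/ca")]
        paths += [block.findtext(f"ssl/{tag}") for tag in ("certificate", "key")]
        problems += [f"certificate file missing: {p!r}"
                     for p in paths if not p or not file_exists(p.strip())]
    return problems

if __name__ == "__main__":
    # Two copies of the block reproduce the duplicated-block case.
    for problem in check_indexer_config(SAMPLE + SAMPLE):
        print("PROBLEM:", problem)
```

On a real manager, pass the contents of /var/ossec/etc/ossec.conf as conf_text and run it as a user that can read the certificate paths.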