index-pattern-field automatically deleted?

[joh nte]

Hi,

i'm using two separate instances of wazuh  v4.0.4, with  Elasticsearch 7.9.1 and Opendistro 1.11.0, with identical configuration but different manager name, different agents and different IP.

The two Wazuh's manager where installed onto two identical machines (two Oracle OS) the same day with the unattended installation scripts and they even share the same dashboards and visualizations imported from a third Wazuh..

Everithing works fine, and worked flawlessy for a couple of months, however, one of this two, every day, have some problems onto one visualization; basically, it seems like the Wazuh-Alerts lost the "data.win.eventdata.TargetUserName" field..

The error says:
Could not locate that index-pattern-field (id: data.win.eventdata.targetUserName)

and, in the index management section, i can't find this field.

Being the same as the other wazuh, basically i export the index for the flawless wazuh and import into the defected one to regain this field, and it work fine... but only for some hours... after half a day, the same error reappear.

Houw could it be possible?

Sorry for my bad english.

[Rafael Antonio Rodriguez Otero]

Hi friend.

When these errors appear it is possible that the template you are using is creating the fields but that has a problem due to the type of log it generates in windows. You have to refresh the fields from the kibana administrator. This error may depend on the server you are monitoring. If possible delete and create the template again that is created in wazuh and delete the kibana template.

uhmmm, for this process to be successful you must do the following.

1.) You stop the filebeat process that you connect with elastic
2.) Delete the wazuh template "delete _template / wazuh"
3.) Delete the kibana template "delete _templeate / .kibaba"
4.) Restart elasticsearc
5.) Restart filebeat.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/0bdf5ebd-4219-4fec-9700-193f4241955fn%40googlegroups.com.

[Rafael Antonio Rodriguez Otero]

the wazuh and kibana templates are generated automatically. You shouldn't have a problem.

[Yana Zaeva]

Hi Joh,

Rafael is right, we will probably have to refresh the template as these fields are not being correctly parsed. But previous to this, please, send me this file: /etc/filebeat/wazuh-template.json, (for both machines). Also, in the one that is failing, go to Stack management -> Index Patterns -> wazuh-alerts-* and look for data.win.eventdata.TargetUserName and send me a screenshot of the output. 

Waiting for your reply,

Yana.

[Rafael Antonio Rodriguez Otero]

Hello

I don't need to send it. When you install wazuh, filebeat uses the template to launch elasticsearch in its configuration, if you are using 4.x it should be in the installation guide.

In this link:

https://documentation.wazuh.com/current/installation-guide/open-distro/all-in-one-deployment/all_in_one.html


Look at the filebeat section. Depending on how you install it, it should be similar:

# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.1/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go + r /etc/filebeat/wazuh-template.json

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/0dda4f41-fe63-4994-9157-ed1fd49cd208n%40googlegroups.com.