Check Elasticsearch index pattern Error - Wazuh 4.1


Caio Oliveira

Mar 4, 2021, 11:46:48 AM
to Wazuh mailing list
Hello everyone.

I need help with a problem that I've been fighting for a week.
I upgraded my ELK from 6.8 to 7.10 and tried to install Wazuh, but when I open the Kibana Wazuh app I get the "Check Elasticsearch index pattern - Error."
I have X-Pack security enabled and Kibana running with the user "elastic". I tried a lot of things to fix that: letting the Wazuh Kibana app create the index pattern automatically, creating it manually with the correct custom index pattern id, installing another Kibana on another node.
It is very strange, because I can see the events on wazuh-alerts-* in Discovery, but the error message stays in the Wazuh Kibana App.
I have another cluster running with ELK 7 and Wazuh 4.0 and everything is OK, but this is the first time that I'm using Wazuh 4.1.
Has someone had the same problem? Any idea how to fix it?

[Attached screenshots, not reproduced here: Screen Shot 2021-03-04 at 13.46.24.png, Screen Shot 2021-03-03 at 19.30.36.png, Screen Shot 2021-03-03 at 19.30.19.png, Screen Shot 2021-03-03 at 19.30.04.png, Screen Shot 2021-03-03 at 19.29.10.png]

Federico Garcia Cruz

Mar 4, 2021, 1:45:16 PM
to Wazuh mailing list
Hi,
Thanks for contacting us. In order to help you troubleshoot the issue, can you please detail the process you followed to upgrade the components?
You can check the step-by-step process here and gather more information by checking the log files:
cat /var/log/elasticsearch/elasticsearch.log | grep -i -E "error|warn"
cat /var/log/filebeat/filebeat | grep -i -E "error|warn"

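Two practical notes on the troubleshooting above, as an added example that is not part of the thread or of the Wazuh documentation. First, a substring match for "error|warn" also returns INFO lines: the Elasticsearch JVM-arguments line contains "-XX:+HeapDumpOnOutOfMemoryError" and "-XX:ErrorFile=...", so filtering on the log's level field gives a cleaner picture. Second, the "Check Elasticsearch index pattern" error is about three things agreeing: the indices present in Elasticsearch, the index-pattern saved object in Kibana, and the pattern the Wazuh app is configured to use. The script below defines both checks. The log sample is constructed to resemble the lines posted later in the thread; the Elasticsearch/Kibana URLs, the ES_USER/ES_PASS variables and the wazuh.yml path are assumptions to adjust for your deployment.

```shell
#!/bin/sh
# Added example, not code from the thread or from Wazuh. Assumptions (adjust):
#   Elasticsearch at https://localhost:9200, Kibana at https://localhost:5601,
#   basic auth taken from $ES_USER/$ES_PASS, and the Wazuh app config file at
#   /usr/share/kibana/data/wazuh/config/wazuh.yml.

# 1. Filter a log by its level field rather than by substring. The level field
#    in Elasticsearch logs is the second bracketed token, e.g. "[WARN ]".
log_problems() {
    grep -E '^\[[^]]+\]\[(WARN|ERROR|FATAL) *\]' "$1"
}

# Constructed sample log, modelled on the lines posted in this thread. The INFO
# line is the false positive: it contains "Error" but is not a problem.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
[2021-03-04T01:03:05,656][INFO ][o.e.n.Node] [node1] JVM arguments [-XX:+HeapDumpOnOutOfMemoryError, -XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log]
[2021-03-04T01:03:15,074][WARN ][o.e.g.DanglingIndicesState] [node1] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2021-03-04T01:03:20,000][INFO ][o.e.c.r.a.AllocationService] [node1] Cluster health status changed from [YELLOW] to [GREEN]
EOF

# Line counts for comparison: naive substring match vs. level-field match.
naive_count() { grep -c -i -E 'error|warn' "$1"; }
level_count() { log_problems "$1" | wc -l | tr -d ' '; }

# 2. Check the three pieces the Wazuh app needs to agree on the index pattern.
#    Not run automatically here because it needs live services; call it by hand:
#      ES_PASS='...' sh -c '. ./this_script.sh; check_index_pattern wazuh-alerts-*'
check_index_pattern() {
    pattern="${1:-wazuh-alerts-*}"
    auth="${ES_USER:-elastic}:${ES_PASS:?set ES_PASS}"

    echo "== Elasticsearch indices matching $pattern =="
    curl -sk -u "$auth" "https://localhost:9200/_cat/indices/$pattern?v"

    echo "== Kibana index-pattern saved objects titled $pattern (id and title) =="
    curl -sk -u "$auth" -H 'kbn-xsrf: true' \
        "https://localhost:5601/api/saved_objects/_find?type=index-pattern&search_fields=title&search=$pattern" \
        | grep -o '"id":"[^"]*"\|"title":"[^"]*"'

    echo "== pattern configured for the Wazuh app (assumed config path) =="
    grep -E '^[[:space:]]*pattern:' /usr/share/kibana/data/wazuh/config/wazuh.yml
}
```

If the first query returns indices and the second returns an index-pattern object but the titles differ (for example a trailing space, or `wazuh-alert-*` versus `wazuh-alerts-*`), or the `pattern:` value in wazuh.yml names something else, the app's health check will fail even though Discover shows the events.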
Caio Oliveira

Mar 4, 2021, 7:19:22 PM
to Wazuh mailing list
Hi Federico,

I followed the upgrade steps for ELK in the Wazuh documentation.

Here is the output:
cat /var/log/elasticsearch/elasticsearch.log | grep -i -E "error|warn"

[2021-03-04T01:03:05,656][INFO ][o.e.n.Node               ] [ELKSIEMUTB01P] JVM arguments [-Xshare:auto, -Des.networkaddress.cache.ttl=60, -Des.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms4g, -Xmx4g, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/elasticsearch-10399369618701608320, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/elasticsearch, -XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -XX:MaxDirectMemorySize=2147483648, -Des.path.home=/usr/share/elasticsearch, -Des.path.conf=/etc/elasticsearch, -Des.distribution.flavor=default, -Des.distribution.type=rpm, -Des.bundled_jdk=true]

[2021-03-04T01:03:15,074][WARN ][o.e.g.DanglingIndicesState] [ELKSIEMUTB01P] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually

[2021-03-04T01:13:27,081][INFO ][o.e.n.Node               ] [ELKSIEMUTB01P] JVM arguments [-Xshare:auto, -Des.networkaddress.cache.ttl=60, -Des.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms4g, -Xmx4g, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/elasticsearch-10741700120020286559, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/elasticsearch, -XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -XX:MaxDirectMemorySize=2147483648, -Des.path.home=/usr/share/elasticsearch, -Des.path.conf=/etc/elasticsearch, -Des.distribution.flavor=default, -Des.distribution.type=rpm, -Des.bundled_jdk=true]

[2021-03-04T01:13:34,955][WARN ][o.e.g.DanglingIndicesState] [ELKSIEMUTB01P] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually



cat /var/log/filebeat/filebeat | grep -i -E "error|warn"

Nothing


In Discovery I can access the index wazuh-alert-*, see the events, fields... Using the command line I can see the agents running... Everything is OK, except that the Kibana Wazuh App can't find the index pattern wazuh-alerts-*.


Thanks for your time

