wazuh-alerts is generating "No results found"
740 views
Skip to first unread message
Marc Baker
May 10, 2017, 1:38:00 PM5/10/17
to Wazuh mailing list
Up until yesterday our system worked without issue. Now the following results when attempting to access alerts via the Discover tab:
We have 139 active agents and alerts are populating in alerts.json. No changes have been made to the system so any suggestions would be greatly appreciated.
Jose Luis Ruiz
May 10, 2017, 3:31:55 PM5/10/17
to Marc Baker, Wazuh mailing list
Hi Marc
Can you give us a little more information about your environment?
Have you a standalone environment? (wazuh-manager + Logstash + Elastic + Kibana) in one server?
Or you have Wazuh-manager + filebeat and in the other server ELK?
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/abd56d73-1d0c-4388-a5e9-4279c789d53f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Marc Baker
May 10, 2017, 3:59:01 PM5/10/17
to Wazuh mailing list, marcjb...@gmail.com
It is a single server installation. There are currently 159 active agents and I can see alerts being generated in alerts.json.
On Wednesday, May 10, 2017 at 3:31:55 PM UTC-4, Jose Luis Ruiz wrote:
Hi MarcCan you give us a little more information about your environment?Have you a standalone environment? (wazuh-manager + Logstash + Elastic + Kibana) in one server?Or you have Wazuh-manager + filebeat and in the other server ELK?
On May 10, 2017 at 1:38:01 PM, Marc Baker (marcjb...@gmail.com) wrote:
Up until yesterday our system worked without issue. Now the following results when attempting to access alerts via the Discover tab:--
We have 139 active agents and alerts are populating in alerts.json. No changes have been made to the system so any suggestions would be greatly appreciated.
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
Jose Luis Ruiz
May 10, 2017, 4:10:54 PM5/10/17
to Marc Baker, Wazuh mailing list
You have three pieces in your environment to test (because you are saying the /var/ossec/logs/alerts/alerts.json is populating)
1 - Kibana : As you show in your screenshot is working
2 - Elasticsearch: try this two commands
curl -XGET localhost:9200
You should have something like
{
"name": "node1",
"cluster_name": "ossec",
"version": {
"number": "2.1.1",
"build_hash": "40e2c53a6b6c2972b3d13846e450e66f4375bd71",
"build_timestamp": "2015-12-15T13:05:55Z",
"build_snapshot": false,
"lucene_version": "5.3.1"
},
"tagline": "You Know, for Search"
}
and the next command
curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'
And you should have something like:
{
"cluster_name": "ossec",
"status": "green",
"timed_out": false,
"number_of_nodes": 2,
"number_of_data_nodes": 2,
"active_primary_shards": 281,
"active_shards": 562,
"relocating_shards": 0,
"initializing_shards": 0,
"unassigned_shards": 0,
"delayed_unassigned_shards": 0,
"number_of_pending_tasks": 0,
"number_of_in_flight_fetch": 0,
"task_max_waiting_in_queue_millis": 0,
"active_shards_percent_as_number": 100
}
3- Logstash
Verify the service with ps axu | grep logstash, also search for errors in the log file in /var/logs/logstash/logstash-plain.log
Try as well to restart the service, the best way is stop the service, run again a ps axu | grep logstash to verify the service is stopped (some time is hard to restart), and then run again.
i hope it helps!
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/156ca886-9d3d-4826-8dd2-df79f0efbcbe%40googlegroups.com.
Sumesh MS
May 11, 2017, 6:34:46 AM5/11/17
to Jose Luis Ruiz, Wazuh mailing list, Marc Baker
Any updates on this? I recommend if all the suggestions are cross checked, you must check the alert.json permissions too.
Regards
Sumesh
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/156ca886-9d3d-4826-8dd2-df79f0efbcbe%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CAORR07ZXxa5UeC6f6Mub8NdSAChqMc0WztmZEgsS_Sk1Knv3Rg%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages