ERROR: 4002 - Could not retrieve templates from Elasticsearch due to Response Error


Renaud HACQUIN

Jul 29, 2022, 6:44:56 AM
to Wazuh mailing list
Hi everyone@wazuh,

I must have done a weird thing but I can't figure out what went wrong. I have this message in the home of Wazuh:
INFO: Index pattern id in cookie: yes [wazuh-alerts-*]
INFO: Getting list of valid index patterns...
INFO: Valid index patterns found: 1
INFO: Found default index pattern with title [wazuh-alerts-*]: yes
INFO: Checking the app default pattern exists: id [wazuh-alerts-*]...
INFO: Default pattern with id [wazuh-alerts-*] exists: yes
ACTION: Default pattern id [wazuh-alerts-*] set as default index pattern
INFO: Checking the index pattern id [wazuh-alerts-*] exists...
INFO: Index pattern id exists [wazuh-alerts-*]: yes
INFO: Index pattern id in cookie: yes [wazuh-alerts-*]
INFO: Checking if the index pattern id [wazuh-alerts-*] exists...
INFO: Index pattern id [wazuh-alerts-*] found: yes title [wazuh-alerts-*]
INFO: Checking if exists a template compatible with the index pattern title [wazuh-alerts-*]
ERROR: 4002 - Could not retrieve templates from Elasticsearch due to Response Error
[14 h 48] I have nothing related in logs.
[14 h 49] and GET _cat/templates returns
wazuh-statistics [wazuh-statistics-*]                       0
wazuh            [wazuh-alerts-4.x-*, wazuh-archives-4.x-*] 0 1
wazuh-agent      [wazuh-monitoring-*]                       0
[14 h 49] Which seems good.
[14 h 50] Any idea on how to debug this one?

Alexander Bohorquez

Jul 29, 2022, 8:59:48 AM
to Wazuh mailing list
Hello Renaud,

Thank you for using Wazuh!

In order to help you I need more information about your cluster/versions.

  • Which version of Wazuh are you using? 
  • Are you using Elasticsearch or Wazuh-indexer?
  • Is your Elasticsearch service up and running?

Elasticsearch needs a specific template to store Wazuh alerts, otherwise visualizations won't load properly.

Based on our documentation, you can insert the correct template using the following command (but this will depend on the versions you are using):

Example:

curl https://raw.githubusercontent.com/wazuh/wazuh/v4.3.6/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT "https://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u <elasticsearch_user>:<elasticsearch_password> -k

The output should be:

{"acknowledged":true}


But, please let me know your versions first and I'll let you know the right command to use.

On the other hand, have you performed any changes in your environment recently? Which ones?

I hope this information helps. 

Regards!
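
Added example (not part of the thread and not Wazuh's own code): a small offline check that parses `GET _cat/templates` output, such as the listing in the question, and reports which templates cover an index pattern title like `wazuh-alerts-*`. The function names are hypothetical, and "covers" is assumed to mean prefix overlap between patterns that use only a trailing `*`.

```python
import re

# Sample input: the `GET _cat/templates` output quoted in the question.
SAMPLE_CAT_TEMPLATES = """\
wazuh-statistics [wazuh-statistics-*]                       0
wazuh            [wazuh-alerts-4.x-*, wazuh-archives-4.x-*] 0 1
wazuh-agent      [wazuh-monitoring-*]                       0
"""

# One row: template name, then the bracketed, comma-separated pattern list.
_ROW = re.compile(r"^(\S+)\s+\[(.*?)\]")


def parse_cat_templates(text):
    """Map template name -> list of index patterns from _cat/templates text."""
    templates = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:  # blank line, or the header row printed when ?v is used
            continue
        name, patterns = m.groups()
        templates[name] = [p.strip() for p in patterns.split(",") if p.strip()]
    return templates


def _prefix(pattern):
    # Assumption: only a trailing "*" wildcard is handled.
    return pattern[:-1] if pattern.endswith("*") else pattern


def patterns_overlap(a, b):
    """True if some index name could match both patterns (prefix overlap)."""
    pa, pb = _prefix(a), _prefix(b)
    if a.endswith("*") and b.endswith("*"):
        return pa.startswith(pb) or pb.startswith(pa)
    if a.endswith("*"):
        return b.startswith(pa)
    if b.endswith("*"):
        return a.startswith(pb)
    return a == b


def templates_for(index_pattern, cat_text):
    """Names of templates with at least one pattern overlapping index_pattern."""
    return sorted(
        name
        for name, pats in parse_cat_templates(cat_text).items()
        if any(patterns_overlap(index_pattern, p) for p in pats)
    )
```

Calling `templates_for("wazuh-alerts-*", SAMPLE_CAT_TEMPLATES)` on the listing from the question returns `['wazuh']`.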
