Wazuh Alerts not showing in the dashboard


leon appel

Sep 18, 2024, 5:05:22 AM
to Wazuh | Mailing List
Hi

I am hoping someone can shed some light on why these alerts are not appearing in the dashboard on my version 4.9

This is some of the log output
 WARN    [elasticsearch] elasticsearch/client.go:408     Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc1b2c2be18769b81, ext:154562571082333, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id"
 
 Private:file.State{Id:"native::2621596-64513", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc00097c750), Source:"/var/ossec/logs/alerts/alerts.json", Offset:613025534, Timestamp:time.Time{wall:0xc1b2a05df909f35f, ext:119362117609534, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x28009c, Device:0xfc01}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [data.status] of type [keyword] in document with id 'i9BQBJIB6xJ1x5_eEgtE'. Preview of field's value: '{failureReason=Other., errorCode=0, additionalDetails=null}'","caused_by":{"type":"illegal_state_exception","reason":"Can't get text on a START_OBJECT at 1:4720"}}

"azure-ad-graph\",\"azure_aad_tag\":\"microsoft-entra_id\"},\"location\":\"Azure\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::2621596-64513", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc00097c750), Source:"/var/ossec/logs/alerts/alerts.json", Offset:612969746, Timestamp:time.Time{wall:0xc1b2a05df909f35f, ext:119362117609534, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x28009c, Device:0xfc01}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [data.status] of type [keyword] in document with id 'M-VQBJIBV6LNgm7NDkRf'. Preview of field's value: '{failureReason=Other., errorCode=0, additionalDetails=null}'","caused_by":{"type":"illegal_state_exception","reason":"Can't get text on a START_OBJECT at 1:4632"}}

Thanks in advance

Stuti Gupta

Sep 18, 2024, 6:18:16 AM
to Wazuh | Mailing List
Hi Leon

This is a known issue and will be resolved in 4.9.1: https://github.com/wazuh/wazuh/pull/20682

As a workaround, you can follow these steps:
First, modify the Wazuh template to add a new field corresponding to the status field from sign-in audit logs.
The Wazuh template can be found here: https://github.com/wazuh/wazuh/blob/master/extensions/elasticsearch/7.x/wazuh-template.json. We modify the template by adding a new JSON field, azureSignInStatus, which is again a JSON object and has the correct format of Microsoft Entra ID sign-in audit logs. That is, the azureSignInStatus field has three fields: additionalDetails, errorCode and failureReason.
Then, modify the ingest pipeline.
Copy the content of the field data.status into the new field created above in the template, data.azureSignInStatus. Replace the JSON data within data.status by a dummy keyword (here, an empty string) so that it matches the template, only if the processed log has the field data.status and is a sign-in audit log. To verify that we have an ME-ID sign-in audit log, we check that the processed log has the field appliedConditionalAccessPolicies, which is unique to ME-ID sign-in audit logs. The ingest pipeline can be found here: https://github.com/wazuh/wazuh/blob/master/extensions/filebeat/7.x/wazuh-module/alerts/ingest/pipeline.json

In case this didn't solve the error, please share the log.

Hope this helps 

leon appel

Sep 18, 2024, 7:53:28 AM
to Wazuh | Mailing List
Hi Stuti

My scripting needs improvement, however, if I were to create these fields in the template:
data.azureSignInStatus.additionalDetails
data.azureSignInStatus.errorCode
data.azureSignInStatus.failureReason

The next step is asking about copying the content of data.status into data.azureSignInStatus.
What would that look like in practice?

{
   "copying": {
       "field": "data.status",
       "target_field": "data.azureSignInStatus",
       "ignore_missing": true,
       "ignore_failure": true
   }
},

Kind Regards
Leon
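As an added illustration (not code from either poster or from the Wazuh project), the copy-and-blank step Stuti describes can be written as a single Painless `script` processor in the Filebeat ingest pipeline; it assumes the Azure fields sit under `data` in the alert, that the sign-in marker is at `data.appliedConditionalAccessPolicies`, and that the template already carries the three `data.azureSignInStatus` sub-fields.

```json
{
  "description": "Constructed example: move the object-valued Entra ID sign-in status out of data.status",
  "processors": [
    {
      "script": {
        "if": "ctx.data?.status instanceof Map && ctx.data?.appliedConditionalAccessPolicies != null",
        "lang": "painless",
        "source": "ctx.data.azureSignInStatus = ctx.data.status; ctx.data.status = '';",
        "ignore_failure": true
      }
    }
  ]
}
```

The `instanceof Map` guard means alerts whose `data.status` is already a plain string (non sign-in events) pass through untouched, so the keyword mapping is only ever fed a string.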

leon appel

Sep 18, 2024, 11:12:06 AM
to Wazuh | Mailing List
Hi Stuti

This is what worked for me:
added the script highlighted in red to the pipeline
https://github.com/wazuh/wazuh/pull/22392/commits/58952d392f9e5467a8f193fb3c37a4af4236e508

and excluded the azure-logs.py msg_tmp entry

and also added the wazuh-template entries
https://github.com/wazuh/wazuh/pull/22392/commits/8149cd0b904b9b6e12bd066e2bf5806d4997bcd6

Kind Regards
Leon

Stuti Gupta

Sep 20, 2024, 6:08:17 AM
to Wazuh | Mailing List
Glad that it resolved 

leon appel

Sep 20, 2024, 10:20:30 AM
to Wazuh | Mailing List
Hi Stuti

I am still struggling with this error from the ossec log, and for some reason my filebeat pipeline entry disappeared through the night, so I had to re-add it.

2024/09/20 13:41:36 wazuh-modulesd:ms-graph: WARNING: Received unsuccessful status code when attempting to get relationship 'riskDetections' logs: Status code was '400' & response was '{"error":{"code":"BadRequest","message":"Invalid filter clause: Could not find a property named 'createdDateTime' on type 'microsoft.graph.riskDetection'.","innerError":{"date":"2024-09-20T12:41:36","request-id":"0de7440e-3fa8-2818-abfa-77c3025091dc","client-request-id":"0de7440e-3fa8-2818-abfa-77c3025091dc"}}}'

    {
     "rename": {
       "if": "ctx?.microsoft.graph.riskDetection instanceof Map",
       "field": "createdDateTime",
       "target_field": "detectedDateTime",
       "ignore_missing": true
      }
    },

Thanks

leon appel

Sep 23, 2024, 7:24:19 AM
to Wazuh | Mailing List
Hi

Do you have any thoughts on this?

Regards
