Wazuh syslog alerts not showing in Discover


Fernando Torrijos

Oct 8, 2025, 6:26:12 AM
to Wazuh | Mailing List
Hello, 
I am having issues visualizing alerts from custom decoders+alerts in the Discover page of Wazuh:

My Wazuh version is:
version.png

The syslog configuration is enabled in ossec.conf and logs are being received:
syslog.png

logs.png

The decoders and rules configured are working correctly:
ruletest.png
The results aren't showing in the Discover page...

ruleidsearch.png

I read in another post to execute the following command to check rule generation but no luck:
ruleidcmd.png

Can anyone help me?

Thank you!

Rafael Bailon Robles

Oct 8, 2025, 6:59:15 AM
to Wazuh | Mailing List

I’ve reviewed your case. It seems the decoder and rule are working correctly. First, check the log files for any errors:

  • Wazuh indexer:
    cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"

  • Wazuh manager:
    cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
    cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

  • Wazuh dashboard:
    journalctl -u wazuh-dashboard | grep -i -E "error|warn"

You may find an error in these logs that is causing your problem. Do alerts appear in /var/ossec/logs/alerts/alerts.json? To appear in the dashboard, they must also appear there. This error is usually caused by filebeat. If you don’t see any errors, make sure you enable logging.metrics.enabled in /etc/filebeat/filebeat.yml. You can also use filebeat test output to see if filebeat is working correctly.

Rafael Bailon Robles

Oct 9, 2025, 2:42:06 AM
to Wazuh | Mailing List
I received information privately. The conversation should continue in the public chat. Below is the information received and, below, my response.

---------------------------------
  • cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"

1.png
  • cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
2.png
  • cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
3.png

The last error shown I don't quite understand; as far as I know, the file mentioned, "/var/ossec/logs/archives/logs", isn't part of the usual structure of this directory:

tree.png

I understand this folder stores the logs received by SYSLOG when the options "logall" or "logall_json" are enabled in ossec.conf.
  • journalctl -u wazuh-dashboard | grep -i -E "error|warn"
4.png
The errors shown appear to be related to SSL, which I understand doesn't influence the problems I am facing.


I made the change to Filebeat that you mentioned ("enable logging.metrics.enabled"), restarted the filebeat service and executed the following command:
filebeat test output

filebeat.png

---------------------------------

The first thing I see is that you have a problem with the indexer. Did you initialize the cluster correctly? You need to use the command `/usr/share/wazuh-indexer/bin/indexer-security-init.sh` on all your indexers. I leave you the documentation about this: Cluster initialization. You can also check the cluster status using `curl -k -u <WAZUH_INDEXER_USERNAME>:<WAZUH_INDEXER_PASSWORD> https://localhost:9200/_cluster/health?pretty`. You can find more information in the documentation: Using the Wazuh indexer API via the command line. Once you've resolved this issue, you can check if the other errors continue to appear. The error `INFO: IndexerConnector initialized successfully for index: ...` is also related to the Indexer, and your problem with not seeing alerts is likely related to it.

Regarding the `ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN` error, it seems to be a certificate error. This message usually means you're using an untrusted certificate. How did you generate and deploy the certificates? You may need to regenerate and redeploy them. But this will happen after fixing the issue with Indexer. Do not attempt to redeploy certificates until the Indexer issue is resolved as this could cause further problems.
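The hop-by-hop check that the two replies above describe (the rule fires into alerts.json, Filebeat ships the record, the indexer stores it, Discover reads it), as an added Python example that is not part of this thread or of Wazuh's own tooling. The alert records, log lines and cluster-health document in it are constructed for the demonstration; on a real manager you would feed it the contents of /var/ossec/logs/alerts/alerts.json, /var/ossec/logs/ossec.log, the Filebeat log and the JSON returned by the `_cluster/health` request from the reply. The ordering of the hops (fix the indexer before chasing Filebeat errors) follows the advice given above.

```python
"""Hop-by-hop triage of the Wazuh alert path: alerts.json -> Filebeat -> indexer -> Discover.

Added example, not part of the thread or of Wazuh's own tooling. All sample data
below is constructed for the demonstration.
"""
from __future__ import annotations

import json
import re
from typing import Iterable

# Same filter as the `grep -i -E "error|warn"` commands used in the replies.
PROBLEM_RE = re.compile(r"error|warn", re.IGNORECASE)


def alerts_for_rule(lines: Iterable[str], rule_id: str) -> list[dict]:
    """Return the alerts.json records (one JSON object per line) fired by rule_id.

    If this is empty the dashboard cannot show the alert either: Filebeat only
    ships what the manager actually wrote to alerts.json.
    """
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # half-written tail line while analysisd is still appending
        rule = alert.get("rule") if isinstance(alert, dict) else None
        if isinstance(rule, dict) and str(rule.get("id")) == str(rule_id):
            hits.append(alert)
    return hits


def log_problems(lines: Iterable[str]) -> list[str]:
    """Lines matching error/warn, as the grep in the thread would list them."""
    return [line.rstrip() for line in lines if PROBLEM_RE.search(line)]


def cluster_verdict(health: dict) -> str:
    """Read a GET /_cluster/health document the way the reply suggests checking it."""
    status = health.get("status")
    unassigned = health.get("unassigned_shards", 0)
    if status == "green":
        return f"green: {health.get('number_of_nodes', 0)} node(s), all shards assigned"
    if status == "yellow":
        return f"yellow: {unassigned} unassigned replica shard(s); normal on a single-node indexer"
    if status == "red":
        return f"red: {unassigned} unassigned shard(s); primaries missing, writes to wazuh-alerts-* can fail"
    return "unknown: no status field, the indexer API did not return a health document"


def triage(alert_lines, rule_id, manager_lines, filebeat_lines, health) -> dict:
    """Walk the chain in order and name the first hop that is not healthy."""
    hits = alerts_for_rule(alert_lines, rule_id)
    manager_problems = log_problems(manager_lines)
    filebeat_problems = log_problems(filebeat_lines)
    verdict = cluster_verdict(health)
    if not hits:
        hop = "manager"    # decoder/rule/level/syslog ingestion: nothing reached alerts.json
    elif not verdict.startswith(("green", "yellow")):
        hop = "indexer"    # fix this first; Filebeat output errors usually follow from it
    elif filebeat_problems:
        hop = "filebeat"   # indexer is up but shipping fails (credentials, certs, output URL)
    else:
        hop = "dashboard"  # data is indexed; check index pattern, time range and the rule.id filter
    return {"rule_hits": len(hits), "manager_problems": manager_problems,
            "filebeat_problems": filebeat_problems, "cluster": verdict, "first_broken_hop": hop}


# --- constructed sample inputs (not real captures) ---------------------------
SAMPLE_ALERTS = "\n".join([
    json.dumps({"timestamp": "2025-10-08T10:21:03.000+0000",
                "rule": {"level": 5, "description": "Custom syslog event", "id": "100001",
                         "firedtimes": 1, "groups": ["syslog", "custom"]},
                "agent": {"id": "000", "name": "wazuh-manager"},
                "full_log": "Oct  8 10:21:03 fw01 myapp: login failed for user bob",
                "decoder": {"name": "myapp"}, "location": "192.168.1.10"}),
    json.dumps({"timestamp": "2025-10-08T10:21:04.000+0000",
                "rule": {"level": 3, "description": "Unrelated rule", "id": "5402",
                         "firedtimes": 2, "groups": ["syslog"]},
                "agent": {"id": "000", "name": "wazuh-manager"},
                "decoder": {"name": "sudo"}, "location": "/var/log/auth.log"}),
    '{"timestamp":"2025-10-08T10:21:05.000+0000","rule":{"level":5,"desc',  # truncated tail
])
SAMPLE_OSSEC_LOG = [
    "2025/10/08 10:20:59 wazuh-remoted: INFO: Started (pid: 1234).",
    "2025/10/08 10:21:00 wazuh-analysisd: WARNING: (sample) remote queue not accessible.",
    "2025/10/08 10:21:01 wazuh-analysisd: INFO: Total rules enabled: '6543'",
]
SAMPLE_FILEBEAT_LOG = [
    "2025-10-08T10:21:02.000Z\tINFO\t[publisher]\tpipeline/module.go:113\tBeat name: wazuh-manager",
    "2025-10-08T10:21:03.000Z\tERROR\t[publisher_pipeline_output]\tpipeline/output.go:154\t"
    "Failed to connect to backoff(elasticsearch(https://127.0.0.1:9200)): connection refused",
]
SAMPLE_HEALTH = {"cluster_name": "wazuh-cluster", "status": "red",
                 "number_of_nodes": 1, "active_shards": 0, "unassigned_shards": 4}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ALERTS.splitlines(), "100001",
                            SAMPLE_OSSEC_LOG, SAMPLE_FILEBEAT_LOG, SAMPLE_HEALTH), indent=2))
```

With the constructed inputs the rule is found once in alerts.json but the cluster health is red, so the verdict is "indexer": exactly the situation the reply points at, where the Filebeat connection error is a symptom rather than the cause. Note that `alerts_for_rule` deliberately skips the partial last line; a tail of alerts.json read while the manager is writing is often truncated, and a naive `json.loads` over the whole file would abort on it.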
