Data not fetching from Wazuh in Splunk Wazuh app


Saurabh Pathak

Feb 21, 2022, 2:47:04 AM2/21/22
to Wazuh mailing list
Hello Team,
Actually, we tried to install Wazuh into Splunk. We integrated it successfully, but we are still not able to fetch any data in Security events / Integrity monitoring from the Wazuh client into the Splunk Wazuh interface. We have also done the Splunk forwarder configuration as mentioned in the blog, but we are still not able to fetch the data. Can you please help me with this?
[Attachments: Capture 1.PNG, Capture 2.PNG]

Alejandro Ruiz Becerra

Feb 21, 2022, 11:28:53 AM2/21/22
to Wazuh mailing list
Hello

Thanks for using Wazuh.

Can you please check whether the required indices have been created and have events in them? Check this under Settings > Indexes, as seen in the image below.
  • The indices wazuh and wazuh-monitoring should exist.
  • The indices should not be empty (Event Count column).
[Attachment: Screenshot from 2022-02-21 17-27-39.png]

Saurabh Pathak

Feb 21, 2022, 12:35:03 PM2/21/22
to Wazuh mailing list
Hello, thank you for the response. I checked on my side: the indices are already added in my indexer, but the event count value is zero. In my scenario I am facing a Splunk forwarder error. I am attaching the screenshots; please look into this.
[Attachments: Capture 4.PNG, Capture 5.PNG, Capture 6.PNG]

Saurabh Pathak

Feb 22, 2022, 11:50:46 AM2/22/22
to Wazuh mailing list
Hello team, I checked what you suggested. Those indexes are already present in my Splunk. I am getting an error in the Splunk forwarder; kindly check my previous mail and please provide a solution.

Alejandro Ruiz Becerra

Feb 23, 2022, 11:38:41 AM2/23/22
to Wazuh mailing list
Hello again.

Sorry for the delay.

If the indexes are present and they are empty everything points to an error on the forwarder, as you already pointed out.

I'd like you to check a few things in order to have a better context of your environment. The more information the better.

Please, kindly provide the following information:
  • Wazuh's version and the App's version (shown in the Settings > About section).
  • A link to the installation / configuration guide you have followed.
  • Check whether there are alerts in the alerts.json file. By default this is on the manager's machine, at /var/ossec/logs/alerts.json.
  • Check for errors in the Splunk forwarder. Logs are stored at /opt/splunkforwarder/var/log/splunk/splunkd.log, but the path might differ between versions.
  • Check whether receiving is configured. In the Splunk UI, go to Settings > Forwarding and receiving > Receive data > Configure Receiving. Check that port 9997 is open and its status is 'Enabled'.
  • Any other information you think would be useful.

Also, I advise you to open a thread on the Splunk community, as this is more likely a configuration / connection problem within Splunk's components (event forwarding). I'm sure that together we will provide you with a faster solution.

I await your reply and the required information.

Thank you for trusting in Wazuh.

Regards,
Alex 
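The three checks Alex lists (alerts present in alerts.json, WARN/ERROR lines from the forwarder's output processor in splunkd.log, and the indexer's receiving port actually reachable from the forwarder host) can be scripted so they are run the same way every time. The script below is an added example for this thread, not Wazuh's or Splunk's own tooling. It assumes the default paths named in the thread (/var/ossec/logs/alerts.json, /opt/splunkforwarder/var/log/splunk/splunkd.log), that the indexer listens on 9997, and that bash's /dev/tcp and `timeout` are available; the alerts.json and splunkd.log lines it embeds are constructed samples in the shape those files normally take, so it runs offline and shows what a failing forwarder looks like.

```shell
#!/usr/bin/env bash
# Added diagnostic helper for a Wazuh manager -> Splunk forwarder -> indexer chain.
# Not part of Wazuh or Splunk. Override the defaults via environment variables.
ALERTS_JSON="${ALERTS_JSON:-/var/ossec/logs/alerts.json}"                        # assumed default path
SPLUNKD_LOG="${SPLUNKD_LOG:-/opt/splunkforwarder/var/log/splunk/splunkd.log}"    # assumed default path
INDEXER_HOST="${INDEXER_HOST:-127.0.0.1}"                                         # assumption: indexer address
INDEXER_PORT="${INDEXER_PORT:-9997}"                                              # Splunk's usual receiving port

# Number of alert records in alerts.json (one JSON object per line, each with a "rule" key).
# 0 means the manager itself produces nothing, so the forwarder has nothing to ship.
count_alerts() {
    local f="$1"
    [ -r "$f" ] || { echo 0; return; }
    grep -c '"rule"' "$f" || true
}

# Timestamp of the newest alert, to tell a live file from a stale one.
last_alert_time() {
    local f="$1"
    [ -r "$f" ] || { echo "n/a"; return; }
    tail -n 1 "$f" | sed -n 's/.*"timestamp":"\([^"]*\)".*/\1/p'
}

# WARN/ERROR lines from the forwarder's TCP output components (TcpOutputProc, TcpOutputFd):
# refused, timed-out and "not connected" conditions surface here.
forwarder_errors() {
    local f="$1"
    [ -r "$f" ] || { echo "log not readable: $f"; return; }
    grep -E ' (WARN|ERROR) +TcpOutput' "$f" || true
}

# Can this host complete a TCP handshake to the indexer's receiving port?
# Uses bash's /dev/tcp so no extra tools are needed; exit 0 means connected.
port_reachable() {
    local host="$1" port="$2"
    timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Constructed sample data (not captured from a real system) so the script runs offline.
write_sample_data() {
    local dir="$1"
    cat > "$dir/alerts.json" <<'EOF'
{"timestamp":"2022-02-21T08:40:11.123+0000","rule":{"level":5,"description":"Integrity checksum changed.","id":"550"},"agent":{"id":"001","name":"web01"},"syscheck":{"path":"/etc/passwd","event":"modified"}}
{"timestamp":"2022-02-21T08:42:03.456+0000","rule":{"level":3,"description":"Login session opened.","id":"5501"},"agent":{"id":"001","name":"web01"}}
EOF
    cat > "$dir/splunkd.log" <<'EOF'
02-21-2022 08:41:00.000 +0000 INFO  TcpOutputProc - Initializing connection for non-ssl
02-21-2022 08:41:05.000 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.5:9997 timed out
02-21-2022 08:41:30.000 +0000 ERROR TcpOutputFd - Connection to host=10.0.0.5:9997 failed
EOF
}

# Run all three checks and print a short report.
report() {
    local alerts="$1" log="$2" host="$3" port="$4"
    echo "alerts in $alerts: $(count_alerts "$alerts") (latest: $(last_alert_time "$alerts"))"
    echo "forwarder WARN/ERROR lines in $log:"
    forwarder_errors "$log" | sed 's/^/  /'
    if port_reachable "$host" "$port"; then
        echo "indexer $host:$port reachable from this host"
    else
        echo "indexer $host:$port NOT reachable (check Configure Receiving, firewalls, outputs.conf)"
    fi
}

# Demo on the constructed data; point the variables at real files to use it for real.
sample_dir="$(mktemp -d)"
write_sample_data "$sample_dir"
report "$sample_dir/alerts.json" "$sample_dir/splunkd.log" "$INDEXER_HOST" "$INDEXER_PORT"
rm -rf "$sample_dir"
```

Read the output in order: a zero alert count is a manager-side problem and no amount of forwarder tuning will help; a non-zero count with TcpOutput warnings or an unreachable port puts the fault between the forwarder and the indexer, which is the situation this thread describes and the one Splunk's community is best placed to resolve.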
