Wazuh stopped sending logs

[Philip Jackson]

My Wazuh 4.3 with Wazuh Indexer just stopped sending logs to the UI. However, I still get emails for all my agents that are connected, as well as nightly reports of logs. Logs are still coming in at /var/ossec/logs/alerts.json

[Juan Carlos Tello]

Hello,

Wazuh uses Filebeat to ship its information to the Wazuh Indexer which is then queried by the Wazuh dashboards service to provide the UI.

Since you are seeing events in the alerts.json file then you may verify if filebeat is able to contact the Wazuh Indexer and if the service is running, for this please let us know the output of the following commands:

filebeat test output

systemctl status filebeat

 

If the output test is correct and the service is running then the issue may be that Elasticsearch is set to read_only_allow_delete . This occurs when disk space usage reaches a watermark level. Can you verify the current usage of disk space? df -h is good command to do so.

If disk space usage is above 90%  then disk must be increased or older indices must be deleted.

After there is enough disk space to resume writing into indices you may run the following API call:

PUT wazuh*/_settings 
{
  "index.blocks.read_only_allow_delete": false
}

Please let us know if the issue persists to provide further guidance.

Best Regards,

Juan C. Tello

On Fri, May 20, 2022 at 9:43 PM Philip Jackson <pjack...@gmail.com> wrote:

My Wazuh 4.3 with Wazuh Indexer just stopped sending logs to the UI. However, I still get emails for all my agents that are connected, as well as nightly reports of logs. Logs are still coming in at /var/ossec/logs/alerts.json

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/94554e99-d718-47a4-932c-205a4f24ed0cn%40googlegroups.com.

[Philip Jackson]

It looks like my filebeat is the problem. It no longers starts.

--

Phil Jackson

[Juan Carlos Tello]

Hello Philip,

It may have only been necessary to verify the configuration of Filebeat or whether the service was enabled.

When Filebeat was uninstalled it is likely that the configuration and credentials were removed as well so I recommend following the steps explained here https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html#configuring-filebeat to reconfigure filebeat.

It's important that the address, certificates and credentials that you use during the configuration process reflect those of your indexer installation.

Best Regards,

Juan C. Tello

On Mon, May 23, 2022 at 2:33 PM Philip Jackson <pjack...@gmail.com> wrote:

I uninstalled and reinstalled filebeat. This is what I get on the filebeat test output

[root@wazuh logs]# filebeat test output
elasticsearch: http://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: ::1, 127.0.0.1
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... ERROR Get "http://localhost:9200": EOF
[root@wazuh logs]#

--

Phil Jackson

[Philip Jackson]

I saved a snapshot to go back. I don't see an /etc/filebeat directory anywhere on the install.

[Juan Carlos Tello]

Hi Phil,

When following a standard Wazuh installation Filebeat configuration files will be found in that folder in the servers running the Wazuh manager service.

To better help you can you please let me know:

• Which method was used to install Wazuh
• What is the output of which filebeat
• What is the output of systemctl status filebeat
• Does the /etc/init.d/filebeat exist

Best Regards,

Juan C. Tello

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/e71f1021-ab00-451a-a474-b5441c44402bn%40googlegroups.com.

[Philip Jackson]

• Which method was used to install Wazuh: Automated install
• What is the output of which filebeat: /usr/bin/filebeat
• What is the output of systemctl status filebeat: (code=exited, status=1/FAILURE)
• Does the /etc/init.d/filebeat exist: Yes

[Juan Carlos Tello]

Hi Phil,

An automated installation of Wazuh will have the /etc/filebeat folder once finished.

If this folder is missing that can mean that either it was removed after installation or that the installation did not complete.

I recommend uninstalling Filebeat and then following the step by step guide for reinstalling and configuring it: https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html#installing-filebeat

Bear in mind that for this you will need to provide filebeat with the certificates it needs to communicate with the indexer. If you don't have those anymore then new certificates must be created for all of the components and redeployed. For this we provide the following tool: https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html#installing-filebeat

Let us know if there's anything more we can assist with.

Best Regards,

Juan C. Tello

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/23aa25c5-56f5-4290-8906-e7c1fd1d2660n%40googlegroups.com.

[Philip Jackson]

Both links are the same. I don't see the link for recreating the certificates

[Juan Carlos Tello]

Hello Philip,

I apologize for the oversight with the URL and having missed this message until now.

The correct URL would be: https://documentation.wazuh.com/current/user-manual/certificates.html

Please let us know if you have any more questions.

Best Regards,

Juan C. Tello

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/2e326fc4-8344-46c6-8cb3-988e0e48c627n%40googlegroups.com.