Wazuh Alerts is not available in Dashboard
643 views
Skip to first unread message
Saiful Alam Shihab
Feb 16, 2023, 3:55:10 AM2/16/23
to Wazuh mailing list
Hi team
I am having a new problem withh wazuh alerts. there is no alerts shown in dashboard.
i check the following output and found ok.
i check the following output and found ok.
/var/ossec/logs/alerts/alerts.json - log available
filebeat test output - ok
curl -k -u <user>:<pass> https://localhost:9200/_cat/indices/wazuh-alerts*?s=index -ok
Please guide me to solve .
Ujunwa Okonkwo
Feb 16, 2023, 5:02:34 AM2/16/23
to Wazuh mailing list
Hello Saiful,
Thank you for using Wazuh.
If the indices are showing correctly, check if wazuh-indexer is taking too long indexing the data, this might be due to a high volume of alerts and not having enough resources.
Thank you for using Wazuh.
If the indices are showing correctly, check if wazuh-indexer is taking too long indexing the data, this might be due to a high volume of alerts and not having enough resources.
To confirm that the event is reaching the manager for correct decoding and correlation with the rule, activate <logall_json>yes</logall_json> in your manager. For this, go to the file /var/ossec/etc/ossec.conf and activate the option:
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>yes</logall_json>
. . .
</global>
Once enabled, restart the manager and check that you get this alert in your /var/ossec/logs/archives/archives.json file. This way we can confirm that this event has occurred in the agent and has reached the manager.
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>yes</logall_json>
. . .
</global>
Once enabled, restart the manager and check that you get this alert in your /var/ossec/logs/archives/archives.json file. This way we can confirm that this event has occurred in the agent and has reached the manager.
Then check if the alerts are generated correctly from the events. If the alerts are not generated you should review the rules, you can test if an alert will be generated using wazuh-logtest
Finally, if everything else seems correct check if wazuh-dashboard cannot retrieve the information from the indexer due to a connection or authentication issue. Remember to disable the logall options after you are done cause they can use a lot of disk space.
I hope this is helpful.
Regards,
Finally, if everything else seems correct check if wazuh-dashboard cannot retrieve the information from the indexer due to a connection or authentication issue. Remember to disable the logall options after you are done cause they can use a lot of disk space.
I hope this is helpful.
Regards,
0 new messages