Alerts are not showing in dashboard

[360 ALLROUND]

Hi Team, 

Hope you are doing good. 

Since yesterday the alerts are not showing up on my wazuh dashboard. I deleted few of the wazuh indices and currently have only 3 months worth indices. My wazuh has been installed with single Node with the latest version, I 've also restarted everything please tell me how to resolve this. 

I have attached the indexer log and filebeat.yml file below

-Regards 

 Ruben 

[Chantal Belen Kelm]

Good afternoon, how are you? Are you using a Wazuh Dashboards or Elasticsearch / Kibana app installation and which is the Wazuh version?

I look forward to your response!

Regards!!!

[360 ALLROUND]

I am good thanks Mr. Chanta, 

I am using wazuh-dashboard and the version is 4.3.10

-thanks 

 Ruben

[Chantal Belen Kelm]

Could you send me the result of this command? filebeat test output

[360 ALLROUND]

I checked already it looks fine. 

I've attached the log below 

-regards

 Ruben

[Chantal Belen Kelm]

Could you share with me the indexer logs?

Do the following command: journalctl -u open --no-pager | grep -E 'ERROR|WARN'.

[360 ALLROUND]

Hi chanta, 

As there are no errors the command doesn't show me any output.

Yesterday afternoon I restarted everything like indexer, dashboard, filebeat, manager, somehow it worked and showed the alerts. 

But again it's not showing the alerts. 

I 've also attached the screen shot below

Regards 

Ruben 

[Chantal Belen Kelm]

Try this command: journalctl -u opensearch --no-pager | grep -E 'ERROR|WARN'

[360 ALLROUND]

Hi chanta, 

I tried this too same results and nothings different. 

 

I have attached the logs for your reference. 

-Regards 

  Ruben 

[360 ALLROUND]

Hi, 

I cannot restart my manager and indexer now. The error shows no space left on device and I beleive that's what causing the issue. 

Please correct me if I am wrong. Also I 've attached the storage logs please tell me how I can free up some stuff. 

-Regards 

 Ruben

[Chantal Belen Kelm]

Hello, how are you?

I recommend doing a few checks to find out what is taking up so much disk space.

First of all, please run du -sh /var/ossec to see how much disk space Wazuh is taking up.

Then, if the problem of disk space is caused by Wazuh, you should check which file is taking up disk space. Usually, those files are logs files, which are located at /var/ossec/logs. You can run the same command as before, but with the specified directory you want to check, for example, du -sh /var/ossec/logs. Old files are rotated into folders sorted by date:

/var/ossec/logs/alerts/year/month/day /var/ossec/logs/archives/year/month/day

You can delete or move files that no longer interest you. Furthermore, when your alerts are sent to Elastic, it is not necessary to keep your logs in your manager. You can also, apply a data retention policy to remove old logs and use Opendistro IML for the elasticsearch indices, it is up to you. Here you can learn more about it: https://wazuh.com/blog/wazuh-index-management/

If the alerts file is taking up much disk space, you could run cat /var/ossec/logs/alerts/alerts.log | grep Alert | sort | cut -d '.' -f 1 | uniq -c , so you can check which alerts are repeated.

Finally, I would recommend you check Wazuh configuration in /var/ossec/etc/ossec.conf and disable options like logall and logall_json because, by default, alerts will be generated on important events or of security relevance, so with logall option enabled, you are storing all events even if they do not match a rule.

<logall>no</logall> <logall_json>no</logall_json>

Best regards.

[360 ALLROUND]

Hi, 

I checked the disk space on /var/ossec the space consumed is 149gb, however I deleted logs on July month, which is of 15gb.

But still the alerts aren't showing and manager & other services doesn't produce anymore errors. 

My overall size of the disk is 400gb and added another 100gb which had to be moved to the partition. 

Please check the images attached and suggest a solution. 

Thanks

 Ruben