Check Alerts index pattern error & Check metaFields setting


Enekupe Lelevaga

Jul 7, 2022, 5:06:23 PM
to Wazuh mailing list
Hi Team 

Can someone help with this?

image.png

Thanks, regards

Federico Gustavo Galland

Jul 8, 2022, 1:19:37 PM
to Wazuh mailing list
Hi There!

Getting a timeout on the Alerts index pattern could indicate problems within the Wazuh Indexer configuration.

In order to work around the problem and get to further debug the issue, let's adjust the default timeout to something higher, to try and get the check to go through.

You can find that setting under "Settings" and then "Configuration" from the Wazuh dropdown menu:

image.png

For testing purposes, set it to 80000 and restart the manager.


Let me know if you get to log in that way.

Regards,
Federico Galland

Enekupe Lelevaga

Jul 12, 2022, 5:39:18 PM
to Federico Gustavo Galland, Wazuh mailing list
Hi Federico, 

Now I have this issue;

image.png

I checked Kibana status and it's running:

image.png

But Elasticsearch doesn't, due to "No space left on the device".

image.png

How can I clear space? 

Thanks, regards.


Federico Gustavo Galland

Jul 13, 2022, 8:06:19 AM
to Enekupe Lelevaga, Wazuh mailing list
Hi Enekupe,

You need to check the cause of your disk being full. It could be unrelated to Elasticsearch.

Run these commands:

df -ha
du -ha -d1 / | sort -h

To try and pinpoint whether any directory is unduly filling disk space up.

Regards,
Fede

--
Federico Galland
IT Security Engineer
Wazuh - The Open Source Security Platform

Enekupe Lelevaga

Jul 13, 2022, 9:45:01 PM
to Federico Gustavo Galland, Wazuh mailing list
Hi Federico

Screenshot below:

image.png

Federico Gustavo Galland

Jul 14, 2022, 7:11:26 AM
to Enekupe Lelevaga, Wazuh mailing list
Hi Enekupe,

The "df" output is telling you your disk is 100% full. You missed the "/" (forward slash) in the "du" command though, so I cannot know which directory is responsible for the issue.

The proper command is:
du -ha -d1 / | sort -h

While you are at it, you might as well share a copy of your ossec.conf file. Text copies are always preferred to screenshots, though, since they are easier to read/parse/quote/whatnot.

Looking forward to it!

Enekupe Lelevaga

Jul 14, 2022, 6:16:48 PM
to Federico Gustavo Galland, Wazuh mailing list
Screenshot attached:

image.png

Enekupe Lelevaga

Jul 14, 2022, 9:25:29 PM
to Federico Gustavo Galland, Wazuh mailing list
Can I delete some logs to free up space?

Federico Gustavo Galland

Jul 15, 2022, 8:06:36 AM
to Enekupe Lelevaga, Wazuh mailing list
Hi Enekupe,

You can, and you can automate the task with a cronjob doing the following:

  • Edit the cron job file: crontab -e
  • Add the command:
    45 0 * * * find /var/ossec/logs/ -name "*.gz" -type f -mtime +90 -exec rm -f {} \;
    It will delete all compressed files under /var/ossec/logs that have not been modified in the last 90 days, every day at 00:45.

We also recommend that you use an index policy for managing older data within the Wazuh indexer:

Regards,
Federico Galland
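The df/du triage and the cron-based cleanup from the two replies above, put together as a small POSIX shell script. This is an added example, not code from the thread or from the Wazuh project: it reports the largest entries under a directory, counts compressed logs older than a given number of days, and only deletes them when explicitly told to ("apply"), so the default run is a harmless preview. The /var/ossec/logs path is taken from the thread; the directory the demo operates on is a constructed fixture, not a real manager.

```shell
#!/bin/sh
# Added example, not code from the thread: triage disk usage the way the
# df/du commands above do, then prune old compressed Wazuh logs the way the
# suggested cron job does, as a dry-run unless "apply" is passed.
# /var/ossec/logs is the thread's path; the demo below runs on a fixture only.

# Largest entries directly below DIR, in KiB, biggest last
# (a portable stand-in for "du -ha -d1 / | sort -h").
largest_entries() {
    dir="$1"; count="${2:-10}"
    du -sk "$dir"/* 2>/dev/null | sort -n | tail -n "$count"
}

# Compressed log files under DIR not modified for more than DAYS days.
# "-mtime +N" means strictly more than N full days, as in the cron job.
old_gz_files() {
    find "$1" -name '*.gz' -type f -mtime +"$2"
}

# Number of files old_gz_files would report.
count_old_gz() {
    old_gz_files "$1" "$2" | wc -l | tr -d ' '
}

# Remove the files reported by old_gz_files. Deletes only with MODE=apply;
# any other value lists the candidates and leaves the disk untouched.
prune_old_gz() {
    dir="$1"; days="$2"; mode="${3:-dry-run}"
    if [ "$mode" = "apply" ]; then
        find "$dir" -name '*.gz' -type f -mtime +"$days" -exec rm -f {} +
    else
        echo "dry-run: would remove under $dir (older than $days days):"
        old_gz_files "$dir" "$days"
    fi
}

# Constructed fixture standing in for /var/ossec/logs: two compressed logs
# dated 2020 (well past 90 days), one fresh compressed log, and an old
# uncompressed ossec.log that must survive pruning because it is not .gz.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/alerts" "$d/archives"
    : > "$d/alerts/alerts-2020-01.log.gz"
    touch -t 202001010000 "$d/alerts/alerts-2020-01.log.gz"
    : > "$d/archives/archives-2020-02.log.gz"
    touch -t 202002010000 "$d/archives/archives-2020-02.log.gz"
    : > "$d/alerts/alerts-recent.log.gz"      # mtime is now, must be kept
    : > "$d/ossec.log"
    touch -t 202001010000 "$d/ossec.log"      # old but not .gz, must be kept
    echo "$d"
}

# Demonstration on the fixture (never on the real system): report, preview, apply.
DEMO=$(make_fixture)
echo "largest entries under $DEMO:"
largest_entries "$DEMO" 5
echo "old compressed logs: $(count_old_gz "$DEMO" 90)"
prune_old_gz "$DEMO" 90            # dry-run, prints the two 2020 files
prune_old_gz "$DEMO" 90 apply      # actually deletes them
echo "remaining old compressed logs: $(count_old_gz "$DEMO" 90)"
rm -rf "$DEMO"
```

On a manager you would run `largest_entries /` first, as the reply suggests, and only then `prune_old_gz /var/ossec/logs 90` to preview what the cron job would delete before scheduling it with "apply".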

Enekupe Lelevaga

Jul 15, 2022, 2:27:16 PM
to Federico Gustavo Galland, Wazuh mailing list
I wanted to upgrade it to version 4.3, but it gives me "No space left on Devices".

Wazuh indexer is not yet installed; I can't do much because of this space error.

That's why I wanted to delete old logs and try upgrading wazuh server, and install wazuh indexer and dashboard. 

Appreciate your help

Federico Gustavo Galland

Jul 15, 2022, 2:44:23 PM
to Enekupe Lelevaga, Wazuh mailing list
The data I shared earlier applies to Elasticsearch as well.

I recommend you check that out first, before trying to upgrade.

Also, make sure your <logall> and <logall_json> variables are set to "no" within ossec.conf in the manager (remember to restart after any changes to the file), and delete any files within /var/ossec/logs/archives/.

Regards,
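A check for the two settings named in the reply above, as an added example that is not part of the thread or of Wazuh itself: it reads <logall> and <logall_json> out of an ossec.conf-style file, reports whether full-event archiving is enabled (the state that fills /var/ossec/logs/archives), and sizes the archives directory. The sample ossec.conf it parses is constructed for the demo; the /var/ossec/etc/ossec.conf and /var/ossec/logs/archives paths are the manager's standard locations.

```shell
#!/bin/sh
# Added example, not code from the thread: report whether full-event
# logging (<logall> / <logall_json> in ossec.conf) is switched on and how
# much the archives directory occupies, since that combination is what
# fills a manager's disk. The sample ossec.conf below is constructed.

# Value of a simple <key>value</key> element in an ossec.conf-style file
# (first occurrence, surrounding whitespace dropped; "unset" if absent).
conf_value() {
    conf="$1"; key="$2"
    v=$(sed -n "s#.*<$key>\([^<]*\)</$key>.*#\1#p" "$conf" | head -n 1 | tr -d ' \t')
    [ -n "$v" ] && echo "$v" || echo "unset"
}

# "enabled" if either archive setting is yes, otherwise "disabled".
archive_logging() {
    a=$(conf_value "$1" logall); b=$(conf_value "$1" logall_json)
    if [ "$a" = "yes" ] || [ "$b" = "yes" ]; then echo enabled; else echo disabled; fi
}

# Size in KiB of an archives directory (0 if it does not exist).
archives_kib() {
    [ -d "$1" ] && du -sk "$1" | cut -f1 || echo 0
}

# Constructed sample with logall enabled, the state the reply warns about.
write_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>no</logall_json>
  </global>
</ossec_config>
EOF
    echo "$f"
}

# Demo on the constructed sample; on a manager point conf_value at
# /var/ossec/etc/ossec.conf and archives_kib at /var/ossec/logs/archives.
SAMPLE=$(write_sample_conf)
echo "logall=$(conf_value "$SAMPLE" logall) logall_json=$(conf_value "$SAMPLE" logall_json)"
echo "archive logging: $(archive_logging "$SAMPLE")"
echo "archives size (KiB): $(archives_kib /var/ossec/logs/archives)"
rm -f "$SAMPLE"
```

If archive_logging prints "enabled" on a manager that is out of disk, setting both values to "no", restarting, and clearing /var/ossec/logs/archives is exactly the fix the reply describes; this script only reports, it changes nothing.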
