Dashboard just show alerts from a few minutes

Pedro Quintanilha

unread,

Jun 10, 2024, 3:10:57 PM6/10/24

to Wazuh | Mailing List

Hi there.

I'm using Wazuh v4.7.4 Docker single-node. Events are generated on the agents, detected by the rules, recorded in /var/ossec/logs/alerts/alerts.json, and I can see the alerts in Dashboard but just for a few minutes (about 10). After that my Dashboard doesn't show that alerts (nor Events) anymore, even if I change de time range to last 24hs or more.

Some information:

Cluster health:

"cluster_name" : "opensearch",
"status" : "yellow",
"timed_out" : false,
"number_of_nodes" : 1,
"number_of_data_nodes" : 1,
"discovered_master" : true,
"discovered_cluster_manager" : true,
"active_primary_shards" : 67,
"active_shards" : 67,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 24,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 73.62637362637363

Alerts on indexer:

green open wazuh-alerts-4.x-2024.05.17 xUOpdCwWRoWeXbcGNliACQ 3 0 215 0 624.8kb 624.8kb
green open wazuh-alerts-4.x-2024.05.28 p86VpXgFRLStF6l8_oYyCA 3 0 29350 0 26.8mb 26.8mb
green open wazuh-alerts-4.x-2024.05.26 BbyuD3p8Tw-SDZkGJSzw-A 3 0 18251 0 13.9mb 13.9mb
green open wazuh-alerts-4.x-2024.05.27 Ljm0OFirSISE2qDxEVvW8A 3 0 34535 0 19.3mb 19.3mb
green open wazuh-alerts-4.x-2024.05.24 y3J6LRqqTxSgLz4kGKkNaQ 3 0 20072 0 16.9mb 16.9mb
green open wazuh-alerts-4.x-2024.05.25 _etCQ1yuSaSkMUBzsQaDKA 3 0 18331 0 13.5mb 13.5mb
green open wazuh-alerts-4.x-2024.05.22 TCIe0TvOTmq1P2IO7vgR4Q 3 0 14316 0 12.6mb 12.6mb
green open wazuh-alerts-4.x-2024.05.23 LRv_GLnDSISqZBFzFx6yjw 3 0 32635 0 19.9mb 19.9mb
green open wazuh-alerts-4.x-2024.05.20 6EpuUVxVR7eBbN8gAUiYbA 3 0 5050 0 12.3mb 12.3mb
green open wazuh-alerts-4.x-2024.06.10 ujZITB9SQ3qAd0VgVw1mAg 3 0 4 0 100.4kb 100.4kb

Alert retention policy: delete after 7 days

Any clue?

Thanks!

Jose Camargo

unread,

Jun 10, 2024, 7:24:23 PM6/10/24

to Wazuh | Mailing List

Hello Pedro,

Please send me the output of the following commands:

Wazuh indexer:

cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"

Wazuh manager:

cat /var/log/filebeat/filebeat* | grep -i -E "error|warn" cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

Wazuh dashboard:

journalctl -xeu wazuh-dashboard --no-pager | grep -iE "error|warn" cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"

Wazuh-Indexer API:

GET _cat/shards?v=true&h=index,shard,prirep,state,node,unassigned.reason&s=state
GET _cluster/settings?flat_settings=true&include_defaults=true
GET _cat/allocation?v=true&h=node,shards,disk.*
GET /_cat/nodes?v&h=name,master,node.role,disk.used_percent,disk.used,disk.avail,disk.total
GET _plugins/_ism/policies
GET /_cat/indices/wazuh*?v&h=index,docs.count,store.size&s=index

I'll be awaiting your comments.

Regards,

Jose

Pedro Quintanilha

unread,

Jun 12, 2024, 9:27:09 AM6/12/24

to Wazuh | Mailing List

Thanks, Jose.

This are the results:

cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"

There's no such file on this directory in the indexer container

cat /var/log/filebeat/filebeat* | grep -i -E "error|warn"

No results

cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

No results

journalctl -xeu wazuh-dashboard --no-pager | grep -iE "error|warn"

No journal files were found.

cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"

{"data":{"detail":"Cluster is not running, it might be disabled in `WAZUH_HOME/etc/ossec.conf`","error":3013,"remediation":"Please, visit the official documentation (https://documentation.wazuh.com/4.7/user-manual/configuring-cluster/index.html) to get more information about how to configure a cluster","title":"Bad Request"},"date":"2024-05-20T14:01:16.151Z","level":"error","location":"wazuh-api:makeRequest"}
{"date":"2024-05-22T20:22:47.981Z","level":"error","location":"update-configuration:updateLine","message":"EACCES: permission denied, open '/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml'"}
{"date":"2024-05-22T20:22:47.981Z","level":"error","location":"update-configuration:updateConfiguration","message":"EACCES: permission denied, open '/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml'"}
{"date":"2024-05-22T20:23:17.214Z","level":"error","location":"update-configuration:updateLine","message":"EACCES: permission denied, open '/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml'"}
{"date":"2024-05-22T20:23:17.214Z","level":"error","location":"update-configuration:updateConfiguration","message":"EACCES: permission denied, open '/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml'"}
{"date":"2024-05-24T16:48:30.311Z","level":"error","location":"queue:delayApiRequest","message":"An error ocurred in the delayed request: \"DELETE /security/user/authenticate\": Request failed with status code 401"}
{"date":"2024-05-27T11:39:54.411Z","level":"error","location":"APIUserAllowRunAs:check","message":"connect ECONNREFUSED 172.22.0.2:55000"}
{"date":"2024-05-27T11:39:54.416Z","level":"error","location":"monitoring:getApiInfo","message":"connect ECONNREFUSED 172.22.0.2:55000"}
{"date":"2024-05-27T11:40:00.431Z","level":"error","location":"APIUserAllowRunAs:check","message":"Request failed with status code 400"}
{"date":"2024-05-27T11:40:00.440Z","level":"error","location":"APIUserAllowRunAs:check","message":"Request failed with status code 400"}
{"date":"2024-05-27T11:40:00.443Z","level":"error","location":"APIUserAllowRunAs:check","message":"Request failed with status code 400"}
{"date":"2024-05-27T11:40:00.445Z","level":"error","location":"APIUserAllowRunAs:check","message":"Request failed with status code 400"}
{"data":{"config":{"method":"post","url":"https://wazuh.manager:55000/security/user/authenticate"},"message":"Request failed with status code 400","stack":"AxiosError: Request failed with status code 400\n at settle (/usr/share/wazuh-dashboard/plugins/wazuh/node_modules/axios/lib/core/settle.js:19:12)\n at IncomingMessage.handleStreamEnd (/usr/share/wazuh-dashboard/plugins/wazuh/node_modules/axios/lib/adapters/http.js:570:11)\n at IncomingMessage.emit (node:events:525:35)\n at IncomingMessage.emit (node:domain:489:12)\n at endReadableNT (node:internal/streams/readable:1358:12)\n at processTicksAndRejections (node:internal/process/task_queues:83:21)"},"date":"2024-05-27T11:40:00.531Z","level":"info","location":"Cron-scheduler"}
{"data":{"config":{"method":"post","url":"https://wazuh.manager:55000/security/user/authenticate"},"message":"Request failed with status code 400","stack":"AxiosError: Request failed with status code 400\n at settle (/usr/share/wazuh-dashboard/plugins/wazuh/node_modules/axios/lib/core/settle.js:19:12)\n at IncomingMessage.handleStreamEnd (/usr/share/wazuh-dashboard/plugins/wazuh/node_modules/axios/lib/adapters/http.js:570:11)\n at IncomingMessage.emit (node:events:525:35)\n at IncomingMessage.emit (node:domain:489:12)\n at endReadableNT (node:internal/streams/readable:1358:12)\n at processTicksAndRejections (node:internal/process/task_queues:83:21)"},"date":"2024-05-27T11:40:00.539Z","level":"info","location":"Cron-scheduler"}
{"data":{"dapi_errors":{"unknown-node":{"error":"Permission denied: Resource type: *:*"}},"detail":"Permission denied: Resource type: *:*","error":4000,"remediation":"Please, make sure you have permissions to execute the current request. For more information on how to set up permissions, please visit https://documentation.wazuh.com/4.7/user-manual/api/rbac/configuration.html","title":"Permission Denied"},"date":"2024-05-27T12:27:08.178Z","level":"error","location":"wazuh-api:makeRequest"}
{"data":{"dapi_errors":{"unknown-node":{"error":"Permission denied: Resource type: *:*"}},"detail":"Permission denied: Resource type: *:*","error":4000,"remediation":"Please, make sure you have permissions to execute the current request. For more information on how to set up permissions, please visit https://documentation.wazuh.com/4.7/user-manual/api/rbac/configuration.html","title":"Permission Denied"},"date":"2024-05-27T12:29:12.597Z","level":"error","location":"wazuh-api:makeRequest"}
{"data":{"detail":"Cluster is not running, it might be disabled in `WAZUH_HOME/etc/ossec.conf`","error":3013,"remediation":"Please, visit the official documentation (https://documentation.wazuh.com/4.7/user-manual/configuring-cluster/index.html) to get more information about how to configure a cluster","title":"Bad Request"},"date":"2024-05-28T13:18:39.124Z","level":"error","location":"wazuh-api:makeRequest"}
{"date":"2024-05-28T13:19:56.598Z","level":"error","location":"update-configuration:updateLine","message":"EACCES: permission denied, open '/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml'"}
{"date":"2024-05-28T13:19:56.598Z","level":"error","location":"update-configuration:updateConfiguration","message":"EACCES: permission denied, open '/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml'"}
{"data":{"detail":"Cluster is not running, it might be disabled in `WAZUH_HOME/etc/ossec.conf`","error":3013,"remediation":"Please, visit the official documentation (https://documentation.wazuh.com/4.7/user-manual/configuring-cluster/index.html) to get more information about how to configure a cluster","title":"Bad Request"},"date":"2024-05-29T13:11:40.929Z","level":"error","location":"wazuh-api:makeRequest"}
{"date":"2024-05-31T13:31:00.803Z","level":"error","location":"queue:delayApiRequest","message":"An error ocurred in the delayed request: \"DELETE /security/user/authenticate\": Request failed with status code 401"}
{"data":{"detail":"Cluster is not running, it might be disabled in `WAZUH_HOME/etc/ossec.conf`","error":3013,"remediation":"Please, visit the official documentation (https://documentation.wazuh.com/4.7/user-manual/configuring-cluster/index.html) to get more information about how to configure a cluster","title":"Bad Request"},"date":"2024-06-05T12:46:19.469Z","level":"error","location":"wazuh-api:makeRequest"}
{"data":{"detail":"Cluster is not running, it might be disabled in `WAZUH_HOME/etc/ossec.conf`","error":3013,"remediation":"Please, visit the official documentation (https://documentation.wazuh.com/4.7/user-manual/configuring-cluster/index.html) to get more information about how to configure a cluster","title":"Bad Request"},"date":"2024-06-05T13:34:03.202Z","level":"error","location":"wazuh-api:makeRequest"}

_cat/shards?v=true&h=index,shard,prirep,state,node,unassigned.reason&s=state

index shard prirep state node unassigned.reason
.opendistro-ism-managed-index-history-2024.05.30-000002 0 r UNASSIGNED CLUSTER_RECOVERED
wazuh-monitoring-2024.23w 0 r UNASSIGNED CLUSTER_RECOVERED
wazuh-monitoring-2024.06.08 0 r UNASSIGNED INDEX_CREATED
.opendistro-ism-managed-index-history-2024.05.31-000003 0 r UNASSIGNED CLUSTER_RECOVERED
.opendistro-ism-managed-index-history-2024.06.01-000004 0 r UNASSIGNED CLUSTER_RECOVERED
wazuh-statistics-2024.06.10 0 r UNASSIGNED INDEX_CREATED
wazuh-monitoring-2024.06.07 0 r UNASSIGNED INDEX_CREATED
.opendistro-ism-managed-index-history-2024.06.05-000008 0 r UNASSIGNED CLUSTER_RECOVERED
.opendistro-ism-managed-index-history-2024.06.10-000013 0 r UNASSIGNED INDEX_CREATED
wazuh-statistics-2024.06.08 0 r UNASSIGNED INDEX_CREATED
.opendistro-ism-managed-index-history-2024.06.04-000007 0 r UNASSIGNED CLUSTER_RECOVERED
.opendistro-ism-managed-index-history-2024.06.11-000014 0 r UNASSIGNED INDEX_CREATED
wazuh-monitoring-2024.06.11 0 r UNASSIGNED INDEX_CREATED
.opendistro-ism-managed-index-history-2024.06.02-000005 0 r UNASSIGNED CLUSTER_RECOVERED
.opendistro-ism-managed-index-history-2024.05.29-1 0 r UNASSIGNED CLUSTER_RECOVERED
.opendistro-ism-managed-index-history-2024.06.07-000010 0 r UNASSIGNED INDEX_CREATED
.opendistro-ism-managed-index-history-2024.06.09-000012 0 r UNASSIGNED INDEX_CREATED
wazuh-monitoring-2024.06.12 0 r UNASSIGNED INDEX_CREATED
wazuh-monitoring-2024.06.09 0 r UNASSIGNED INDEX_CREATED
.opendistro-ism-managed-index-history-2024.06.03-000006 0 r UNASSIGNED CLUSTER_RECOVERED
.opendistro-job-scheduler-lock 0 r UNASSIGNED CLUSTER_RECOVERED
wazuh-statistics-2024.06.06 0 r UNASSIGNED CLUSTER_RECOVERED
wazuh-statistics-2024.06.12 0 r UNASSIGNED INDEX_CREATED
.opendistro-ism-managed-index-history-2024.06.06-000009 0 r UNASSIGNED CLUSTER_RECOVERED
wazuh-statistics-2024.06.07 0 r UNASSIGNED CLUSTER_RECOVERED
wazuh-monitoring-2024.06.10 0 r UNASSIGNED INDEX_CREATED
.opendistro-ism-managed-index-history-2024.06.08-000011 0 r UNASSIGNED INDEX_CREATED
.opendistro-ism-config 0 r UNASSIGNED CLUSTER_RECOVERED
wazuh-statistics-2024.06.09 0 r UNASSIGNED INDEX_CREATED
wazuh-statistics-2024.06.11 0 r UNASSIGNED INDEX_CREATED
.opendistro-ism-managed-index-history-2024.05.30-000002 0 p STARTED wazuh.indexer
wazuh-monitoring-2024.23w 0 p STARTED wazuh.indexer
wazuh-monitoring-2024.22w 0 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.28 1 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.28 2 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.28 0 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.27 1 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.27 2 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.27 0 p STARTED wazuh.indexer
.opensearch-notifications-config 0 p STARTED wazuh.indexer
wazuh-monitoring-2024.06.08 0 p STARTED wazuh.indexer
.opendistro-ism-managed-index-history-2024.05.31-000003 0 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.23 1 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.23 2 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.23 0 p STARTED wazuh.indexer
.opendistro-ism-managed-index-history-2024.06.01-000004 0 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.25 1 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.25 2 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.25 0 p STARTED wazuh.indexer
wazuh-statistics-2024.06.10 0 p STARTED wazuh.indexer
wazuh-statistics-2024.06.05 0 p STARTED wazuh.indexer
wazuh-statistics-2024.23w 0 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.24 1 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.24 2 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.24 0 p STARTED wazuh.indexer
wazuh-monitoring-2024.06.07 0 p STARTED wazuh.indexer
wazuh-statistics-2024.20w 0 p STARTED wazuh.indexer
.opendistro-ism-managed-index-history-2024.06.05-000008 0 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.17 1 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.17 2 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.17 0 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.22 1 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.22 2 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.22 0 p STARTED wazuh.indexer
.opendistro-ism-managed-index-history-2024.06.10-000013 0 p STARTED wazuh.indexer
wazuh-statistics-2024.06.08 0 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.06.12 1 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.06.12 2 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.06.12 0 p STARTED wazuh.indexer
.opendistro-ism-managed-index-history-2024.06.04-000007 0 p STARTED wazuh.indexer
.opensearch-observability 0 p STARTED wazuh.indexer
.opendistro-ism-managed-index-history-2024.06.11-000014 0 p STARTED wazuh.indexer
wazuh-monitoring-2024.06.11 0 p STARTED wazuh.indexer
wazuh-monitoring-2024.21w 0 p STARTED wazuh.indexer
.opendistro-ism-managed-index-history-2024.06.02-000005 0 p STARTED wazuh.indexer
.opendistro-ism-managed-index-history-2024.05.29-1 0 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.20 1 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.20 2 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.20 0 p STARTED wazuh.indexer
.opendistro-ism-managed-index-history-2024.06.07-000010 0 p STARTED wazuh.indexer
.opendistro-ism-managed-index-history-2024.06.09-000012 0 p STARTED wazuh.indexer
wazuh-statistics-2024.22w 0 p STARTED wazuh.indexer
wazuh-monitoring-2024.06.12 0 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.26 1 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.26 2 p STARTED wazuh.indexer
wazuh-alerts-4.x-2024.05.26 0 p STARTED wazuh.indexer
wazuh-monitoring-2024.06.09 0 p STARTED wazuh.indexer
.opendistro-ism-managed-index-history-2024.06.03-000006 0 p STARTED wazuh.indexer
.opendistro-job-scheduler-lock 0 p STARTED wazuh.indexer
wazuh-statistics-2024.06.06 0 p STARTED wazuh.indexer
wazuh-statistics-2024.06.12 0 p STARTED wazuh.indexer
.opendistro_security 0 p STARTED wazuh.indexer
.opendistro-ism-managed-index-history-2024.06.06-000009 0 p STARTED wazuh.indexer
wazuh-statistics-2024.06.07 0 p STARTED wazuh.indexer
wazuh-statistics-2024.21w 0 p STARTED wazuh.indexer
wazuh-monitoring-2024.06.10 0 p STARTED wazuh.indexer
wazuh-monitoring-2024.06.05 0 p STARTED wazuh.indexer
.opendistro-ism-managed-index-history-2024.06.08-000011 0 p STARTED wazuh.indexer
.opendistro-ism-config 0 p STARTED wazuh.indexer
.kibana_1 0 p STARTED wazuh.indexer
wazuh-statistics-2024.06.09 0 p STARTED wazuh.indexer
wazuh-monitoring-2024.20w 0 p STARTED wazuh.indexer
wazuh-statistics-2024.06.11 0 p STARTED wazuh.indexer

_cluster/settings?flat_settings=true&include_defaults=true

{"persistent":{"plugins.index_state_management.metadata_migration.status":"1","plugins.index_state_management.template_migration.control":"-1"},"transient":{},"defaults":{"action.auto_create_index":"true","action.destructive_requires_name":"false","action.search.shard_count.limit":"9223372036854775807","bootstrap.ctrlhandler":"true","bootstrap.memory_lock":"false","bootstrap.system_call_filter":"true","cache.recycler.page.limit.heap":"10%","cache.recycler.page.type":"CONCURRENT","cache.recycler.page.weight.bytes":"1.0","cache.recycler.page.weight.ints":"1.0","cache.recycler.page.weight.longs":"1.0","cache.recycler.page.weight.objects":"0.1","client.type":"node","cluster.auto_shrink_voting_configuration":"true","cluster.blocks.create_index":"false","cluster.blocks.create_index.auto_release":"true","cluster.blocks.read_only":"false","cluster.blocks.read_only_allow_delete":"false","cluster.default_number_of_replicas":"1","cluster.election.back_off_time":"100ms","cluster.election.duration":"500ms","cluster.election.initial_timeout":"100ms","cluster.election.max_timeout":"10s","cluster.election.strategy":"default","cluster.fault_detection.follower_check.interval":"1000ms","cluster.fault_detection.follower_check.retry_count":"3","cluster.fault_detection.follower_check.timeout":"10000ms","cluster.fault_detection.leader_check.interval":"1000ms","cluster.fault_detection.leader_check.retry_count":"3","cluster.fault_detection.leader_check.timeout":"10000ms","cluster.follower_lag.timeout":"90000ms","cluster.ignore_dot_indexes":"false","cluster.indices.close.enable":"true","cluster.indices.replication.strategy":"DOCUMENT","cluster.indices.tombstones.size":"500","cluster.info.update.interval":"30s","cluster.info.update.timeout":"15s","cluster.initial_cluster_manager_nodes":[],"cluster.initial_master_nodes":[],"cluster.join.timeout":"60000ms","cluster.max_shards_per_node":"1000","cluster.max_voting_config_exclusions":"10","cluster.metadata.perf_analyzer.config.overrides":"","cluster.metadata.perf_analyzer.pa_node_stats_setting":"1","cluster.metadata.perf_analyzer.state":"0","cluster.name":"opensearch","cluster.no_cluster_manager_block":"metadata_write","cluster.no_master_block":"metadata_write","cluster.nodes.reconnect_interval":"10s","cluster.persistent_tasks.allocation.enable":"all","cluster.persistent_tasks.allocation.recheck_interval":"30s","cluster.publish.info_timeout":"10000ms","cluster.publish.timeout":"30000ms","cluster.remote.connect":"true","cluster.remote.connections_per_cluster":"3","cluster.remote.initial_connect_timeout":"30s","cluster.remote.node.attr":"","cluster.routing.allocation.allow_rebalance":"indices_all_active","cluster.routing.allocation.awareness.attributes":[],"cluster.routing.allocation.awareness.balance":"false","cluster.routing.allocation.balance.index":"0.55","cluster.routing.allocation.balance.prefer_primary":"false","cluster.routing.allocation.balance.shard":"0.45","cluster.routing.allocation.balance.threshold":"1.0","cluster.routing.allocation.cluster_concurrent_rebalance":"2","cluster.routing.allocation.cluster_concurrent_recoveries":"-1","cluster.routing.allocation.disk.include_relocations":"true","cluster.routing.allocation.disk.reroute_interval":"60s","cluster.routing.allocation.disk.threshold_enabled":"false","cluster.routing.allocation.disk.watermark.enable_for_single_data_node":"false","cluster.routing.allocation.disk.watermark.flood_stage":"95%","cluster.routing.allocation.disk.watermark.high":"90%","cluster.routing.allocation.disk.watermark.low":"85%","cluster.routing.allocation.enable":"all","cluster.routing.allocation.load_awareness.allow_unassigned_primaries":"true","cluster.routing.allocation.load_awareness.flat_skew":"2","cluster.routing.allocation.load_awareness.provisioned_capacity":"-1","cluster.routing.allocation.load_awareness.skew_factor":"50.0","cluster.routing.allocation.move.primary_first":"false","cluster.routing.allocation.node_concurrent_incoming_recoveries":"2","cluster.routing.allocation.node_concurrent_outgoing_recoveries":"2","cluster.routing.allocation.node_concurrent_recoveries":"2","cluster.routing.allocation.node_initial_primaries_recoveries":"4","cluster.routing.allocation.node_initial_replicas_recoveries":"4","cluster.routing.allocation.same_shard.host":"false","cluster.routing.allocation.shard_state.reroute.priority":"NORMAL","cluster.routing.allocation.total_shards_limit":"-1","cluster.routing.allocation.total_shards_per_node":"-1","cluster.routing.allocation.type":"balanced","cluster.routing.ignore_weighted_routing":"false","cluster.routing.rebalance.enable":"all","cluster.routing.use_adaptive_replica_selection":"true","cluster.routing.weighted.default_weight":"1.0","cluster.routing.weighted.fail_open":"true","cluster.routing.weighted.strict":"true","cluster.search.ignore_awareness_attributes":"true","cluster.service.slow_cluster_manager_task_logging_threshold":"10s","cluster.service.slow_master_task_logging_threshold":"10s","cluster.service.slow_task_logging_threshold":"30s","cluster.snapshot.info.max_concurrent_fetches":"5","cluster.task.consumers.top_n.frequency":"60s","cluster.task.consumers.top_n.size":"10","cluster_manager.throttling.retry.base.delay":"5s","cluster_manager.throttling.retry.max.delay":"30s","compatibility.override_main_response_version":"true","discovery.cluster_formation_warning_timeout":"10000ms","discovery.find_peers_interval":"1000ms","discovery.find_peers_interval_during_decommission":"120s","discovery.initial_state_timeout":"30s","discovery.probe.connect_timeout":"3000ms","discovery.probe.handshake_timeout":"1000ms","discovery.request_peers_timeout":"3000ms","discovery.seed_hosts":[],"discovery.seed_providers":[],"discovery.seed_resolver.max_concurrent_resolvers":"10","discovery.seed_resolver.timeout":"5s","discovery.type":"single-node","discovery.unconfigured_bootstrap_timeout":"3s","discovery.zen.hosts_provider":[],"discovery.zen.ping.unicast.concurrent_connects":"10","discovery.zen.ping.unicast.hosts":[],"discovery.zen.ping.unicast.hosts.resolve_timeout":"5s","gateway.auto_import_dangling_indices":"false","gateway.expected_data_nodes":"-1","gateway.expected_master_nodes":"-1","gateway.expected_nodes":"-1","gateway.recover_after_data_nodes":"-1","gateway.recover_after_master_nodes":"0","gateway.recover_after_nodes":"-1","gateway.recover_after_time":"0ms","gateway.slow_write_logging_threshold":"10s","gateway.write_dangling_indices_info":"true","http.bind_host":[],"http.compression":"false","http.compression_level":"3","http.content_type.required":"true","http.cors.allow-credentials":"false","http.cors.allow-headers":"X-Requested-With,Content-Type,Content-Length","http.cors.allow-methods":"OPTIONS,HEAD,GET,POST,PUT,DELETE","http.cors.allow-origin":"","http.cors.enabled":"false","http.cors.max-age":"1728000","http.detailed_errors.enabled":"true","http.host":[],"http.max_chunk_size":"8kb","http.max_content_length":"100mb","http.max_header_size":"8kb","http.max_initial_line_length":"4kb","http.max_warning_header_count":"-1","http.max_warning_header_size":"-1b","http.netty.max_composite_buffer_components":"69905","http.netty.receive_predictor_size":"64kb","http.netty.worker_count":"0","http.pipelining.max_events":"10000","http.port":"9200-9299","http.publish_host":[],"http.publish_port":"-1","http.read_timeout":"0ms","http.reset_cookies":"false","http.tcp.keep_alive":"true","http.tcp.keep_count":"-1","http.tcp.keep_idle":"-1","http.tcp.keep_interval":"-1","http.tcp.no_delay":"true","http.tcp.receive_buffer_size":"-1b","http.tcp.reuse_address":"true","http.tcp.send_buffer_size":"-1b","http.tcp_no_delay":"true","http.tracer.exclude":[],"http.tracer.include":[],"http.type":"org.opensearch.security.http.SecurityHttpServerTransport","http.type.default":"netty4","index.codec":"default","index.recovery.type":"","index.store.fs.fs_lock":"native","index.store.hybrid.mmap.extensions":["nvd","dvd","tim","tip","dim","kdd","kdi","cfs","doc","vec","vex"],"index.store.preload":[],"index.store.type":"","indexing_pressure.memory.limit":"10%","indices.analysis.hunspell.dictionary.ignore_case":"false","indices.analysis.hunspell.dictionary.lazy":"false","indices.breaker.fielddata.limit":"40%","indices.breaker.fielddata.overhead":"1.03","indices.breaker.fielddata.type":"memory","indices.breaker.request.limit":"60%","indices.breaker.request.overhead":"1.0","indices.breaker.request.type":"memory","indices.breaker.total.limit":"95%","indices.breaker.total.use_real_memory":"true","indices.breaker.type":"hierarchy","indices.cache.cleanup_interval":"1m","indices.fielddata.cache.size":"-1b","indices.id_field_data.enabled":"true","indices.mapping.dynamic_timeout":"30s","indices.mapping.max_in_flight_updates":"10","indices.memory.index_buffer_size":"10%","indices.memory.interval":"5s","indices.memory.max_index_buffer_size":"-1","indices.memory.min_index_buffer_size":"48mb","indices.memory.shard_inactive_time":"5m","indices.queries.cache.all_segments":"false","indices.queries.cache.count":"10000","indices.queries.cache.size":"10%","indices.query.bool.max_clause_count":"1024","indices.query.query_string.allowLeadingWildcard":"true","indices.query.query_string.analyze_wildcard":"false","indices.recovery.internal_action_long_timeout":"1800000ms","indices.recovery.internal_action_timeout":"15m","indices.recovery.max_bytes_per_sec":"40mb","indices.recovery.max_concurrent_file_chunks":"2","indices.recovery.max_concurrent_operations":"1","indices.recovery.recovery_activity_timeout":"1800000ms","indices.recovery.retry_delay_network":"5s","indices.recovery.retry_delay_state_sync":"500ms","indices.replication.initial_retry_backoff_bound":"50ms","indices.replication.retry_timeout":"60s","indices.requests.cache.expire":"0ms","indices.requests.cache.size":"1%","indices.store.delete.shard.timeout":"30s","ingest.geoip.cache_size":"1000","ingest.grok.watchdog.interval":"1s","ingest.grok.watchdog.max_execution_time":"1s","ingest.user_agent.cache_size":"1000","knn.algo_param.index_thread_qty":"1","knn.cache.item.expiry.enabled":"false","knn.cache.item.expiry.minutes":"3h","knn.circuit_breaker.triggered":"false","knn.circuit_breaker.unset.percentage":"75.0","knn.memory.circuit_breaker.enabled":"true","knn.memory.circuit_breaker.limit":"50%","knn.model.cache.size.limit":"10%","knn.model.index.number_of_replicas":"1","knn.model.index.number_of_shards":"1","knn.plugin.enabled":"true","knn.queue_size":"1","knn.size":"1","logger.level":"INFO","monitor.fs.health.enabled":"true","monitor.fs.health.healthy_timeout_threshold":"60s","monitor.fs.health.refresh_interval":"60s","monitor.fs.health.slow_path_logging_threshold":"5s","monitor.fs.refresh_interval":"1s","monitor.jvm.gc.enabled":"true","monitor.jvm.gc.overhead.debug":"10","monitor.jvm.gc.overhead.info":"25","monitor.jvm.gc.overhead.warn":"50","monitor.jvm.gc.refresh_interval":"1s","monitor.jvm.refresh_interval":"1s","monitor.os.refresh_interval":"1s","monitor.process.refresh_interval":"1s","network.bind_host":["0.0.0.0"],"network.breaker.inflight_requests.limit":"100%","network.breaker.inflight_requests.overhead":"2.0","network.host":["0.0.0.0"],"network.publish_host":["0.0.0.0"],"network.server":"true","network.tcp.connect_timeout":"30s","network.tcp.keep_alive":"true","network.tcp.keep_count":"-1","network.tcp.keep_idle":"-1","network.tcp.keep_interval":"-1","network.tcp.no_delay":"true","network.tcp.receive_buffer_size":"-1b","network.tcp.reuse_address":"true","network.tcp.send_buffer_size":"-1b","node.attr.shard_indexing_pressure_enabled":"true","node.data":"true","node.enable_lucene_segment_infos_trace":"false","node.id.seed":"0","node.ingest":"true","node.local_storage":"true","node.master":"true","node.max_local_storage_nodes":"1","node.name":"wazuh.indexer","node.pidfile":"","node.portsfile":"false","node.processors":"4","node.remote_cluster_client":"true","node.roles":["ingest","remote_cluster_client","data","cluster_manager"],"node.search.cache.size":"0b","node.store.allow_mmap":"true","null.queue_size":"1000","null.size":"4","opendistro.alerting.action_throttle_max_value":"24h","opendistro.alerting.alert_backoff_count":"2","opendistro.alerting.alert_backoff_millis":"50ms","opendistro.alerting.alert_history_enabled":"true","opendistro.alerting.alert_history_max_age":"30d","opendistro.alerting.alert_history_max_docs":"1000","opendistro.alerting.alert_history_retention_period":"60d","opendistro.alerting.alert_history_rollover_period":"12h","opendistro.alerting.bulk_timeout":"120s","opendistro.alerting.destination.allow_list":["chime","slack","custom_webhook","email","test_action"],"opendistro.alerting.filter_by_backend_roles":"false","opendistro.alerting.index_timeout":"60s","opendistro.alerting.input_timeout":"30s","opendistro.alerting.monitor.max_monitors":"1000","opendistro.alerting.move_alerts_backoff_count":"3","opendistro.alerting.move_alerts_backoff_millis":"250ms","opendistro.alerting.request_timeout":"10s","opendistro.anomaly_detection.ad_result_history_max_docs":"250000000","opendistro.anomaly_detection.ad_result_history_retention_period":"30d","opendistro.anomaly_detection.ad_result_history_rollover_period":"12h","opendistro.anomaly_detection.backoff_initial_delay":"1000ms","opendistro.anomaly_detection.backoff_minutes":"15m","opendistro.anomaly_detection.batch_task_piece_interval_seconds":"5","opendistro.anomaly_detection.batch_task_piece_size":"1000","opendistro.anomaly_detection.breaker.enabled":"true","opendistro.anomaly_detection.cooldown_minutes":"5m","opendistro.anomaly_detection.detection_interval":"10m","opendistro.anomaly_detection.detection_window_delay":"0m","opendistro.anomaly_detection.enabled":"true","opendistro.anomaly_detection.filter_by_backend_roles":"false","opendistro.anomaly_detection.index_pressure_soft_limit":"0.8","opendistro.anomaly_detection.max_anomaly_detectors":"1000","opendistro.anomaly_detection.max_anomaly_features":"5","opendistro.anomaly_detection.max_batch_task_per_node":"10","opendistro.anomaly_detection.max_cache_miss_handling_per_second":"100","opendistro.anomaly_detection.max_entities_for_preview":"30","opendistro.anomaly_detection.max_entities_per_query":"1000","opendistro.anomaly_detection.max_multi_entity_anomaly_detectors":"10","opendistro.anomaly_detection.max_old_ad_task_docs_per_detector":"1","opendistro.anomaly_detection.max_primary_shards":"10","opendistro.anomaly_detection.max_retry_for_backoff":"3","opendistro.anomaly_detection.max_retry_for_unresponsive_node":"5","opendistro.anomaly_detection.model_max_size_percent":"0.1","opendistro.anomaly_detection.request_timeout":"10s","opendistro.asynchronous_search.active.context.reaper_interval":"5m","opendistro.asynchronous_search.expired.persisted_response.cleanup_interval":"30m","opendistro.asynchronous_search.max_keep_alive":"5d","opendistro.asynchronous_search.max_search_running_time":"12h","opendistro.asynchronous_search.max_wait_for_completion_timeout":"1m","opendistro.asynchronous_search.node_concurrent_running_searches":"20","opendistro.asynchronous_search.persist_search_failures":"false","opendistro.destination.host.deny_list":[],"opendistro.index_state_management.allow_list":["alias","allocation","close","delete","force_merge","index_priority","notification","open","read_only","read_write","replica_count","rollup","rollover","shrink","snapshot"],"opendistro.index_state_management.coordinator.backoff_count":"2","opendistro.index_state_management.coordinator.backoff_millis":"50ms","opendistro.index_state_management.coordinator.sweep_period":"10m","opendistro.index_state_management.enabled":"true","opendistro.index_state_management.history.enabled":"true","opendistro.index_state_management.history.max_age":"24h","opendistro.index_state_management.history.max_docs":"2500000","opendistro.index_state_management.history.number_of_replicas":"1","opendistro.index_state_management.history.number_of_shards":"1","opendistro.index_state_management.history.rollover_check_period":"8h","opendistro.index_state_management.history.rollover_retention_period":"30d","opendistro.index_state_management.job_interval":"5","opendistro.index_state_management.metadata_migration.status":"0","opendistro.index_state_management.metadata_service.enabled":"true","opendistro.index_state_management.restricted_index_pattern":"\\.opendistro_security|\\.kibana.*|\\.opendistro-ism-config","opendistro.index_state_management.snapshot.deny_list":[],"opendistro.index_state_management.template_migration.control":"0","opendistro.jobscheduler.jitter_limit":"0.6","opendistro.jobscheduler.request_timeout":"10s","opendistro.jobscheduler.retry_count":"3","opendistro.jobscheduler.sweeper.backoff_millis":"50ms","opendistro.jobscheduler.sweeper.page_size":"100","opendistro.jobscheduler.sweeper.period":"5m","opendistro.jobscheduler.threadpool.queue_size":"200","opendistro.jobscheduler.threadpool.size":"4","opendistro.ppl.enabled":"true","opendistro.ppl.query.memory_limit":"85%","opendistro.query.size_limit":"200","opendistro.rollup.dashboards.enabled":"true","opendistro.rollup.enabled":"true","opendistro.rollup.ingest.backoff_count":"5","opendistro.rollup.ingest.backoff_millis":"1000ms","opendistro.rollup.search.backoff_count":"5","opendistro.rollup.search.backoff_millis":"1000ms","opendistro.rollup.search.enabled":"true","opendistro.scheduled_jobs.enabled":"true","opendistro.scheduled_jobs.request_timeout":"10s","opendistro.scheduled_jobs.retry_count":"3","opendistro.scheduled_jobs.sweeper.backoff_millis":"50ms","opendistro.scheduled_jobs.sweeper.page_size":"100","opendistro.scheduled_jobs.sweeper.period":"5m","opendistro.sql.cursor.enabled":"true","opendistro.sql.cursor.fetch_size":"1000","opendistro.sql.cursor.keep_alive":"1m","opendistro.sql.enabled":"true","opendistro.sql.engine.new.enabled":"true","opendistro.sql.metrics.rollinginterval":"60","opendistro.sql.metrics.rollingwindow":"3600","opendistro.sql.query.analysis.enabled":"false","opendistro.sql.query.analysis.semantic.suggestion":"false","opendistro.sql.query.analysis.semantic.threshold":"200","opendistro.sql.query.response.format":"jdbc","opendistro.sql.query.slowlog":"2","opendistro_security_config.ssl_dual_mode_enabled":"false","opensearch.ad.ad-batch-task-threadpool.core":"1","opensearch.ad.ad-batch-task-threadpool.keep_alive":"10m","opensearch.ad.ad-batch-task-threadpool.max":"1","opensearch.ad.ad-threadpool.core":"1","opensearch.ad.ad-threadpool.keep_alive":"10m","opensearch.ad.ad-threadpool.max":"2","opensearch.experimental.feature.concurrent_segment_search.enabled":"false","opensearch.experimental.feature.extensions.enabled":"false","opensearch.experimental.feature.identity.enabled":"false","opensearch.experimental.feature.remote_store.enabled":"false","opensearch.experimental.feature.search_pipeline.enabled":"false","opensearch.experimental.feature.segment_replication_experimental.enabled":"false","opensearch.notifications.core.allowed_config_types":["slack","chime","webhook","email","sns","ses_account","smtp_account","email_group"],"opensearch.notifications.core.email.minimum_header_length":"160","opensearch.notifications.core.email.size_limit":"10000000","opensearch.notifications.core.http.connection_timeout":"5000","opensearch.notifications.core.http.host_deny_list":[],"opensearch.notifications.core.http.max_connection_per_route":"20","opensearch.notifications.core.http.max_connections":"60","opensearch.notifications.core.http.socket_timeout":"50000","opensearch.notifications.core.tooltip_support":"true","opensearch.notifications.general.default_items_query_count":"100","opensearch.notifications.general.filter_by_backend_roles":"false","opensearch.notifications.general.operation_timeout_ms":"60000","opensearch.observability.access.adminAccess":"AllObservabilityObjects","opensearch.observability.access.filterBy":"NoFilter","opensearch.observability.access.ignoreRoles":["own_index","opensearch_dashboards_user","notebooks_full_access","notebooks_read_access"],"opensearch.observability.general.defaultItemsQueryCount":"1000","opensearch.observability.general.operationTimeoutMs":"60000","opensearch.observability.polling.jobLockDurationSeconds":"300","opensearch.observability.polling.maxLockRetries":"4","opensearch.observability.polling.maxPollingDurationSeconds":"900","opensearch.observability.polling.minPollingDurationSeconds":"300","opensearch.reports.general.defaultItemsQueryCount":"100","opensearch.reports.general.operationTimeoutMs":"60000","opensearch_dashboards.system_indices":[".opensearch_dashboards",".opensearch_dashboards_*",".reporting-*",".apm-agent-configuration",".apm-custom-link"],"path.data":["/var/lib/wazuh-indexer"],"path.home":"/usr/share/wazuh-indexer","path.logs":"/var/log/wazuh-indexer","path.repo":[],"path.shared_data":"","pidfile":"","plugin.mandatory":[],"plugins.alerting.action_throttle_max_value":"24h","plugins.alerting.alert_backoff_count":"2","plugins.alerting.alert_backoff_millis":"50ms","plugins.alerting.alert_finding_enabled":"true","plugins.alerting.alert_finding_max_docs":"1000","plugins.alerting.alert_finding_rollover_period":"12h","plugins.alerting.alert_history_enabled":"true","plugins.alerting.alert_history_max_age":"30d","plugins.alerting.alert_history_max_docs":"1000","plugins.alerting.alert_history_retention_period":"60d","plugins.alerting.alert_history_rollover_period":"12h","plugins.alerting.bulk_timeout":"120s","plugins.alerting.destination.allow_list":["chime","slack","custom_webhook","email","test_action"],"plugins.alerting.filter_by_backend_roles":"false","plugins.alerting.finding_history_max_age":"30d","plugins.alerting.finding_history_retention_period":"60d","plugins.alerting.index_timeout":"60s","plugins.alerting.input_timeout":"30s","plugins.alerting.max_actionable_alert_count":"50","plugins.alerting.monitor.max_monitors":"1000","plugins.alerting.move_alerts_backoff_count":"3","plugins.alerting.move_alerts_backoff_millis":"250ms","plugins.alerting.request_timeout":"10s","plugins.anomaly_detection.ad_result_history_max_docs_per_shard":"1350000000","plugins.anomaly_detection.ad_result_history_retention_period":"30d","plugins.anomaly_detection.ad_result_history_rollover_period":"12h","plugins.anomaly_detection.backoff_initial_delay":"1000ms","plugins.anomaly_detection.backoff_minutes":"15m","plugins.anomaly_detection.batch_task_piece_interval_seconds":"5","plugins.anomaly_detection.batch_task_piece_size":"1000","plugins.anomaly_detection.breaker.enabled":"true","plugins.anomaly_detection.category_field_limit":"2","plugins.anomaly_detection.checkpoint_maintain_queue_max_heap_percent":"0.001","plugins.anomaly_detection.checkpoint_read_queue_batch_size":"25","plugins.anomaly_detection.checkpoint_read_queue_concurrency":"1","plugins.anomaly_detection.checkpoint_read_queue_max_heap_percent":"0.001","plugins.anomaly_detection.checkpoint_saving_freq":"12h","plugins.anomaly_detection.checkpoint_ttl":"7d","plugins.anomaly_detection.checkpoint_write_queue_batch_size":"25","plugins.anomaly_detection.checkpoint_write_queue_concurrency":"2","plugins.anomaly_detection.checkpoint_write_queue_max_heap_percent":"0.01","plugins.anomaly_detection.cold_entity_queue_max_heap_percent":"0.001","plugins.anomaly_detection.cooldown_minutes":"5m","plugins.anomaly_detection.dedicated_cache_size":"10","plugins.anomaly_detection.delete_anomaly_result_when_delete_detector":"false","plugins.anomaly_detection.detection_interval":"10m","plugins.anomaly_detection.detection_window_delay":"0m","plugins.anomaly_detection.door_keeper_in_cache.enabled":"false","plugins.anomaly_detection.enabled":"true","plugins.anomaly_detection.entity_cold_start_queue_concurrency":"1","plugins.anomaly_detection.entity_cold_start_queue_max_heap_percent":"0.001","plugins.anomaly_detection.expected_checkpoint_maintain_time_in_millisecs":"1000","plugins.anomaly_detection.expected_cold_entity_execution_time_in_millisecs":"3000","plugins.anomaly_detection.filter_by_backend_roles":"false","plugins.anomaly_detection.hcad_cold_start_interpolation.enabled":"false","plugins.anomaly_detection.index_pressure_hard_limit":"0.9","plugins.anomaly_detection.index_pressure_soft_limit":"0.6","plugins.anomaly_detection.max_anomaly_detectors":"1000","plugins.anomaly_detection.max_anomaly_features":"5","plugins.anomaly_detection.max_batch_task_per_node":"10","plugins.anomaly_detection.max_cached_deleted_tasks":"1000","plugins.anomaly_detection.max_concurrent_preview":"2","plugins.anomaly_detection.max_entities_for_preview":"5","plugins.anomaly_detection.max_entities_per_query":"1000000","plugins.anomaly_detection.max_model_size_per_node":"100","plugins.anomaly_detection.max_multi_entity_anomaly_detectors":"10","plugins.anomaly_detection.max_old_ad_task_docs_per_detector":"1","plugins.anomaly_detection.max_primary_shards":"10","plugins.anomaly_detection.max_retry_for_backoff":"3","plugins.anomaly_detection.max_retry_for_unresponsive_node":"5","plugins.anomaly_detection.max_running_entities_per_detector_for_historical_analysis":"10","plugins.anomaly_detection.max_top_entities_for_historical_analysis":"1000","plugins.anomaly_detection.model_max_size_percent":"0.1","plugins.anomaly_detection.page_size":"1000","plugins.anomaly_detection.request_timeout":"10s","plugins.anomaly_detection.result_write_queue_batch_size":"5000","plugins.anomaly_detection.result_write_queue_concurrency":"2","plugins.anomaly_detection.result_write_queue_max_heap_percent":"0.01","plugins.asynchronous_search.active.context.reaper_interval":"5m","plugins.asynchronous_search.expired.persisted_response.cleanup_interval":"30m","plugins.asynchronous_search.max_keep_alive":"5d","plugins.asynchronous_search.max_search_running_time":"12h","plugins.asynchronous_search.max_wait_for_completion_timeout":"1m","plugins.asynchronous_search.node_concurrent_running_searches":"20","plugins.asynchronous_search.persist_search_failures":"false","plugins.destination.host.deny_list":[],"plugins.index_management.filter_by_backend_roles":"false","plugins.index_state_management.action_validation.enabled":"false","plugins.index_state_management.allow_list":["alias","allocation","close","delete","force_merge","index_priority","notification","open","read_only","read_write","replica_count","rollup","rollover","shrink","snapshot"],"plugins.index_state_management.coordinator.backoff_count":"2","plugins.index_state_management.coordinator.backoff_millis":"50ms","plugins.index_state_management.coordinator.sweep_period":"10m","plugins.index_state_management.coordinator.sweep_skip_period":"5m","plugins.index_state_management.enabled":"true","plugins.index_state_management.history.enabled":"true","plugins.index_state_management.history.max_age":"24h","plugins.index_state_management.history.max_docs":"2500000","plugins.index_state_management.history.number_of_replicas":"1","plugins.index_state_management.history.number_of_shards":"1","plugins.index_state_management.history.rollover_check_period":"8h","plugins.index_state_management.history.rollover_retention_period":"30d","plugins.index_state_management.jitter":"0.6","plugins.index_state_management.job_interval":"5","plugins.index_state_management.metadata_service.enabled":"true","plugins.index_state_management.restricted_index_pattern":"\\.opendistro_security|\\.kibana.*|\\.opendistro-ism-config","plugins.index_state_management.snapshot.deny_list":[],"plugins.jobscheduler.jitter_limit":"0.6","plugins.jobscheduler.request_timeout":"10s","plugins.jobscheduler.retry_count":"3","plugins.jobscheduler.sweeper.backoff_millis":"50ms","plugins.jobscheduler.sweeper.page_size":"100","plugins.jobscheduler.sweeper.period":"5m","plugins.ml_commons.allow_custom_deployment_plan":"false","plugins.ml_commons.allow_registering_model_via_local_file":"false","plugins.ml_commons.allow_registering_model_via_url":"false","plugins.ml_commons.enable_inhouse_python_model":"false","plugins.ml_commons.exclude_nodes._name":"","plugins.ml_commons.max_deploy_model_tasks_per_node":"10","plugins.ml_commons.max_ml_task_per_node":"10","plugins.ml_commons.max_model_on_node":"10","plugins.ml_commons.max_register_model_tasks_per_node":"10","plugins.ml_commons.ml_task_timeout_in_seconds":"600","plugins.ml_commons.model_access_control_enabled":"false","plugins.ml_commons.model_auto_redeploy.enable":"false","plugins.ml_commons.model_auto_redeploy.lifetime_retry_times":"3","plugins.ml_commons.monitoring_request_count":"100","plugins.ml_commons.native_memory_threshold":"90","plugins.ml_commons.only_run_on_ml_node":"true","plugins.ml_commons.sync_up_job_interval_in_seconds":"3","plugins.ml_commons.task_dispatch_policy":"round_robin","plugins.ml_commons.trusted_url_regex":"^(https?|ftp|file)://[-a-zA-Z0-9+&@#/%?=~_|!:,.;]*[-a-zA-Z0-9+&@#/%=~_|]","plugins.ppl.enabled":"true","plugins.query.datasources.encryption.masterkey":"0000000000000000","plugins.query.memory_limit":"85%","plugins.query.metrics.rolling_interval":"60","plugins.query.metrics.rolling_window":"3600","plugins.query.size_limit":"200","plugins.replication.autofollow.concurrent_replication_jobs_trigger_size":"3","plugins.replication.autofollow.fetch_poll_interval":"30s","plugins.replication.autofollow.retry_poll_interval":"1h","plugins.replication.follower.block.start":"false","plugins.replication.follower.concurrent_readers_per_shard":"2","plugins.replication.follower.index.ops_batch_size":"50000","plugins.replication.follower.index.recovery.chunk_size":"10mb","plugins.replication.follower.index.recovery.max_concurrent_file_chunks":"5","plugins.replication.follower.metadata_sync_interval":"60s","plugins.replication.follower.poll_interval":"50ms","plugins.replication.follower.retention_lease_max_failure_duration":"1h","plugins.replication.leader.thread_pool.queue_size":"1000","plugins.replication.leader.thread_pool.size":"0","plugins.rollup.dashboards.enabled":"true","plugins.rollup.enabled":"true","plugins.rollup.ingest.backoff_count":"5","plugins.rollup.ingest.backoff_millis":"1000ms","plugins.rollup.search.backoff_count":"5","plugins.rollup.search.backoff_millis":"1000ms","plugins.rollup.search.enabled":"true","plugins.rollup.search.search_all_jobs":"false","plugins.scheduled_jobs.enabled":"true","plugins.scheduled_jobs.request_timeout":"10s","plugins.scheduled_jobs.retry_count":"3","plugins.scheduled_jobs.sweeper.backoff_millis":"50ms","plugins.scheduled_jobs.sweeper.page_size":"100","plugins.scheduled_jobs.sweeper.period":"5m","plugins.security_analytics.action_throttle_max_value":"24h","plugins.security_analytics.alert_finding_enabled":"true","plugins.security_analytics.alert_finding_max_docs":"1000","plugins.security_analytics.alert_finding_rollover_period":"12h","plugins.security_analytics.alert_history_enabled":"true","plugins.security_analytics.alert_history_max_age":"30d","plugins.security_analytics.alert_history_max_docs":"1000","plugins.security_analytics.alert_history_retention_period":"60d","plugins.security_analytics.alert_history_rollover_period":"12h","plugins.security_analytics.correlation_time_window":"5m","plugins.security_analytics.filter_by_backend_roles":"false","plugins.security_analytics.finding_history_max_age":"30d","plugins.security_analytics.finding_history_retention_period":"60d","plugins.security_analytics.index_timeout":"60s","plugins.security_analytics.request_timeout":"10s","plugins.security_config.ssl_dual_mode_enabled":"false","plugins.snapshot_management.filter_by_backend_roles":"false","plugins.sql.cursor.keep_alive":"1m","plugins.sql.delete.enabled":"false","plugins.sql.enabled":"true","plugins.sql.slowlog":"2","plugins.transform.circuit_breaker.enabled":"true","plugins.transform.circuit_breaker.jvm.threshold":"85","plugins.transform.internal.index.backoff_count":"5","plugins.transform.internal.index.backoff_millis":"1000ms","plugins.transform.internal.search.backoff_count":"5","plugins.transform.internal.search.backoff_millis":"1000ms","point_in_time.init.keep_alive":"30s","point_in_time.max_keep_alive":"24h","processors":"4","reindex.remote.allowlist":[],"reindex.remote.whitelist":[],"remote_store.segment.pressure.bytes_lag.variance_factor":"10.0","remote_store.segment.pressure.consecutive_failures.limit":"5","remote_store.segment.pressure.enabled":"false","remote_store.segment.pressure.time_lag.variance_factor":"10.0","remote_store.segment.pressure.upload_bytes_moving_average_window_size":"20","remote_store.segment.pressure.upload_bytes_per_sec_moving_average_window_size":"20","remote_store.segment.pressure.upload_time_moving_average_window_size":"20","replication_follower.core":"1","replication_follower.keep_alive":"1m","replication_follower.max":"10","replication_leader.queue_size":"1000","replication_leader.size":"7","repositories.fs.chunk_size":"9223372036854775807b","repositories.fs.compress":"false","repositories.fs.location":"","repositories.url.allowed_urls":[],"repositories.url.supported_protocols":["http","https","ftp","file","jar"],"repositories.url.url":"http:","resource.reload.enabled":"true","resource.reload.interval.high":"5s","resource.reload.interval.low":"60s","resource.reload.interval.medium":"30s","rest.action.multi.allow_explicit_index":"true","script.allowed_contexts":[],"script.allowed_types":[],"script.cache.expire":"0ms","script.cache.max_size":"100","script.disable_max_compilations_rate":"false","script.max_compilations_rate":"use-context","script.max_size_in_bytes":"65535","script.painless.regex.enabled":"limited","script.painless.regex.limit-factor":"6","search.allow_expensive_queries":"true","search.cancel_after_time_interval":"-1","search.default_allow_partial_results":"true","search.default_keep_alive":"5m","search.default_search_timeout":"-1","search.highlight.term_vector_multi_value":"true","search.keep_alive_interval":"1m","search.low_level_cancellation":"true","search.max_buckets":"65535","search.max_keep_alive":"24h","search.max_open_pit_context":"300","search.max_open_scroll_context":"500","search_backpressure.cancellation_burst":"10.0","search_backpressure.cancellation_rate":"0.003","search_backpressure.cancellation_ratio":"0.1","search_backpressure.mode":"monitor_only","search_backpressure.node_duress.cpu_threshold":"0.9","search_backpressure.node_duress.heap_threshold":"0.7","search_backpressure.node_duress.num_successive_breaches":"3","search_backpressure.search_shard_task.cancellation_burst":"10.0","search_backpressure.search_shard_task.cancellation_rate":"0.003","search_backpressure.search_shard_task.cancellation_ratio":"0.1","search_backpressure.search_shard_task.cpu_time_millis_threshold":"15000","search_backpressure.search_shard_task.elapsed_time_millis_threshold":"30000","search_backpressure.search_shard_task.heap_moving_average_window_size":"100","search_backpressure.search_shard_task.heap_percent_threshold":"0.005","search_backpressure.search_shard_task.heap_variance":"2.0","search_backpressure.search_shard_task.total_heap_percent_threshold":"0.05","search_backpressure.search_task.cancellation_burst":"5.0","search_backpressure.search_task.cancellation_rate":"0.003","search_backpressure.search_task.cancellation_ratio":"0.1","search_backpressure.search_task.cpu_time_millis_threshold":"30000","search_backpressure.search_task.elapsed_time_millis_threshold":"45000","search_backpressure.search_task.heap_moving_average_window_size":"100","search_backpressure.search_task.heap_percent_threshold":"0.02","search_backpressure.search_task.heap_variance":"2.0","search_backpressure.search_task.total_heap_percent_threshold":"0.05","security.manager.filter_bad_defaults":"true","segrep.pressure.checkpoint.limit":"4","segrep.pressure.enabled":"false","segrep.pressure.replica.stale.limit":"0.5","segrep.pressure.time.limit":"5m","shard_indexing_pressure.cache_store.max_size":"200","shard_indexing_pressure.enabled":"false","shard_indexing_pressure.enforced":"false","shard_indexing_pressure.operating_factor.lower":"0.75","shard_indexing_pressure.operating_factor.optimal":"0.85","shard_indexing_pressure.operating_factor.upper":"0.95","shard_indexing_pressure.primary_parameter.node.soft_limit":"0.7","shard_indexing_pressure.primary_parameter.shard.min_limit":"0.001","shard_indexing_pressure.secondary_parameter.successful_request.elapsed_timeout":"300000ms","shard_indexing_pressure.secondary_parameter.successful_request.max_outstanding_requests":"100","shard_indexing_pressure.secondary_parameter.throughput.degradation_factor":"5.0","shard_indexing_pressure.secondary_parameter.throughput.request_size_window":"2000","snapshot.max_concurrent_operations":"1000","task_resource_consumers.enabled":"false","task_resource_tracking.enabled":"true","thread_pool.analyze.queue_size":"16","thread_pool.analyze.size":"1","thread_pool.estimated_time_interval":"200ms","thread_pool.fetch_shard_started.core":"1","thread_pool.fetch_shard_started.keep_alive":"5m","thread_pool.fetch_shard_started.max":"8","thread_pool.fetch_shard_store.core":"1","thread_pool.fetch_shard_store.keep_alive":"5m","thread_pool.fetch_shard_store.max":"8","thread_pool.flush.core":"1","thread_pool.flush.keep_alive":"5m","thread_pool.flush.max":"2","thread_pool.force_merge.queue_size":"-1","thread_pool.force_merge.size":"1","thread_pool.generic.core":"4","thread_pool.generic.keep_alive":"30s","thread_pool.generic.max":"128","thread_pool.get.queue_size":"1000","thread_pool.get.size":"4","thread_pool.listener.queue_size":"-1","thread_pool.listener.size":"2","thread_pool.management.core":"1","thread_pool.management.keep_alive":"5m","thread_pool.management.max":"5","thread_pool.ml_commons.opensearch_ml_deploy.queue_size":"10","thread_pool.ml_commons.opensearch_ml_deploy.size":"4","thread_pool.ml_commons.opensearch_ml_execute.queue_size":"10","thread_pool.ml_commons.opensearch_ml_execute.size":"3","thread_pool.ml_commons.opensearch_ml_general.queue_size":"100","thread_pool.ml_commons.opensearch_ml_general.size":"3","thread_pool.ml_commons.opensearch_ml_predict.queue_size":"10000","thread_pool.ml_commons.opensearch_ml_predict.size":"8","thread_pool.ml_commons.opensearch_ml_register.queue_size":"10","thread_pool.ml_commons.opensearch_ml_register.size":"4","thread_pool.ml_commons.opensearch_ml_train.queue_size":"10","thread_pool.ml_commons.opensearch_ml_train.size":"3","thread_pool.opensearch_asynchronous_search_generic.core":"1","thread_pool.opensearch_asynchronous_search_generic.keep_alive":"30m","thread_pool.opensearch_asynchronous_search_generic.max":"8","thread_pool.refresh.core":"1","thread_pool.refresh.keep_alive":"5m","thread_pool.refresh.max":"2","thread_pool.remote_purge.core":"1","thread_pool.remote_purge.keep_alive":"5m","thread_pool.remote_purge.max":"2","thread_pool.remote_refresh.core":"1","thread_pool.remote_refresh.keep_alive":"5m","thread_pool.remote_refresh.max":"2","thread_pool.search.auto_queue_frame_size":"2000","thread_pool.search.max_queue_size":"1000","thread_pool.search.min_queue_size":"1000","thread_pool.search.queue_size":"1000","thread_pool.search.size":"7","thread_pool.search.target_response_time":"1s","thread_pool.search_throttled.auto_queue_frame_size":"200","thread_pool.search_throttled.max_queue_size":"100","thread_pool.search_throttled.min_queue_size":"100","thread_pool.search_throttled.queue_size":"100","thread_pool.search_throttled.size":"1","thread_pool.search_throttled.target_response_time":"1s","thread_pool.snapshot.core":"1","thread_pool.snapshot.keep_alive":"5m","thread_pool.snapshot.max":"2","thread_pool.system_read.queue_size":"2000","thread_pool.system_read.size":"2","thread_pool.system_write.queue_size":"1000","thread_pool.system_write.size":"2","thread_pool.translog_sync.queue_size":"10000","thread_pool.translog_sync.size":"16","thread_pool.translog_transfer.core":"1","thread_pool.translog_transfer.keep_alive":"5m","thread_pool.translog_transfer.max":"2","thread_pool.warmer.core":"1","thread_pool.warmer.keep_alive":"5m","thread_pool.warmer.max":"2","thread_pool.write.queue_size":"10000","thread_pool.write.size":"4","transport.bind_host":[],"transport.compress":"false","transport.connect_timeout":"30s","transport.connections_per_node.bulk":"3","transport.connections_per_node.ping":"1","transport.connections_per_node.recovery":"2","transport.connections_per_node.reg":"6","transport.connections_per_node.state":"1","transport.host":[],"transport.netty.boss_count":"1","transport.netty.receive_predictor_max":"64kb","transport.netty.receive_predictor_min":"64kb","transport.netty.receive_predictor_size":"64kb","transport.netty.worker_count":"4","transport.ping_schedule":"-1","transport.port":"9300-9400","transport.publish_host":[],"transport.publish_port":"-1","transport.slow_operation_logging_threshold":"5s","transport.tcp.compress":"false","transport.tcp.connect_timeout":"30s","transport.tcp.keep_alive":"true","transport.tcp.keep_count":"-1","transport.tcp.keep_idle":"-1","transport.tcp.keep_interval":"-1","transport.tcp.no_delay":"true","transport.tcp.port":"9300-9399","transport.tcp.receive_buffer_size":"-1b","transport.tcp.reuse_address":"true","transport.tcp.send_buffer_size":"-1b","transport.tcp_no_delay":"true","transport.tracer.exclude":["internal:coordination/fault_detection/*","cluster:monitor/nodes/liveness"],"transport.tracer.include":[],"transport.type":"org.opensearch.security.ssl.http.netty.SecuritySSLNettyTransport","transport.type.default":"netty4"}}

_cat/allocation?v=true&h=node,shards,disk.*

node shards disk.indices disk.used disk.avail disk.total disk.percent
wazuh.indexer 73 155.4mb 13gb 42.8gb 55.8gb 23
UNASSIGNED 30

/_cat/nodes?v&h=name,master,node.role,disk.used_percent,disk.used,disk.avail,disk.total

name master node.role disk.used_percent disk.used disk.avail disk.total
wazuh.indexer * dimr 23.35 13gb 42.8gb 55.8gb

_plugins/_ism/policies

{"policies":[{"_id":"wazuh-alert-retention-policy","_seq_no":41417,"_primary_term":9,"policy":{"policy_id":"wazuh-alert-retention-policy","description":"Retensao 7 dias","last_updated_time":1717704292565,"schema_version":18,"error_notification":null,"default_state":"delete_alerts","states":[{"name":"initial","actions":[],"transitions":[{"state_name":"delete_alerts","conditions":{"min_index_age":"7d"}}]},{"name":"delete_alerts","actions":[{"retry":{"count":3,"backoff":"exponential","delay":"1m"},"delete":{}}],"transitions":[]}],"ism_template":[{"index_patterns":["wazuh-alerts-*"],"priority":1,"last_updated_time":1716899891307}]}}],"total_policies":1}

/_cat/indices/wazuh*?v&h=index,docs.count,store.size&s=index

index docs.count store.size
wazuh-alerts-4.x-2024.05.17 215 624.8kb
wazuh-alerts-4.x-2024.05.20 5050 12.3mb
wazuh-alerts-4.x-2024.05.22 14316 12.6mb
wazuh-alerts-4.x-2024.05.23 32635 19.9mb
wazuh-alerts-4.x-2024.05.24 20072 16.9mb
wazuh-alerts-4.x-2024.05.25 18331 13.5mb
wazuh-alerts-4.x-2024.05.26 18251 13.9mb
wazuh-alerts-4.x-2024.05.27 34535 19.3mb
wazuh-alerts-4.x-2024.05.28 29350 26.8mb
wazuh-alerts-4.x-2024.06.12 9 150.2kb
wazuh-monitoring-2024.06.05 48 90kb
wazuh-monitoring-2024.06.07 136 231.3kb
wazuh-monitoring-2024.06.08 384 388.3kb
wazuh-monitoring-2024.06.09 384 388.3kb
wazuh-monitoring-2024.06.10 384 387.2kb
wazuh-monitoring-2024.06.11 384 386.4kb
wazuh-monitoring-2024.06.12 212 305.3kb
wazuh-monitoring-2024.20w 0 208b
wazuh-monitoring-2024.21w 1662 1.2mb
wazuh-monitoring-2024.22w 2720 1.1mb
wazuh-monitoring-2024.23w 1748 1.2mb
wazuh-statistics-2024.06.05 266 246.7kb
wazuh-statistics-2024.06.06 575 520.9kb
wazuh-statistics-2024.06.07 574 568.2kb
wazuh-statistics-2024.06.08 574 530.9kb
wazuh-statistics-2024.06.09 575 473kb
wazuh-statistics-2024.06.10 576 451.9kb
wazuh-statistics-2024.06.11 574 567.8kb
wazuh-statistics-2024.06.12 318 564kb
wazuh-statistics-2024.20w 1236 867kb
wazuh-statistics-2024.21w 4019 1.6mb
wazuh-statistics-2024.22w 4025 1.7mb
wazuh-statistics-2024.23w 1453 1mb

Best regards

Jose Camargo

unread,

Jun 12, 2024, 2:46:27 PM6/12/24

to Wazuh | Mailing List

Hello Pedro,

This seems to be an issue with the retention policy. Please try changing the one you have with the following:

{
  "policy": {
      "description": "Wazuh index state management deletes indices after 7 days",
      "default_state": "hot",
      "states": [
          {
              "name": "hot",
              "actions": [
                  {
                      "replica_count": {
                          "number_of_replicas": 0
                      }
                  }
              ],
              "transitions": [
                  {
                      "state_name": "delete",
                      "conditions": {
                          "min_index_age": "7d"
                      }
                  }
              ]
          },
          {
              "name": "delete",
              "actions": [
                  {

                      "delete": {}
                  }
              ],
              "transitions": []
          }
      ],
     "ism_template": {

         "index_patterns": ["wazuh-alerts*", "wazuh-monitoring*", "wazuh-statistics*"],
         "priority": 100
     }
  }
}

I'll be waiting for your comments.

Regards,

Jose

{ "policy": { "description": "Wazuh index state management for OpenDistro to move indices into a cold state after 30 days and delete them after a year.", "default_state": "hot", "states": [ { "name": "hot", "actions": [ { "replica_count": { "number_of_replicas": 1 } } ], "transitions": [ { "state_name": "cold", "conditions": { "min_index_age": "30d" } } ] }, { "name": "cold", "actions": [ { "read_only": {} } ], "transitions": [ { "state_name": "delete", "conditions": { "min_index_age": "365d" } } ] }, { "name": "delete", "actions": [ { "delete": {} } ], "transitions": [] } ], "ism_template": { "index_patterns": ["wazuh-alerts*"], "priority": 100 } } }

Reply all

Reply to author

Forward