Check WAZUH alert index pattern warning

[SaiRajan Puratchivel]

Hello,

We have installed the Wazuh 4.3 version.  While opening the browser version getting the attached error.  

Checked the Filbeat where elastic search is properly configured and working.

elasticsearch:

  parse url... OK

  connection...

    parse host... OK

    dns lookup... OK

    addresses: 

    dial up... OK

Thanks,

Sai

[Kasim Mustapha]

Hello Sairajan,

Thanks for reaching out.

Could you check the templates?
Using Kibana Dev Tools: GET _cat/templates

On the other hand, to remove old indices could you do with this guide or if you want to keep your old indices you could reindex them with this guide and I recommend using Dev Tools for safety.

Await your response.

Regards.

[SaiRajan Puratchivel]

Hi Kasim,

Thanks for responding back.

When I tried to run the GET _cat/templates I am getting 2 responses in the DEV Tools console.

I have attached the screenshot for your reference.

Thanks,

Sai

[Kasim Mustapha]

Hello Sairajan,

We noticed that the alert index pattern is not available. Elasticsearch needs a specific template to store Wazuh alerts, otherwise, visualizations won't load properly. 

use this guide to insert the correct template. https://documentation.wazuh.com/current/user-manual/elasticsearch/troubleshooting.html#no-template-found-for-the-selected-index-pattern

For more information check out the documentation here: https://documentation.wazuh.com/current/user-manual/elasticsearch/configure-indices.html

Hope this helps. Let us know if you have further questions.

Regards,

[SaiRajan Puratchivel]

Hi Kasim,

I looked into this link https://documentation.wazuh.com/current/user-manual/elasticsearch/configure-indices.html and fixed it.

FYI: In this document I see no.6 is optional but after doing that step only my issue got fixed.

Thank you for your assistance and prompt turnaround.

Regards,

Sai