Wazuh Kibana plugin troubleshooting
This section collects common installation and usage issues with the Wazuh Kibana plugin, and some basic steps to solve them.
"Incorrect Kibana version in plugin [wazuh]" when installing the Wazuh Kibana plugin
The Wazuh Kibana plugin installs successfully only if it is compatible with both the Kibana and the Wazuh versions in use.
The Kibana version can be checked by executing the following command:
# cat /usr/share/kibana/package.json | grep version
An example output of the command looks as follows:
"version": "7.10.2",
The Wazuh version can be checked by executing the following command:
# /var/ossec/bin/wazuh-control info | grep WAZUH_VERSION
An example output of the command looks as follows:
WAZUH_VERSION="v4.4.3"
Using the Kibana version and the Wazuh version, you can find the correct plugin in the compatibility matrix.
No template found for the selected index pattern
Elasticsearch needs a specific template to store Wazuh alerts, otherwise visualizations won't load properly. You can insert the correct template using the following command:
# curl https://raw.githubusercontent.com/wazuh/wazuh/v4.4.3/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT "https://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u <elasticsearch_user>:<elasticsearch_password> -k
{"acknowledged":true}
If this error occurs after an upgrade from a 3.x version, the solution is to remove the wazuh-alerts-3.x-* index pattern. Since Wazuh 4.x, the index pattern is wazuh-alerts-*, and you need to remove the old pattern for the new one to take its place.
# curl 'https://<kibana_ip>:<kibana_port>/api/saved_objects/index-pattern/wazuh-alerts-3.x-*' -X DELETE -H 'Content-Type: application/json' -H 'kbn-version: 7.10.2' -k -u <elasticsearch_user>:<elasticsearch_password>
If you have a custom index pattern, make sure to replace it accordingly.
Very important: Clean the browser’s cache and cookies.
"Index pattern was refreshed" toast keeps popping up
If the "Index pattern was refreshed" message keeps popping up in a module dashboard, the Wazuh alerts index pattern is missing some of the fields that a visualization needs, so the visualization creates those fields in the alerts index pattern. If the template that the index pattern uses is not the latest version, this message can pop up because there are no alerts using these fields. To solve this, update the index pattern template using the following command:
# curl https://raw.githubusercontent.com/wazuh/wazuh/v4.4.3/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT "https://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u <elasticsearch_user>:<elasticsearch_password> -k
{"acknowledged":true}
Wazuh API seems to be down
This issue means that your Wazuh API might be unavailable. Check the status of the Wazuh manager to confirm that the service is active:
# systemctl status wazuh-manager
# service wazuh-manager status
If the Wazuh API is running, try to fetch data using the CLI from the Kibana server:
# curl -k -X GET "https://<api_url>:55000/" -H "Authorization: Bearer $(curl -u <api_user>:<api_password> -k -X POST 'https://<api_url>:55000/security/user/authenticate?raw=true')"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 271 100 271 0 0 879 0 --:--:-- --:--:-- --:--:-- 882
{"data": {"title": "Wazuh API REST", "api_version": "4.1.1", "revision": 40110, "license_name": "GPL 2.0", "license_url": "https://github.com/wazuh/wazuh/blob/4.1/LICENSE", "hostname": "localhost.localdomain", "timestamp": "2021-03-03T10:01:18+0000"}, "error": 0}
I do not see alerts in the Wazuh Kibana plugin
The first step is to check if there are alerts in Elasticsearch.
# curl https://<ELASTICSEARCH_IP>:9200/_cat/indices/wazuh-alerts-* -u <elasticsearch_user>:<elasticsearch_password> -k
green open wazuh-alerts-4.x-2021.03.03 xwFPX7nFQxGy-O5aBA3LFQ 3 0 340 0 672.6kb 672.6kb
If you do not see any Wazuh related index, it means you have no alerts stored in Elasticsearch.
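The check described above can be scripted so that an empty listing, an index with zero documents, and a non-listing response (for example an authentication error body) are told apart. This is an added example, not part of the Wazuh documentation; the function name is hypothetical and it assumes the default `_cat/indices` column order without a header row.

```shell
#!/bin/sh
# Added example (not Wazuh code): summarize `_cat/indices/wazuh-alerts-*` output.
# Assumes the default column order without a header row:
# health status index uuid pri rep docs.count docs.deleted store.size pri.store.size

# Read the listing on stdin. Prints one WARN line per non-green index, then
# a verdict line. Returns 0 only when at least one alert document is stored.
summarize_alert_indices() {
    awk '
        NF >= 7 && $3 ~ /^wazuh-alerts-/ && $7 ~ /^[0-9]+$/ {
            indices++
            docs += $7
            if ($1 != "green")
                printf "WARN %s health=%s\n", $3, $1
            next
        }
        NF > 0 { other++ }    # error body, login page, anything unparsed
        END {
            if (indices == 0 && other > 0) {
                print "UNEXPECTED_RESPONSE"; exit 2
            }
            if (indices == 0) { print "NO_INDICES"; exit 1 }
            if (docs == 0)    { printf "EMPTY indices=%d\n", indices; exit 1 }
            printf "OK indices=%d docs=%d\n", indices, docs
        }'
}

# Constructed sample: the line shown above plus a second, yellow index.
sample='green open wazuh-alerts-4.x-2021.03.03 xwFPX7nFQxGy-O5aBA3LFQ 3 0 340 0 672.6kb 672.6kb
yellow open wazuh-alerts-4.x-2021.03.04 aaaaaaaaaaaaaaaaaaaaaa 3 1 12 0 40.1kb 40.1kb'
printf '%s\n' "$sample" | summarize_alert_indices
```

In practice, pipe the output of the curl command above into `summarize_alert_indices` instead of the constructed sample.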
To ensure that Filebeat is correctly configured, run the following command:
# filebeat test output
elasticsearch: https://127.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.10.2
Could not connect to API with id: default: 3003 - Missing param: API USERNAME
Starting with Wazuh 4.0, the Wazuh API username variable changed from user to username. It's necessary to change the credentials (foo:bar are no longer accepted) as well as the name of the variable in the /usr/share/kibana/data/wazuh/config/wazuh.yml configuration file. For example, the configuration can be:
hosts:
  - production:
      url: https://localhost
      port: 55000
      username: wazuh-wui
      password: wazuh-wui
      run_as: false
Wazuh Kibana plugin page goes blank
Sometimes, after an upgrade, the Wazuh Kibana plugin page goes blank. This is due to some issues with the cache memory of the browser.

To fix this you need to:
Open the web browser and press F12 to access the DevTools pane.
Click the Network tab and then check the Disable cache option.
To enable the Develop tools, follow these steps:
Go to the Safari settings gear icon and click Preferences.
Click the Advanced tab to open the pane and check the Show Develop menu in menu bar option.
Close the Preferences window.
Check if the browser’s menu bar is enabled. If not, go to the Safari settings gear icon and click Show Menu Bar.
Click the Develop tab on the menu bar and click Show Web Inspector to open the web inspector pane.
Click the Network tab and then check the Ignore cache when loading resources option.
After following these steps, refresh the page and close the browser.
"Conflict with the Wazuh app version" error is displayed
Sometimes, after an upgrade, the Wazuh Kibana plugin displays the "Conflict with the Wazuh app version" error. This is due to some issues with the cache memory of the browser.

To fix this you need to:
Open the web browser and press F12 to access the DevTools pane.
Click the Network tab and then check the Disable cache option.
To enable the Develop tools, follow these steps:
Go to the Safari settings gear icon and click Preferences.
Click the Advanced tab to open the pane and check the Show Develop menu in menu bar option.
Close the Preferences window.
Check if the browser’s menu bar is enabled. If not, go to the Safari settings gear icon and click Show Menu Bar.
Click the Develop tab on the menu bar and click Show Web Inspector to open the web inspector pane.
Click the Network tab and then check the Ignore cache when loading resources option.
After following these steps, refresh the page and close the browser.
"Wazuh API and Wazuh app version mismatch" error is displayed
This error shows a mismatch between the Wazuh server and the Wazuh Kibana plugin versions.
The Wazuh server and the Wazuh Kibana plugin must run the same major and minor versions. For example:
Wazuh server 4.4.x
Wazuh Kibana plugin 4.4.y
Moreover, we recommend both server and plugin run the same full version, for example 4.4.3. Running the same full version ensures the correct operation and communication between these components.
Check out how to upgrade Wazuh in our upgrade guide.
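The version rule above can be checked mechanically. This is an added example, not code from the Wazuh project: the function names are hypothetical, the server version is parsed from `wazuh-control info` output as shown earlier on this page, and the plugin version is assumed to be supplied by hand.

```shell
#!/bin/sh
# Added example (not Wazuh code): apply the "same major and minor" rule.

# Read `wazuh-control info` output on stdin and print the bare version,
# e.g. WAZUH_VERSION="v4.4.3" -> 4.4.3
parse_wazuh_version() {
    sed -n 's/^WAZUH_VERSION="v\{0,1\}\([0-9][0-9.]*\)"$/\1/p' | head -n 1
}

# Succeed only for a strict MAJOR.MINOR.PATCH string.
is_semver() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Compare server and plugin versions (a leading "v" is accepted).
# Prints full-match, minor-match, mismatch or invalid.
# Returns 0 when the major.minor rule holds, 1 on mismatch, 2 on bad input.
wazuh_version_check() {
    server=${1#v}
    plugin=${2#v}
    if ! is_semver "$server" || ! is_semver "$plugin"; then
        echo "invalid"
        return 2
    fi
    if [ "$server" = "$plugin" ]; then
        echo "full-match"          # recommended: same full version
    elif [ "${server%.*}" = "${plugin%.*}" ]; then
        echo "minor-match"         # allowed: 4.4.x with 4.4.y
    else
        echo "mismatch"
        return 1
    fi
}

# Constructed sample input; the plugin version is supplied by hand (assumption).
sample_info='WAZUH_VERSION="v4.4.3"'
server_version=$(printf '%s\n' "$sample_info" | parse_wazuh_version)
echo "server $server_version vs plugin 4.4.1: $(wazuh_version_check "$server_version" 4.4.1)"
```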
None of the above solutions are fixing my problem
All the components we use have their own log files. You can check them for error and warning messages.
Check the Elastic Stack log files:
# cat /var/log/elasticsearch/<elasticsearch-cluster-name>.log | grep -i -E "error|warn"
# cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
Note
The Elastic Stack uses the /var/log folder to store logs by default. This setting can be customized following the documentation for Elasticsearch or Filebeat.
Warning
By default, Kibana doesn't store logs on a file. You can change this by configuring the logging.dest setting in the kibana.yml configuration file. Check the Kibana documentation for more details.
Check the Wazuh Kibana plugin log file:
# cat /usr/share/kibana/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
Check the Wazuh manager log file:
# cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"