Wazuh Kibana plugin troubleshooting

This section collects common installation or usage issues on the Wazuh Kibana plugin, and some basic steps to solve them.

"Incorrect Kibana version in plugin [wazuh]" when installing the Wazuh Kibana plugin

To install the Wazuh Kibana plugin successfully, it needs to be compatible with the Kibana and Wazuh versions.

Kibana version can be checked by executing the following command:

# cat /usr/share/kibana/package.json | grep version

An example output of the command looks as follows:

"version": "7.10.2",

The Wazuh version can be checked by executing the following command:

# /var/ossec/bin/wazuh-control info | grep WAZUH_VERSION

An example output of the command looks as follows:

WAZUH_VERSION="v4.4.3"

Using the Kibana version and the Wazuh version, you can find the correct plugin in the compatibility matrix.

No template found for the selected index pattern

Elasticsearch needs a specific template to store Wazuh alerts, otherwise visualizations won't load properly. You can insert the correct template using the following command:

# curl https://raw.githubusercontent.com/wazuh/wazuh/v4.4.3/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT "https://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u <elasticsearch_user>:<elasticsearch_password> -k

{"acknowledged":true}

If this error occurs after an upgrade from a 3.x version the solution is to remove the wazuh-alerts-3.x-* index pattern. Since Wazuh 4.x, the index pattern is wazuh-alerts-*, and you need to remove the old pattern for the new one to take its place.

# curl 'https://<kibana_ip>:<kibana_port>/api/saved_objects/index-pattern/wazuh-alerts-3.x-*' -X DELETE  -H 'Content-Type: application/json' -H 'kbn-version: 7.10.2' -k -u <elasticsearch_user>:<elasticsearch_password>

If you have a custom index pattern, make sure to replace it accordingly.

Very important: Clean the browser’s cache and cookies.

"Index pattern was refreshed" toast keeps popping up

If "Index pattern was refreshed" message keeps popping up in a module dashboard, it means Wazuh alerts index-pattern doesn't have some of the fields some visualization needs. Therefore the visualization creates those fields it needs in the alerts index-pattern. In case the template that the index-pattern uses is not the latest version, this message can pop up because there are no alerts using these fields. To solve this, please update the index-pattern template using the following command:

# curl https://raw.githubusercontent.com/wazuh/wazuh/v4.4.3/extensions/elasticsearch/7.x/wazuh-template.json | curl -X PUT "https://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- -u <elasticsearch_user>:<elasticsearch_password> -k

{"acknowledged":true}

Wazuh API seems to be down

This issue means that your Wazuh API might be unavailable. Check the status of the Wazuh manager to check if the service is active:

Systemd

SysV init

# systemctl status wazuh-manager

# service wazuh-manager status

If the Wazuh API is running, try to fetch data using the CLI from the Kibana server:

# curl -k -X GET "https://<api_url>:55000/" -H "Authorization: Bearer $(curl -u <api_user>:<api_password> -k -X POST 'https://<api_url>:55000/security/user/authenticate?raw=true')"

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                               Dload  Upload   Total   Spent    Left  Speed
  100   271  100   271    0     0    879      0 --:--:-- --:--:-- --:--:--   882
  {"data": {"title": "Wazuh API REST", "api_version": "4.1.1", "revision": 40110, "license_name": "GPL 2.0", "license_url": "https://github.com/wazuh/wazuh/blob/4.1/LICENSE", "hostname": "localhost.localdomain", "timestamp": "2021-03-03T10:01:18+0000"}, "error": 0}

I do not see alerts in the Wazuh Kibana plugin

The first step is to check if there are alerts in Elasticsearch.

# curl https://<ELASTICSEARCH_IP>:9200/_cat/indices/wazuh-alerts-* -u <elasticsearch_user>:<elasticsearch_password> -k

 green open wazuh-alerts-4.x-2021.03.03 xwFPX7nFQxGy-O5aBA3LFQ 3 0 340 0 672.6kb 672.6kb

If you do not see any Wazuh related index, it means you have no alerts stored in Elasticsearch.

To ensure that Filebeat is correctly configured, run the following command:

# filebeat test output

elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Could not connect to API with id: default: 3003 - Missing param: API USERNAME

Starting Wazuh 4.0 the Wazuh API username variable changed from user to username. It's necessary to change the credentials (foo:bar are no longer accepted) as well as the name of the variable in the /usr/share/kibana/data/wazuh/config/wazuh.yml configuration file. For example, the configuration can be:

hosts:
 - production:
     url: https://localhost
     port: 55000
     username: wazuh-wui
     password: wazuh-wui
     run_as: false

Wazuh Kibana plugin page goes blank

Sometimes, after an upgrade, the Wazuh Kibana plugin page goes blank. This is due to some issues with the cache memory of the browser.

To fix this you need to:

Chromium browser

Firefox browser

Safari browser

  1. Open the web browser and press F12 to access the DevTools pane.

  2. Click the Network tab and then check the Disable cache option.

  1. Open your browser and press F12 to access the DevTools pane.

  2. Click the Network tab and then check the Disable cache option.

  1. To enable the Develop tools, follow these steps:

  1. Go to the Safari settings gear icon and click Preferences.

  2. Click the Advanced tab to open the pane and check the Show Develop menu in menu bar option.

  3. Close the Preferences window.

  4. Check if the browser’s menu bar is enabled. If not, go to the Safari settings gear icon and click Show Menu Bar.

  1. Click the Develop tab on the menu bar and click Show Web Inspector to open the web inspector pane.

  2. Click the Network tab and then check the Ignore cache when loading resources option.

After following these steps, refresh the page and close the browser.

"Conflict with the Wazuh app version" error is displayed

Sometimes, after an upgrade, the Wazuh Kibana plugin displays the "Conflict with the Wazuh app version" error. This is due to some issues with the cache memory of the browser.

To fix this you need to:

Chromium browser

Firefox browser

Safari browser

  1. Open the web browser and press F12 to access the DevTools pane.

  2. Click the Network tab and then check the Disable cache option.

  1. Open your browser and press F12 to access the DevTools pane.

  2. Click the Network tab and then check the Disable cache option.

  1. To enable the Develop tools, follow these steps:

  1. Go to the Safari settings gear icon and click Preferences.

  2. Click the Advanced tab to open the pane and check the Show Develop menu in menu bar option.

  3. Close the Preferences window.

  4. Check if the browser’s menu bar is enabled. If not, go to the Safari settings gear icon and click Show Menu Bar.

  1. Click the Develop tab on the menu bar and click Show Web Inspector to open the web inspector pane.

  2. Click the Network tab and then check the Ignore cache when loading resources option.

After following these steps, refresh the page and close the browser.

"Wazuh API and Wazuh app version mismatch" error is displayed

This error shows a mismatch between the Wazuh server and the Wazuh Kibana plugin versions.

The Wazuh server and the Wazuh Kibana plugin must run the same major and minor versions. For example:

  • Wazuh server 4.4.x

  • Wazuh Kibana plugin 4.4.y

Moreover, we recommend both server and plugin run the same full version, for example 4.4.3. Running the same full version ensures the correct operation and communication between these components.

Check out how to upgrade Wazuh in our upgrade guide.

None of the above solutions are fixing my problem

All the components we use have their own log files, you can check them and look for error and warning messages.

  1. Check the Elastic Stack log files:

    # cat /var/log/elasticsearch/<elasticsearch-cluster-name>.log | grep -i -E "error|warn"
# cat /var/log/filebeat/filebeat | grep -i -E "error|warn"

    Note

    The Elastic Stack uses the /var/log folder to store logs by default. This setting can be customized following the documentation for Elasticsearch or Filebeat.

    Warning

    By default, Kibana doesn't store logs on a file. You can change this by configuring logging.dest setting in the kibana.yml configuration file. Check the Kibana documentation for more details.

  2. Check the Wazuh Kibana plugin log file:

    # cat /usr/share/kibana/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"

  3. Check the Wazuh manager log file:

    # cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"