{"id":871,"date":"2018-10-25T04:19:26","date_gmt":"2018-10-25T04:19:26","guid":{"rendered":"https:\/\/www.nicktailor.com\/?p=871"},"modified":"2022-10-21T11:37:42","modified_gmt":"2022-10-21T11:37:42","slug":"wazuh-agent-troubleshooting-guide","status":"publish","type":"post","link":"https:\/\/nicktailor.com\/tech-blog\/wazuh-agent-troubleshooting-guide\/","title":{"rendered":"Wazuh-agent troubleshooting guide."},"content":{"rendered":"<div class=\"pmdi_content_wrapper\">\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-weight: bold; text-decoration: underline;\"><img decoding=\"async\" src=\"http:\/\/www.nicktailor.com\/wp-content\/uploads\/2018\/10\/1540441125_image1.png\" width=\"601px \" height=\"174px \" data-link=\"\"\/><\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">If you see this error in Kibana on an agent, it could be for a number of reasons. <\/span><\/p>\n<h1>Follow this process to figure it out.<\/h1>\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li id=\"pmdi_list_1_0\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"1\"><span class=\"ListParagraph-H\">The agent buffer on the client is full, which is caused by a flood of alerts. The agents have a buffer of limited size to keep resource usage on the clients consistent and minimal. 
If this fills up, then Kibana will stop collecting data.<\/span><\/li>\n<\/ul>\n<ul style=\"list-style-type: disc; ;margin-left: 20px;\">\n<li id=\"pmdi_list_1_1\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"1\"><span class=\"ListParagraph-H\">The first step is the easiest: log into the client and restart the agent with <\/span>\n<ul style=\"list-style-type: disc; ;margin-left: 20px;\">\n<li id=\"pmdi_list_1_2\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"1\"><span class=\"ListParagraph-H\">systemctl restart wazuh-agent<\/span><\/li>\n<li id=\"pmdi_list_1_2\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"1\"><span class=\"ListParagraph-H\">\/etc\/init.d\/wazuh-agent restart<\/span><\/li>\n<li id=\"pmdi_list_1_2\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"1\"><span class=\"ListParagraph-H\">On Windows, open the agent and click on Restart<\/span><\/li>\n<\/ul>\n<\/li>\n<li id=\"pmdi_list_1_0\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"1\"><span class=\"ListParagraph-H\">If you go to Kibana<\/span>\n<ul style=\"list-style-type: disc; ;margin-left: 20px;\">\n<li id=\"pmdi_list_1_1\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"1\"><span class=\"ListParagraph-H\">Click on Agents<\/span><\/li>\n<li id=\"pmdi_list_1_1\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"1\"><span class=\"ListParagraph-H\">Then find your agent<\/span><\/li>\n<li id=\"pmdi_list_1_1\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"1\"><span class=\"ListParagraph-H\">Click on an agent<\/span><\/li>\n<li id=\"pmdi_list_1_1\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"1\"><span class=\"ListParagraph-H\">Click Security audit 
<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">It should look something like this.<\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><img decoding=\"async\" src=\"http:\/\/www.nicktailor.com\/wp-content\/uploads\/2018\/10\/1540441125_image2.png\" width=\"601px \" height=\"288px \" data-link=\"\"\/><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">If this does not appear, then we need to check the wazuh-manager.<\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-weight: bold; text-decoration: underline;\">Reason 1:<\/span><span style=\"font-weight: bold;\"> Space issues<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">Logs can stop generating if the Elasticsearch data partition reaches 85% full, which puts the manager into read-only mode. 
<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># ls \/<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">usr<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">\/share\/<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">elasticsearch<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">\/data\/<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"> (lives on a different <\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">lvm<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">)<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># ls \/<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">var\/<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">ossec<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"> (lives on a different <\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">lvm<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">)<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<ul style=\"list-style-type: disc; ;margin-left: 20px;\">\n<li 
style=\"list-style-type: none;\">\n<ul style=\"list-style-type: disc; ;margin-left: 20px;\">\n<li id=\"pmdi_list_3_0\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"3\"><span class=\"ListParagraph-H\">Ensure these partitions have plenty of space, or Wazuh will go into read-only mode.<\/span><\/li>\n<li id=\"pmdi_list_3_0\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"3\"><span class=\"ListParagraph-H\">Once you have ensured there is adequate space, you will need to execute a command in Kibana to get it working again.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m6041114148831464572styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">PUT _settings<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span class=\"m6041114148831464572styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #666600;\">{<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span class=\"m6041114148831464572styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">&nbsp; &nbsp;&nbsp;<\/span><span class=\"m6041114148831464572styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #008800;\">&quot;index&quot;<\/span><span 
class=\"m6041114148831464572styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">&nbsp;<\/span><span class=\"m6041114148831464572styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #666600;\">:<\/span><span class=\"m6041114148831464572styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">&nbsp;<\/span><span class=\"m6041114148831464572styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #666600;\">{<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span class=\"m6041114148831464572styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;<\/span><span class=\"m6041114148831464572styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #008800;\">&quot;blocks.read_only&quot;<\/span><span class=\"m6041114148831464572styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">&nbsp;<\/span><span class=\"m6041114148831464572styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #666600;\">:<\/span><span class=\"m6041114148831464572styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">&nbsp;<\/span><span class=\"m6041114148831464572styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: 
#008800;\">&quot;false&quot;<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span class=\"m6041114148831464572styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">&nbsp; &nbsp;&nbsp;<\/span><span class=\"m6041114148831464572styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #666600;\">}<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span class=\"m6041114148831464572styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #666600;\">}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<ul style=\"list-style-type: disc; ;margin-left: 20px;\">\n<li style=\"list-style-type: none;\">\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li id=\"pmdi_list_5_0\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"5\"><span class=\"ListParagraph-H\">In Kibana, go to Dev Tools, paste the request above and run it.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><img decoding=\"async\" src=\"http:\/\/www.nicktailor.com\/wp-content\/uploads\/2018\/10\/1540441125_image3.png\" width=\"601px \" height=\"445px \" data-link=\"\"\/><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">Alternative command that does the same thing.<\/span><\/p>\n<ul style=\"list-style-type: disc; ;margin-left: 
20px;\">\n<li id=\"pmdi_list_8_0\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"8\"><span class=\"ListParagraph-H\"><span class=\"m3712338085679250222styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; font-style: italic; color: #000000;\">curl -XPUT&nbsp;<\/span><span class=\"m3712338085679250222styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; font-style: italic; color: #008800;\">'<\/span><a href=\"http:\/\/localhost:9200\/_settings\" target=\"_blank\" rel=\"noopener\">http:\/\/localhost:9200\/_settings<\/a><span class=\"m3712338085679250222styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; font-style: italic; color: #008800;\">'<\/span><span class=\"m3712338085679250222styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; font-style: italic; color: #000000;\">&nbsp;-H&nbsp;<\/span><span class=\"m3712338085679250222styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; font-style: italic; color: #008800;\">'Content-Type: application\/json'<\/span><span class=\"m3712338085679250222styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; font-style: italic; 
color: #000000;\">&nbsp;-d&nbsp;<\/span><span class=\"m3712338085679250222styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; font-style: italic; color: #008800;\">'{ &quot;index&quot;: { &quot;blocks&quot;: { &quot;read_only_allow_delete&quot;: &quot;false&quot; } } }'<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li id=\"pmdi_list_5_0\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"5\"><span class=\"ListParagraph-H\">Next, restart wazuh-manager and ossec:<\/span>\n<ul style=\"list-style-type: disc; ;margin-left: 20px;\">\n<li id=\"pmdi_list_6_1\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"6\"><span class=\"ListParagraph-H\"><span style=\"font-style: italic;\">\/var\/ossec\/bin\/ossec-control restart<\/span><\/span><\/li>\n<li id=\"pmdi_list_6_1\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"6\"><span 
class=\"ListParagraph-H\"><span style=\"font-style: italic;\">systemctl restart wazuh-manager<\/span><\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-weight: bold; text-decoration: underline;\">Reason 2:<\/span> Ensure services are running and check versions<\/span><\/p>\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li id=\"pmdi_list_9_0\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"9\"><span class=\"ListParagraph-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #660066;\">Elasticsearch<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #666600;\">:<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">curl -XGET&nbsp;<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #008800;\">'localhost:9200'<\/span><\/span><\/li>\n<\/ul>\n<p class=\"NoSpacing-P\" style=\"direction: ltr; unicode-bidi: 
normal;\"><span class=\"NoSpacing-H\"><span style=\"background-color: #fafafa;\">[root@waz01 ~]# curl localhost:9200\/_cluster\/health?pretty<\/span><\/span><\/p>\n<p class=\"NoSpacing-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"NoSpacing-H\"><span style=\"background-color: #fafafa;\">{<\/span><\/span><\/p>\n<p class=\"NoSpacing-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"NoSpacing-H\"><span style=\"background-color: #fafafa;\"> &quot;cluster_name&quot; : &quot;elasticsearch&quot;,<\/span><\/span><\/p>\n<p class=\"NoSpacing-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"NoSpacing-H\"><span style=\"background-color: #fafafa;\"> &quot;status&quot; : &quot;yellow&quot;,<\/span><\/span><\/p>\n<p class=\"NoSpacing-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"NoSpacing-H\"><span style=\"background-color: #fafafa;\"> &quot;timed_out&quot; : false,<\/span><\/span><\/p>\n<p class=\"NoSpacing-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"NoSpacing-H\"><span style=\"background-color: #fafafa;\"> &quot;number_of_nodes&quot; : 1,<\/span><\/span><\/p>\n<p class=\"NoSpacing-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"NoSpacing-H\"><span style=\"background-color: #fafafa;\"> &quot;number_of_data_nodes&quot; : 1,<\/span><\/span><\/p>\n<p class=\"NoSpacing-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"NoSpacing-H\"><span style=\"background-color: #fafafa;\"> &quot;active_primary_shards&quot; : 563,<\/span><\/span><\/p>\n<p class=\"NoSpacing-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"NoSpacing-H\"><span style=\"background-color: #fafafa;\"> &quot;active_shards&quot; : 563,<\/span><\/span><\/p>\n<p class=\"NoSpacing-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"NoSpacing-H\"><span style=\"background-color: #fafafa;\"> &quot;relocating_shards&quot; : 0,<\/span><\/span><\/p>\n<p class=\"NoSpacing-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"NoSpacing-H\"><span style=\"background-color: #fafafa;\"> &quot;initializing_shards&quot; : 0,<\/span><\/span><\/p>\n<p class=\"NoSpacing-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"NoSpacing-H\"><span style=\"background-color: #fafafa;\"> &quot;unassigned_shards&quot; : 547,<\/span><\/span><\/p>\n<p class=\"NoSpacing-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"NoSpacing-H\"><span style=\"background-color: #fafafa;\"> &quot;delayed_unassigned_shards&quot; : 0,<\/span><\/span><\/p>\n<p class=\"NoSpacing-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"NoSpacing-H\"><span style=\"background-color: #fafafa;\"> &quot;number_of_pending_tasks&quot; : 0,<\/span><\/span><\/p>\n<p class=\"NoSpacing-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"NoSpacing-H\"><span style=\"background-color: #fafafa;\"> &quot;number_of_in_flight_fetch&quot; : 0,<\/span><\/span><\/p>\n<p class=\"NoSpacing-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"NoSpacing-H\"><span style=\"background-color: #fafafa;\"> &quot;task_max_waiting_in_queue_millis&quot; : 0,<\/span><\/span><\/p>\n<p class=\"NoSpacing-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"NoSpacing-H\"><span style=\"background-color: #fafafa;\"> &quot;active_shards_percent_as_number&quot; :<\/span><span style=\"background-color: 
#fafafa;\"> 50.72072072072073<\/span><\/span><\/p>\n<p class=\"NoSpacing-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"NoSpacing-H\"><span style=\"background-color: #fafafa;\">}<\/span><\/span><\/p>\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li id=\"pmdi_list_9_0\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"9\"><span class=\"ListParagraph-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #660066;\">Kibana<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #666600;\">:<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">\/usr\/share\/kibana\/bin\/kibana -V<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; ; color: #000000;\">[root@waz01 ~]# \/usr\/share\/kibana\/bin\/kibana -V<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; ; color: #000000;\">6.4.0<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span 
style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #660066;\">Logstash<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #666600;\">:<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">\/usr\/share\/logstash\/bin\/logstash -V<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">[root@waz01 ~]# \/usr\/share\/logstash\/bin\/logstash -V<\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">logstash 6.4.2<\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li style=\"list-style-type: none;\">\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li id=\"pmdi_list_9_0\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"9\"><span class=\"ListParagraph-H\">Check to see if wazuh-manager and logstash are running<\/span><\/li>\n<\/ul>\n<\/li>\n<li id=\"pmdi_list_11_0\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"11\"><span class=\"ListParagraph-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">systemctl status wazuh-manager<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"IntenseEmphasis-H\">Active and working<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">[root@waz01 ~]# systemctl status wazuh-manager<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">\u25cf <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; 
font-family: Courier New; color: #000000;\">wazuh-<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">manager.service<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> &#8211; <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Wazuh<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> manager<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> Loaded: loaded (\/etc\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">systemd<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">\/system\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">wazuh-manager.service<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">; enabled; vendor <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">preset<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">: disabled)<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span 
class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> Active: active (running) since Thu 2018-10-18 12:25:53 BST; 4 days ago<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> Process: 4488 <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ExecStop<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">=\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">usr<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">\/bin\/env ${DIRECTORY}\/bin\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">-control stop (code=exited, status=0\/SUCCESS)<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> Process: 4617 <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ExecStart<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier 
New; color: #000000;\">=\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">usr<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">\/bin\/env ${DIRECTORY}\/bin\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">-control start (code=exited, status=0\/SUCCESS)<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">CGroup<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">: \/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">system.slice<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">wazuh-manager.service<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> \u251c\u25004635 \/var\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: 
#000000;\">ossec<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">\/bin\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec-authd<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> \u251c\u25004639 \/var\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">\/bin\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">wazuh-db<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> \u251c\u25004656 \/var\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">\/bin\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec-execd<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; 
font-family: Courier New; color: #000000;\"> \u251c\u25004662 \/var\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">\/bin\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec-analysisd<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> \u251c\u25004666 \/var\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">\/bin\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec-syscheckd<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> \u251c\u25004672 \/var\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">\/bin\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: 
#000000;\">ossec<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">-remoted<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> \u251c\u25004675 \/var\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">\/bin\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec-logcollector<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> \u251c\u25004695 \/var\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">\/bin\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec-monitord<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> \u2514\u25004699 \/var\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" 
style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">\/bin\/<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">wazuh-modulesd<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Oct 18 12:25:51 <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">waz01<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">env[<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">4617]: Started <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">wazuh<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">-db&#8230;<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Oct 18 12:25:51 <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">waz01<\/span><span 
class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">env[<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">4617]: Started <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec-execd<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">&#8230;<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Oct 18 12:25:51 <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">waz01<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">env[<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">4617]: Started <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec-analysisd<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">&#8230;<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Oct 18 12:25:51 <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: 
#fafafa; font-family: Courier New; color: #000000;\">waz01<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">env[<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">4617]: Started <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec-syscheckd<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">&#8230;<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Oct 18 12:25:51 <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">waz01<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">env[<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">4617]: Started <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">-remoted&#8230;<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Oct 18 12:25:51 <\/span><span 
class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">waz01<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">env[<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">4617]: Started <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec-logcollector<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">&#8230;<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Oct 18 12:25:51 <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">waz01<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">env[<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">4617]: Started <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec-monitord<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">&#8230;<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; 
font-family: Courier New; color: #000000;\">Oct 18 12:25:51 <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">waz01<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">env[<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">4617]: Started <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">wazuh-modulesd<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">&#8230;<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Oct 18 12:25:53 <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">waz01<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">env[<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">4617]: Completed.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Oct 18 12:25:53 <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">waz01<\/span><span 
class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">systemd<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">[<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">1]: Started <\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Wazuh<\/span><span class=\"m2638195685393672510styled-by-prettify-H\" style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> manager.<\/span><\/span><\/p>\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li id=\"pmdi_list_10_0\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"10\"><span class=\"ListParagraph-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">systemctl<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> status <\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">logstash<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span class=\"IntenseEmphasis-H\">Active and working<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">[root@<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">waz01<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">~]#<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: 
#000000;\">systemctl<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> status <\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">logstash<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">\u25cf <\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">logstash.service<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> &#8211; <\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">logstash<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> Loaded: loaded (\/etc\/<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">systemd<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">\/system\/<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">logstash.service<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">; enabled; vendor <\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">preset<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">: disabled)<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> Active: active (running) since Mon 2018-10-15 23:44:21 BST; 1 weeks 0 days ago<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: 
ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> Main PID: 11924 (java)<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">CGroup: \/system.slice\/logstash.service<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> \u2514\u250011924 \/bin\/java -Xms1g -Xmx1g -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djruby.compile.invokedynamic=true -Djruby.jit.threshold=0 -XX:+HeapDumpOnOutOfMemoryError -Djava.security.egd=file:\/dev\/urandom -cp \/usr\/share\/logstash\/logstash-core\/lib\/jars\/animal-sniffer-annotations-1.14.jar:\/usr\/share\/logstash\/logstash-core\/lib\/jars\/commons-codec-1.11.jar:\/u&#8230;<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Oct 15 23:44:41 waz01 logstash[11924]: [2018-10-15T23:44:41,581][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=&gt;6}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Oct 15 23:44:41 waz01 logstash[11924]: [2018-10-15T23:44:41,604][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=&gt;&quot;LogStash::Outputs::ElasticSearch&quot;, :hosts=&gt;[&quot;\/\/localhost:9200&quot;]}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Oct 15 23:44:41 waz01 logstash[11924]: [2018-10-15T23:44:41,616][INFO ][logstash.outputs.elasticsearch] Using mapping template from {:path=&gt;nil}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Oct 15 23:44:41 waz01 logstash[11924]: [2018-10-15T23:44:41,641][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=&gt;{&quot;template&quot;=&gt;&quot;logstash-*&quot;, &quot;version&quot;=&gt;60001, &quot;settings&quot;=&gt;{&quot;index.refresh_interval&quot;=&gt;&quot;5s&quot;}, &quot;mappings&quot;=&gt;{&quot;_default_&quot;=&gt;{&quot;dynamic_templates&quot;=&gt;[{&quot;message_field&quot;=&gt;{&quot;path_match&quot;=&gt;&quot;mess<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Oct 15 23:44:41 waz01 logstash[11924]: [2018-10-15T23:44:41,662][INFO ][logstash.filters.geoip ] Using geoip<\/span><span style=\"background-color: #fafafa; font-family: 
Courier New; color: #000000;\"> database {:path=&gt;&#8221;\/usr\/share\/logstash\/vendor\/bundle\/jruby\/2.3.0\/gems\/logstash-filter-geoip-5.0.3-java\/vendor\/GeoLite2-City.mmdb&#8221;}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Oct 15 23:44:41 <\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">waz01<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">logstash<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">[<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">11924]: [2018-10-15T23:44:41,925][INFO ][<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">logstash.inputs.file<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> ] No <\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">sincedb_path<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> set, generating one based on the &#8220;path&#8221; setting {:sincedb_path=&gt;&#8221;\/var\/lib\/logstash\/plugins\/inputs\/file\/.sincedb_b6991da130c0919d87fbe36c3e98e363&#8243;, :path=&gt;[&#8220;\/var\/<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">ossec<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">\/logs\/alerts\/<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">alerts.json<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">&#8220;]}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span 
class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Oct 15 23:44:41 <\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">waz01<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">logstash<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">[<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">11924]: [2018-10-15T23:44:41,968][INFO ][<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">logstash.pipeline<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> ] Pipeline started successfully {:<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">pipeline_id<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">=&gt;&#8221;main&#8221;, :thread=&gt;&#8221;#&lt;Thread:0x63e37301 sleep&gt;&#8221;}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Oct 15 23:44:42 <\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">waz01<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">logstash<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">[<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">11924]: [2018-10-15T23:44:42,013][INFO ][<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">logstash.agent<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> ] Pipelines running {:count=&gt;1, :<\/span><span 
style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">running_pipelines<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">=&gt;[:main], :<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">non_running_pipelines<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">=&gt;[]}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Oct 15 23:44:42 <\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">waz01<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">logstash<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">[<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">11924]: [2018-10-15T23:44:42,032][INFO ][<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">filewatch.observingtail<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> ] START, creating Discoverer, Watch with file and <\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">sincedb<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> collections<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Oct 15 23:44:42 <\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">waz01<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">logstash<\/span><span 
style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">[<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">11924]: [2018-10-15T23:44:42,288][INFO ][<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">logstash.agent<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"> ] Successfully started Logstash API endpoint {:port=&gt;9600}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">If any of these are failed restart them.<\/span><\/span><\/p>\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li id=\"pmdi_list_10_0\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"10\"><span class=\"ListParagraph-H\"><span style=\"background-color: #fafafa; font-family: Courier New; font-style: italic; color: #000000;\">systemctl<\/span><span style=\"background-color: #fafafa; font-family: Courier New; font-style: italic; color: #000000;\"> restart <\/span><span style=\"background-color: #fafafa; font-family: Courier New; font-style: italic; color: #000000;\">logstash<\/span><span style=\"font-family: Courier New; font-style: italic; color: #000000;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span style=\"background-color: #fafafa; font-family: Courier New; font-style: italic; color: #000000;\">systemctl<\/span><span style=\"background-color: #fafafa; font-family: Courier New; font-style: italic; color: #000000;\"> restart <\/span><span style=\"background-color: #fafafa; font-family: Courier New; font-style: italic; color: 
#000000;\">elasticsearch<\/span><span style=\"background-color: #fafafa; font-family: Courier New; font-style: italic; color: #000000;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span style=\"background-color: #fafafa; font-family: Courier New; font-style: italic; color: #000000;\">systemctl<\/span><span style=\"background-color: #fafafa; font-family: Courier New; font-style: italic; color: #000000;\"> restart <\/span><span style=\"background-color: #fafafa; font-family: Courier New; font-style: italic; color: #000000;\">wazuh<\/span><span style=\"background-color: #fafafa; font-family: Courier New; font-style: italic; color: #000000;\">-manger<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Reason 3: Logstash is broken<\/span><\/span><\/p>\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li id=\"pmdi_list_12_0\" class=\"ListParagraph-P\" style=\"direction: ltr; unicode-bidi: normal;\" data-numid=\"12\"><span class=\"ListParagraph-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Check the logs for errors.<\/span><\/span><\/li>\n<li id=\"pmdi_list_10_0\" class=\"ListParagraph-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"10\"><span class=\"ListParagraph-H\"><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">tail \/var\/log\/<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">logstash<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">\/logstash-plain.log<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span 
class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Possible error<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">#<\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">1 <\/span><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">:<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">[root@waz01 <\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">~]#<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\"> tail \/var\/log\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/logstash-plain.log<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">[2018-10-09T17:37:59,<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">475][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">INFO ][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash.outputs.elasticsearch<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">] Retrying individual bulk actions that failed or were rejected by the previous bulk request. 
<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">{:count<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">=&gt;1}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">[2018-10-09T17:37:59,<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">475][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">INFO ][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash.outputs.elasticsearch<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">] retrying failed action with response code: 403 ({&#8220;type&#8221;=&gt;&#8221;<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">cluster_block_exception<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">&#8220;, &#8220;reason&#8221;=&gt;&#8221;blocked by: [FORBIDDEN\/12\/index read-only \/ allow delete (<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">api<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">)];&#8221;})<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">[2018-10-09T17:37:59,<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">475][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">INFO ][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash.outputs.elasticsearch<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">] retrying failed action with response code: 403 ({&#8220;type&#8221;=&gt;&#8221;<\/span><span 
style=\"font-family: Arial; color: #222222; font-size: 8pt;\">cluster_block_exception<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">&#8220;, &#8220;reason&#8221;=&gt;&#8221;blocked by: [FORBIDDEN\/12\/index read-only \/ allow delete (<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">api<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">)];&#8221;})<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">[2018-10-09T17:37:59,<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">475][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">INFO ][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash.outputs.elasticsearch<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">] Retrying individual bulk actions that failed or were rejected by the previous bulk request. 
<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">{:count<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">=&gt;2}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">[2018-10-09T17:37:59,<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">475][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">INFO ][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash.outputs.elasticsearch<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">] retrying failed action with response code: 403 ({&#8220;type&#8221;=&gt;&#8221;<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">cluster_block_exception<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">&#8220;, &#8220;reason&#8221;=&gt;&#8221;blocked by: [FORBIDDEN\/12\/index read-only \/ allow delete (<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">api<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">)];&#8221;})<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">[2018-10-09T17:37:59,<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">475][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">INFO ][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash.outputs.elasticsearch<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">] Retrying individual bulk actions that failed or were rejected by the previous bulk request. 
<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">{:count<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">=&gt;1}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">[2018-10-09T17:37:59,<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">475][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">INFO ][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash.outputs.elasticsearch<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">] Retrying individual bulk actions that failed or were rejected by the previous bulk request. <\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">{:count<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">=&gt;2}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">[2018-10-09T17:37:59,<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">475][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">INFO ][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash.outputs.elasticsearch<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">] Retrying individual bulk actions that failed or were rejected by the previous bulk request. 
<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">{:count<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">=&gt;3}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">[2018-10-09T17:37:59,<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">476][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">INFO ][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash.outputs.elasticsearch<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">] retrying failed action with response code: 403 ({&#8220;type&#8221;=&gt;&#8221;<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">cluster_block_exception<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">&#8220;, &#8220;reason&#8221;=&gt;&#8221;blocked by: [FORBIDDEN\/12\/index read-only \/ allow delete (<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">api<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">)];&#8221;})<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">[2018-10-09T17:37:59,<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">476][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">INFO ][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash.outputs.elasticsearch<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">] Retrying individual bulk actions that failed or were rejected by the previous bulk request. 
<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">{:count<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">=&gt;1}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Possible error #2:<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">[2018-10-15T20:06:10,967][ERROR][org.logstash.Logstash ] java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit<\/span><\/span><\/p>\n<p class=\"Normal-P\" 
style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">[2018-10-15T20:06:26,<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">863][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">FATAL][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash.runner<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\"> ] An unexpected error occurred! <\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">{:error<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">=&gt;#&lt;<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">ArgumentError<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">: Path &#8220;\/var\/lib\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/queue&#8221; must be a writable directory. 
It is not writable.&gt;, :backtrace=&gt;[&#8220;\/usr\/share\/logstash\/logstash-core\/lib\/logstash\/settings.rb:447:in `validate'&#8221;, &#8220;\/usr\/share\/logstash\/logstash-core\/lib\/logstash\/settings.rb:229:in `<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">validate_value<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">&#8216;&#8221;, &#8220;\/usr\/share\/logstash\/logstash-core\/lib\/logstash\/settings.rb:140:in `block in <\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">validate_all<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">&#8216;&#8221;, &#8220;org\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">jruby<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/RubyHash.java:1343:in `each'&#8221;, &#8220;\/usr\/share\/logstash\/logstash-core\/lib\/logstash\/settings.rb:139:in `<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">validate_all<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">&#8216;&#8221;, &#8220;\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">usr<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/share\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">-core\/lib\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/runner.rb:278:in `execute'&#8221;, &#8220;\/usr\/share\/logstash\/vendor\/bundle\/jruby\/2.3.0\/gems\/clamp-<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt; 
text-decoration: underline;\">0.6.5\/lib\/clamp\/command.rb:67:in `run'&#8221;, &#8220;\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt; text-decoration: underline;\">usr<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt; text-decoration: underline;\">\/share\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt; text-decoration: underline;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt; text-decoration: underline;\">\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt; text-decoration: underline;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt; text-decoration: underline;\">-core\/lib\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt; text-decoration: underline;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt; text-decoration: underline;\">\/runner.rb:237:in `run'&#8221;,<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\"> &#8220;\/usr\/share\/logstash\/vendor\/bundle\/jruby\/2.3.0\/gems\/clamp-0.6.5\/lib\/clamp\/command.rb:132:in `run'&#8221;, &#8220;\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">usr<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/share\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/lib\/bootstrap\/environment.rb:73:in `&lt;main&gt;'&#8221;]}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">[2018-10-15T20:06:26,<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">878][<\/span><span style=\"font-family: Arial; color: #222222; 
font-size: 8pt;\">ERROR][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">org.logstash.Logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\"> ] <\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">java.lang.IllegalStateException<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">: Logstash stopped processing because of an error: (<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">SystemExit<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">) exit<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">[2018-10-15T20:06:42,<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">543][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">FATAL][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash.runner<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\"> ] An unexpected error occurred! <\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">{:error<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">=&gt;#&lt;<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">ArgumentError<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">: Path &#8220;\/var\/lib\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/queue&#8221; must be a writable directory. 
It is not writable.&gt;, :backtrace=&gt;[&#8220;\/usr\/share\/logstash\/logstash-core\/lib\/logstash\/settings.rb:447:in `validate'&#8221;, &#8220;\/usr\/share\/logstash\/logstash-core\/lib\/logstash\/settings.rb:229:in `<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">validate_value<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">&#8216;&#8221;, &#8220;\/usr\/share\/logstash\/logstash-core\/lib\/logstash\/settings.rb:140:in `block in <\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">validate_all<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">&#8216;&#8221;, &#8220;org\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">jruby<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/RubyHash.java:1343:in `each'&#8221;, &#8220;\/usr\/share\/logstash\/logstash-core\/lib\/logstash\/settings.rb:139:in `<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">validate_all<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">&#8216;&#8221;, &#8220;\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">usr<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/share\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">-core\/lib\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/runner.rb:278:in `execute'&#8221;, &#8220;\/usr\/share\/logstash\/vendor\/bundle\/jruby\/2.3.0\/gems\/clamp-0.6.5\/lib\/clamp\/command.rb:67:in `run'&#8221;, &#8220;\/<\/span><span 
style=\"font-family: Arial; color: #222222; font-size: 8pt;\">usr<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/share\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">-core\/lib\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/runner.rb:237:in `run'&#8221;, &#8220;\/usr\/share\/logstash\/vendor\/bundle\/jruby\/2.3.0\/gems\/clamp-0.6.5\/lib\/clamp\/command.rb:132:in `run'&#8221;, &#8220;\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">usr<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/share\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/lib\/bootstrap\/environment.rb:73:in `&lt;main&gt;'&#8221;]}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">[2018-10-15T20:06:42,<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">557][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">ERROR][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">org.logstash.Logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\"> ] <\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">java.lang.IllegalStateException<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">: Logstash stopped 
processing because of an error: (<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">SystemExit<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">) exit<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">[2018-10-15T20:06:58,<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">344][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">FATAL][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash.runner<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\"> ] An unexpected error occurred! <\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">{:error<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">=&gt;#&lt;<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">ArgumentError<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">: Path &#8220;\/var\/lib\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/queue&#8221; must be a writable directory. 
It is not writable.&gt;, :backtrace=&gt;[&#8220;\/usr\/share\/logstash\/logstash-core\/lib\/logstash\/settings.rb:447:in `validate'&#8221;, &#8220;\/usr\/share\/logstash\/logstash-core\/lib\/logstash\/settings.rb:229:in `<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">validate_value<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">&#8216;&#8221;, &#8220;\/usr\/share\/logstash\/logstash-core\/lib\/logstash\/settings.rb:140:in `block in <\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">validate_all<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">&#8216;&#8221;, &#8220;org\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">jruby<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/RubyHash.java:1343:in `each'&#8221;, &#8220;\/usr\/share\/logstash\/logstash-core\/lib\/logstash\/settings.rb:139:in `<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">validate_all<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">&#8216;&#8221;, &#8220;\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">usr<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/share\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">-core\/lib\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/runner.rb:278:in `execute'&#8221;, &#8220;\/usr\/share\/logstash\/vendor\/bundle\/jruby\/2.3.0\/gems\/clamp-0.6.5\/lib\/clamp\/command.rb:67:in `run'&#8221;, &#8220;\/<\/span><span 
style=\"font-family: Arial; color: #222222; font-size: 8pt;\">usr<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/share\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">-core\/lib\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/runner.rb:237:in `run'&#8221;, &#8220;\/usr\/share\/logstash\/vendor\/bundle\/jruby\/2.3.0\/gems\/clamp-0.6.5\/lib\/clamp\/command.rb:132:in `run'&#8221;, &#8220;\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">usr<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/share\/<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/lib\/bootstrap\/environment.rb:73:in `&lt;main&gt;'&#8221;]}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">[2018-10-15T20:06:58,<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">359][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">ERROR][<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">org.logstash.Logstash<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\"> ] <\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">java.lang.IllegalStateException<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">: Logstash stopped 
processing because of an error: (<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">SystemExit<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">) exit<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; font-weight: bold; color: #000000;\">You probably need to reinstall Logstash.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">1. 
Stop affected services:<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># systemctl stop logstash<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># systemctl stop filebeat (Filebeat should not be installed on a standalone setup, as it causes performance issues.)<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; 
color: #222222; font-size: 12pt;\">2. Remove <\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Filebeat<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># yum remove <\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">filebeat<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 12pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">3. 
Setting up Logstash<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># curl -so \/etc\/logstash\/conf.d\/01-wazuh.conf&nbsp;<\/span><a href=\"https:\/\/raw.githubusercontent.com\/wazuh\/wazuh\/3.6\/extensions\/logstash\/01-wazuh-local.conf\" target=\"_blank\" rel=\"noopener\">https:\/\/raw.githubusercontent.com\/wazuh\/wazuh\/3.6\/extensions\/logstash\/01-wazuh-local.conf<\/a><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># usermod -a -G ossec logstash<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li id=\"pmdi_list_9_0\" class=\"ListParagraph-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"9\"><span class=\"ListParagraph-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">The next step is to correct the folder owner of certain Logstash directories:<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p 
class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># <\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">chown<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"> -R <\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">logstash:logstash<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"> \/<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">usr<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">\/share\/<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">logstash<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># <\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">chown<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"> -R <\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">logstash:logstash<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"> \/var\/lib\/<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">logstash<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; font-weight: 
bold; font-style: italic; color: #222222; font-size: 10pt;\">Note<\/span><span style=\"font-family: Courier New; font-weight: bold; font-style: italic; color: #222222; font-size: 10pt;\">: if Logstash still shows write permission errors in the logs, increase the permissions with<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li id=\"pmdi_list_10_0\" class=\"ListParagraph-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\" data-numid=\"10\"><span class=\"ListParagraph-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #880000;\">chmod -R 766 \/usr\/share\/logstash<\/span><\/span><\/li>\n<li id=\"pmdi_list_10_0\" class=\"ListParagraph-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\" data-numid=\"10\"><span class=\"ListParagraph-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 
10pt;\">systemctl<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"> restart <\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">logstash<\/span><\/span><\/li>\n<li id=\"pmdi_list__\" class=\"ListParagraph-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal; margin-left: 72pt;\" data-numid=\"\"><span class=\"ListParagraph-H\">&nbsp;<\/span><\/li>\n<\/ul>\n<p class=\"ListParagraph-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal; margin-left: 72pt;\"><span class=\"ListParagraph-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span>Now restart Logstash:<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># <\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">systemctl<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"> restart <\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">logstash<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal; 
margin-left: 18pt;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">5. Restart Logstash &amp; run the curl command to ensure the Elasticsearch indices are not read-only.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li id=\"pmdi_list_10_0\" class=\"ListParagraph-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\" data-numid=\"10\"><span class=\"ListParagraph-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># systemctl restart logstash<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li id=\"pmdi_list_10_0\" class=\"ListParagraph-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\" data-numid=\"10\"><span class=\"ListParagraph-H\"><span style=\"font-family: Courier New; color: 
#000000; font-size: 10pt;\">curl -XPUT '<\/span><a href=\"http:\/\/localhost:9200\/_settings\" target=\"_blank\" rel=\"noopener\">http:\/\/localhost:9200\/_settings<\/a><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">' -H 'Content-Type: application\/json' -d '{ &quot;index&quot;: { &quot;blocks&quot;: { &quot;read_only_allow_delete&quot;: &quot;false&quot; } } }'<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">6. Now check your Logstash log file again:<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># cat \/var\/log\/logstash\/logstash-plain.log | grep -i -E &quot;(error|warning|critical)&quot;<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: 
normal; margin-left: 18pt;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\">Hopefully you see no errors being generated.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\">Next, check the tail of the plain log:<\/span><\/span><\/p>\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li id=\"pmdi_list_14_0\" class=\"ListParagraph-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\" data-numid=\"14\"><span class=\"ListParagraph-H\"><span style=\"font-family: Courier New; color: #c00000; font-size: 10pt;\">tail -10 \/var\/log\/logstash\/logstash-plain.log<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"IntenseEmphasis-H\">Good log output:<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">[root@waz01 ~]#<\/span><span 
style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> tail -10 \/var\/log\/<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">\/logstash-plain.log<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">[2018-10-15T23:44:41,<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">581][<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">WARN ][<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">logstash.outputs.elasticsearch<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">] Detected a 6.x and above cluster: the `type` event field won&#8217;t be used to determine the document _type {:<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">es_version<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">=&gt;6}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">[2018-10-15T23:44:41,<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">604][<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">INFO ][<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">logstash.outputs.elasticsearch<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">] New Elasticsearch output {:class=&gt;&#8221;<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">LogStash<\/span><span 
style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">::Outputs::<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">ElasticSearch<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">&#8220;, :hosts=&gt;[&#8220;\/\/localhost:9200&#8221;]}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">[2018-10-15T23:44:41,<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">616][<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">INFO ][<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">logstash.outputs.elasticsearch<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">] Using mapping template from {:path=&gt;nil}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">[2018-10-15T23:44:41,641][INFO ][<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">logstash.outputs.elasticsearch<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">] Attempting to install template {:<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">manage_template<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">=&gt;{&#8220;template&#8221;=&gt;&#8221;<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">logstash<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">-*&#8221;, &#8220;version&#8221;=&gt;60001, &#8220;settings&#8221;=&gt;{&#8220;<\/span><span style=\"font-family: Courier 
New; color: #222222; font-size: 8pt;\">index.refresh_interval<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">&#8220;=&gt;&#8221;5s&#8221;}, &#8220;mappings&#8221;=&gt;{&#8220;_default_&#8221;=&gt;{&#8220;dynamic_templates&#8221;=&gt;[{&#8220;message_field&#8221;=&gt;{&#8220;path_match&#8221;=&gt;&#8221;message&#8221;, &#8220;<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">match_mapping_type<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">&#8220;=&gt;&#8221;string&#8221;, &#8220;mapping&#8221;=&gt;{&#8220;type&#8221;=&gt;&#8221;text&#8221;, &#8220;norms&#8221;=&gt;false}}}, {&#8220;<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">string_fields<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">&#8220;=&gt;{&#8220;match&#8221;=&gt;&#8221;*&#8221;, &#8220;<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">match_mapping_type<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">&#8220;=&gt;&#8221;string&#8221;, &#8220;mapping&#8221;=&gt;{&#8220;type&#8221;=&gt;&#8221;text&#8221;, &#8220;norms&#8221;=&gt;false, &#8220;fields&#8221;=&gt;{&#8220;keyword&#8221;=&gt;{&#8220;type&#8221;=&gt;&#8221;keyword&#8221;, &#8220;<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">ignore_above<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">&#8220;=&gt;256}}}}}], &#8220;properties&#8221;=&gt;{&#8220;@timestamp&#8221;=&gt;{&#8220;type&#8221;=&gt;&#8221;date&#8221;}, &#8220;@version&#8221;=&gt;{&#8220;type&#8221;=&gt;&#8221;keyword&#8221;}, &#8220;<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">geoip<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">&#8220;=&gt;{&#8220;dynamic&#8221;=&gt;true, &#8220;properties&#8221;=&gt;{&#8220;<\/span><span 
style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">ip<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">&#8220;=&gt;{&#8220;type&#8221;=&gt;&#8221;<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">ip<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">&#8220;}, &#8220;location&#8221;=&gt;{&#8220;type&#8221;=&gt;&#8221;<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">geo_point<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">&#8220;}, &#8220;latitude&#8221;=&gt;{&#8220;type&#8221;=&gt;&#8221;<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">half_float<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">&#8220;}, &#8220;longitude&#8221;=&gt;{&#8220;type&#8221;=&gt;&#8221;<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">half_float<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">&#8220;}}}}}}}}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">[2018-10-15T23:44:41,<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">662][<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">INFO ][<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">logstash.filters.geoip<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> ] Using <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">geoip<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> database 
{:path=&gt;&#8221;\/usr\/share\/logstash\/vendor\/bundle\/jruby\/2.3.0\/gems\/logstash-filter-geoip-5.0.3-java\/vendor\/GeoLite2-City.mmdb&#8221;}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">[2018-10-15T23:44:41,<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">925][<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">INFO ][<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">logstash.inputs.file<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> ] No <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">sincedb_path<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> set, generating one based on the &#8220;path&#8221; setting {:sincedb_path=&gt;&#8221;\/var\/lib\/logstash\/plugins\/inputs\/file\/.sincedb_b6991da130c0919d87fbe36c3e98e363&#8243;, :path=&gt;[&#8220;\/var\/<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">ossec<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">\/logs\/alerts\/<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">alerts.json<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">&#8220;]}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">[2018-10-15T23:44:41,<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">968][<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">INFO ][<\/span><span style=\"font-family: 
Courier New; color: #222222; font-size: 8pt;\">logstash.pipeline<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> ] Pipeline started successfully {:<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">pipeline_id<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">=&gt;&#8221;main&#8221;, :thread=&gt;&#8221;#&lt;Thread:0x63e37301 sleep&gt;&#8221;}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">[2018-10-15T23:44:42,<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">013][<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">INFO ][<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">logstash.agent<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> ] Pipelines running {:count=&gt;1, :<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">running_pipelines<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">=&gt;[:main], :<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">non_running_pipelines<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">=&gt;[]}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">[2018-10-15T23:44:42,<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">032][<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">INFO ][<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 
8pt;\">filewatch.observingtail<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> ] START, creating Discoverer, Watch with file and <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">sincedb<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> collections<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">[2018-10-15T23:44:42,<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">288][<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">INFO ][<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">logstash.agent<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> ] Successfully started Logstash API endpoint {:port=&gt;9600}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Now that we have the all-clear from the Logstash log, let&#8217;s check component by component:<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">
1. Check the last 10 alerts generated in your <\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\"> manager. Also check the field&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">timestamp<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">: the newest alerts should carry a current timestamp, which confirms the manager is still generating alerts.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">tail <\/span><span style=\"font-family: Courier New; color: #666600; font-size: 10pt;\">-<\/span><span style=\"font-family: Courier New; color: #006666; font-size: 10pt;\">10<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\"> <\/span><span style=\"font-family: Courier New; color: #666600; font-size: 10pt;\">\/<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">var<\/span><span style=\"font-family: Courier New; color: #666600; font-size: 10pt;\">\/<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">ossec<\/span><span style=\"font-family: Courier New; color: #666600; font-size: 10pt;\">\/<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">logs<\/span><span style=\"font-family: Courier New; color: #666600; font-size: 10pt;\">\/<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">alerts<\/span><span style=\"font-family: Courier New; color: #666600; font-size: 10pt;\">\/<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 
10pt;\">alerts<\/span><span style=\"font-family: Courier New; color: #666600; font-size: 10pt;\">.<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">json<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">2. If the <\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\"> manager is generating alerts (as seen in step 1), check whether Logstash is reading them. Two processes should have the alerts file open:&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">java<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp;for Logstash and&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">ossec-ana<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp;from <\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># <\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">lsof<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"> \/var\/<\/span><span style=\"font-family: 
Courier New; color: #880000; font-size: 10pt;\">ossec<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">\/logs\/alerts\/<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">alerts.json<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"> (<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">ossec-ana<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"> &amp; java should both be running; if not, restart <\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">ossec<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">)<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\">[root@<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\">waz01<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\"> ~]# <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\">lsof<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\"> \/var\/<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\">ossec<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\">\/logs\/alerts\/<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\">alerts.json<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\">COMMAND PID USER FD TYPE DEVICE SIZE\/OFF NODE NAME<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; 
direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\">ossec-<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\">ana<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\"> 4662 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\">ossec<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\"> 10w REG 253,3 2060995503 201341089 \/var\/<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\">ossec<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\">\/logs\/alerts\/<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\">alerts.json<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\">java 11924 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\">logstash<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\"> 93r REG 253,3 2060995503 201341089 \/var\/<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\">ossec<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\">\/logs\/alerts\/<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\">alerts.json<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">
3. If Logstash is reading our alerts, check whether there is an Elasticsearch index for today (for example <\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">wazuh-alerts-3.x-2018.10.16<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">):<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">curl localhost<\/span><span style=\"font-family: Courier New; color: #666600; font-size: 10pt;\">:<\/span><span style=\"font-family: Courier New; color: #006666; font-size: 10pt;\">9200<\/span><span style=\"font-family: Courier New; color: #666600; font-size: 10pt;\">\/<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">_cat<\/span><span style=\"font-family: Courier New; color: #666600; font-size: 10pt;\">\/<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">indices<\/span><span style=\"font-family: Courier New; color: #666600; font-size: 10pt;\">\/<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">wazuh<\/span><span style=\"font-family: Courier New; color: #666600; font-size: 10pt;\">-<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">alerts<\/span><span style=\"font-family: Courier New; color: #666600; font-size: 10pt;\">-<\/span><span style=\"font-family: Courier New; color: #006666; font-size: 10pt;\">3.x<\/span><span style=\"font-family: Courier New; color: #666600; font-size: 10pt;\">-*<\/span><\/span><\/p>\n
<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">[root@<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">waz01<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> ~]#<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> curl localhost:9200\/_cat\/indices\/wazuh-alerts-3.x-*<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.07 HLNDuMjHS1Ox3iLoSwFE7g 5 1 294 0 1000.8kb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1000.8kb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.25 Eg1rvDXbSNSq5EqJAtSm_A 5 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1 247998<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 0 87.7mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">87.7mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.05 HHRnxqjtTKimmW6FEUUfdw 5 1 143 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">0 679<\/span><span style=\"font-family: Courier 
New; color: #222222; font-size: 8pt;\">.6kb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">679.6kb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.08 MqIJtCNQR3aU3inuv-pxpw 5 1 183 0 748kb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">748kb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.15 GIx8fMXnQ3ukrSkKmjbViQ 5 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1 171191<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 0 45.9mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">45.9mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.10.10 W3pw1hDwSp2QAtRm0hwoaQ 5 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1 896799<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 0 662.6mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">662.6mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.10.15 rnC7kyXRQSCSXm6wVCiWOw 5 1 
2628257 0 1.8gb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1.8gb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.10.02 nKEdjkFOQ9abitVi_dKF3g 5 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1 727934<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 0 232.7mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">232.7mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.21 FY0mIXGQQHmCpYgRgOIJhg 5 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1 203134<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 0 63.5mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">63.5mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.10.01 mvYSVDZJSfa-F_5dKIBwAg 5 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1 402155<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 0 129.9mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">129.9mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span 
style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.10.18 _2WiGz6fRXSNyDjy8qPefg 5 1 2787147 0 1.8gb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1.8gb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.19 ebb9Jrt1TT6Qm6df7VjZxg 5 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1 201897<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 0 58.3mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">58.3mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.13 KPy8HfiyRyyPeeHpTGKJNg 5 1 52530 0 13.7mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">13.7mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.10.23 T7YJjWhgRMaYyCT-XC1f5w 5 1 1074081 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">0 742<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">.6mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">742.6mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier 
New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.10.03 bMW_brMeRkSDsJWL6agaWg 5 1 1321895 0 715mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">715mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.18 B1wJIN1SQKuSQbkoFsTmnA 5 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1 187805<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 0 52.4mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">52.4mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.04 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">CvatsnVxTDKgtPzuSkebFQ<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 5 1 28 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">0 271<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">.1kb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">271.1kb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.10.21 AWVQ7D8VS_S0DHiXvtNB1Q 5 1 2724453 0 1.8gb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1.8gb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 
0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.27 8wRF0XhXQnuVexAxLF6Y5w 5 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1 233117<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 0 79.2mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">79.2mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.10.13 wM5hHYMCQsG5XCkIquE-QA 5 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1 304830<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 0 222.4mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">222.4mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.12 1aB7pIcnTWqZPZkFagHnKA 5 1 73 0 516kb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">516kb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.29 BXyZe2eySkSlwutudcTzNA 5 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1 222734<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 0 73.7mb <\/span><span 
style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">73.7mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.10.04 x8198rpWTxOVBgJ6eTjJJg 5 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1 492044<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 0 364.9mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">364.9mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.23 ZQZE9KD1R1y6WypYVV5kfg 5 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1 216141<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 0 73.7mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">73.7mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.22 60AsCkS-RGG0Z2kFGcrbxg 5 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1 218077<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 0 74.2mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">74.2mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier 
New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.10.12 WdiFnzu7QlaBetwzcsIFYQ 5 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1 363029<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 0 237.7mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">237.7mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.24 Loa8kM7cSJOujjRzvYsVKw 5 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1 286140<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 0 106.3mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">106.3mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.17 zK3MCinOSF2_3rNAJnuPCQ 5 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1 174254<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 0 48.3mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">48.3mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.10.17 A4yCMv4YTuOQWelbb3XQtQ 5 1 2703251 0 1.8gb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1.8gb<\/span><\/span><\/p>\n<p class=\"Normal-P\" 
style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.02 lt8xvq2ZRdOQGW7pSX5-wg 5 1 148 0 507kb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">507kb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.08.31 RP0_5r1aQdiMmQYeD0-3CQ 5 1 28 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">0 247<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">.8kb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">247.8kb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.28 iZ2J4UMhR6y1eHH1JiiqLQ 5 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1 232290<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 0 78.6mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">78.6mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.09 FRELA8dFSWy6aMd12ZFnqw 5 1 428 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">0 895<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">.1kb 
<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">895.1kb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.16 uwLNlaQ1Qnyp2V9jXJJHvA 5 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1 171478<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 0 46.5mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">46.5mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.10.14 WQV3dpLeSdapmaKOewUh-Q 5 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1 226964<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 0 154.9mb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">154.9mb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.09.11 2Zc4Fg8lR6G64XuJLZbkBA 5 1 203 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">0 772<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">.1kb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">772.1kb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span 
style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.10.16 p2F-trx1R7mBXQUb4eY-Fg 5 1 2655690 0 1.8gb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1.8gb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.08.29 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">kAPHZSRpQqaMhoWgkiXupg<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\"> 5 1 28 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">0 236<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">.6kb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">236.6kb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.08.28 XmD43PlgTUWaH4DMvZMiqw 5 1 175 <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">0 500<\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">.9kb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">500.9kb<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">yellow open wazuh-alerts-3.x-2018.10.19 O4QFPk1FS1urV2CGM2Ul4g 5 1 2718909 0 1.8gb <\/span><span style=\"font-family: Courier New; color: #222222; font-size: 8pt;\">1.8gb<\/span><\/span><\/p>\n<p 
class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">4. If Elasticsearch has an index for today&nbsp;(<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">wazuh-alerts-3.x-2018.10.16<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">), the problem is probably the time range selected in Kibana. To rule out any error related to this, go to&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">Kibana &gt; Discover<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">, and look for alerts in that section of Kibana itself. If there are alerts from today in the Discover section: 
<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #222222; font-size: 10pt;\"><img decoding=\"async\" src=\"http:\/\/www.nicktailor.com\/wp-content\/uploads\/2018\/10\/1540441125_image4.png\" width=\"643.045459317585px \" height=\"168.995905511811px \" data-link=\"\"\/><\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal; margin-left: 36pt;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" 
style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"background-color: #ffffff; font-family: Arial; color: #222222;\">This means the Elasticsearch stack is working (at least at index level).<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Reason 4: the agent buffer is full due to a flood of events. If this occurs, events are not logged and data is lost. We want to drill down on a specific agent to figure out what is causing the issue.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Try to fetch data directly from Elasticsearch for today&#8217;s index and for agent 013. 
Copy and paste the next query in the Kibana dev tools:<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">GET wazuh-alerts-3.x-2018.10.17\/_search<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">{<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">&nbsp;&nbsp;&quot;query&quot;: {<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">&nbsp;&nbsp;&nbsp;&nbsp;&quot;match&quot;: {<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;agent.id&quot;: &quot;013&quot;<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">&nbsp;&nbsp;&nbsp;&nbsp;}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">&nbsp;&nbsp;}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"><img decoding=\"async\" src=\"http:\/\/www.nicktailor.com\/wp-content\/uploads\/2018\/10\/1540441125_image5.png\" width=\"601px \" height=\"410px \" data-link=\"\"\/><\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">This should return hits showing that alerts from the agent are present in the index for that day. If this is successful, we know that the logs are arriving and Kibana is able to communicate with Elasticsearch. 
<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\"><img decoding=\"async\" src=\"http:\/\/www.nicktailor.com\/wp-content\/uploads\/2018\/10\/1540441125_image6.png\" width=\"602px \" height=\"384px \" data-link=\"\"\/><\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #000000;\">Next steps<\/span><\/span><\/p>\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li id=\"pmdi_list_17_0\" class=\"ListParagraph-P\" style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\" data-numid=\"17\"><span class=\"ListParagraph-H\"><span style=\"font-family: Times New Roman; color: #000000; font-size: 12pt;\">Log in using SSH to the agent &#8220;013&#8221; and execute the next command:<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">wc -l \/var\/log\/audit\/audit.log | cut -d'\/' -f1 (centos)<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">wc -l \/var\/log\/syslog | cut -d'\/' -f1 (ubuntu)<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li id=\"pmdi_list_14_0\" class=\"ListParagraph-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"14\"><span class=\"ListParagraph-H\"><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">root@wazuh-03:\/var\/log# wc -l \/var\/log\/syslog | cut -d'\/' -f1<\/span><\/span><\/li>\n<li id=\"pmdi_list__\" class=\"ListParagraph-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"\"><span class=\"ListParagraph-H\"><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">36451<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #000000; font-size: 12pt;\">Also, check your&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #000000; font-size: 12pt;\">audit<\/span><span style=\"font-family: Arial; color: #000000; font-size: 12pt;\">&nbsp;rules using the next command:<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># <\/span><span style=\"font-family: Courier New; color: #880000; font-size: 
10pt;\">auditctl<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"> -l<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Times New Roman; color: #000000; font-size: 12pt;\">The wc command should show a positive number, which is the number of lines in the&nbsp;<\/span><span style=\"font-family: Times New Roman; font-style: italic; color: #000000; font-size: 12pt;\">audit.log<\/span><span style=\"font-family: Times New Roman; color: #000000; font-size: 12pt;\">&nbsp;file. Note it down.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li id=\"pmdi_list_17_0\" class=\"ListParagraph-P\" style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\" data-numid=\"17\"><span class=\"ListParagraph-H\"><span style=\"font-family: Times New Roman; color: #000000; font-size: 12pt;\">Now restart the Wazuh agent:<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># 
<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">systemctl restart wazuh-agent<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Times New Roman; color: #000000; font-size: 12pt;\">We need to wait until the&nbsp;<\/span><span style=\"font-family: Times New Roman; font-style: italic; color: #000000; font-size: 12pt;\">syscheck<\/span><span style=\"font-family: Times New Roman; color: #000000; font-size: 12pt;\">&nbsp;scan has finished; this trick is useful to know exactly when it&#8217;s done (the first grep is line-buffered so the match is not held back in a pipe buffer):<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># tail -f \/var\/ossec\/logs\/ossec.log | grep --line-buffered syscheck | grep Ending<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; direction: 
ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Times New Roman; color: #000000; font-size: 12pt;\">The above command shouldn&#8217;t show anything until the scan is finished (it could take some time, so be patient). At the end, you should see a line like this:<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">2018\/10\/17 13:36:03 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Times New Roman; color: #000000; font-size: 12pt;\">Now it&#8217;s time to check the&nbsp;<\/span><span style=\"font-family: Times New Roman; font-style: italic; color: #000000; font-size: 12pt;\">audit.log<\/span><span style=\"font-family: Times New Roman; color: #000000; font-size: 12pt;\">&nbsp;file again:<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">wc -l \/var\/log\/audit\/audit.log | cut -d'\/' -f1<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">wc -l \/var\/log\/audit\/syslog | cut -d'\/' -f1<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #006666; font-size: 12pt;\">If you still see the agent buffer full after these steps, then we need to do some debugging.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"background-color: #fafafa; font-family: Courier New; color: #880000;\">tail -f \/var\/ossec\/logs\/ossec.log | grep syscheck | grep Ending<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">root@waz03:\/var\/log# cat \/var\/ossec\/logs\/ossec.log | grep -i -E \"(error|warning|critical)\"<\/span><\/span><\/p>\n<p class=\"Normal-P\" 
style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"background-color: #ffffff; font-family: Arial; color: #500050; font-size: 8pt;\">2018\/10\/17 00:09:08 <\/span><span style=\"background-color: #ffffff; font-family: Arial; color: #500050; font-size: 8pt;\">ossec-agentd<\/span><span style=\"background-color: #ffffff; font-family: Arial; color: #500050; font-size: 8pt;\">: WARNING: Agent buffer at 90 %.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"background-color: #ffffff; font-family: Arial; color: #500050; font-size: 8pt;\">2018\/10\/17 00:09:08 <\/span><span style=\"background-color: #ffffff; font-family: Arial; color: #500050; font-size: 8pt;\">ossec-agentd<\/span><span style=\"background-color: #ffffff; font-family: Arial; color: #500050; font-size: 8pt;\">: WARNING: Agent buffer is full: Events may be lost.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"background-color: #ffffff; font-family: Arial; color: #500050; font-size: 8pt;\">2018\/10\/17 12:10:20 <\/span><span style=\"background-color: #ffffff; font-family: Arial; color: #500050; font-size: 8pt;\">ossec-agentd<\/span><span style=\"background-color: #ffffff; font-family: Arial; color: #500050; font-size: 8pt;\">: WARNING: Agent buffer at 90 %.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"background-color: #ffffff; font-family: Arial; color: #500050; font-size: 8pt;\">2018\/10\/17 12:10:20 <\/span><span style=\"background-color: #ffffff; font-family: Arial; color: #500050; font-size: 8pt;\">ossec-agentd<\/span><span style=\"background-color: #ffffff; font-family: Arial; color: #500050; font-size: 8pt;\">: WARNING: Agent buffer is full: 
Events may be lost.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">2018\/10\/17 14:25:20 <\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">ossec-logcollector<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">: ERROR: (1103): Could not open file &#8216;\/var\/log\/messages&#8217; due to [(2)<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">-(<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">No&nbsp;such file or directory)].<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">2018\/10\/17 14:25:20 <\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">ossec-logcollector<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">: ERROR: (1103): Could not open file &#8216;\/var\/log\/secure&#8217; due to [(2)<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">-(<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">No&nbsp;such file or directory)].<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">2018\/10\/17 14:26:08 <\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">ossec-agentd<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">: WARNING: Agent buffer at 90 %.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: 
normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">2018\/10\/17 14:26:08 <\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">ossec-agentd<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">: WARNING: Agent buffer is full: Events may be lost.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">2018\/10\/17 14:28:18 <\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">ossec-logcollector<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">: ERROR: (1103): Could not open file &#8216;\/var\/log\/messages&#8217; due to [(2)<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">-(<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">No&nbsp;such file or directory)].<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">2018\/10\/17 14:28:18 <\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">ossec-logcollector<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">: ERROR: (1103): Could not open file &#8216;\/var\/log\/secure&#8217; due to [(2)<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">-(<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">No&nbsp;such file or directory)].<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">2018\/10\/17 14:29:06 <\/span><span 
style=\"font-family: Arial; color: #222222; font-size: 8pt;\">ossec-agentd<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">: WARNING: Agent buffer at 90 %.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">2018\/10\/17 14:29:06 <\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">ossec-agentd<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">: WARNING: Agent buffer is full: Events may be lost.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"IntenseEmphasis-H\" style=\"font-size: 14pt;\">Debugging json alerts for specific agent 13<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Ok, let&#8217;s debug your agent events using&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">logall_json<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp;in the <\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\"> manager instance.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: 
#ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Login using&nbsp;SSH into the <\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\"> manager instance and edit the <\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">ossec.conf<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\"> file. <\/span><\/span><\/p>\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li id=\"pmdi_list_14_0\" class=\"ListParagraph-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"14\"><span class=\"ListParagraph-H\"><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">Edit the file \/var\/<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">ossec<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">\/etc\/<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">ossec.conf<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\"> and look for the&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">&lt;global&gt;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">&nbsp;section, then enable&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">&lt;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">logall_json<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">&gt;<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; 
background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">&lt;<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">logall_json<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">&gt;<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">yes<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">&lt;\/<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">logall_json<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">&gt;<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">2. 
Restart the <\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\"> manager<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># <\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">systemctl<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"> restart <\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">wazuh<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">-manager<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span>3. 
Login using&nbsp;SSH into the Wazuh agent (13) instance, restart it and&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">tail -f<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp;until it shows you the warning message:<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># systemctl restart wazuh-agent<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># tail -f \/var\/ossec\/logs\/ossec.log | grep WARNING<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 
0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">4. Once you see&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">ossec-agentd: WARNING: Agent buffer at 90 %.<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp;in the Wazuh agent logs, switch your CLI back to the Wazuh manager instance; the next file we want to tail is on the Wazuh manager:<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; font-weight: bold; color: #222222; font-size: 12pt;\">tail -f \/var\/ossec\/logs\/archives\/archives.json<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">5. Now we can take a look at the events in order to clarify what is flooding the agent &#8220;013&#8221;.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Once you have seen the log, you can disable&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">logall_json<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp;and restart the Wazuh manager (archives.json records every event the manager receives, so leaving it enabled fills the disk quickly).<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">6. Log from <\/span><span style=\"font-family: Arial; font-weight: bold; color: #222222; font-size: 12pt;\">tail -f \/var\/ossec\/logs\/archives\/archives.json (wazuh-manager)<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 
{&#8220;timestamp">
8pt;\">{\"timestamp\":\"2018-10-17T18:06:17.33+0100\",\"rule\":{\"level\":7,\"description\":\"Host-based anomaly detection event (rootcheck).\",\"id\":\"510\",\"firedtimes\":3352,\"mail\":false,\"groups\":[\"ossec\",\"rootcheck\"],\"gdpr\":[\"IV_35.7.d\"]},\"agent\":{\"id\":\"013\",<\/span><span style=\"font-family: Arial; font-weight: bold; color: #222222; font-size: 8pt;\">\"name\":\"waz03\",\"ip\":\"10.79.244.143\"},\"manager\":{\"name\":\"waz01\"},\"id\":\"1539795977.2752038221\",\"full_log\":\"File '\/var\/lib\/kubelet\/pods\/2ff462ce-7233-11e8-8282-005056b518e6\/containers\/install-cni\/e26aa5b1' is owned by root and has written permissions to anyone.\",<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\"decoder\":{\"name\":\"rootcheck\"},\"data\":{\"title\":\"File is owned by root and has written permissions to anyone.\",\"file\":\"\/var\/lib\/kubelet\/pods\/2ff462ce-7233-11e8-8282-005056b518e6\/containers\/install-cni\/e26aa5b1\"},\"location\":\"rootcheck\"}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">{\"timestamp\":\"2018-10-17T18:06:17.35+0100\",\"rule\":{\"level\":7,\"description\":\"Host-based anomaly detection event (rootcheck).\",\"id\":\"510\",\"firedtimes\":3353,\"mail\":false,\"groups\":[\"ossec\",\"rootcheck\"],\"gdpr\":[\"IV_35.7.d\"]},\"agent\":{\"id\":\"013\",\"name\":\"waz03\",\"ip\":\"10.79.244.143\"},\"manager\":{\"name\":\"waz01\"},\"id\":\"1539795977.2752038739\",\"full_log\":\"File '\/var\/lib\/kubelet\/pods\/2ff462ce-7233-11e8-8282-005056b518e6\/containers\/install-cni\/12cb9011' is owned by root and has written permissions to anyone.\",\"decoder\":{\"name\":\"rootcheck\"},\"data\":{\"title\":\"File is owned by root and has written permissions to anyone.\",\"file\":\"\/var\/lib\/kubelet\/pods\/2ff462ce-7233-11e8-8282-005056b518e6\/containers\/install-cni\/12cb9011\"},\"location\":\"rootcheck\"}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: 
ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">{&#8220;timestamp&#8221;:&#8221;2018-10-17T18:06:17.37+0100&#8243;,&#8221;rule&#8221;:{&#8220;level&#8221;:7,&#8221;description&#8221;:&#8221;Host-based anomaly detection event <\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">(<\/span><span style=\"font-family: Arial; font-weight: bold; color: #222222; font-size: 8pt;\">rootcheck).&#8221;,&#8221;id&#8221;:&#8221;510&#8243;,&#8221;firedtimes&#8221;:3354,&#8221;mail&#8221;:false,&#8221;groups&#8221;:[&#8220;ossec&#8221;,&#8221;rootcheck&#8221;],&#8221;gdpr&#8221;:[&#8220;IV_35.7.d&#8221;]},&#8221;agent&#8221;:{&#8220;id&#8221;:&#8221;013&#8243;,&#8221;name&#8221;:&#8221;<\/span><span style=\"font-family: Arial; font-weight: bold; color: #222222; font-size: 8pt;\">waz03<\/span><span style=\"font-family: Arial; font-weight: bold; color: #222222; font-size: 8pt;\">&#8220;,&#8221;ip&#8221;:&#8221;10.79.244.143&#8243;},&#8221;manager&#8221;:{&#8220;name&#8221;:&#8221;<\/span><span style=\"font-family: Arial; font-weight: bold; color: #222222; font-size: 8pt;\">waz01<\/span><span style=\"font-family: Arial; font-weight: bold; color: #222222; font-size: 8pt;\">&#8220;},&#8221;id&#8221;:&#8221;1539795977.<\/span><span style=\"font-family: Arial; font-weight: bold; color: #222222; font-size: 12pt;\">2752039257&#8243;,&#8221;full_log&#8221;:&#8221;File &#8216;\/var\/lib\/kubelet\/pods\/2ff462ce-7233-11e8-8282-005056b518e6\/containers\/install-cni\/4a930107&#8217; is owned by root and has written permissions to <\/span><span style=\"font-family: Arial; 
font-weight: bold; color: #222222; font-size: 12pt;\">anyone.&#8221;,&#8221;decoder<\/span><span style=\"font-family: Arial; font-weight: bold; color: #222222; font-size: 12pt;\">&#8220;:{&#8220;name&#8221;:&#8221;<\/span><span style=\"font-family: Arial; font-weight: bold; color: #222222; font-size: 12pt;\">rootcheck<\/span><span style=\"font-family: Arial; font-weight: bold; color: #222222; font-size: 12pt;\">&#8220;},&#8221;data&#8221;:{&#8220;<\/span><span style=\"font-family: Arial; font-weight: bold; color: #222222; font-size: 12pt;\">title&#8221;:&#8221;File<\/span><span style=\"font-family: Arial; font-weight: bold; color: #222222; font-size: 12pt;\"> is owned<\/span><span style=\"font-family: Arial; font-weight: bold; color: #222222; font-size: 8pt;\"> by root and has written permissions to anyone.&#8221;,&#8221;file&#8221;:&#8221;\/var\/lib\/kubelet\/pods\/2ff462ce-7233-11e8-8282-005056b518e6\/containers<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">\/install-cni\/4a930107&#8243;},&#8221;location&#8221;:&#8221;rootcheck&#8221;}<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">{&#8220;timestamp&#8221;:&#8221;2018-10-17T18:06:17.40+0100&#8243;,&#8221;rule<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">&#8220;:{<\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\">&#8220;level&#8221;:7,&#8221;description&#8221;:&#8221;Host-based anomaly detection event <\/span><span style=\"font-family: Arial; color: #222222; font-size: 8pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span 
style=\"font-family: Arial; color: #222222; font-size: 8pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal; margin-left: 18pt;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">From the above log we can see that <\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">kubernetes<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\"> is sending a lot of events to the agent causing the buffer to fill up. To solve <\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">this<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\"> we particular issue from happening in future. 
We can disable this at the client level or the global level.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp;&nbsp;&nbsp;<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Here you can see the number of events from&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">rootcheck<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp;in your <\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">archives.json<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">:<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">cat <\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">archives<\/span><span style=\"font-family: Courier New; color: #666600; font-size: 10pt;\">.<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">json<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">&nbsp;<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">&nbsp;grep <\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">rootcheck<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">&nbsp;<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">&nbsp;<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 
wc<\/span>">
10pt;\">wc -l<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span style=\"font-family: Courier New; color: #006666; font-size: 10pt;\">489<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Here you can see the&nbsp;number&nbsp;of events from&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">rootcheck<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp;and rule&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">510<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp;in the archives.json:<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: 
cat">
#000000; font-size: 10pt;\">cat archives.json | grep rootcheck | grep 510 | wc -l<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span style=\"font-family: Courier New; color: #006666; font-size: 10pt;\">489<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: 
#222222; font-size: 12pt;\">Here you can see the&nbsp;number&nbsp;of events from&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">rootcheck<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp;and rule&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">510<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp;and including&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">&#8220;\/var\/lib\/<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">kubelet<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">\/pods\/<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">&#8220;<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp; in<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\"> your <\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">archives.json<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">:<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">cat <\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">archives<\/span><span style=\"font-family: Courier New; color: #666600; font-size: 10pt;\">.<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">json<\/span><span style=\"font-family: Courier New; color: #000000; 
&nbsp;<\/span>">
font-size: 10pt;\"> | grep rootcheck | grep 510 | grep \/var\/lib\/kubelet\/pods\/ | wc -l<\/span><span 
style=\"font-family: Courier New; color: #000000; font-size: 10pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span style=\"font-family: Courier New; color: #006666; font-size: 10pt;\">489<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">So<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\"> we <\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">have two options:<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; font-weight: bold; color: #222222; font-size: 12pt;\">Option 1<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">. 
Edit the&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">ossec.conf<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp;from your <\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\"> agent &#8220;013&#8221;.&nbsp;<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">(This is the one I did)<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&#8211; Login using SSH into the <\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\"> agent &#8220;013&#8221; instance.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&#8211; Edit the file&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">\/var\/<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">ossec<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">\/etc\/<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">ossec.conf<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">, and look for the&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 
12pt;\">rootcheck<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp;block, then put a&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">&lt;ignore&gt;<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp;block for that directory.&nbsp;<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">&lt;<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">rootcheck<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">&gt;<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span>&#8230;<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">&lt;ignore&gt;<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">\/var\/lib\/<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">kubelet<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">&lt;\/ignore&gt;<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span>&#8230;<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\"><span style=\"display: block;\"><span style=\"display: 
none;\">&#8230;<\/span><\/span><\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">&lt;\/<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">rootcheck<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">&gt;<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Restart the <\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\"> agent &#8220;013&#8221;<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># <\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">systemctl<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"> restart <\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">wazuh<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">-agent<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span 
style=\"font-family: Arial; font-weight: bold; color: #222222; font-size: 12pt;\">Option 2<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">.<\/span><span style=\"font-family: Arial; font-weight: bold; color: #222222; font-size: 12pt;\">&nbsp;<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Check in which group is your agent and edit its centralized configuration.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&#8211; Login using SSH into the <\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\"> manager instance.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&#8211; Check the group where is agent&nbsp;&#8220;013&#8221;<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># \/var\/<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">ossec<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">\/bin\/<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 
agent_groups">
10pt;\">agent_groups -s -i 013<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&#8211; Note down the group, example:&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">default<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&#8211; Edit the file under&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">\/var\/ossec\/etc\/shared\/default\/agent.conf<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp;(replace&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">default<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp;with the real group name; it could be different from my example),&nbsp;<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">then add the&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">rootcheck<\/span><span style=\"font-family: Arial; color: 
#222222; font-size: 12pt;\">&nbsp;ignore inside the&nbsp;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">&lt;<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">agent_config<\/span><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">&gt;<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp;block, example:<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">&lt;<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">agent_config<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">&gt;<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span>&nbsp;&nbsp;<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">&lt;!&#8211; Shared agent configuration here &#8211;&gt;<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span>&nbsp;&nbsp;<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">&lt;<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">rootcheck<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 
&gt;<\/span>">
10pt;\">&gt;<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span>&nbsp; &nbsp;&nbsp;<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">&lt;ignore&gt;<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">\/var\/lib\/<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\">kubelet<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">&lt;\/ignore&gt;<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span>&nbsp;&nbsp;<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">&lt;\/<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">rootcheck<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">&gt;<\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span style=\"font-family: Courier New; color: #000000; font-size: 10pt;\"><span style=\"display: block;\"><span style=\"display: none;\">&#8230;<\/span><\/span><\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">&lt;\/<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">agent_config<\/span><span style=\"font-family: Courier New; color: #000088; font-size: 10pt;\">&gt;<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: 
Arial; color: #222222; font-size: 12pt;\">&#8211; Restart the <\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Wazuh<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\"> manager<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># <\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">systemctl<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"> restart <\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">wazuh<\/span><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\">-manager<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&#8211; Restart the<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\"> agent on client as well<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span 
class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #fafafa; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Courier New; color: #880000; font-size: 10pt;\"># systemctl restart wazuh-agent<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">The&nbsp;<\/span><span style=\"font-family: Arial; font-weight: bold; color: #222222; font-size: 12pt;\">solution #1<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp;takes effect immediately.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">The&nbsp;<\/span><span style=\"font-family: Arial; font-weight: bold; color: #222222; font-size: 
12pt;\">solution #2<\/span><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">&nbsp;will push the new configuration from the Wazuh manager to the Wazuh agent. Once the agent receives it,&nbsp;<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">it automatically restarts itself and then applies the new configuration. It could take a bit more time than solution #1.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">On a side note, you can take a look at this useful link about agent flooding:<\/span><\/span><\/p>\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li id=\"pmdi_list_19_0\" class=\"Normal-P\" style=\"margin-top: 5pt; margin-bottom: 5pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal; margin-left: 47.25pt;\" data-numid=\"19\"><span class=\"Normal-H\"><a href=\"https:\/\/documentation.wazuh.com\/current\/user-manual\/capabilities\/antiflooding.html\" target=\"_blank\" rel=\"noopener\">https:\/\/documentation.wazuh.com\/current\/user-manual\/capabilities\/antiflooding.html<\/a><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">The above link explains how to prevent the agent from being flooded.&nbsp;<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Now the agent should show correctly in the 15min time range. If a bunch of clients had the issue, then you need to use ansible to send out an agent restart on all clients, or set up a cron job on all the machines to restart the agent every 24 hours.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\"><img decoding=\"async\" src=\"http:\/\/www.nicktailor.com\/wp-content\/uploads\/2018\/10\/1540441125_image7.png\" width=\"602px \" height=\"231px \" data-link=\"\"\/><\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 
12pt;\">Discover on the agent should also show logs.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\"><img decoding=\"async\" src=\"http:\/\/www.nicktailor.com\/wp-content\/uploads\/2018\/10\/1540441125_image8.png\" width=\"600px \" height=\"244px \" data-link=\"\"\/><\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span style=\"font-family: Arial; color: #222222; font-size: 12pt;\">Ansible ad hoc command or playbook.<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\"><span class=\"IntenseEmphasis-H\">Example:<\/span><\/span><\/p>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<ul style=\"list-style-type: decimal; ;margin-left: 20px;\">\n<li id=\"pmdi_list_14_0\" class=\"ListParagraph-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\" data-numid=\"14\"><span class=\"ListParagraph-H\"><span style=\"font-family: Arial; font-style: italic; color: #222222; font-size: 12pt;\">ansible -i hosts-linuxdevelopment -a &quot;sudo systemctl restart wazuh-agent&quot; --vault-password-file \/etc\/ansible\/vaultpw.txt -u ansible_nickt -k -K<\/span><\/span><\/li>\n<\/ul>\n<p class=\"Normal-P\" style=\"margin-bottom: 0pt; background-color: #ffffff; direction: ltr; unicode-bidi: normal;\"><span class=\"Normal-H\">&nbsp;<\/span><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>If you see this error in kibana on an agent. It could be for a number of reasons. Follow this process to figure it out. 
Agent buffer on the client is full, which is caused by flood of alerts. The agents have a buffer size to keep resources on the clients consistent and minimal. If this fills up then kibana<a href=\"https:\/\/nicktailor.com\/tech-blog\/wazuh-agent-troubleshooting-guide\/\" class=\"read-more\">Read More &#8230;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55,138,56],"tags":[],"class_list":["post-871","post","type-post","status-publish","format-standard","hentry","category-elk","category-linux","category-wazuh"],"_links":{"self":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/871","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/comments?post=871"}],"version-history":[{"count":5,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/871\/revisions"}],"predecessor-version":[{"id":1602,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/871\/revisions\/1602"}],"wp:attachment":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/media?parent=871"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/categories?post=871"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/tags?post=871"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}