wazuh-dashboard-plugins

[Dashboard error] [WazuhError]: x_content_parse_exception: [x_content_parse_exception] Reason: [1:1362] [bool] failed to parse field [filter]

Open StensonSimon opened this issue 1 year ago • 20 comments

|Wazuh 4.8.0|Component|Installed directly in Ubuntu 22.04|Ubuntu 22.04|Wazuh Dashboard | Manager

I just installed Wazuh following the Quickstart documentation and when I loaded up the dashboard, I am getting this error:

[WazuhError]: x_content_parse_exception: [x_content_parse_exception] Reason: [1:1362] [bool] failed to parse field [filter]


What could be the reason for this?

Thanks

StensonSimon avatar Jul 04 '24 21:07 StensonSimon

Same error here!

BR,

Javi

movilla1976 avatar Jul 09 '24 10:07 movilla1976

Same issue here as well.

cyber-nexus-75 avatar Jul 09 '24 17:07 cyber-nexus-75

Exactly the same issue for me too. Fresh 3 node distributed Wazuh deployment. No configuration has been done. I just logged in to the dashboard and am seeing these errors.

symmcom avatar Jul 10 '24 09:07 symmcom

Did anyone find a solution? Please advise.

jeanstephan avatar Jul 13 '24 10:07 jeanstephan

Same error here. Might be an error of the version. What does it mean?

rm-w3kufe avatar Jul 17 '24 05:07 rm-w3kufe

Same issue |Debian 12 | bookworm|App version: 4.8.0 | App revision: 12 |Install date: Jul 17, 2024

teboarte avatar Jul 17 '24 12:07 teboarte

Hello everyone,

I could not make this work on a clean Ubuntu 22.04 VM + quickstart install as stated, but some of you had agents connected to it, so my question is: is this happening on clean environments with already enrolled agents? If so, what are the agents' versions and OS family?

jnasselle avatar Jul 22 '24 17:07 jnasselle

I am not sure if it is a solution, but I have found a workaround that I have tried repeatedly and it works. I had these errors on freshly installed Wazuh no matter how many times I installed. The only way I found to make the errors go away completely is by enabling Cluster on the server. You don't necessarily have to add a 2nd Wazuh server or anything. Just enable it.

This is the portion you have to edit. I found this on Wazuh cluster URL: https://documentation.wazuh.com/current/user-manual/manager/wazuh-server-cluster.html

<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <node_type>master</node_type>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>MASTER_NODE_IP</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>

As soon as the cluster is enabled, after restarting wazuh-server, all errors on the Dashboard went away.

Hope this helps.

symmcom avatar Jul 22 '24 18:07 symmcom

Do not install on ubuntu v24 stay on v22, and do not update once you install wazuh.

jeanstephan avatar Jul 22 '24 19:07 jeanstephan

> Do not install on ubuntu v24 stay on v22, and do not update once you install wazuh.

Although I primarily use Debian, I have installed Wazuh on Ubuntu 22, 24 while I was trying to figure out the issue. All had a similar issue, and enabling the cluster fixed the errors on both Ubuntu and Debian. I have settled with Debian 12 for the final Wazuh deployment. I do not use single node deployment, but distributed Wazuh with 1 Dashboard, 1 Server and 1 Indexer. No errors.

symmcom avatar Jul 22 '24 19:07 symmcom

I was able to make it work on Ubuntu 22.04 (Proxmox CT/LXC) and Wazuh version 4.8.0, setting up indexer, manager and dashboard in that order.

rm-w3kufe avatar Jul 25 '24 01:07 rm-w3kufe

> > Do not install on ubuntu v24 stay on v22, and do not update once you install wazuh.
>
> Although I primarily use Debian, I have installed Wazuh on Ubuntu 22, 24 while I was trying to figure out the issue. All had a similar issue, and enabling the cluster fixed the errors on both Ubuntu and Debian. I have settled with Debian 12 for the final Wazuh deployment. I do not use single node deployment, but distributed Wazuh with 1 Dashboard, 1 Server and 1 Indexer. No errors.

That worked for me as well. Wazuh 4.8.1 + Ubuntu 24.04 LTS. Thanks!

Javi

movilla1976 avatar Jul 26 '24 09:07 movilla1976

I have tried to replicate it in several different environments with and without cluster mode, but couldn't. Can you please provide additional information on this?

We may find some additional context in Wazuh dashboard logs:

journalctl -u wazuh-dashboard
cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"

Get index template: In Wazuh dashboard go to Server management / Dev tools then please get the mapping of an alert index and provide the output.

You can check your indexes in the following way:

GET _cat/indices

and then check some index to see if you have all the fields as follows:

GET <index>/_mapping

Example:

GET wazuh-alerts-4.x-2024.06.28/_mapping

The request made to the indexer will also be useful:

  • Open the browser dev tools. Usually F12 or ctrl+shift+i does the trick.
  • Identify the request made to the indexer and share the payload and response like in the following screenshot:

image

asteriscos avatar Jul 26 '24 15:07 asteriscos

Asteriscos,

I have experienced the same issue when I installed the assisted install of Wazuh on Ubuntu 22 (Jellyfish). It was a clean install; I did not do any nodes or any cluster. I only did 1 live agent for a test run to install a Wazuh agent, which I did get on the Wazuh dashboard, but the dashboard itself received errors like this: ![Screenshot 2024-07-31 131752](https://github.com/user-attachments/assets/6ad2a4c4-d9ce-4dfb-a284-0adbf9bea799) Screenshot 2024-07-31 131809

VT194 avatar Jul 31 '24 18:07 VT194

Hi, I have the same issue. Please, has anyone found a solution?

lionetcom avatar Aug 07 '24 15:08 lionetcom

I have a 3 node distributed deployment with 1 Dashboard, 1 Manager and 1 Indexer. Enabling Cluster fixed all these Bad Request issues for me. I did not add any extra nodes, simply enabled it following the Wazuh documentation on cluster creation.

symmcom avatar Aug 07 '24 16:08 symmcom

Also having this issue on a new install, it's happened on every version/OS/deployment type I've tried. Anybody got a fix?

Have tried:

  • Ubuntu 22.04, 24.04
  • Debian 12 / Turnkey Debian 12
  • Docker Deployment
  • Version 4.7 to see if it's a new bug
  • Enabling cluster

HPringles avatar Aug 08 '24 15:08 HPringles

Having this issue on a fresh install via the quickstart script. Ubuntu 22.04 OS.

MBPotier avatar Aug 08 '24 20:08 MBPotier

Hi, I tried to replicate the problem but I could not get the errors. Other co-workers tried to replicate it with the same result. I assume the provided information may not be enough to replicate the problem and something could be missing.

According to the comments, it seems the problem is related to the Wazuh server having cluster mode disabled.

The errors are coming from requests related to the stats from the LAST 24 HOURS ALERTS panel, which displays the alerts count grouped by severity. These requests seem to have a problem in the query syntax and, according to this evidence https://github.com/user-attachments/assets/5cc018bf-6c6a-4e78-8a57-33329fe9c64d, a match_phrase filter does not have a value.

Each stat defines a query that includes a filter depending on if the Wazuh server cluster is enabled or not:

  • Cluster mode enabled: filter by cluster.name
  • Cluster mode disabled: filter by manager.name

The query uses match_phrase with some of these fields and a value that should be the Wazuh server cluster name or Wazuh server manager name (depending on the status of the Wazuh server cluster).

Taking into account the problem occurs when the Wazuh server cluster is disabled, then it could be caused by the value of the Wazuh server manager name.

I was analyzing the source code, and the value of the Wazuh server manager name could come from the manager property of a cookie (clusterInfo) stored in the browser. This comes from the backend side of Wazuh dashboard, which gets it from the Wazuh server API request:

GET /agents?agents_list=000

So, maybe, the cause is related to the hostname of the Wazuh server manager.

I have some questions:

  1. Does the error happen each time you access the Home > Overview application of Wazuh dashboard, or does this only happen once? Does refreshing the page or navigating solve the problem if you access the same view where the errors appeared previously?
  2. Does accessing another application related to the Wazuh plugin for Wazuh dashboard, such as Threat Hunting, display a filter under the search bar with the field manager.name, and does it have a value? (Wazuh server cluster should be disabled, else a filter with cluster.name will be included instead)
  3. Does cleaning the browser cache file solve the problem?
  4. What is the hostname of the Wazuh server host?
  5. Provide the value of clusterInfo cookie. This can be obtained using the browser dev tools so this could vary depending on the browser. In Google Chrome (or variants): Application > Cookies. In Firefox: Storage > Cookies
  6. Provide the request payload of the request related to the stats from the LAST 24 HOURS ALERTS. This can be obtained following the details drop-down of https://github.com/wazuh/wazuh-dashboard-plugins/issues/6861#issuecomment-2252989590.
  7. Get the manager property for the Wazuh server agent. Go to Server management > Dev Tools and run the following Wazuh server API request:
GET /agents?agents_list=000&select=manager

Desvelao avatar Aug 13 '24 10:08 Desvelao
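
Added example (not part of the original thread and not Wazuh's code): a Node.js check that walks a request payload copied from the browser dev tools and reports any match_phrase clause that has no value, the condition described in the comment above. The function names, the clusterInfo properties status and cluster, the hostname wazuh-server and the sample payload are assumptions constructed for illustration.

```javascript
// Added example: names and the sample payload are constructed for illustration.

// Build the server filter as the comment describes it: cluster.name when the
// cluster is enabled, manager.name otherwise (hypothetical helper).
function buildServerFilter(clusterInfo) {
  const enabled = clusterInfo.status === 'enabled';
  const field = enabled ? 'cluster.name' : 'manager.name';
  const value = enabled ? clusterInfo.cluster : clusterInfo.manager;
  return { match_phrase: { [field]: value } };
}

// Recursively collect the JSON paths of match_phrase clauses that carry no
// field at all, or a field whose value (or .query) is null/undefined.
function findEmptyMatchPhrase(node, path = '$', hits = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findEmptyMatchPhrase(item, `${path}[${i}]`, hits));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, child] of Object.entries(node)) {
      const here = `${path}.${key}`;
      if (key === 'match_phrase') {
        const fields = Object.entries(child || {});
        const empty = fields.length === 0 || fields.some(([, v]) => {
          const q = v !== null && typeof v === 'object' ? v.query : v;
          return q === null || q === undefined;
        });
        if (empty) hits.push(here);
      } else {
        findEmptyMatchPhrase(child, here, hits);
      }
    }
  }
  return hits;
}

// Constructed request body for a "last 24 hours" stat.
function samplePayload(clusterInfo) {
  const body = {
    size: 0,
    query: { bool: { filter: [
      { range: { timestamp: { gte: 'now-24h', lte: 'now' } } },
      buildServerFilter(clusterInfo),
    ] } },
  };
  // JSON.stringify drops properties whose value is undefined, so a missing
  // manager name is serialized as {"match_phrase":{}}.
  return JSON.parse(JSON.stringify(body));
}

console.log(findEmptyMatchPhrase(samplePayload({ status: 'disabled' })));
console.log(findEmptyMatchPhrase(samplePayload({ status: 'disabled', manager: 'wazuh-server' })));
```

To check a real request, paste the payload from the dev tools into `JSON.parse(...)` and pass the result to `findEmptyMatchPhrase`.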

Desvelao,

OK, I think I have it figured out for me: I didn't follow the steps properly. Here is a video link on YouTube where this guy does 1 node and the cluster is disabled (this is to test out Wazuh): https://www.youtube.com/watch?v=3CfjoCQmpo8 called Wazuh All-in-One Server Installation Guide: Boost Your Security!

He uses a VM, but you can use it on your VM or a spare laptop to download the OS. I used the Ubuntu Jammy Jellyfish version. Once you have the OS installed and get curl installed, here is what I did in the command terminal:

curl -sO https://packages.wazuh.com/4.8/wazuh-install.sh
curl -sO https://packages.wazuh.com/4.8/config.yml

Nothing happens, no install or download, just the next command you need. Next you type this command:

sudo nano config.yml

You will see this pic Screenshot 2024-08-15 131140

It should look like this in your terminal:

curl -sO https://packages.wazuh.com/4.8/wazuh-install.sh
curl -sO https://packages.wazuh.com/4.8/config.yml
sudo nano config.yml

Otherwise it won't show up

once you have that yml file type your IP address for your VM or laptop. I did my local IP address type the command "ip a s" you type in your ip address in the inserted slot delete you don't need the just the IP address

You do that for the indexer, server and the dashboard, and leave the names alone; you don't need to mess with that. Once you have that done, hold ctrl and x to exit out. It will ask you to save it; press y and hit enter.

Once that is done, the next command is this:

bash wazuh-install.sh --generate-config-files

(let that finish installing). The next command is:

sudo bash ./wazuh-install.sh -a

(this will take a bit, maybe 20 minutes or more for me). Let it install all the way and you will get admin as the user name and the password that was given to you, and that should be it. Here are the command lines I used. Hope this helps and good luck.

curl -sO https://packages.wazuh.com/4.8/wazuh-install.sh
curl -sO https://packages.wazuh.com/4.8/config.yml
sudo nano config.yml
bash wazuh-install.sh --generate-config-files
sudo bash ./wazuh-install.sh -a

VT194 avatar Aug 15 '24 18:08 VT194

We were unable to replicate the issue, therefore I will close it. If you can provide additional information about this feel free to open it again.

asteriscos avatar Sep 18 '24 16:09 asteriscos

Followed https://documentation.wazuh.com/current/quickstart.html on a clean Ubuntu 24. Exactly the same issue.

https://192.168.2.207/app/threat-hunting#/overview/?tab=general&tabView=dashboard&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_a=(filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'wazuh-alerts-*',key:GeoLocation.area_code,negate:!f,params:(query:'1312321321'),type:phrase),query:(match_phrase:(GeoLocation.area_code:'1312321321')))),query:(language:kuery,query:''))

xuduo18 avatar Sep 30 '24 19:09 xuduo18

I tried the quickstart Wazuh installation and had the same issue, but I found the solution by trying to run the wazuh-modulesd and restarting the wazuh-manager, and now it's gone. Here are the commands:

/var/ossec/bin/wazuh-modulesd
systemctl restart wazuh-manager.service

mxzyy avatar Dec 18 '24 10:12 mxzyy

> I tried the quickstart Wazuh installation and had the same issue, but I found the solution by trying to run the wazuh-modulesd and restarting the wazuh-manager, and now it's gone. Here are the commands:
>
> /var/ossec/bin/wazuh-modulesd
> systemctl restart wazuh-manager.service

I had the same problem and this fixed it. No more errors in any dashboard. Thanks @mxzyy !

rucete avatar Jan 26 '25 17:01 rucete

I had the same issue while installing it on my PC. However, when I deploy it in the cloud (GCP), it works very well. Wazuh version: 4.9.2 OS: Ubuntu 24.02 LTS (same for both my cloud and PC).

bradsap54 avatar Feb 28 '25 01:02 bradsap54

> I tried the quickstart Wazuh installation and had the same issue, but I found the solution by trying to run the wazuh-modulesd and restarting the wazuh-manager, and now it's gone. Here are the commands:
>
> /var/ossec/bin/wazuh-modulesd
> systemctl restart wazuh-manager.service

I see someone recently mentioned this and since I've been playing with this myself, I feel I should add my $0.02.

I found that when starting this using the single-node container I was getting the same issue. I've added it to my ansible script deploying a single-node instance and it worked pretty well (v 4.11.0). This was exactly what it needed, for whatever reason.

docker exec single-node-wazuh.manager-1 /var/ossec/bin/wazuh-modulesd

my playbook

Hopefully this helps someone

ferasdour avatar Mar 03 '25 17:03 ferasdour

I just ran into this with the docker compose setup. Using @ferasdour's workaround, e.g. starting /var/ossec/bin/wazuh-modulesd inside the container once, seems to have fixed it.

mafgh avatar Jun 27 '25 13:06 mafgh

> > I tried the quickstart Wazuh installation and had the same issue, but I found the solution by trying to run the wazuh-modulesd and restarting the wazuh-manager, and now it's gone. Here are the commands:
> >
> > /var/ossec/bin/wazuh-modulesd
> > systemctl restart wazuh-manager.service
>
> I see someone recently mentioned this and since I've been playing with this myself, I feel I should add my $0.02.
>
> I found that when starting this using the single-node container I was getting the same issue. I've added it to my ansible script deploying a single-node instance and it worked pretty well (v 4.11.0). This was exactly what it needed, for whatever reason.
>
> docker exec single-node-wazuh.manager-1 /var/ossec/bin/wazuh-modulesd
>
> my playbook
>
> Hopefully this helps someone

Thank you, this worked for me on Ubuntu 24.10 x86_64 single node docker deployment. I was going crazy till I found this thread.

OB1K3N0BI avatar Sep 23 '25 22:09 OB1K3N0BI

wazuh node01 master ........ 1516 0.0.0.0 wazuh.manager no no

In the wazuh_manager.conf file, enable the cluster or change the disabled to no, and then run the following commands:

sudo docker compose down
sudo docker compose up -d

maggie-ghub avatar Oct 24 '25 13:10 maggie-ghub