Support/runtipi-appstore
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
4b93b2360690bd2ab45468daa0e74ed80b2ac0a1
runtipi-appstore/apps/wazuh-runtipi/data/logs/logs.txt
Gui-Gos 96b46cb4b1
Some checks failed
Test / test (push) Has been cancelled
Details
Add logs and reference documentation resources 
- Add logs.txt (328KB) - health check and diagnostic logs
- Add wazuh-documentations/ - Offline copies of official Wazuh Docker documentation (HTML)
- Add wazuh-official-docker-main/ - Complete official Wazuh Docker repository for reference

These resources provide offline documentation and troubleshooting reference for the Wazuh RunTipi deployment.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-02 16:07:23 +01:00

7285 lines
328 KiB
Plaintext
Raw Blame History

root@tipi:~# echo "#################################################################"
echo "ls -R /opt/runtipi/app-data/synode-it/"
echo "#################################################################"
ls -R /opt/runtipi/app-data/synode-it/
echo "#################################################################"
echo "docker ps -a"
echo "#################################################################"
docker ps -a
echo "#################################################################"
echo "docker logs wazuh-runtipi_synode-it-wazuh-indexer-1"
echo "#################################################################"
docker logs wazuh-runtipi_synode-it-wazuh-indexer-1
echo "#################################################################"
echo "docker logs wazuh-runtipi_synode-it-wazuh-manager-1"
echo "#################################################################"
docker logs wazuh-runtipi_synode-it-wazuh-manager-1
echo "#################################################################"
echo "docker logs wazuh-runtipi_synode-it-wazuh-certs-1"
echo "#################################################################"
docker logs wazuh-runtipi_synode-it-wazuh-certs-1
echo "#################################################################"
echo "docker logs wazuh-runtipi_synode-it-wazuh-dashboard-1"
echo "#################################################################"
docker logs wazuh-runtipi_synode-it-wazuh-dashboard-1
echo "#################################################################"
echo "docker logs wazuh-runtipi_synode-it-wazuh-indexer-init-1"
echo "#################################################################"
docker logs wazuh-runtipi_synode-it-wazuh-indexer-init-1
bash /opt/runtipi/app-data/synode-it/wazuh-runtipi/data/debug/wazuh-health-check.sh
#################################################################
ls -R /opt/runtipi/app-data/synode-it/
#################################################################
/opt/runtipi/app-data/synode-it/:
wazuh-runtipi
/opt/runtipi/app-data/synode-it/wazuh-runtipi:
app.env data
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data:
config dashboard-config dashboard-custom debug indexer-data indexer-security manager-api manager-etc manager-logs manager-queue scripts
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/config:
certs.yml wazuh_ssl_certs
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/config/wazuh_ssl_certs:
admin-key.pem dashboard-key.pem indexer-key.pem root-ca.key root-ca-manager.pem server-key.pem wazuh.dashboard-key.pem wazuh.indexer-key.pem wazuh.manager-key.pem
admin.pem dashboard.pem indexer.pem root-ca-manager.key root-ca.pem server.pem wazuh.dashboard.pem wazuh.indexer.pem wazuh.manager.pem
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/dashboard-config:
opensearch_dashboards.yml
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/dashboard-custom:
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/debug:
wazuh-health-check.sh
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data:
batch_metrics_enabled.conf logging_enabled.conf nodes performance_analyzer_enabled.conf rca_enabled.conf thread_contention_monitoring_enabled.conf
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes:
0
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0:
indices node.lock _state
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices:
18MchhZsSju3qq9i1Y5H5Q bPebeko8T6CwRqKcrHuKbg DQ_OR2__Qb68RA67hy0X-A DYh62qctQ3arcGYuH_i56g gHEYCq6CR8O-61IcxdbmjA _q_HjYGKTEiE6LcoPGOGxg w1TNGdcWRZy0quUmv00o6A
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/18MchhZsSju3qq9i1Y5H5Q:
0 1 2 _state
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/18MchhZsSju3qq9i1Y5H5Q/0:
index _state translog
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/18MchhZsSju3qq9i1Y5H5Q/0/index:
_0.cfe _0.cfs _0.si _1.cfe _1.cfs _1.si segments_2 write.lock
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/18MchhZsSju3qq9i1Y5H5Q/0/_state:
retention-leases-1.st state-0.st
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/18MchhZsSju3qq9i1Y5H5Q/0/translog:
translog-2.tlog translog.ckp
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/18MchhZsSju3qq9i1Y5H5Q/1:
index _state translog
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/18MchhZsSju3qq9i1Y5H5Q/1/index:
_0.cfe _0.cfs _0.si _1.cfe _1.cfs _1.si segments_2 write.lock
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/18MchhZsSju3qq9i1Y5H5Q/1/_state:
retention-leases-1.st state-0.st
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/18MchhZsSju3qq9i1Y5H5Q/1/translog:
translog-2.tlog translog.ckp
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/18MchhZsSju3qq9i1Y5H5Q/2:
index _state translog
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/18MchhZsSju3qq9i1Y5H5Q/2/index:
_0.cfe _0.cfs _0.si _1.cfe _1.cfs _1.si segments_2 write.lock
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/18MchhZsSju3qq9i1Y5H5Q/2/_state:
retention-leases-1.st state-0.st
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/18MchhZsSju3qq9i1Y5H5Q/2/translog:
translog-2.tlog translog.ckp
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/18MchhZsSju3qq9i1Y5H5Q/_state:
state-5.st
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/bPebeko8T6CwRqKcrHuKbg:
0 _state
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/bPebeko8T6CwRqKcrHuKbg/0:
index _state translog
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/bPebeko8T6CwRqKcrHuKbg/0/index:
segments_2 write.lock
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/bPebeko8T6CwRqKcrHuKbg/0/_state:
retention-leases-1.st state-0.st
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/bPebeko8T6CwRqKcrHuKbg/0/translog:
translog-2.tlog translog.ckp
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/bPebeko8T6CwRqKcrHuKbg/_state:
state-1.st
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/DQ_OR2__Qb68RA67hy0X-A:
0 _state
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/DQ_OR2__Qb68RA67hy0X-A/0:
index _state translog
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/DQ_OR2__Qb68RA67hy0X-A/0/index:
_0.cfe _0.cfs _0.si segments_2 write.lock
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/DQ_OR2__Qb68RA67hy0X-A/0/_state:
retention-leases-1.st state-0.st
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/DQ_OR2__Qb68RA67hy0X-A/0/translog:
translog-2.tlog translog.ckp
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/DQ_OR2__Qb68RA67hy0X-A/_state:
state-2.st
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/DYh62qctQ3arcGYuH_i56g:
0 _state
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/DYh62qctQ3arcGYuH_i56g/0:
index _state translog
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/DYh62qctQ3arcGYuH_i56g/0/index:
segments_2 write.lock
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/DYh62qctQ3arcGYuH_i56g/0/_state:
retention-leases-1.st state-0.st
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/DYh62qctQ3arcGYuH_i56g/0/translog:
translog-2.tlog translog.ckp
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/DYh62qctQ3arcGYuH_i56g/_state:
state-1.st
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/gHEYCq6CR8O-61IcxdbmjA:
0 _state
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/gHEYCq6CR8O-61IcxdbmjA/0:
index _state translog
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/gHEYCq6CR8O-61IcxdbmjA/0/index:
segments_2 write.lock
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/gHEYCq6CR8O-61IcxdbmjA/0/_state:
retention-leases-1.st state-0.st
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/gHEYCq6CR8O-61IcxdbmjA/0/translog:
translog-2.tlog translog.ckp
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/gHEYCq6CR8O-61IcxdbmjA/_state:
state-2.st
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/_q_HjYGKTEiE6LcoPGOGxg:
0 _state
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/_q_HjYGKTEiE6LcoPGOGxg/0:
index _state translog
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/_q_HjYGKTEiE6LcoPGOGxg/0/index:
_0.cfe _0.cfs _0.si segments_2 write.lock
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/_q_HjYGKTEiE6LcoPGOGxg/0/_state:
retention-leases-1.st state-0.st
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/_q_HjYGKTEiE6LcoPGOGxg/0/translog:
translog-2.tlog translog.ckp
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/_q_HjYGKTEiE6LcoPGOGxg/_state:
state-1.st
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/w1TNGdcWRZy0quUmv00o6A:
0 _state
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/w1TNGdcWRZy0quUmv00o6A/0:
index _state translog
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/w1TNGdcWRZy0quUmv00o6A/0/index:
_0.cfe _0.cfs _0.si _1.cfe _1.cfs _1.si _2.cfe _2.cfs _2.si _3.cfe _3.cfs _3.si _4.cfe _4.cfs _4.si _5.cfe _5.cfs _5.si _6.cfe _6.cfs _6.si _7.cfe _7.cfs _7.si segments_3 write.lock
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/w1TNGdcWRZy0quUmv00o6A/0/_state:
retention-leases-1.st state-0.st
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/w1TNGdcWRZy0quUmv00o6A/0/translog:
translog-3.tlog translog.ckp
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/indices/w1TNGdcWRZy0quUmv00o6A/_state:
state-9.st
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-data/nodes/0/_state:
_10.cfe _10.cfs _10.si _5.cfe _5.cfs _5.si _f.cfe _f.cfs _f.si _i.cfe _i.cfs _i.si manifest-0.st node-0.st _p.cfe _p.cfs _p.si _q.cfe _q.cfs _q.si _s.cfe _s.cfs segments_13 _s.si write.lock _x.cfe _x.cfs _x.si
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-security:
action_groups.yml config.yml internal_users.yml nodes_dn.yml roles_mapping.yml roles.yml tenants.yml whitelist.yml
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-api:
api.yaml security ssl
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-api/security:
installation_uid private_key.pem public_key.pem rbac.db
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-api/ssl:
server.crt server.key
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-etc:
ossec.conf
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-logs:
active-responses.log alerts api api.log archives cluster cluster.log firewall integrations.log ossec.log wazuh
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-logs/alerts:
2026 alerts.json alerts.log
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-logs/alerts/2026:
Jan
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-logs/alerts/2026/Jan:
ossec-alerts-02.json ossec-alerts-02.log
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-logs/api:
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-logs/archives:
2026 archives.log
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-logs/archives/2026:
Jan
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-logs/archives/2026/Jan:
ossec-archive-02.log
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-logs/cluster:
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-logs/firewall:
2026 firewall.log
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-logs/firewall/2026:
Jan
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-logs/firewall/2026/Jan:
ossec-firewall-02.log
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-logs/wazuh:
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue:
agentless agents-timestamp alerts cluster db diff fim fts harvester indexer keystore logcollector rids router sockets syscollector tasks vd vd_updater
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/agentless:
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/alerts:
ar cfgaq cfgarq execq
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/cluster:
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/db:
000.db global.db wdb
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/diff:
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/fim:
db
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/fim/db:
fim.db fim.db-journal
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/fts:
fts-queue hostinfo ig-queue
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/harvester:
system_event
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/harvester/system_event:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer:
db wazuh-states-inventory-hardware-wazuh.manager wazuh-states-inventory-networks-wazuh.manager wazuh-states-inventory-processes-wazuh.manager wazuh-states-inventory-system-wazuh.manager
wazuh-states-inventory-browser-extensions-wazuh.manager wazuh-states-inventory-hotfixes-wazuh.manager wazuh-states-inventory-packages-wazuh.manager wazuh-states-inventory-protocols-wazuh.manager wazuh-states-inventory-users-wazuh.manager
wazuh-states-inventory-groups-wazuh.manager wazuh-states-inventory-interfaces-wazuh.manager wazuh-states-inventory-ports-wazuh.manager wazuh-states-inventory-services-wazuh.manager wazuh-states-vulnerabilities-wazuh.manager
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/db:
wazuh-states-inventory-browser-extensions-wazuh.manager wazuh-states-inventory-hotfixes-wazuh.manager wazuh-states-inventory-packages-wazuh.manager wazuh-states-inventory-protocols-wazuh.manager wazuh-states-inventory-users-wazuh.manager
wazuh-states-inventory-groups-wazuh.manager wazuh-states-inventory-interfaces-wazuh.manager wazuh-states-inventory-ports-wazuh.manager wazuh-states-inventory-services-wazuh.manager wazuh-states-vulnerabilities-wazuh.manager
wazuh-states-inventory-hardware-wazuh.manager wazuh-states-inventory-networks-wazuh.manager wazuh-states-inventory-processes-wazuh.manager wazuh-states-inventory-system-wazuh.manager
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/db/wazuh-states-inventory-browser-extensions-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/db/wazuh-states-inventory-groups-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/db/wazuh-states-inventory-hardware-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/db/wazuh-states-inventory-hotfixes-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/db/wazuh-states-inventory-interfaces-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/db/wazuh-states-inventory-networks-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/db/wazuh-states-inventory-packages-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/db/wazuh-states-inventory-ports-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/db/wazuh-states-inventory-processes-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/db/wazuh-states-inventory-protocols-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/db/wazuh-states-inventory-services-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/db/wazuh-states-inventory-system-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/db/wazuh-states-inventory-users-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/db/wazuh-states-vulnerabilities-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/wazuh-states-inventory-browser-extensions-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/wazuh-states-inventory-groups-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/wazuh-states-inventory-hardware-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/wazuh-states-inventory-hotfixes-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/wazuh-states-inventory-interfaces-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/wazuh-states-inventory-networks-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/wazuh-states-inventory-packages-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/wazuh-states-inventory-ports-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/wazuh-states-inventory-processes-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/wazuh-states-inventory-protocols-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/wazuh-states-inventory-services-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/wazuh-states-inventory-system-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/wazuh-states-inventory-users-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/indexer/wazuh-states-vulnerabilities-wazuh.manager:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/keystore:
000010.sst 000017.sst 000024.log CURRENT IDENTITY LOCK LOG LOG.old.1767364619586160 LOG.old.1767364627854510 LOG.old.1767364627927294 MANIFEST-000025 OPTIONS-000023 OPTIONS-000027
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/logcollector:
file_status.json
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/rids:
sender_counter
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/router:
deltas-syscollector policy rsync subscription.sock wdb-agent-events wdb-inventory-events
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/sockets:
analysis auth com control download logcollector logtest monitor queue remote syscheck updater-ondemand wdb-http.sock wmodules
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/syscollector:
db norm_config.json
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/syscollector/db:
local.db local.db-journal
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/tasks:
task tasks.db upgrade
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/vd:
delayed event feed inventory reports state_track
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/vd/delayed:
000008.log CURRENT IDENTITY LOCK LOG LOG.old.1767364789798006 MANIFEST-000009 OPTIONS-000007 OPTIONS-000011
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/vd/event:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/vd/feed:
000186.sst 000247.sst 000325.sst 000567.sst 000870.sst 001135.sst 001484.sst 001864.sst 003005.sst 005457.sst 005584.sst 005604.sst 005623.sst 005642.sst 005661.sst 005681.sst 005703.sst 005722.sst 005741.sst
000197.sst 000248.sst 000327.sst 000582.sst 000873.sst 001137.sst 001486.sst 001875.sst 003663.sst 005484.sst 005585.sst 005605.sst 005624.sst 005643.sst 005662.sst 005683.sst 005704.sst 005723.sst 005742.sst
000198.sst 000250.sst 000329.sst 000619.sst 000919.sst 001222.sst 001513.sst 001876.sst 003782.sst 005551.log 005587.sst 005606.sst 005625.sst 005644.sst 005663.sst 005684.sst 005705.sst 005724.sst 005743.sst
000202.sst 000251.sst 000372.sst 000621.sst 000921.sst 001225.sst 001517.sst 001886.sst 003902.sst 005563.sst 005588.sst 005607.sst 005626.sst 005645.sst 005664.sst 005685.sst 005706.sst 005725.sst CURRENT
000211.sst 000252.sst 000374.sst 000630.sst 000928.sst 001230.sst 001557.sst 001889.sst 004220.sst 005564.sst 005589.sst 005608.sst 005627.sst 005646.sst 005665.sst 005686.sst 005707.sst 005726.sst IDENTITY
000212.sst 000253.sst 000398.sst 000632.sst 000958.sst 001232.sst 001559.sst 001975.sst 004428.sst 005565.sst 005590.sst 005609.sst 005628.sst 005647.sst 005667.sst 005687.sst 005708.sst 005727.sst LOCK
000218.sst 000255.sst 000435.sst 000643.sst 000960.sst 001239.sst 001623.sst 001977.sst 004550.sst 005566.sst 005591.sst 005610.sst 005629.sst 005648.sst 005668.sst 005688.sst 005709.sst 005728.sst LOG
000220.sst 000257.sst 000443.sst 000646.sst 001014.sst 001242.sst 001626.sst 002003.sst 004799.sst 005567.sst 005592.sst 005611.sst 005630.sst 005649.sst 005669.sst 005689.sst 005710.sst 005729.sst LOG.old.1762562988857022
000224.sst 000259.sst 000445.sst 000695.sst 001016.sst 001299.sst 001671.sst 002078.sst 004864.sst 005568.sst 005593.sst 005612.sst 005631.sst 005650.sst 005670.sst 005690.sst 005711.sst 005730.sst LOG.old.1762563426971991
000226.sst 000261.sst 000470.sst 000708.sst 001017.sst 001319.sst 001676.sst 002079.sst 004987.sst 005569.sst 005594.sst 005613.sst 005632.sst 005651.sst 005671.sst 005691.sst 005712.sst 005731.sst LOG.old.1767364763613696
000228.sst 000263.sst 000473.sst 000710.sst 001019.sst 001322.sst 001681.sst 002182.sst 004988.sst 005570.sst 005595.sst 005614.sst 005633.sst 005652.sst 005672.sst 005692.sst 005713.sst 005732.sst MANIFEST-005552
000232.sst 000264.sst 000481.sst 000715.sst 001021.sst 001326.sst 001693.sst 002437.sst 004989.sst 005576.sst 005596.sst 005615.sst 005634.sst 005653.sst 005673.sst 005693.sst 005714.sst 005733.sst OPTIONS-004877
000234.sst 000265.sst 000491.sst 000716.sst 001034.sst 001328.sst 001719.sst 002440.sst 005051.sst 005577.sst 005597.sst 005616.sst 005635.sst 005654.sst 005674.sst 005694.sst 005715.sst 005734.sst OPTIONS-005554
000238.sst 000292.sst 000493.sst 000739.sst 001036.sst 001331.sst 001720.sst 002537.sst 005061.sst 005578.sst 005598.sst 005617.sst 005636.sst 005655.sst 005675.sst 005695.sst 005716.sst 005735.sst
000239.sst 000294.sst 000501.sst 000750.sst 001043.sst 001382.sst 001770.sst 002562.sst 005142.sst 005579.sst 005599.sst 005618.sst 005637.sst 005656.sst 005676.sst 005696.sst 005717.sst 005736.sst
000241.sst 000302.sst 000544.sst 000809.sst 001093.sst 001413.sst 001783.sst 002641.sst 005152.sst 005580.sst 005600.sst 005619.sst 005638.sst 005657.sst 005677.sst 005697.sst 005718.sst 005737.sst
000242.sst 000304.sst 000547.sst 000810.sst 001104.sst 001416.sst 001806.sst 002662.sst 005165.sst 005581.sst 005601.sst 005620.sst 005639.sst 005658.sst 005678.sst 005698.sst 005719.sst 005738.sst
000244.sst 000312.sst 000558.sst 000833.sst 001128.sst 001450.sst 001821.sst 002663.sst 005455.sst 005582.sst 005602.sst 005621.sst 005640.sst 005659.sst 005679.sst 005699.sst 005720.sst 005739.sst
000245.sst 000314.sst 000561.sst 000850.sst 001130.sst 001452.sst 001823.sst 002995.sst 005456.sst 005583.sst 005603.sst 005622.sst 005641.sst 005660.sst 005680.sst 005702.sst 005721.sst 005740.sst
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/vd/inventory:
000014.log CURRENT IDENTITY LOCK LOG LOG.old.1767364787732166 MANIFEST-000015 OPTIONS-000013 OPTIONS-000017
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/vd/reports:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/vd/state_track:
000004.log CURRENT IDENTITY LOCK LOG MANIFEST-000005 OPTIONS-000007
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/vd_updater:
rocksdb tmp
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/vd_updater/rocksdb:
updater_vulnerability_feed_manager_metadata
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/vd_updater/rocksdb/updater_vulnerability_feed_manager_metadata:
000012.sst 000013.log CURRENT IDENTITY LOCK LOG LOG.old.1767364773642184 MANIFEST-000014 OPTIONS-000011 OPTIONS-000016
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/vd_updater/tmp:
contents downloads
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/vd_updater/tmp/contents:
2890828-api_file.json 2896828-api_file.json 2902828-api_file.json 2908828-api_file.json 2914828-api_file.json 2920828-api_file.json 2926828-api_file.json 2932828-api_file.json 2938828-api_file.json 2944828-api_file.json
2891828-api_file.json 2897828-api_file.json 2903828-api_file.json 2909828-api_file.json 2915828-api_file.json 2921828-api_file.json 2927828-api_file.json 2933828-api_file.json 2939828-api_file.json 2945828-api_file.json
2892828-api_file.json 2898828-api_file.json 2904828-api_file.json 2910828-api_file.json 2916828-api_file.json 2922828-api_file.json 2928828-api_file.json 2934828-api_file.json 2940828-api_file.json 2946828-api_file.json
2893828-api_file.json 2899828-api_file.json 2905828-api_file.json 2911828-api_file.json 2917828-api_file.json 2923828-api_file.json 2929828-api_file.json 2935828-api_file.json 2941828-api_file.json 2947828-api_file.json
2894828-api_file.json 2900828-api_file.json 2906828-api_file.json 2912828-api_file.json 2918828-api_file.json 2924828-api_file.json 2930828-api_file.json 2936828-api_file.json 2942828-api_file.json 2948828-api_file.json
2895828-api_file.json 2901828-api_file.json 2907828-api_file.json 2913828-api_file.json 2919828-api_file.json 2925828-api_file.json 2931828-api_file.json 2937828-api_file.json 2943828-api_file.json 2949828-api_file.json
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/manager-queue/vd_updater/tmp/downloads:
/opt/runtipi/app-data/synode-it/wazuh-runtipi/data/scripts:
init-certs.sh init-dashboard.sh init-indexer-init.sh init-manager.sh
#################################################################
docker ps -a
#################################################################
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
08638d412b0a wazuh/wazuh-manager:4.14.1 "bash /scripts/init-…" 7 minutes ago Up 6 minutes (healthy) 0.0.0.0:1514-1515->1514-1515/tcp, [::]:1514-1515->1514-1515/tcp, 0.0.0.0:514->514/udp, [::]:514->514/udp, 0.0.0.0:55000->55000/tcp, [::]:55000->55000/tcp, 1516/tcp wazuh-runtipi_synode-it-wazuh-manager-1
3e7522da10fd wazuh/wazuh-indexer:4.14.1 "/entrypoint.sh open…" 7 minutes ago Up 6 minutes (healthy) 9200/tcp wazuh-runtipi_synode-it-wazuh-indexer-1
531b9035ffd0 wazuh/wazuh-dashboard:4.14.1 "bash /scripts/init-…" 7 minutes ago Up 6 minutes (healthy) 443/tcp, 0.0.0.0:5601->5601/tcp, [::]:5601->5601/tcp wazuh-runtipi_synode-it-wazuh-dashboard-1
c72deed62da4 wazuh/wazuh-indexer:4.14.1 "bash /scripts/init-…" 7 minutes ago Up 6 minutes (healthy) 9200/tcp wazuh-runtipi_synode-it-wazuh-indexer-init-1
b2d65641008e wazuh/wazuh-certs-generator:0.0.3 "sh /scripts/init-ce…" 7 minutes ago Up 6 minutes (healthy) wazuh-runtipi_synode-it-wazuh-certs-1
6708a581a4fd traefik:v3.6.1 "/entrypoint.sh --pr…" 9 days ago Up 2 days 0.0.0.0:80->80/tcp, [::]:80->80/tcp, 0.0.0.0:443->443/tcp, [::]:443->443/tcp runtipi-reverse-proxy
ee2a8bb95782 ghcr.io/runtipi/runtipi:v4.6.5 "docker-entrypoint.s…" 9 days ago Up 2 days (healthy) 3000/tcp runtipi
6e543020cc6d postgres:14 "docker-entrypoint.s…" 9 days ago Up 2 days (healthy) 5432/tcp runtipi-db
ec73809babe8 rabbitmq:4-alpine "docker-entrypoint.s…" 9 days ago Up 2 days 4369/tcp, 5671/tcp, 15691-15692/tcp, 25672/tcp, 0.0.0.0:5672->5672/tcp, [::]:5672->5672/tcp runtipi-queue
#################################################################
docker logs wazuh-runtipi_synode-it-wazuh-indexer-1
#################################################################
WARNING: Using incubator modules: jdk.incubator.vector
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.19.3.jar)
WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
WARNING: System::setSecurityManager will be removed in a future release
Jan 02, 2026 2:36:42 PM sun.util.locale.provider.LocaleProviderAdapter <clinit>
WARNING: COMPAT locale provider will be removed in a future release
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.19.3.jar)
WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
WARNING: System::setSecurityManager will be removed in a future release
[2026-01-02T14:36:42,991][INFO ][o.o.n.Node ] [wazuh.indexer] version[2.19.3], pid[1], build[rpm/ac8f6e0114b657a116c4a41c3e12f8e0e181bbcd/2025-11-08T11:55:34.225460336Z], OS[Linux/6.8.0-90-generic/amd64], JVM[Eclipse Adoptium/OpenJDK 64-Bit Server VM/21.0.7/21.0.7+6-LTS]
[2026-01-02T14:36:42,994][INFO ][o.o.n.Node ] [wazuh.indexer] JVM home [/usr/share/wazuh-indexer/jdk], using bundled JDK/JRE [true]
[2026-01-02T14:36:42,995][INFO ][o.o.n.Node ] [wazuh.indexer] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.security.manager=allow, -Djava.locale.providers=SPI,COMPAT, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-786307466768349973, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djava.security.manager=allow, --add-modules=jdk.incubator.vector, -Djava.util.concurrent.ForkJoinPool.common.threadFactory=org.opensearch.secure_sm.SecuredForkJoinWorkerThreadFactory, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///usr/share/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -Xms1g, -Xmx1g, -XX:MaxDirectMemorySize=536870912, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/usr/share/wazuh-indexer/config, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2026-01-02T14:36:43,368][INFO ][o.a.l.i.v.PanamaVectorizationProvider] [wazuh.indexer] Java vector incubator API enabled; uses preferredBitSize=128; floating-point vectors only
[2026-01-02T14:36:44,591][INFO ][o.o.s.s.t.SSLConfig ] [wazuh.indexer] SSL dual mode is disabled
[2026-01-02T14:36:44,592][INFO ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] OpenSearch Config path is /usr/share/wazuh-indexer/config
[2026-01-02T14:36:44,985][INFO ][o.o.s.s.SslSettingsManager] [wazuh.indexer] TLS HTTP Provider : JDK
[2026-01-02T14:36:44,986][INFO ][o.o.s.s.SslSettingsManager] [wazuh.indexer] Enabled TLS protocols for HTTP layer : [TLSv1.3, TLSv1.2]
[2026-01-02T14:36:44,988][INFO ][o.o.s.s.SslSettingsManager] [wazuh.indexer] TLS Transport Client Provider : JDK
[2026-01-02T14:36:44,988][INFO ][o.o.s.s.SslSettingsManager] [wazuh.indexer] TLS Transport Server Provider : JDK
[2026-01-02T14:36:44,989][INFO ][o.o.s.s.SslSettingsManager] [wazuh.indexer] Enabled TLS protocols for Transport layer : [TLSv1.3, TLSv1.2]
[2026-01-02T14:36:45,924][INFO ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] Clustername: wazuh-cluster
[2026-01-02T14:36:45,952][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] Directory /usr/share/wazuh-indexer/config/certs has insecure file permissions (should be 0700)
[2026-01-02T14:36:45,953][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/config/certs/dashboard-key.pem has insecure file permissions (should be 0600)
[2026-01-02T14:36:45,954][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/config/certs/wazuh.manager.pem has insecure file permissions (should be 0600)
[2026-01-02T14:36:45,954][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/config/certs/root-ca-manager.pem has insecure file permissions (should be 0600)
[2026-01-02T14:36:45,955][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/config/certs/root-ca.key has insecure file permissions (should be 0600)
[2026-01-02T14:36:45,956][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/config/certs/server.pem has insecure file permissions (should be 0600)
[2026-01-02T14:36:45,956][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/config/certs/admin.pem has insecure file permissions (should be 0600)
[2026-01-02T14:36:45,957][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/config/certs/indexer.pem has insecure file permissions (should be 0600)
[2026-01-02T14:36:45,957][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/config/certs/server-key.pem has insecure file permissions (should be 0600)
[2026-01-02T14:36:45,958][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/config/certs/admin-key.pem has insecure file permissions (should be 0600)
[2026-01-02T14:36:45,959][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/config/certs/root-ca.pem has insecure file permissions (should be 0600)
[2026-01-02T14:36:45,959][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/config/certs/dashboard.pem has insecure file permissions (should be 0600)
[2026-01-02T14:36:45,960][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/config/certs/wazuh.indexer-key.pem has insecure file permissions (should be 0600)
[2026-01-02T14:36:45,961][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/config/certs/wazuh.dashboard.pem has insecure file permissions (should be 0600)
[2026-01-02T14:36:45,961][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem has insecure file permissions (should be 0600)
[2026-01-02T14:36:45,962][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/config/certs/wazuh.dashboard-key.pem has insecure file permissions (should be 0600)
[2026-01-02T14:36:45,962][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/config/certs/indexer-key.pem has insecure file permissions (should be 0600)
[2026-01-02T14:36:45,963][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/config/certs/wazuh.manager-key.pem has insecure file permissions (should be 0600)
[2026-01-02T14:36:45,964][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/config/certs/root-ca-manager.key has insecure file permissions (should be 0600)
[2026-01-02T14:36:47,347][INFO ][o.o.p.c.c.PluginSettings ] [wazuh.indexer] Trying to create directory /dev/shm/performanceanalyzer/.
[2026-01-02T14:36:47,348][INFO ][o.o.p.c.c.PluginSettings ] [wazuh.indexer] Config: metricsLocation: /dev/shm/performanceanalyzer/, metricsDeletionInterval: 1, httpsEnabled: false, cleanup-metrics-db-files: true, batch-metrics-retention-period-minutes: 7, rpc-port: 9650, webservice-port 9600
[2026-01-02T14:36:47,851][INFO ][o.o.i.r.ReindexPlugin ] [wazuh.indexer] ReindexPlugin reloadSPI called
[2026-01-02T14:36:47,853][INFO ][o.o.i.r.ReindexPlugin ] [wazuh.indexer] Unable to find any implementation for RemoteReindexExtension
[2026-01-02T14:36:47,889][INFO ][o.o.j.JobSchedulerPlugin ] [wazuh.indexer] Loaded scheduler extension: opensearch_time_series_analytics, index: .opendistro-anomaly-detector-jobs
[2026-01-02T14:36:47,925][INFO ][o.o.j.JobSchedulerPlugin ] [wazuh.indexer] Loaded scheduler extension: reports-scheduler, index: .opendistro-reports-definitions
[2026-01-02T14:36:47,927][INFO ][o.o.j.JobSchedulerPlugin ] [wazuh.indexer] Loaded scheduler extension: opendistro-index-management, index: .opendistro-ism-config
[2026-01-02T14:36:47,930][INFO ][o.o.j.JobSchedulerPlugin ] [wazuh.indexer] Loaded scheduler extension: checkBatchJobTaskStatus, index: .ml_commons_task_polling_job
[2026-01-02T14:36:47,932][INFO ][o.o.j.JobSchedulerPlugin ] [wazuh.indexer] Loaded scheduler extension: scheduler_geospatial_ip2geo_datasource, index: .scheduler-geospatial-ip2geo-datasource
[2026-01-02T14:36:47,934][INFO ][o.o.j.JobSchedulerPlugin ] [wazuh.indexer] Loaded scheduler extension: async-query-scheduler, index: .async-query-scheduler
[2026-01-02T14:36:47,941][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded module [aggs-matrix-stats]
[2026-01-02T14:36:47,942][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded module [analysis-common]
[2026-01-02T14:36:47,943][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded module [cache-common]
[2026-01-02T14:36:47,943][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded module [geo]
[2026-01-02T14:36:47,943][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded module [ingest-common]
[2026-01-02T14:36:47,944][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded module [ingest-geoip]
[2026-01-02T14:36:47,944][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded module [ingest-user-agent]
[2026-01-02T14:36:47,944][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded module [lang-expression]
[2026-01-02T14:36:47,945][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded module [lang-mustache]
[2026-01-02T14:36:47,945][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded module [lang-painless]
[2026-01-02T14:36:47,945][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded module [mapper-extras]
[2026-01-02T14:36:47,946][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded module [opensearch-dashboards]
[2026-01-02T14:36:47,946][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded module [parent-join]
[2026-01-02T14:36:47,946][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded module [percolator]
[2026-01-02T14:36:47,946][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded module [rank-eval]
[2026-01-02T14:36:47,947][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded module [reindex]
[2026-01-02T14:36:47,947][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded module [repository-url]
[2026-01-02T14:36:47,947][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded module [search-pipeline-common]
[2026-01-02T14:36:47,948][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded module [systemd]
[2026-01-02T14:36:47,948][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded module [transport-netty4]
[2026-01-02T14:36:47,949][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded plugin [opensearch-alerting]
[2026-01-02T14:36:47,949][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded plugin [opensearch-anomaly-detection]
[2026-01-02T14:36:47,949][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded plugin [opensearch-asynchronous-search]
[2026-01-02T14:36:47,950][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded plugin [opensearch-cross-cluster-replication]
[2026-01-02T14:36:47,950][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded plugin [opensearch-geospatial]
[2026-01-02T14:36:47,951][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded plugin [opensearch-index-management]
[2026-01-02T14:36:47,951][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded plugin [opensearch-job-scheduler]
[2026-01-02T14:36:47,951][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded plugin [opensearch-knn]
[2026-01-02T14:36:47,952][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded plugin [opensearch-ml]
[2026-01-02T14:36:47,952][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded plugin [opensearch-neural-search]
[2026-01-02T14:36:47,952][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded plugin [opensearch-notifications]
[2026-01-02T14:36:47,952][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded plugin [opensearch-notifications-core]
[2026-01-02T14:36:47,953][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded plugin [opensearch-observability]
[2026-01-02T14:36:47,953][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded plugin [opensearch-performance-analyzer]
[2026-01-02T14:36:47,953][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded plugin [opensearch-reports-scheduler]
[2026-01-02T14:36:47,954][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded plugin [opensearch-security]
[2026-01-02T14:36:47,954][INFO ][o.o.p.PluginsService ] [wazuh.indexer] loaded plugin [opensearch-sql]
[2026-01-02T14:36:47,972][INFO ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] Disabled https compression by default to mitigate BREACH attacks. You can enable it by setting 'http.compression: true' in opensearch.yml
[2026-01-02T14:36:48,056][WARN ][stderr ] [wazuh.indexer] WARNING: A restricted method in java.lang.foreign.Linker has been called
[2026-01-02T14:36:48,056][WARN ][stderr ] [wazuh.indexer] WARNING: java.lang.foreign.Linker::downcallHandle has been called by the unnamed module
[2026-01-02T14:36:48,057][WARN ][stderr ] [wazuh.indexer] WARNING: Use --enable-native-access=ALL-UNNAMED to avoid a warning for this module
[2026-01-02T14:36:48,151][INFO ][o.a.l.s.MemorySegmentIndexInputProvider] [wazuh.indexer] Using MemorySegmentIndexInput and native madvise support with Java 21 or later; to disable start with -Dorg.apache.lucene.store.MMapDirectory.enableMemorySegments=false
[2026-01-02T14:36:48,160][INFO ][o.o.e.NodeEnvironment ] [wazuh.indexer] using [1] data paths, mounts [[/var/lib/wazuh-indexer (/dev/mapper/ubuntu--vg-ubuntu--lv)]], net usable_space [69.8gb], net total_space [97.8gb], types [ext4]
[2026-01-02T14:36:48,160][INFO ][o.o.e.NodeEnvironment ] [wazuh.indexer] heap size [1gb], compressed ordinary object pointers [true]
[2026-01-02T14:36:48,200][INFO ][o.o.n.Node ] [wazuh.indexer] node name [wazuh.indexer], node ID [jeO_mKrESxWeD0COXlnc_w], cluster name [wazuh-cluster], roles [ingest, remote_cluster_client, data, cluster_manager]
[2026-01-02T14:36:48,259][INFO ][o.o.e.ExtensionsManager ] [wazuh.indexer] ExtensionsManager initialized
[2026-01-02T14:36:52,263][INFO ][o.o.n.p.NeuralSearch ] [wazuh.indexer] Registering hybrid query phase searcher with feature flag [plugins.neural_search.hybrid_search_disabled]
[2026-01-02T14:36:52,761][WARN ][o.o.s.c.Salt ] [wazuh.indexer] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2026-01-02T14:36:52,809][ERROR][o.o.s.a.s.SinkProvider ] [wazuh.indexer] Default endpoint could not be created, auditlog will not work properly.
[2026-01-02T14:36:52,811][WARN ][o.o.s.a.r.AuditMessageRouter] [wazuh.indexer] No default storage available, audit log may not work properly. Please check configuration.
[2026-01-02T14:36:52,811][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] Message routing enabled: false
[2026-01-02T14:36:52,858][INFO ][o.o.s.f.SecurityFilter ] [wazuh.indexer] <NONE> indices are made immutable.
[2026-01-02T14:36:53,243][INFO ][o.o.t.b.CircuitBreakerService] [wazuh.indexer] Registered memory breaker.
[2026-01-02T14:36:53,715][INFO ][o.o.r.m.c.i.SdkClientFactory] [wazuh.indexer] Using local opensearch cluster as metadata store.
[2026-01-02T14:36:53,738][INFO ][o.o.m.b.MLCircuitBreakerService] [wazuh.indexer] Registered ML memory breaker.
[2026-01-02T14:36:53,740][INFO ][o.o.m.b.MLCircuitBreakerService] [wazuh.indexer] Registered ML disk breaker.
[2026-01-02T14:36:53,740][INFO ][o.o.m.b.MLCircuitBreakerService] [wazuh.indexer] Registered ML native memory breaker.
[2026-01-02T14:36:53,857][INFO ][o.r.Reflections ] [wazuh.indexer] Reflections took 68 ms to scan 1 urls, producing 27 keys and 67 values
[2026-01-02T14:36:53,884][INFO ][o.r.Reflections ] [wazuh.indexer] Reflections took 3 ms to scan 1 urls, producing 3 keys and 5 values
[2026-01-02T14:36:53,945][WARN ][o.o.s.p.SQLPlugin ] [wazuh.indexer] Master key is a required config for using create and update datasource APIs. Please set plugins.query.datasources.encryption.masterkey config in opensearch.yml in all the cluster nodes. More details can be found here: https://github.com/opensearch-project/sql/blob/main/docs/user/ppl/admin/datasources.rst#master-key-config-for-encrypting-credential-information
[2026-01-02T14:36:54,927][INFO ][o.o.t.NettyAllocator ] [wazuh.indexer] creating NettyAllocator with the following configs: [name=unpooled, suggested_max_allocation_size=256kb, factors={opensearch.unsafe.use_unpooled_allocator=null, g1gc_enabled=true, g1gc_region_size=1mb, heap_size=1gb}]
[2026-01-02T14:36:54,935][INFO ][o.o.s.s.t.SSLConfig ] [wazuh.indexer] SSL dual mode is disabled
[2026-01-02T14:36:55,102][INFO ][o.o.d.DiscoveryModule ] [wazuh.indexer] using discovery type [single-node] and seed hosts providers [settings]
[2026-01-02T14:36:55,750][WARN ][o.o.g.DanglingIndicesState] [wazuh.indexer] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2026-01-02T14:36:56,636][INFO ][o.o.p.h.c.PerformanceAnalyzerConfigAction] [wazuh.indexer] PerformanceAnalyzer Enabled: false
[2026-01-02T14:36:56,667][INFO ][o.o.n.Node ] [wazuh.indexer] initialized
[2026-01-02T14:36:56,668][INFO ][o.o.n.Node ] [wazuh.indexer] starting ...
[2026-01-02T14:36:56,779][INFO ][o.o.t.TransportService ] [wazuh.indexer] publish_address {10.128.10.3:9300}, bound_addresses {[::]:9300}
[2026-01-02T14:36:56,782][INFO ][o.o.t.TransportService ] [wazuh.indexer] Remote clusters initialized successfully.
[2026-01-02T14:36:57,067][INFO ][o.o.c.c.Coordinator ] [wazuh.indexer] setting initial configuration to VotingConfiguration{jeO_mKrESxWeD0COXlnc_w}
[2026-01-02T14:36:57,257][INFO ][o.o.c.s.MasterService ] [wazuh.indexer] Tasks batched with key: org.opensearch.cluster.coordination.JoinHelper, count:3 and sample tasks: elected-as-cluster-manager ([1] nodes joined)[{wazuh.indexer}{jeO_mKrESxWeD0COXlnc_w}{vldCRbqtQmWErKtkCVcYIA}{10.128.10.3}{10.128.10.3:9300}{dimr}{shard_indexing_pressure_enabled=true} elect leader, _BECOME_CLUSTER_MANAGER_TASK_, _FINISH_ELECTION_], term: 1, version: 1, delta: cluster-manager node changed {previous [], current [{wazuh.indexer}{jeO_mKrESxWeD0COXlnc_w}{vldCRbqtQmWErKtkCVcYIA}{10.128.10.3}{10.128.10.3:9300}{dimr}{shard_indexing_pressure_enabled=true}]}
[2026-01-02T14:36:57,364][INFO ][o.o.c.c.CoordinationState] [wazuh.indexer] cluster UUID set to [Sjkv4gUiQEG7JRqpbXlNnw]
[2026-01-02T14:36:57,444][INFO ][o.o.c.s.ClusterApplierService] [wazuh.indexer] cluster-manager node changed {previous [], current [{wazuh.indexer}{jeO_mKrESxWeD0COXlnc_w}{vldCRbqtQmWErKtkCVcYIA}{10.128.10.3}{10.128.10.3:9300}{dimr}{shard_indexing_pressure_enabled=true}]}, term: 1, version: 1, reason: Publication{term=1, version=1}
[2026-01-02T14:36:57,453][INFO ][o.o.t.i.IndexManagement ] [wazuh.indexer] Candidate custom result indices are empty.
[2026-01-02T14:36:57,454][INFO ][o.o.t.i.IndexManagement ] [wazuh.indexer] Candidate custom result indices are empty.
[2026-01-02T14:36:57,455][INFO ][o.o.t.c.ClusterEventListener] [wazuh.indexer] Cluster is not recovered yet.
[2026-01-02T14:36:57,482][INFO ][o.o.i.i.ManagedIndexCoordinator] [wazuh.indexer] Cache cluster manager node onClusterManager time: 1767364617482
[2026-01-02T14:36:57,493][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [wazuh.indexer] Config override setting update called with empty string. Ignoring.
[2026-01-02T14:36:57,503][INFO ][o.o.d.PeerFinder ] [wazuh.indexer] setting findPeersInterval to [1s] as node commission status = [true] for local node [{wazuh.indexer}{jeO_mKrESxWeD0COXlnc_w}{vldCRbqtQmWErKtkCVcYIA}{10.128.10.3}{10.128.10.3:9300}{dimr}{shard_indexing_pressure_enabled=true}]
[2026-01-02T14:36:57,506][INFO ][o.o.h.AbstractHttpServerTransport] [wazuh.indexer] publish_address {10.128.10.3:9200}, bound_addresses {[::]:9200}
[2026-01-02T14:36:57,507][INFO ][o.o.n.Node ] [wazuh.indexer] started
[2026-01-02T14:36:57,508][INFO ][o.o.s.c.ConfigurationRepository] [wazuh.indexer] Will not attempt to create index .opendistro_security and default configs if they are absent. Use securityadmin to initialize cluster
[2026-01-02T14:36:57,509][INFO ][o.o.s.c.ConfigurationRepository] [wazuh.indexer] Background init thread started. Install default config?: false
[2026-01-02T14:36:57,509][INFO ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] 0 OpenSearch Security modules loaded so far: []
[2026-01-02T14:36:57,510][INFO ][o.o.s.c.ConfigurationRepository] [wazuh.indexer] Wait for cluster to be available ...
[2026-01-02T14:36:57,548][INFO ][o.o.t.c.HashRing ] [wazuh.indexer] Node added: [jeO_mKrESxWeD0COXlnc_w]
[2026-01-02T14:36:57,554][INFO ][o.o.t.c.HashRing ] [wazuh.indexer] Add data node to version hash ring: jeO_mKrESxWeD0COXlnc_w
[2026-01-02T14:36:57,557][INFO ][o.o.t.c.HashRing ] [wazuh.indexer] All nodes with known version: {jeO_mKrESxWeD0COXlnc_w=ADNodeInfo{version=2.19.3, isEligibleDataNode=true}}
[2026-01-02T14:36:57,557][INFO ][o.o.t.c.HashRing ] [wazuh.indexer] Rebuild hash ring for realtime with cooldown, nodeChangeEvents size 0
[2026-01-02T14:36:57,557][INFO ][o.o.t.c.HashRing ] [wazuh.indexer] Build version hash ring successfully
[2026-01-02T14:36:57,558][INFO ][o.o.t.c.ADDataMigrator ] [wazuh.indexer] Start migrating AD data
[2026-01-02T14:36:57,559][INFO ][o.o.t.c.ADDataMigrator ] [wazuh.indexer] AD job index doesn't exist, no need to migrate
[2026-01-02T14:36:57,559][INFO ][o.o.t.c.ClusterEventListener] [wazuh.indexer] Init version hash ring successfully
[2026-01-02T14:36:57,577][INFO ][o.o.g.GatewayService ] [wazuh.indexer] recovered [0] indices into cluster_state
[2026-01-02T14:36:57,602][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[.opensearch-observability/bPebeko8T6CwRqKcrHuKbg]
[2026-01-02T14:36:57,768][INFO ][o.o.c.m.MetadataCreateIndexService] [wazuh.indexer] [.opensearch-observability] creating index, cause [api], templates [], shards [1]/[0]
[2026-01-02T14:36:57,905][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:36:57,906][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[.opensearch-observability/bPebeko8T6CwRqKcrHuKbg]
[2026-01-02T14:36:57,955][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:36:57,959][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:36:57,962][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:36:58,343][INFO ][o.o.c.r.a.AllocationService] [wazuh.indexer] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.opensearch-observability][0]]]).
[2026-01-02T14:36:58,435][INFO ][o.o.o.i.ObservabilityIndex] [wazuh.indexer] observability:Index .opensearch-observability creation Acknowledged
[2026-01-02T14:36:58,516][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [wazuh.indexer] Failure no such index [.opendistro_security] retrieving configuration for [ACTIONGROUPS, ALLOWLIST, AUDIT, CONFIG, INTERNALUSERS, NODESDN, ROLES, ROLESMAPPING, TENANTS, WHITELIST] (index=.opendistro_security)
[2026-01-02T14:36:58,516][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [wazuh.indexer] Failure no such index [.opendistro_security] retrieving configuration for [ACTIONGROUPS, ALLOWLIST, AUDIT, CONFIG, INTERNALUSERS, NODESDN, ROLES, ROLESMAPPING, TENANTS, WHITELIST] (index=.opendistro_security)
[2026-01-02T14:36:58,516][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [wazuh.indexer] Failure no such index [.opendistro_security] retrieving configuration for [ACTIONGROUPS, ALLOWLIST, AUDIT, CONFIG, INTERNALUSERS, NODESDN, ROLES, ROLESMAPPING, TENANTS, WHITELIST] (index=.opendistro_security)
[2026-01-02T14:36:58,517][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [wazuh.indexer] Failure no such index [.opendistro_security] retrieving configuration for [ACTIONGROUPS, ALLOWLIST, AUDIT, CONFIG, INTERNALUSERS, NODESDN, ROLES, ROLESMAPPING, TENANTS, WHITELIST] (index=.opendistro_security)
[2026-01-02T14:36:58,517][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [wazuh.indexer] Failure no such index [.opendistro_security] retrieving configuration for [ACTIONGROUPS, ALLOWLIST, AUDIT, CONFIG, INTERNALUSERS, NODESDN, ROLES, ROLESMAPPING, TENANTS, WHITELIST] (index=.opendistro_security)
[2026-01-02T14:36:58,517][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [wazuh.indexer] Failure no such index [.opendistro_security] retrieving configuration for [ACTIONGROUPS, ALLOWLIST, AUDIT, CONFIG, INTERNALUSERS, NODESDN, ROLES, ROLESMAPPING, TENANTS, WHITELIST] (index=.opendistro_security)
[2026-01-02T14:36:58,518][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [wazuh.indexer] Failure no such index [.opendistro_security] retrieving configuration for [ACTIONGROUPS, ALLOWLIST, AUDIT, CONFIG, INTERNALUSERS, NODESDN, ROLES, ROLESMAPPING, TENANTS, WHITELIST] (index=.opendistro_security)
[2026-01-02T14:36:58,518][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [wazuh.indexer] Failure no such index [.opendistro_security] retrieving configuration for [ACTIONGROUPS, ALLOWLIST, AUDIT, CONFIG, INTERNALUSERS, NODESDN, ROLES, ROLESMAPPING, TENANTS, WHITELIST] (index=.opendistro_security)
[2026-01-02T14:36:58,518][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [wazuh.indexer] Failure no such index [.opendistro_security] retrieving configuration for [ACTIONGROUPS, ALLOWLIST, AUDIT, CONFIG, INTERNALUSERS, NODESDN, ROLES, ROLESMAPPING, TENANTS, WHITELIST] (index=.opendistro_security)
[2026-01-02T14:36:58,518][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [wazuh.indexer] Failure no such index [.opendistro_security] retrieving configuration for [ACTIONGROUPS, ALLOWLIST, AUDIT, CONFIG, INTERNALUSERS, NODESDN, ROLES, ROLESMAPPING, TENANTS, WHITELIST] (index=.opendistro_security)
[2026-01-02T14:37:00,242][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:00,246][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:00,248][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:00,251][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:00,565][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:02,381][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:02,743][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:02,746][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:02,750][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:02,753][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:03,042][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[.opendistro_security/w1TNGdcWRZy0quUmv00o6A]
[2026-01-02T14:37:03,047][INFO ][o.o.c.m.MetadataCreateIndexService] [wazuh.indexer] [.opendistro_security] creating index, cause [api], templates [], shards [1]/[1]
[2026-01-02T14:37:03,049][INFO ][o.o.c.r.a.AllocationService] [wazuh.indexer] updating number_of_replicas to [0] for indices [.opendistro_security]
[2026-01-02T14:37:03,142][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[.opendistro_security/w1TNGdcWRZy0quUmv00o6A]
[2026-01-02T14:37:03,336][INFO ][o.o.c.r.a.AllocationService] [wazuh.indexer] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.opendistro_security][0]]]).
[2026-01-02T14:37:03,707][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[.opendistro_security/w1TNGdcWRZy0quUmv00o6A]
[2026-01-02T14:37:03,714][INFO ][o.o.c.m.MetadataMappingService] [wazuh.indexer] [.opendistro_security/w1TNGdcWRZy0quUmv00o6A] create_mapping
[2026-01-02T14:37:03,959][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[.opendistro_security/w1TNGdcWRZy0quUmv00o6A]
[2026-01-02T14:37:03,969][INFO ][o.o.c.m.MetadataMappingService] [wazuh.indexer] [.opendistro_security/w1TNGdcWRZy0quUmv00o6A] update_mapping [_doc]
[2026-01-02T14:37:04,134][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[.opendistro_security/w1TNGdcWRZy0quUmv00o6A]
[2026-01-02T14:37:04,143][INFO ][o.o.c.m.MetadataMappingService] [wazuh.indexer] [.opendistro_security/w1TNGdcWRZy0quUmv00o6A] update_mapping [_doc]
[2026-01-02T14:37:04,288][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[.opendistro_security/w1TNGdcWRZy0quUmv00o6A]
[2026-01-02T14:37:04,301][INFO ][o.o.c.m.MetadataMappingService] [wazuh.indexer] [.opendistro_security/w1TNGdcWRZy0quUmv00o6A] update_mapping [_doc]
[2026-01-02T14:37:04,429][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[.opendistro_security/w1TNGdcWRZy0quUmv00o6A]
[2026-01-02T14:37:04,443][INFO ][o.o.c.m.MetadataMappingService] [wazuh.indexer] [.opendistro_security/w1TNGdcWRZy0quUmv00o6A] update_mapping [_doc]
[2026-01-02T14:37:04,578][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[.opendistro_security/w1TNGdcWRZy0quUmv00o6A]
[2026-01-02T14:37:04,590][INFO ][o.o.c.m.MetadataMappingService] [wazuh.indexer] [.opendistro_security/w1TNGdcWRZy0quUmv00o6A] update_mapping [_doc]
[2026-01-02T14:37:04,714][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[.opendistro_security/w1TNGdcWRZy0quUmv00o6A]
[2026-01-02T14:37:04,722][INFO ][o.o.c.m.MetadataMappingService] [wazuh.indexer] [.opendistro_security/w1TNGdcWRZy0quUmv00o6A] update_mapping [_doc]
[2026-01-02T14:37:04,905][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[.opendistro_security/w1TNGdcWRZy0quUmv00o6A]
[2026-01-02T14:37:04,914][INFO ][o.o.c.m.MetadataMappingService] [wazuh.indexer] [.opendistro_security/w1TNGdcWRZy0quUmv00o6A] update_mapping [_doc]
[2026-01-02T14:37:05,040][WARN ][o.o.s.c.ConfigurationRepository] [wazuh.indexer] Unable to reload configuration, initalization thread has not yet completed.
[2026-01-02T14:37:05,243][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:05,246][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:05,248][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:05,251][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:07,516][INFO ][o.o.m.a.MLModelAutoReDeployer] [wazuh.indexer] Index not found, not performing auto reloading!
[2026-01-02T14:37:07,517][INFO ][o.o.m.c.MLCommonsClusterManagerEventListener] [wazuh.indexer] Starting ML sync up job...
[2026-01-02T14:37:07,743][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:07,746][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:07,750][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:07,753][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:10,244][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:10,246][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:10,249][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:10,251][ERROR][o.o.s.a.BackendRegistry ] [wazuh.indexer] Not yet initialized (you may need to run securityadmin)
[2026-01-02T14:37:11,856][INFO ][stdout ] [wazuh.indexer] [FINE] No subscribers registered for event class org.opensearch.security.securityconf.DynamicConfigFactory$NodesDnModelImpl
[2026-01-02T14:37:11,857][INFO ][stdout ] [wazuh.indexer] [FINE] No subscribers registered for event class org.greenrobot.eventbus.NoSubscriberEvent
[2026-01-02T14:37:11,858][INFO ][o.o.s.c.ConfigurationRepository] [wazuh.indexer] Hot-reloading of audit configuration is disabled. Using configuration with defaults from opensearch settings. Populate the configuration in index using audit.yml or securityadmin to enable it.
[2026-01-02T14:37:11,859][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] Auditing on REST API is enabled.
[2026-01-02T14:37:11,859][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] [AUTHENTICATED, GRANTED_PRIVILEGES] are excluded from REST API auditing.
[2026-01-02T14:37:11,859][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] Auditing on Transport API is enabled.
[2026-01-02T14:37:11,859][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] [AUTHENTICATED, GRANTED_PRIVILEGES] are excluded from Transport API auditing.
[2026-01-02T14:37:11,859][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] Auditing of request body is enabled.
[2026-01-02T14:37:11,860][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] Bulk requests resolution is disabled during request auditing.
[2026-01-02T14:37:11,860][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] Index resolution is enabled during request auditing.
[2026-01-02T14:37:11,860][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] Sensitive headers exclusion from auditing is enabled.
[2026-01-02T14:37:11,860][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] Auditing requests from kibanaserver users is disabled.
[2026-01-02T14:37:11,861][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] Auditing request headers <NONE> is disabled.
[2026-01-02T14:37:11,861][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] Auditing request url params <NONE> is disabled.
[2026-01-02T14:37:11,861][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] Auditing of external configuration is disabled.
[2026-01-02T14:37:11,861][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] Auditing of internal configuration is disabled.
[2026-01-02T14:37:11,862][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] Auditing only metadata information for read request is disabled.
[2026-01-02T14:37:11,862][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] Auditing will watch {} for read requests.
[2026-01-02T14:37:11,862][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] Auditing read operation requests from kibanaserver users is disabled.
[2026-01-02T14:37:11,863][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] Auditing only metadata information for write request is disabled.
[2026-01-02T14:37:11,863][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] Auditing diffs for write requests is disabled.
[2026-01-02T14:37:11,863][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] Auditing write operation requests from kibanaserver users is disabled.
[2026-01-02T14:37:11,864][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] Auditing will watch <NONE> for write requests.
[2026-01-02T14:37:11,864][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] .opendistro_security is used as internal security index.
[2026-01-02T14:37:11,864][INFO ][o.o.s.a.i.AuditLogImpl ] [wazuh.indexer] Internal index used for posting audit logs is null
[2026-01-02T14:37:11,864][INFO ][o.o.s.c.ConfigurationRepository] [wazuh.indexer] Node 'wazuh.indexer' initialized
[2026-01-02T14:37:13,308][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[.kibana_1/gHEYCq6CR8O-61IcxdbmjA]
[2026-01-02T14:37:13,335][INFO ][o.o.c.m.MetadataCreateIndexService] [wazuh.indexer] [.kibana_1] creating index, cause [api], templates [], shards [1]/[1]
[2026-01-02T14:37:13,337][INFO ][o.o.c.r.a.AllocationService] [wazuh.indexer] updating number_of_replicas to [0] for indices [.kibana_1]
[2026-01-02T14:37:13,402][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[.kibana_1/gHEYCq6CR8O-61IcxdbmjA]
[2026-01-02T14:37:13,565][INFO ][o.o.c.r.a.AllocationService] [wazuh.indexer] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.kibana_1][0]]]).
[2026-01-02T14:37:14,874][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[yznG4X0lQhWWGmQDodcSbA/Q3a4CzLiQxqV2j4tGWqZuA]
[2026-01-02T14:37:14,886][INFO ][o.o.c.m.MetadataIndexTemplateService] [wazuh.indexer] adding template [wazuh-statistics] for index patterns [wazuh-statistics-*]
[2026-01-02T14:37:44,893][WARN ][r.suppressed ] [wazuh.indexer] path: /_template/wazuh-agent, params: {name=wazuh-agent}
org.opensearch.cluster.metadata.ProcessClusterEventTimeoutException: failed to process cluster event (create-index-template [wazuh-agent], cause [api]) within 30s
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$0(MasterService.java:217) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.ArrayList.forEach(ArrayList.java:1596) [?:?]
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$1(MasterService.java:216) [opensearch-2.19.3.jar:2.19.3]
at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:955) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) [?:?]
at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
[2026-01-02T14:37:47,527][ERROR][o.o.m.e.i.MLIndicesHandler] [wazuh.indexer] Failed to create index .plugins-ml-config
org.opensearch.cluster.metadata.ProcessClusterEventTimeoutException: failed to process cluster event (create-index [.plugins-ml-config], cause [api]) within 30s
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$0(MasterService.java:217) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.ArrayList.forEach(ArrayList.java:1596) [?:?]
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$1(MasterService.java:216) [opensearch-2.19.3.jar:2.19.3]
at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:955) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) [?:?]
at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
[2026-01-02T14:37:48,672][WARN ][r.suppressed ] [wazuh.indexer] path: /_ingest/pipeline/filebeat-7.10.2-wazuh-alerts-pipeline, params: {id=filebeat-7.10.2-wazuh-alerts-pipeline}
org.opensearch.cluster.metadata.ProcessClusterEventTimeoutException: failed to process cluster event (put-pipeline-filebeat-7.10.2-wazuh-alerts-pipeline) within 30s
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$0(MasterService.java:217) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.ArrayList.forEach(ArrayList.java:1596) [?:?]
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$1(MasterService.java:216) [opensearch-2.19.3.jar:2.19.3]
at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:955) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) [?:?]
at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
[2026-01-02T14:37:57,485][INFO ][o.o.i.i.ManagedIndexCoordinator] [wazuh.indexer] Performing ISM template migration.
[2026-01-02T14:37:57,487][INFO ][o.o.i.i.m.ISMTemplateService] [wazuh.indexer] Doing ISM template migration 1 time.
[2026-01-02T14:37:57,488][INFO ][o.o.i.i.m.ISMTemplateService] [wazuh.indexer] Use 2026-01-02T13:36:57.482Z as migrating ISM template last_updated_time
[2026-01-02T14:37:57,489][INFO ][o.o.i.i.m.ISMTemplateService] [wazuh.indexer] ISM templates: {}
[2026-01-02T14:37:57,490][INFO ][o.o.i.i.m.ISMTemplateService] [wazuh.indexer] Policies to update: []
[2026-01-02T14:37:57,492][INFO ][o.o.i.i.ManagedIndexCoordinator] [wazuh.indexer] Performing move cluster state metadata.
[2026-01-02T14:37:57,493][INFO ][o.o.i.i.MetadataService ] [wazuh.indexer] ISM config index not exist, so we cancel the metadata migration job.
[2026-01-02T14:37:57,499][INFO ][o.o.i.i.m.ISMTemplateService] [wazuh.indexer] Failure experienced when migrating ISM Template and update ISM policies: {}
[2026-01-02T14:37:57,527][ERROR][o.o.m.e.i.MLIndicesHandler] [wazuh.indexer] Failed to create index .plugins-ml-config
org.opensearch.cluster.metadata.ProcessClusterEventTimeoutException: failed to process cluster event (create-index [.plugins-ml-config], cause [api]) within 30s
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$0(MasterService.java:217) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.ArrayList.forEach(ArrayList.java:1596) [?:?]
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$1(MasterService.java:216) [opensearch-2.19.3.jar:2.19.3]
at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:955) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) [?:?]
at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
[2026-01-02T14:37:58,633][WARN ][o.o.g.PersistedClusterStateService] [wazuh.indexer] writing cluster state took [43694ms] which is above the warn threshold of [10s]; wrote global metadata [true] and metadata for [0] indices and skipped [3] unchanged indices
[2026-01-02T14:37:58,635][INFO ][o.o.c.c.C.CoordinatorPublication] [wazuh.indexer] after [43.6s] publication of cluster state version [18] is still waiting for {wazuh.indexer}{jeO_mKrESxWeD0COXlnc_w}{vldCRbqtQmWErKtkCVcYIA}{10.128.10.3}{10.128.10.3:9300}{dimr}{shard_indexing_pressure_enabled=true} [SENT_PUBLISH_REQUEST]
[2026-01-02T14:38:07,542][ERROR][o.o.m.e.i.MLIndicesHandler] [wazuh.indexer] Failed to create index .plugins-ml-config
org.opensearch.cluster.metadata.ProcessClusterEventTimeoutException: failed to process cluster event (create-index [.plugins-ml-config], cause [api]) within 30s
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$0(MasterService.java:217) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.ArrayList.forEach(ArrayList.java:1596) [?:?]
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$1(MasterService.java:216) [opensearch-2.19.3.jar:2.19.3]
at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:955) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) [?:?]
at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
[2026-01-02T14:38:11,011][WARN ][o.o.g.PersistedClusterStateService] [wazuh.indexer] writing cluster state took [12408ms] which is above the warn threshold of [10s]; wrote global metadata [true] and metadata for [0] indices and skipped [3] unchanged indices
[2026-01-02T14:38:11,012][INFO ][o.o.c.c.C.CoordinatorPublication] [wazuh.indexer] after [12.4s] publication of cluster state version [19] is still waiting for {wazuh.indexer}{jeO_mKrESxWeD0COXlnc_w}{vldCRbqtQmWErKtkCVcYIA}{10.128.10.3}{10.128.10.3:9300}{dimr}{shard_indexing_pressure_enabled=true} [SENT_PUBLISH_REQUEST]
[2026-01-02T14:38:11,023][INFO ][o.o.c.s.ClusterSettings ] [wazuh.indexer] updating [plugins.index_state_management.template_migration.control] from [0] to [-1]
[2026-01-02T14:38:11,030][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[-EXGiQ34TPOjfnsNzeOW1A/K8bcwogOQyGmqVaH-mhVrg]
[2026-01-02T14:38:11,047][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[aL9eijaqQ2GJkfC2k7yrYw/yq1kwdTDSfynMAtgsc3JMQ]
[2026-01-02T14:38:11,052][INFO ][o.o.c.m.MetadataIndexTemplateService] [wazuh.indexer] adding template [wazuh-agent] for index patterns [wazuh-monitoring-*]
[2026-01-02T14:38:17,545][ERROR][o.o.m.e.i.MLIndicesHandler] [wazuh.indexer] Failed to create index .plugins-ml-config
org.opensearch.cluster.metadata.ProcessClusterEventTimeoutException: failed to process cluster event (create-index [.plugins-ml-config], cause [api]) within 30s
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$0(MasterService.java:217) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.ArrayList.forEach(ArrayList.java:1596) [?:?]
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$1(MasterService.java:216) [opensearch-2.19.3.jar:2.19.3]
at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:955) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) [?:?]
at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
[2026-01-02T14:38:20,602][WARN ][r.suppressed ] [wazuh.indexer] path: /_template/wazuh, params: {name=wazuh}
org.opensearch.cluster.metadata.ProcessClusterEventTimeoutException: failed to process cluster event (create-index-template [wazuh], cause [api]) within 30s
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$0(MasterService.java:217) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.ArrayList.forEach(ArrayList.java:1596) [?:?]
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$1(MasterService.java:216) [opensearch-2.19.3.jar:2.19.3]
at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:955) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) [?:?]
at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
[2026-01-02T14:38:23,707][WARN ][o.o.g.PersistedClusterStateService] [wazuh.indexer] writing cluster state took [12608ms] which is above the warn threshold of [10s]; wrote global metadata [true] and metadata for [0] indices and skipped [3] unchanged indices
[2026-01-02T14:38:23,708][INFO ][o.o.c.c.C.CoordinatorPublication] [wazuh.indexer] after [12.6s] publication of cluster state version [20] is still waiting for {wazuh.indexer}{jeO_mKrESxWeD0COXlnc_w}{vldCRbqtQmWErKtkCVcYIA}{10.128.10.3}{10.128.10.3:9300}{dimr}{shard_indexing_pressure_enabled=true} [SENT_PUBLISH_REQUEST]
[2026-01-02T14:38:23,716][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[.plugins-ml-config/_q_HjYGKTEiE6LcoPGOGxg]
[2026-01-02T14:38:23,727][INFO ][o.o.c.m.MetadataCreateIndexService] [wazuh.indexer] [.plugins-ml-config] creating index, cause [api], templates [], shards [1]/[1]
[2026-01-02T14:38:23,728][INFO ][o.o.c.r.a.AllocationService] [wazuh.indexer] updating number_of_replicas to [0] for indices [.plugins-ml-config]
[2026-01-02T14:38:37,600][ERROR][o.o.m.e.i.MLIndicesHandler] [wazuh.indexer] Failed to create index .plugins-ml-config
org.opensearch.cluster.metadata.ProcessClusterEventTimeoutException: failed to process cluster event (create-index [.plugins-ml-config], cause [api]) within 30s
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$0(MasterService.java:217) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.ArrayList.forEach(ArrayList.java:1596) [?:?]
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$1(MasterService.java:216) [opensearch-2.19.3.jar:2.19.3]
at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:955) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) [?:?]
at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
[2026-01-02T14:38:41,028][ERROR][o.o.i.i.m.ISMTemplateService] [wazuh.indexer] Failed to update template migration setting
org.opensearch.OpenSearchException: reroute after update settings failed
at org.opensearch.action.admin.cluster.settings.TransportClusterUpdateSettingsAction$1$1.onFailure(TransportClusterUpdateSettingsAction.java:240) [opensearch-2.19.3.jar:2.19.3]
at org.opensearch.cluster.service.MasterService$SafeClusterStateTaskListener.onFailure(MasterService.java:704) [opensearch-2.19.3.jar:2.19.3]
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$0(MasterService.java:217) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.ArrayList.forEach(ArrayList.java:1596) [?:?]
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$1(MasterService.java:216) [opensearch-2.19.3.jar:2.19.3]
at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:955) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) [?:?]
at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
Caused by: org.opensearch.cluster.metadata.ProcessClusterEventTimeoutException: failed to process cluster event (reroute_after_cluster_update_settings) within 30s
... 7 more
[2026-01-02T14:38:42,058][WARN ][o.o.g.PersistedClusterStateService] [wazuh.indexer] writing cluster state took [18412ms] which is above the warn threshold of [10s]; wrote global metadata [false] and metadata for [1] indices and skipped [3] unchanged indices
[2026-01-02T14:38:42,230][INFO ][o.o.c.c.C.CoordinatorPublication] [wazuh.indexer] after [18.6s] publication of cluster state version [21] is still waiting for {wazuh.indexer}{jeO_mKrESxWeD0COXlnc_w}{vldCRbqtQmWErKtkCVcYIA}{10.128.10.3}{10.128.10.3:9300}{dimr}{shard_indexing_pressure_enabled=true} [SENT_PUBLISH_REQUEST]
[2026-01-02T14:38:42,234][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[.plugins-ml-config/_q_HjYGKTEiE6LcoPGOGxg]
[2026-01-02T14:38:44,895][WARN ][r.suppressed ] [wazuh.indexer] path: /_template/wazuh-agent, params: {name=wazuh-agent}
org.opensearch.cluster.metadata.ProcessClusterEventTimeoutException: failed to process cluster event (create-index-template [wazuh-agent], cause [api]) within 30s
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$0(MasterService.java:217) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.ArrayList.forEach(ArrayList.java:1596) [?:?]
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$1(MasterService.java:216) [opensearch-2.19.3.jar:2.19.3]
at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:955) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) [?:?]
at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
[2026-01-02T14:38:47,751][ERROR][o.o.m.e.i.MLIndicesHandler] [wazuh.indexer] Failed to create index .plugins-ml-config
org.opensearch.cluster.metadata.ProcessClusterEventTimeoutException: failed to process cluster event (create-index [.plugins-ml-config], cause [api]) within 30s
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$0(MasterService.java:217) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.ArrayList.forEach(ArrayList.java:1596) [?:?]
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$1(MasterService.java:216) [opensearch-2.19.3.jar:2.19.3]
at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:955) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) [?:?]
at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
[2026-01-02T14:38:52,648][WARN ][r.suppressed ] [wazuh.indexer] path: /_template/wazuh, params: {name=wazuh}
org.opensearch.cluster.metadata.ProcessClusterEventTimeoutException: failed to process cluster event (create-index-template [wazuh], cause [api]) within 30s
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$0(MasterService.java:217) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.ArrayList.forEach(ArrayList.java:1596) [?:?]
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$1(MasterService.java:216) [opensearch-2.19.3.jar:2.19.3]
at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:955) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) [?:?]
at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
[2026-01-02T14:38:53,618][ERROR][o.o.m.c.MLSyncUpCron ] [wazuh.indexer] Failed to initialize or update ML Config index
[2026-01-02T14:38:57,492][INFO ][o.o.i.i.ManagedIndexCoordinator] [wazuh.indexer] Cancel background move metadata process.
[2026-01-02T14:38:57,493][INFO ][o.o.i.i.ManagedIndexCoordinator] [wazuh.indexer] Performing move cluster state metadata.
[2026-01-02T14:38:57,493][INFO ][o.o.i.i.MetadataService ] [wazuh.indexer] Move metadata has finished.
[2026-01-02T14:38:57,753][ERROR][o.o.m.e.i.MLIndicesHandler] [wazuh.indexer] Failed to create index .plugins-ml-config
org.opensearch.cluster.metadata.ProcessClusterEventTimeoutException: failed to process cluster event (create-index [.plugins-ml-config], cause [api]) within 30s
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$0(MasterService.java:217) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.ArrayList.forEach(ArrayList.java:1596) [?:?]
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$1(MasterService.java:216) [opensearch-2.19.3.jar:2.19.3]
at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:955) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) [?:?]
at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
[2026-01-02T14:38:59,576][WARN ][o.o.s.a.BackendRegistry ] [wazuh.indexer] No 'Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2026-01-02T14:39:04,498][INFO ][o.o.m.e.i.MLIndicesHandler] [wazuh.indexer] Skip creating the Index:.plugins-ml-config that is already created by another parallel request
[2026-01-02T14:39:04,505][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[vlaaL8FtSia5a8qDi4vjaw/3wzIY1EHS4KoekVq3SpMug]
[2026-01-02T14:39:04,513][INFO ][o.o.m.e.i.MLIndicesHandler] [wazuh.indexer] Skip creating the Index:.plugins-ml-config that is already created by another parallel request
[2026-01-02T14:39:04,515][INFO ][o.o.m.e.i.MLIndicesHandler] [wazuh.indexer] Skip creating the Index:.plugins-ml-config that is already created by another parallel request
[2026-01-02T14:39:18,704][WARN ][o.o.g.PersistedClusterStateService] [wazuh.indexer] writing cluster state took [14209ms] which is above the warn threshold of [10s]; wrote global metadata [true] and metadata for [0] indices and skipped [4] unchanged indices
[2026-01-02T14:39:18,705][INFO ][o.o.c.c.C.CoordinatorPublication] [wazuh.indexer] after [14.2s] publication of cluster state version [22] is still waiting for {wazuh.indexer}{jeO_mKrESxWeD0COXlnc_w}{vldCRbqtQmWErKtkCVcYIA}{10.128.10.3}{10.128.10.3:9300}{dimr}{shard_indexing_pressure_enabled=true} [SENT_PUBLISH_REQUEST]
[2026-01-02T14:39:18,716][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-monitoring-2026.1w/DYh62qctQ3arcGYuH_i56g]
[2026-01-02T14:39:18,724][INFO ][o.o.c.m.MetadataCreateIndexService] [wazuh.indexer] [wazuh-monitoring-2026.1w] creating index, cause [api], templates [wazuh-agent], shards [1]/[0]
[2026-01-02T14:39:33,245][WARN ][o.o.g.PersistedClusterStateService] [wazuh.indexer] writing cluster state took [14610ms] which is above the warn threshold of [10s]; wrote global metadata [false] and metadata for [1] indices and skipped [4] unchanged indices
[2026-01-02T14:39:33,246][INFO ][o.o.c.c.C.CoordinatorPublication] [wazuh.indexer] after [14.6s] publication of cluster state version [23] is still waiting for {wazuh.indexer}{jeO_mKrESxWeD0COXlnc_w}{vldCRbqtQmWErKtkCVcYIA}{10.128.10.3}{10.128.10.3:9300}{dimr}{shard_indexing_pressure_enabled=true} [SENT_PUBLISH_REQUEST]
[2026-01-02T14:39:33,249][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-monitoring-2026.1w/DYh62qctQ3arcGYuH_i56g]
[2026-01-02T14:39:35,505][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[TQemaB2DTUm7p-qowv4Yhg/BC4Y1JkxTeO7dfDmAktF2A]
[2026-01-02T14:39:35,568][INFO ][o.o.c.m.MetadataIndexTemplateService] [wazuh.indexer] adding template [wazuh] for index patterns [wazuh-alerts-4.x-*, wazuh-archives-4.x-*]
[2026-01-02T14:39:46,892][WARN ][o.o.g.PersistedClusterStateService] [wazuh.indexer] writing cluster state took [11415ms] which is above the warn threshold of [10s]; wrote global metadata [true] and metadata for [0] indices and skipped [5] unchanged indices
[2026-01-02T14:39:46,893][INFO ][o.o.c.c.C.CoordinatorPublication] [wazuh.indexer] after [11.4s] publication of cluster state version [24] is still waiting for {wazuh.indexer}{jeO_mKrESxWeD0COXlnc_w}{vldCRbqtQmWErKtkCVcYIA}{10.128.10.3}{10.128.10.3:9300}{dimr}{shard_indexing_pressure_enabled=true} [SENT_PUBLISH_REQUEST]
[2026-01-02T14:39:49,292][INFO ][o.o.c.m.MetadataUpdateSettingsService] [wazuh.indexer] updating number_of_replicas to [0] for indices [wazuh-monitoring-2026.1w]
[2026-01-02T14:39:49,307][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q]
[2026-01-02T14:39:49,393][INFO ][o.o.c.m.MetadataCreateIndexService] [wazuh.indexer] [wazuh-alerts-4.x-2026.01.02] creating index, cause [auto(bulk api)], templates [wazuh], shards [3]/[0]
[2026-01-02T14:39:49,418][INFO ][o.o.m.c.MLSyncUpCron ] [wazuh.indexer] ML configuration initialized successfully
[2026-01-02T14:39:50,623][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q]
[2026-01-02T14:39:55,429][INFO ][o.o.c.r.a.AllocationService] [wazuh.indexer] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[wazuh-alerts-4.x-2026.01.02][1], [wazuh-alerts-4.x-2026.01.02][2]]]).
[2026-01-02T14:39:56,461][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q]
[2026-01-02T14:39:56,518][INFO ][o.o.c.m.MetadataMappingService] [wazuh.indexer] [wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q] update_mapping [_doc]
[2026-01-02T14:39:57,747][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q]
[2026-01-02T14:39:57,785][INFO ][o.o.c.m.MetadataMappingService] [wazuh.indexer] [wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q] update_mapping [_doc]
[2026-01-02T14:39:59,688][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q]
[2026-01-02T14:39:59,726][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q]
[2026-01-02T14:40:00,025][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q]
[2026-01-02T14:40:00,065][INFO ][o.o.c.m.MetadataMappingService] [wazuh.indexer] [wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q] update_mapping [_doc]
[2026-01-02T14:40:01,242][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-statistics-2026.1w/DQ_OR2__Qb68RA67hy0X-A]
[2026-01-02T14:40:01,249][INFO ][o.o.c.m.MetadataCreateIndexService] [wazuh.indexer] [wazuh-statistics-2026.1w] creating index, cause [api], templates [wazuh-statistics], shards [1]/[0]
[2026-01-02T14:40:02,396][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-statistics-2026.1w/DQ_OR2__Qb68RA67hy0X-A]
[2026-01-02T14:40:03,121][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q]
[2026-01-02T14:40:04,894][INFO ][o.o.c.r.a.AllocationService] [wazuh.indexer] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[wazuh-statistics-2026.1w][0]]]).
[2026-01-02T14:40:05,857][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-statistics-2026.1w/DQ_OR2__Qb68RA67hy0X-A]
[2026-01-02T14:40:05,871][INFO ][o.o.c.m.MetadataMappingService] [wazuh.indexer] [wazuh-statistics-2026.1w/DQ_OR2__Qb68RA67hy0X-A] update_mapping [_doc]
[2026-01-02T14:41:57,062][INFO ][o.o.j.s.JobSweeper ] [wazuh.indexer] Running full sweep
[2026-01-02T14:41:57,485][INFO ][o.o.i.i.PluginVersionSweepCoordinator] [wazuh.indexer] Canceling sweep ism plugin version job
[2026-01-02T14:42:59,058][WARN ][o.o.s.a.BackendRegistry ] [wazuh.indexer] No 'Authorization' header, send 401 and 'WWW-Authenticate Basic'
#################################################################
docker logs wazuh-runtipi_synode-it-wazuh-manager-1
#################################################################
MANAGER_INIT: Starting manager initialization...
MANAGER_INIT: Configuration complete, starting Wazuh...
WATCHDOG: Waiting for Wazuh services to be fully started...
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 0-wazuh-init: executing...
/var/ossec/data_tmp/permanent/var/ossec/api/configuration/
Installing /var/ossec/api/configuration
/var/ossec/data_tmp/permanent/var/ossec/etc/
The path /var/ossec/etc is already mounted
/var/ossec/data_tmp/permanent/var/ossec/logs/
Installing /var/ossec/logs
/var/ossec/data_tmp/permanent/var/ossec/queue/
Installing /var/ossec/queue
/var/ossec/data_tmp/permanent/var/ossec/agentless/
Installing /var/ossec/agentless
/var/ossec/data_tmp/permanent/var/ossec/var/multigroups/
Installing /var/ossec/var/multigroups
/var/ossec/data_tmp/permanent/var/ossec/integrations/
Installing /var/ossec/integrations
/var/ossec/data_tmp/permanent/var/ossec/active-response/bin/
Installing /var/ossec/active-response/bin
/var/ossec/data_tmp/permanent/var/ossec/wodles/
The path /var/ossec/wodles is already mounted
/var/ossec/data_tmp/permanent/etc/filebeat/
The path /etc/filebeat is already mounted
Updating /var/ossec/etc/internal_options.conf
Updating /var/ossec/integrations/slack
Updating /var/ossec/integrations/slack.py
Updating /var/ossec/integrations/virustotal
Updating /var/ossec/integrations/virustotal.py
Updating /var/ossec/integrations/shuffle
Updating /var/ossec/integrations/shuffle.py
Updating /var/ossec/integrations/pagerduty
Updating /var/ossec/integrations/pagerduty.py
Updating /var/ossec/integrations/maltiverse
Updating /var/ossec/integrations/maltiverse.py
Updating /var/ossec/active-response/bin/default-firewall-drop
Updating /var/ossec/active-response/bin/disable-account
Updating /var/ossec/active-response/bin/firewalld-drop
Updating /var/ossec/active-response/bin/firewall-drop
Updating /var/ossec/active-response/bin/host-deny
Updating /var/ossec/active-response/bin/ip-customblock
Updating /var/ossec/active-response/bin/ipfw
Updating /var/ossec/active-response/bin/kaspersky.py
Updating /var/ossec/active-response/bin/kaspersky
Updating /var/ossec/active-response/bin/npf
Updating /var/ossec/active-response/bin/wazuh-slack
Updating /var/ossec/active-response/bin/pf
Updating /var/ossec/active-response/bin/restart-wazuh
Updating /var/ossec/active-response/bin/restart.sh
Updating /var/ossec/active-response/bin/route-null
Updating /var/ossec/agentless/sshlogin.exp
Updating /var/ossec/agentless/ssh_pixconfig_diff
Updating /var/ossec/agentless/ssh_asa-fwsmconfig_diff
Updating /var/ossec/agentless/ssh_integrity_check_bsd
Updating /var/ossec/agentless/main.exp
Updating /var/ossec/agentless/su.exp
Updating /var/ossec/agentless/ssh_integrity_check_linux
Updating /var/ossec/agentless/register_host.sh
Updating /var/ossec/agentless/ssh_generic_diff
Updating /var/ossec/agentless/ssh_foundry_diff
Updating /var/ossec/agentless/ssh_nopass.exp
Updating /var/ossec/agentless/ssh.exp
Updating /var/ossec/wodles/utils.py
Updating /var/ossec/wodles/aws/aws-s3
Updating /var/ossec/wodles/aws/aws-s3.py
Updating /var/ossec/wodles/aws/__init__.py
Updating /var/ossec/wodles/aws/aws_tools.py
Updating /var/ossec/wodles/aws/wazuh_integration.py
Updating /var/ossec/wodles/aws/buckets_s3/__init__.py
Updating /var/ossec/wodles/aws/buckets_s3/aws_bucket.py
Updating /var/ossec/wodles/aws/buckets_s3/cloudtrail.py
Updating /var/ossec/wodles/aws/buckets_s3/config.py
Updating /var/ossec/wodles/aws/buckets_s3/guardduty.py
Updating /var/ossec/wodles/aws/buckets_s3/load_balancers.py
Updating /var/ossec/wodles/aws/buckets_s3/server_access.py
Updating /var/ossec/wodles/aws/buckets_s3/umbrella.py
Updating /var/ossec/wodles/aws/buckets_s3/vpcflow.py
Updating /var/ossec/wodles/aws/buckets_s3/waf.py
Updating /var/ossec/wodles/aws/services/__init__.py
Updating /var/ossec/wodles/aws/services/aws_service.py
Updating /var/ossec/wodles/aws/services/cloudwatchlogs.py
Updating /var/ossec/wodles/aws/services/inspector.py
Updating /var/ossec/wodles/aws/subscribers/__init__.py
Updating /var/ossec/wodles/aws/subscribers/s3_log_handler.py
Updating /var/ossec/wodles/aws/subscribers/sqs_message_processor.py
Updating /var/ossec/wodles/aws/subscribers/sqs_queue.py
Updating /var/ossec/wodles/azure/azure-logs
Updating /var/ossec/wodles/azure/azure-logs.py
Updating /var/ossec/wodles/azure/db/orm.py
Updating /var/ossec/wodles/azure/db/utils.py
Updating /var/ossec/wodles/azure/db/__init__.py
Updating /var/ossec/wodles/azure/azure_utils.py
Updating /var/ossec/wodles/azure/azure_services/__init__.py
Updating /var/ossec/wodles/azure/azure_services/analytics.py
Updating /var/ossec/wodles/azure/azure_services/graph.py
Updating /var/ossec/wodles/azure/azure_services/storage.py
Updating /var/ossec/wodles/docker/DockerListener
Updating /var/ossec/wodles/docker/DockerListener.py
Updating /var/ossec/wodles/gcloud/gcloud
Updating /var/ossec/wodles/gcloud/gcloud.py
Updating /var/ossec/wodles/gcloud/integration.py
Updating /var/ossec/wodles/gcloud/tools.py
Updating /var/ossec/wodles/gcloud/exceptions.py
Updating /var/ossec/wodles/gcloud/buckets/bucket.py
Updating /var/ossec/wodles/gcloud/buckets/access_logs.py
Updating /var/ossec/wodles/gcloud/pubsub/subscriber.py
Updating /var/ossec/etc/lists/malicious-ioc/malicious-ip
Updating /var/ossec/etc/lists/malicious-ioc/malicious-domains
Updating /var/ossec/etc/lists/malicious-ioc/malware-hashes
Updating /etc/filebeat/wazuh-template.json
Updating /etc/filebeat/filebeat.yml
find: '/proc/224': No such file or directory
find: '/proc/409/task/409/fd/6': No such file or directory
find: '/proc/409/task/409/fdinfo/6': No such file or directory
find: '/proc/409/fd/5': No such file or directory
find: '/proc/409/fdinfo/5': No such file or directory
find: '/proc/412/task/412/fd/6': No such file or directory
find: '/proc/412/task/412/fdinfo/6': No such file or directory
find: '/proc/412/fd/5': No such file or directory
find: '/proc/412/fdinfo/5': No such file or directory
find: '/proc/451/task/451/fd/6': No such file or directory
find: '/proc/451/task/451/fdinfo/6': No such file or directory
find: '/proc/451/fd/5': No such file or directory
find: '/proc/451/fdinfo/5': No such file or directory
No Wazuh configuration files to mount...
[cont-init.d] 0-wazuh-init: exited 0.
[cont-init.d] 1-config-filebeat: executing...
Customize Elasticsearch output IP
Configuring username.
Configuring password.
Configuring SSL verification mode.
Configuring Certificate Authorities.
Configuring SSL Certificate.
Configuring SSL Key.
[cont-init.d] 1-config-filebeat: exited 0.
[cont-init.d] 2-manager: executing...
WATCHDOG: Still waiting for wazuh-db to start (20s elapsed)...
Configuring password.
2026/01/02 14:37:01 wazuh-modulesd:router: INFO: Loaded router module.
2026/01/02 14:37:01 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
2026/01/02 14:37:01 wazuh-modulesd:inventory-harvester: INFO: Loaded Inventory harvester module.
Starting Wazuh v4.14.1...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2026/01/02 14:37:05 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
WATCHDOG: wazuh-db is running, waiting additional 5s for stability...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
2026/01/02 14:37:07 wazuh-modulesd:router: INFO: Loaded router module.
2026/01/02 14:37:07 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
2026/01/02 14:37:07 wazuh-modulesd:inventory-harvester: INFO: Loaded Inventory harvester module.
Started wazuh-modulesd...
WATCHDOG: Making ossec.conf persistent...
WATCHDOG: Backing up current ossec.conf to custom storage...
WATCHDOG: Creating symlink /var/ossec/etc/ossec.conf -> custom/ossec.conf
WATCHDOG: ✓ ossec.conf is now persistent (symlink verified)
WATCHDOG: Initialization complete, entering monitoring mode
Completed.
[cont-init.d] 2-manager: exited 0.
[cont-init.d] done.
[services.d] starting services
starting Filebeat
[services.d] done.
2026/01/02 14:37:08 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-processes-wazuh.manager', retrying until the connection is successful.
2026/01/02 14:37:08 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-ports-wazuh.manager', retrying until the connection is successful.
2026/01/02 14:37:08 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-hotfixes-wazuh.manager', retrying until the connection is successful.
2026/01/02 14:37:09 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-hardware-wazuh.manager', retrying until the connection is successful.
2026/01/02 14:37:09 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-protocols-wazuh.manager', retrying until the connection is successful.
2026/01/02 14:37:09 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-interfaces-wazuh.manager', retrying until the connection is successful.
2026/01/02 14:37:10 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-networks-wazuh.manager', retrying until the connection is successful.
2026/01/02 14:37:10 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-users-wazuh.manager', retrying until the connection is successful.
2026/01/02 14:37:10 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-groups-wazuh.manager', retrying until the connection is successful.
2026/01/02 14:37:10 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-browser-extensions-wazuh.manager', retrying until the connection is successful.
2026-01-02T14:37:10.546Z INFO instance/beat.go:645 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2026-01-02T14:37:10.579Z INFO instance/beat.go:653 Beat ID: 05736137-3166-4c08-b5af-386763d70982
2026-01-02T14:37:10.580Z INFO [seccomp] seccomp/seccomp.go:124 Syscall filter successfully installed
2026-01-02T14:37:10.580Z INFO [beat] instance/beat.go:981 Beat info {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "05736137-3166-4c08-b5af-386763d70982"}}}
2026-01-02T14:37:10.580Z INFO [beat] instance/beat.go:990 Build info {"system_info": {"build": {"commit": "aacf9ecd9c494aa0908f61fbca82c906b16562a8", "libbeat": "7.10.2", "time": "2025-10-17T12:05:34.000Z", "version": "7.10.2"}}}
2026-01-02T14:37:10.580Z INFO [beat] instance/beat.go:993 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":16,"version":"go1.14.12"}}}
2026-01-02T14:37:10.581Z INFO [beat] instance/beat.go:997 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2025-12-31T11:52:27Z","containerized":false,"name":"wazuh.manager","ip":["127.0.0.1/8","::1/128","10.128.10.5/24"],"kernel_version":"6.8.0-90-generic","mac":["ca:44:df:0b:12:82"],"os":{"family":"redhat","platform":"amzn","name":"Amazon Linux","version":"2023","major":2023,"minor":9,"patch":20251208},"timezone":"UTC","timezone_offset_sec":0}}}
2026-01-02T14:37:10.582Z INFO [beat] instance/beat.go:1026 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"ambient":null}, "cwd": "/run/s6/services/filebeat", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 2191, "ppid": 2189, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2026-01-02T14:37:09.730Z"}}}
2026-01-02T14:37:10.582Z INFO instance/beat.go:299 Setup Beat: filebeat; Version: 7.10.2
2026-01-02T14:37:10.582Z INFO eslegclient/connection.go:99 elasticsearch url: https://wazuh.indexer:9200
2026-01-02T14:37:10.583Z INFO [publisher] pipeline/module.go:113 Beat name: wazuh.manager
2026-01-02T14:37:10.584Z INFO beater/filebeat.go:117 Enabled modules/filesets: wazuh (alerts), ()
2026-01-02T14:37:10.585Z INFO instance/beat.go:455 filebeat start running.
2026-01-02T14:37:10.600Z INFO memlog/store.go:119 Loading data file of '/var/lib/filebeat/registry/filebeat' succeeded. Active transaction id=0
2026-01-02T14:37:10.600Z INFO memlog/store.go:124 Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0
2026-01-02T14:37:10.601Z INFO [registrar] registrar/registrar.go:109 States Loaded from registrar: 0
2026-01-02T14:37:10.601Z INFO [crawler] beater/crawler.go:71 Loading Inputs: 1
2026-01-02T14:37:10.601Z INFO log/input.go:157 Configured paths: [/var/ossec/logs/alerts/alerts.json]
2026-01-02T14:37:10.601Z INFO [crawler] beater/crawler.go:141 Starting input (ID: 9132358592892857476)
2026-01-02T14:37:10.601Z INFO [crawler] beater/crawler.go:108 Loading and starting Inputs completed. Enabled inputs: 1
2026-01-02T14:37:10.602Z INFO log/harvester.go:302 Harvester started for file: /var/ossec/logs/alerts/alerts.json
2026/01/02 14:37:10 logger-helper: INFO: InventoryHarvesterFacade module started.
2026/01/02 14:37:10 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-services-wazuh.manager', retrying until the connection is successful.
2026/01/02 14:37:14 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2026/01/02 14:37:14 sca: INFO: Security Configuration Assessment scan finished. Duration: 7 seconds.
2026-01-02T14:37:18.604Z INFO [publisher_pipeline_output] pipeline/output.go:143 Connecting to backoff(elasticsearch(https://wazuh.indexer:9200))
2026-01-02T14:37:18.604Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2026-01-02T14:37:18.604Z INFO [publisher] pipeline/retry.go:223 done
2026-01-02T14:37:18.624Z INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.10.2
2026-01-02T14:37:18.627Z INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.10.2
2026/01/02 14:37:34 wazuh-syscheckd: INFO: netstat not available. Skipping port check.
2026/01/02 14:37:40 rootcheck: INFO: Ending rootcheck scan.
2026-01-02T14:37:50.561Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Connection marked as failed because the onConnect callback failed: 1 error: Error loading pipeline for fileset wazuh/alerts: couldn't load pipeline: couldn't load json. Error: 503 Service Unavailable: {"error":{"root_cause":[{"type":"process_cluster_event_timeout_exception","reason":"failed to process cluster event (put-pipeline-filebeat-7.10.2-wazuh-alerts-pipeline) within 30s"}],"type":"process_cluster_event_timeout_exception","reason":"failed to process cluster event (put-pipeline-filebeat-7.10.2-wazuh-alerts-pipeline) within 30s"},"status":503}. Response body: {"error":{"root_cause":[{"type":"process_cluster_event_timeout_exception","reason":"failed to process cluster event (put-pipeline-filebeat-7.10.2-wazuh-alerts-pipeline) within 30s"}],"type":"process_cluster_event_timeout_exception","reason":"failed to process cluster event (put-pipeline-filebeat-7.10.2-wazuh-alerts-pipeline) within 30s"},"status":503}
2026-01-02T14:37:50.561Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2026-01-02T14:37:50.561Z INFO [publisher] pipeline/retry.go:223 done
2026-01-02T14:37:50.561Z INFO [publisher_pipeline_output] pipeline/output.go:145 Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 1 reconnect attempt(s)
2026-01-02T14:37:50.577Z INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.10.2
2026-01-02T14:37:50.581Z INFO template/load.go:183 Existing template will be overwritten, as overwrite is enabled.
2026-01-02T14:37:50.585Z INFO template/load.go:117 Try loading template wazuh to Elasticsearch
2026-01-02T14:38:22.623Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Connection marked as failed because the onConnect callback failed: error loading template: could not load template. Elasticsearch returned: couldn't load template: 503 Service Unavailable: {"error":{"root_cause":[{"type":"process_cluster_event_timeout_exception","reason":"failed to process cluster event (create-index-template [wazuh], cause [api]) within 30s"}],"type":"process_cluster_event_timeout_exception","reason":"failed to process cluster event (create-index-template [wazuh], cause [api]) within 30s"},"status":503}. Response body: {"error":{"root_cause":[{"type":"process_cluster_event_timeout_exception","reason":"failed to process cluster event (create-index-template [wazuh], cause [api]) within 30s"}],"type":"process_cluster_event_timeout_exception","reason":"failed to process cluster event (create-index-template [wazuh], cause [api]) within 30s"},"status":503}. Template is: {
"index_patterns": [
"wazuh-alerts-4.x-*",
"wazuh-archives-4.x-*"
],
"mappings": {
"date_detection": false,
"dynamic_templates": [
{
"string_as_keyword": {
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"@timestamp": {
"type": "date"
},
"@version": {
"type": "text"
},
"GeoLocation": {
"properties": {
"area_code": {
"type": "long"
},
"city_name": {
"type": "keyword"
},
"continent_code": {
"type": "text"
},
"coordinates": {
"type": "double"
},
"country_code2": {
"type": "text"
},
"country_code3": {
"type": "text"
},
"country_name": {
"type": "keyword"
},
"dma_code": {
"type": "long"
},
"ip": {
"type": "keyword"
},
"latitude": {
"type": "double"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "double"
},
"postal_code": {
"type": "keyword"
},
"real_region_name": {
"type": "keyword"
},
"region_name": {
"type": "keyword"
},
"timezone": {
"type": "text"
}
}
},
"agent": {
"properties": {
"id": {
"type": "keyword"
},
"ip": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
},
"cluster": {
"properties": {
"name": {
"type": "keyword"
},
"node": {
"type": "keyword"
}
}
},
"command": {
"type": "keyword"
},
"data": {
"properties": {
"YARA": {
"properties": {
"api_customer": {
"type": "keyword"
},
"log_type": {
"type": "keyword"
},
"reference": {
"type": "keyword"
},
"rule_author": {
"type": "keyword"
},
"rule_description": {
"type": "keyword"
},
"rule_name": {
"type": "keyword"
},
"scanned_file": {
"type": "keyword"
},
"tags": {
"type": "keyword"
}
}
},
"action": {
"type": "keyword"
},
"audit": {
"properties": {
"acct": {
"type": "keyword"
},
"arch": {
"type": "keyword"
},
"auid": {
"type": "keyword"
},
"command": {
"type": "keyword"
},
"cwd": {
"type": "keyword"
},
"dev": {
"type": "keyword"
},
"directory": {
"properties": {
"inode": {
"type": "keyword"
},
"mode": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
},
"egid": {
"type": "keyword"
},
"enforcing": {
"type": "keyword"
},
"euid": {
"type": "keyword"
},
"exe": {
"type": "keyword"
},
"execve": {
"properties": {
"a0": {
"type": "keyword"
},
"a1": {
"type": "keyword"
},
"a2": {
"type": "keyword"
},
"a3": {
"type": "keyword"
}
}
},
"exit": {
"type": "keyword"
},
"file": {
"properties": {
"inode": {
"type": "keyword"
},
"mode": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
},
"fsgid": {
"type": "keyword"
},
"fsuid": {
"type": "keyword"
},
"gid": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"key": {
"type": "keyword"
},
"list": {
"type": "keyword"
},
"old-auid": {
"type": "keyword"
},
"old-ses": {
"type": "keyword"
},
"old_enforcing": {
"type": "keyword"
},
"old_prom": {
"type": "keyword"
},
"op": {
"type": "keyword"
},
"pid": {
"type": "keyword"
},
"ppid": {
"type": "keyword"
},
"prom": {
"type": "keyword"
},
"res": {
"type": "keyword"
},
"session": {
"type": "keyword"
},
"sgid": {
"type": "keyword"
},
"srcip": {
"type": "keyword"
},
"subj": {
"type": "keyword"
},
"success": {
"type": "keyword"
},
"suid": {
"type": "keyword"
},
"syscall": {
"type": "keyword"
},
"tty": {
"type": "keyword"
},
"type": {
"type": "keyword"
},
"uid": {
"type": "keyword"
}
}
},
"aws": {
"properties": {
"accountId": {
"type": "keyword"
},
"bytes": {
"type": "long"
},
"createdAt": {
"type": "date"
},
"dstaddr": {
"type": "ip"
},
"end": {
"type": "date"
},
"log_info": {
"properties": {
"s3bucket": {
"type": "keyword"
}
}
},
"region": {
"type": "keyword"
},
"resource.instanceDetails": {
"properties": {
"launchTime": {
"type": "date"
},
"networkInterfaces": {
"properties": {
"privateIpAddress": {
"type": "ip"
},
"publicIp": {
"type": "ip"
}
}
}
}
},
"service": {
"properties": {
"action.networkConnectionAction.remoteIpDetails": {
"properties": {
"geoLocation": {
"type": "geo_point"
},
"ipAddressV4": {
"type": "ip"
}
}
},
"count": {
"type": "long"
},
"eventFirstSeen": {
"type": "date"
},
"eventLastSeen": {
"type": "date"
}
}
},
"source": {
"type": "keyword"
},
"source_ip_address": {
"type": "ip"
},
"srcaddr": {
"type": "ip"
},
"start": {
"type": "date"
},
"updatedAt": {
"type": "date"
}
}
},
"azureSignInStatus": {
"properties": {
"additionalDetails": {
"type": "keyword"
},
"errorCode": {
"type": "integer"
},
"failureReason": {
"type": "keyword"
}
}
},
"cis": {
"properties": {
"benchmark": {
"type": "keyword"
},
"error": {
"type": "long"
},
"fail": {
"type": "long"
},
"group": {
"type": "keyword"
},
"notchecked": {
"type": "long"
},
"pass": {
"type": "long"
},
"result": {
"type": "keyword"
},
"rule_title": {
"type": "keyword"
},
"score": {
"type": "long"
},
"timestamp": {
"type": "keyword"
},
"unknown": {
"type": "long"
}
}
},
"command": {
"type": "keyword"
},
"data": {
"type": "keyword"
},
"docker": {
"properties": {
"Action": {
"type": "keyword"
},
"Actor": {
"properties": {
"Attributes": {
"properties": {
"image": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
}
}
},
"Type": {
"type": "keyword"
},
"from": {
"type": "keyword"
}
}
},
"dstip": {
"type": "keyword"
},
"dstport": {
"type": "keyword"
},
"dstuser": {
"type": "keyword"
},
"extra_data": {
"type": "keyword"
},
"file": {
"type": "keyword"
},
"gcp": {
"properties": {
"jsonPayload": {
"properties": {
"authAnswer": {
"type": "keyword"
},
"queryName": {
"type": "keyword"
},
"responseCode": {
"type": "keyword"
},
"vmInstanceId": {
"type": "keyword"
},
"vmInstanceName": {
"type": "keyword"
}
}
},
"resource": {
"properties": {
"labels": {
"properties": {
"location": {
"type": "keyword"
},
"project_id": {
"type": "keyword"
},
"source_type": {
"type": "keyword"
}
}
},
"type": {
"type": "keyword"
}
}
},
"severity": {
"type": "keyword"
}
}
},
"github": {
"properties": {
"action": {
"type": "keyword"
},
"actor": {
"type": "keyword"
},
"actor_location": {
"properties": {
"country_code": {
"type": "keyword"
}
}
},
"org": {
"type": "keyword"
},
"repo": {
"type": "keyword"
}
}
},
"hardware": {
"properties": {
"cpu_cores": {
"type": "long"
},
"cpu_mhz": {
"type": "double"
},
"cpu_name": {
"type": "keyword"
},
"ram_free": {
"type": "long"
},
"ram_total": {
"type": "long"
},
"ram_usage": {
"type": "long"
},
"serial": {
"type": "keyword"
}
}
},
"id": {
"type": "keyword"
},
"integration": {
"type": "keyword"
},
"ms-graph": {
"properties": {
"@odata.type": {
"type": "keyword"
},
"activationLockBypassCode": {
"type": "keyword"
},
"activity": {
"type": "keyword"
},
"activityDateTime": {
"type": "date"
},
"activityOperationType": {
"type": "keyword"
},
"activityResult": {
"type": "keyword"
},
"activityType": {
"type": "keyword"
},
"actor": {
"properties": {
"@odata.type": {
"type": "keyword"
},
"applicationDisplayName": {
"type": "keyword"
},
"applicationId": {
"type": "keyword"
},
"auditActorType": {
"type": "keyword"
},
"ipAddress": {
"type": "keyword"
},
"servicePrincipalName": {
"type": "keyword"
},
"type": {
"type": "keyword"
},
"userId": {
"type": "keyword"
},
"userPermissions": {
"type": "text"
},
"userPrincipalName": {
"type": "keyword"
}
}
},
"actorDisplayName": {
"type": "keyword"
},
"alertWebUrl": {
"type": "keyword"
},
"androidSecurityPatchLevel": {
"type": "keyword"
},
"appliedConditionalAccessPolicies": {
"type": "keyword"
},
"assignedTo": {
"type": "keyword"
},
"azureADDeviceId": {
"type": "keyword"
},
"azureADRegistered": {
"type": "keyword"
},
"category": {
"type": "keyword"
},
"classification": {
"type": "keyword"
},
"comments": {
"type": "keyword"
},
"complianceGracePeriodExpirationDateTime": {
"type": "date"
},
"complianceState": {
"type": "keyword"
},
"componentName": {
"type": "keyword"
},
"configurationManagerClientEnabledFeatures": {
"properties": {
"@odata.type": {
"type": "keyword"
},
"compliancePolicy": {
"type": "keyword"
},
"deviceConfiguration": {
"type": "keyword"
},
"inventory": {
"type": "keyword"
},
"modernApps": {
"type": "keyword"
},
"resourceAccess": {
"type": "keyword"
},
"windowsUpdateForBusiness": {
"type": "keyword"
}
},
"type": "nested"
},
"correlationId": {
"type": "keyword"
},
"createdDateTime": {
"type": "date"
},
"description": {
"type": "text"
},
"detectionSource": {
"type": "keyword"
},
"detectorId": {
"type": "keyword"
},
"determination": {
"type": "keyword"
},
"deviceActionResults": {
"properties": {
"@odata.type": {
"type": "keyword"
},
"actionName": {
"type": "keyword"
},
"actionState": {
"type": "keyword"
},
"lastUpdatedDateTime": {
"type": "date"
},
"startDateTime": {
"type": "date"
}
},
"type": "nested"
},
"deviceCategoryDisplayName": {
"type": "keyword"
},
"deviceCount": {
"type": "integer"
},
"deviceEnrollmentType": {
"type": "keyword"
},
"deviceHealthAttestationState": {
"properties": {
"@odata.type": {
"type": "keyword"
},
"attestationIdentityKey": {
"type": "keyword"
},
"bitLockerStatus": {
"type": "keyword"
},
"bootAppSecurityVersion": {
"type": "keyword"
},
"bootDebugging": {
"type": "keyword"
},
"bootManagerSecurityVersion": {
"type": "keyword"
},
"bootManagerVersion": {
"type": "keyword"
},
"bootRevisionListInfo": {
"type": "keyword"
},
"codeIntegrity": {
"type": "keyword"
},
"codeIntegrityCheckVersion": {
"type": "keyword"
},
"codeIntegrityPolicy": {
"type": "keyword"
},
"contentNamespaceUrl": {
"type": "keyword"
},
"contentVersion": {
"type": "keyword"
},
"dataExcutionPolicy": {
"type": "keyword"
},
"deviceHealthAttestationStatus": {
"type": "keyword"
},
"earlyLaunchAntiMalwareDriverProtection": {
"type": "keyword"
},
"healthAttestationSupportedStatus": {
"type": "keyword"
},
"healthStatusMismatchInfo": {
"type": "keyword"
},
"issuedDateTime": {
"type": "date"
},
"lastUpdateDateTime": {
"type": "date"
},
"operatingSystemKernelDebugging": {
"type": "keyword"
},
"operatingSystemRevListInfo": {
"type": "keyword"
},
"pcr0": {
"type": "keyword"
},
"pcrHashAlgorithm": {
"type": "keyword"
},
"resetCount": {
"type": "keyword"
},
"restartCount": {
"type": "keyword"
},
"safeMode": {
"type": "keyword"
},
"secureBoot": {
"type": "keyword"
},
"secureBootConfigurationPolicyFingerPrint": {
"type": "keyword"
},
"testSigning": {
"type": "keyword"
},
"tpmVersion": {
"type": "keyword"
},
"virtualSecureMode": {
"type": "keyword"
},
"windowsPE": {
"type": "keyword"
}
},
"type": "nested"
},
"deviceName": {
"type": "keyword"
},
"deviceRegistrationState": {
"type": "keyword"
},
"displayName": {
"type": "keyword"
},
"easActivated": {
"type": "keyword"
},
"easActivationDateTime": {
"type": "date"
},
"easDeviceId": {
"type": "keyword"
},
"emailAddress": {
"type": "keyword"
},
"enrolledDateTime": {
"type": "date"
},
"enrollmentProfileName": {
"type": "keyword"
},
"ethernetMacAddress": {
"type": "keyword"
},
"evidence": {
"properties": {
"_comment": {
"type": "keyword"
}
},
"type": "nested"
},
"exchangeAccessState": {
"type": "keyword"
},
"exchangeAccessStateReason": {
"type": "keyword"
},
"exchangeLastSuccessfulSyncDateTime": {
"type": "date"
},
"firstActivityDateTime": {
"type": "date"
},
"freeStorageSpaceInBytes": {
"type": "keyword"
},
"iccid": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"imei": {
"type": "keyword"
},
"incidentId": {
"type": "keyword"
},
"incidentWebUrl": {
"type": "keyword"
},
"isEncrypted": {
"type": "keyword"
},
"isSupervised": {
"type": "keyword"
},
"jailBroken": {
"type": "keyword"
},
"lastActivityDateTime": {
"type": "date"
},
"lastSyncDateTime": {
"type": "date"
},
"lastUpdateDateTime": {
"type": "date"
},
"managedDeviceName": {
"type": "keyword"
},
"managedDeviceOwnerType": {
"type": "keyword"
},
"managedDevices": {
"properties": {
"deviceName": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
},
"type": "nested"
},
"managementAgent": {
"type": "keyword"
},
"managementCertificateExpirationDate": {
"type": "date"
},
"manufacturer": {
"type": "keyword"
},
"meid": {
"type": "keyword"
},
"mitreTechniques": {
"type": "keyword"
},
"model": {
"type": "keyword"
},
"notes": {
"type": "keyword"
},
"operatingSystem": {
"type": "keyword"
},
"osVersion": {
"type": "keyword"
},
"partnerReportedThreatState": {
"type": "keyword"
},
"phoneNumber": {
"type": "keyword"
},
"physicalMemoryInBytes": {
"type": "keyword"
},
"platform": {
"type": "keyword"
},
"providerAlertId": {
"type": "keyword"
},
"publisher": {
"type": "keyword"
},
"relationship": {
"type": "keyword"
},
"remediationStatus": {
"type": "keyword"
},
"remoteAssistanceSessionErrorDetails": {
"type": "keyword"
},
"remoteAssistanceSessionUrl": {
"type": "keyword"
},
"requireUserEnrollmentApproval": {
"type": "keyword"
},
"resolvedDateTime": {
"type": "date"
},
"resource": {
"type": "keyword"
},
"resources": {
"properties": {
"@odata.type": {
"type": "keyword"
},
"auditResourceType": {
"type": "keyword"
},
"displayName": {
"type": "keyword"
},
"modifiedProperties": {
"properties": {
"@odata.type": {
"type": "keyword"
},
"displayName": {
"type": "keyword"
},
"newValue": {
"type": "keyword"
},
"oldValue": {
"type": "keyword"
}
},
"type": "nested"
},
"resourceId": {
"type": "keyword"
},
"type": {
"type": "keyword"
}
},
"type": "nested"
},
"roles": {
"type": "keyword"
},
"serialNumber": {
"type": "keyword"
},
"serviceSource": {
"type": "keyword"
},
"severity": {
"type": "keyword"
},
"sizeInByte": {
"type": "keyword"
},
"status": {
"type": "keyword"
},
"subscriberCarrier": {
"type": "keyword"
},
"tenantId": {
"type": "keyword"
},
"threatDisplayName": {
"type": "keyword"
},
"threatFamilyName": {
"type": "keyword"
},
"title": {
"type": "keyword"
},
"totalStorageSpaceInBytes": {
"type": "keyword"
},
"udid": {
"type": "keyword"
},
"userDisplayName": {
"type": "keyword"
},
"userId": {
"type": "keyword"
},
"userPrincipalName": {
"type": "keyword"
},
"verdict": {
"type": "keyword"
},
"version": {
"type": "keyword"
},
"wiFiMacAddress": {
"type": "keyword"
}
}
},
"netinfo": {
"properties": {
"iface": {
"properties": {
"adapter": {
"type": "keyword"
},
"ipv4": {
"properties": {
"address": {
"type": "keyword"
},
"broadcast": {
"type": "keyword"
},
"dhcp": {
"type": "keyword"
},
"gateway": {
"type": "keyword"
},
"metric": {
"type": "long"
},
"netmask": {
"type": "keyword"
}
}
},
"ipv6": {
"properties": {
"address": {
"type": "keyword"
},
"broadcast": {
"type": "keyword"
},
"dhcp": {
"type": "keyword"
},
"gateway": {
"type": "keyword"
},
"metric": {
"type": "long"
},
"netmask": {
"type": "keyword"
}
}
},
"mac": {
"type": "keyword"
},
"mtu": {
"type": "long"
},
"name": {
"type": "keyword"
},
"rx_bytes": {
"type": "long"
},
"rx_dropped": {
"type": "long"
},
"rx_errors": {
"type": "long"
},
"rx_packets": {
"type": "long"
},
"state": {
"type": "keyword"
},
"tx_bytes": {
"type": "long"
},
"tx_dropped": {
"type": "long"
},
"tx_errors": {
"type": "long"
},
"tx_packets": {
"type": "long"
},
"type": {
"type": "keyword"
}
}
}
}
},
"office365": {
"properties": {
"Actor": {
"properties": {
"ID": {
"type": "keyword"
}
}
},
"ClientIP": {
"type": "keyword"
},
"Operation": {
"type": "keyword"
},
"ResultStatus": {
"type": "keyword"
},
"Subscription": {
"type": "keyword"
},
"UserId": {
"type": "keyword"
}
}
},
"os": {
"properties": {
"architecture": {
"type": "keyword"
},
"build": {
"type": "keyword"
},
"codename": {
"type": "keyword"
},
"display_version": {
"type": "keyword"
},
"hostname": {
"type": "keyword"
},
"major": {
"type": "keyword"
},
"minor": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"patch": {
"type": "keyword"
},
"platform": {
"type": "keyword"
},
"release": {
"type": "keyword"
},
"release_version": {
"type": "keyword"
},
"sysname": {
"type": "keyword"
},
"version": {
"type": "keyword"
}
}
},
"oscap": {
"properties": {
"check": {
"properties": {
"description": {
"type": "text"
},
"id": {
"type": "keyword"
},
"identifiers": {
"type": "text"
},
"oval": {
"properties": {
"id": {
"type": "keyword"
}
}
},
"rationale": {
"type": "text"
},
"references": {
"type": "text"
},
"result": {
"type": "keyword"
},
"severity": {
"type": "keyword"
},
"title": {
"type": "keyword"
}
}
},
"scan": {
"properties": {
"benchmark": {
"properties": {
"id": {
"type": "keyword"
}
}
},
"content": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"profile": {
"properties": {
"id": {
"type": "keyword"
},
"title": {
"type": "keyword"
}
}
},
"return_code": {
"type": "long"
},
"score": {
"type": "double"
}
}
}
}
},
"osquery": {
"properties": {
"action": {
"type": "keyword"
},
"calendarTime": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"pack": {
"type": "keyword"
}
}
},
"parameters": {
"properties": {
"extra_args": {
"type": "keyword"
}
}
},
"port": {
"properties": {
"inode": {
"type": "long"
},
"local_ip": {
"type": "ip"
},
"local_port": {
"type": "long"
},
"pid": {
"type": "long"
},
"process": {
"type": "keyword"
},
"protocol": {
"type": "keyword"
},
"remote_ip": {
"type": "ip"
},
"remote_port": {
"type": "long"
},
"rx_queue": {
"type": "long"
},
"state": {
"type": "keyword"
},
"tx_queue": {
"type": "long"
}
}
},
"process": {
"properties": {
"args": {
"type": "keyword"
},
"cmd": {
"type": "keyword"
},
"egroup": {
"type": "keyword"
},
"euser": {
"type": "keyword"
},
"fgroup": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"nice": {
"type": "long"
},
"nlwp": {
"type": "long"
},
"pgrp": {
"type": "long"
},
"pid": {
"type": "long"
},
"ppid": {
"type": "long"
},
"priority": {
"type": "long"
},
"processor": {
"type": "long"
},
"resident": {
"type": "long"
},
"rgroup": {
"type": "keyword"
},
"ruser": {
"type": "keyword"
},
"session": {
"type": "long"
},
"sgroup": {
"type": "keyword"
},
"share": {
"type": "long"
},
"size": {
"type": "long"
},
"start_time": {
"type": "long"
},
"state": {
"type": "keyword"
},
"stime": {
"type": "long"
},
"suser": {
"type": "keyword"
},
"tgid": {
"type": "long"
},
"tty": {
"type": "long"
},
"utime": {
"type": "long"
},
"vm_size": {
"type": "long"
}
}
},
"program": {
"properties": {
"architecture": {
"type": "keyword"
},
"description": {
"type": "keyword"
},
"format": {
"type": "keyword"
},
"install_time": {
"type": "keyword"
},
"location": {
"type": "keyword"
},
"multiarch": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"priority": {
"type": "keyword"
},
"section": {
"type": "keyword"
},
"size": {
"type": "long"
},
"source": {
"type": "keyword"
},
"vendor": {
"type": "keyword"
},
"version": {
"type": "keyword"
}
}
},
"protocol": {
"type": "keyword"
},
"sca": {
"properties": {
"check": {
"properties": {
"compliance": {
"properties": {
"cis": {
"type": "keyword"
},
"cis_csc": {
"type": "keyword"
},
"hipaa": {
"type": "keyword"
},
"nist_800_53": {
"type": "keyword"
},
"pci_dss": {
"type": "keyword"
}
}
},
"description": {
"type": "keyword"
},
"directory": {
"type": "keyword"
},
"file": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"previous_result": {
"type": "keyword"
},
"process": {
"type": "keyword"
},
"rationale": {
"type": "keyword"
},
"reason": {
"type": "keyword"
},
"references": {
"type": "keyword"
},
"registry": {
"type": "keyword"
},
"remediation": {
"type": "keyword"
},
"result": {
"type": "keyword"
},
"title": {
"type": "keyword"
}
}
},
"description": {
"type": "keyword"
},
"failed": {
"type": "integer"
},
"file": {
"type": "keyword"
},
"invalid": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"passed": {
"type": "integer"
},
"policy": {
"type": "keyword"
},
"policy_id": {
"type": "keyword"
},
"scan_id": {
"type": "keyword"
},
"score": {
"type": "long"
},
"total_checks": {
"type": "keyword"
},
"type": {
"type": "keyword"
}
}
},
"scan_id": {
"type": "keyword"
},
"srcip": {
"type": "keyword"
},
"srcport": {
"type": "keyword"
},
"srcuser": {
"type": "keyword"
},
"system_name": {
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"title": {
"type": "keyword"
},
"type": {
"type": "keyword"
},
"uid": {
"type": "keyword"
},
"url": {
"type": "keyword"
},
"virustotal": {
"properties": {
"description": {
"type": "keyword"
},
"error": {
"type": "keyword"
},
"found": {
"type": "keyword"
},
"malicious": {
"type": "keyword"
},
"permalink": {
"type": "keyword"
},
"positives": {
"type": "keyword"
},
"scan_date": {
"type": "keyword"
},
"sha1": {
"type": "keyword"
},
"source": {
"properties": {
"alert_id": {
"type": "keyword"
},
"file": {
"type": "keyword"
},
"md5": {
"type": "keyword"
},
"sha1": {
"type": "keyword"
}
}
},
"total": {
"type": "keyword"
}
}
},
"vulnerability": {
"properties": {
"assigner": {
"type": "keyword"
},
"cve": {
"type": "keyword"
},
"cve_version": {
"type": "keyword"
},
"cvss": {
"properties": {
"cvss2": {
"properties": {
"base_score": {
"type": "keyword"
},
"exploitability_score": {
"type": "keyword"
},
"impact_score": {
"type": "keyword"
},
"vector": {
"properties": {
"access_complexity": {
"type": "keyword"
},
"attack_vector": {
"type": "keyword"
},
"authentication": {
"type": "keyword"
},
"availability": {
"type": "keyword"
},
"confidentiality_impact": {
"type": "keyword"
},
"integrity_impact": {
"type": "keyword"
},
"privileges_required": {
"type": "keyword"
},
"scope": {
"type": "keyword"
},
"user_interaction": {
"type": "keyword"
}
}
}
}
},
"cvss3": {
"properties": {
"base_score": {
"type": "keyword"
},
"exploitability_score": {
"type": "keyword"
},
"impact_score": {
"type": "keyword"
},
"vector": {
"properties": {
"access_complexity": {
"type": "keyword"
},
"attack_vector": {
"type": "keyword"
},
"authentication": {
"type": "keyword"
},
"availability": {
"type": "keyword"
},
"confidentiality_impact": {
"type": "keyword"
},
"integrity_impact": {
"type": "keyword"
},
"privileges_required": {
"type": "keyword"
},
"scope": {
"type": "keyword"
},
"user_interaction": {
"type": "keyword"
}
}
}
}
}
}
},
"cwe_reference": {
"type": "keyword"
},
"package": {
"properties": {
"architecture": {
"type": "keyword"
},
"condition": {
"type": "keyword"
},
"generated_cpe": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"source": {
"type": "keyword"
},
"version": {
"type": "keyword"
}
}
},
"published": {
"type": "date"
},
"rationale": {
"type": "keyword"
},
"reference": {
"type": "keyword"
},
"scanner.reference": {
"type": "keyword"
},
"severity": {
"type": "keyword"
},
"status": {
"type": "keyword"
},
"title": {
"type": "keyword"
},
"updated": {
"type": "date"
}
}
}
}
},
"decoder": {
"properties": {
"accumulate": {
"type": "long"
},
"fts": {
"type": "long"
},
"ftscomment": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"parent": {
"type": "keyword"
}
}
},
"full_log": {
"type": "text"
},
"host": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"input": {
"properties": {
"type": {
"type": "keyword"
}
}
},
"location": {
"type": "keyword"
},
"manager": {
"properties": {
"name": {
"type": "keyword"
}
}
},
"message": {
"type": "text"
},
"offset": {
"type": "keyword"
},
"predecoder": {
"properties": {
"hostname": {
"type": "keyword"
},
"program_name": {
"type": "keyword"
},
"timestamp": {
"type": "keyword"
}
}
},
"previous_log": {
"type": "text"
},
"previous_output": {
"type": "keyword"
},
"program_name": {
"type": "keyword"
},
"rule": {
"properties": {
"cis": {
"type": "keyword"
},
"cve": {
"type": "keyword"
},
"description": {
"type": "keyword"
},
"firedtimes": {
"type": "long"
},
"frequency": {
"type": "long"
},
"gdpr": {
"type": "keyword"
},
"gpg13": {
"type": "keyword"
},
"groups": {
"type": "keyword"
},
"hipaa": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"info": {
"type": "keyword"
},
"level": {
"type": "long"
},
"mail": {
"type": "boolean"
},
"mitre": {
"properties": {
"id": {
"type": "keyword"
},
"tactic": {
"type": "keyword"
},
"technique": {
"type": "keyword"
}
}
},
"nist_800_53": {
"type": "keyword"
},
"pci_dss": {
"type": "keyword"
},
"tsc": {
"type": "keyword"
}
}
},
"syscheck": {
"properties": {
"audit": {
"properties": {
"effective_user": {
"properties": {
"id": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
},
"group": {
"properties": {
"id": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
},
"login_user": {
"properties": {
"id": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
},
"process": {
"properties": {
"id": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"ppid": {
"type": "keyword"
}
}
},
"user": {
"properties": {
"id": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
}
}
},
"diff": {
"type": "keyword"
},
"event": {
"type": "keyword"
},
"gid_after": {
"type": "keyword"
},
"gid_before": {
"type": "keyword"
},
"gname_after": {
"type": "keyword"
},
"gname_before": {
"type": "keyword"
},
"hard_links": {
"type": "keyword"
},
"inode_after": {
"type": "keyword"
},
"inode_before": {
"type": "keyword"
},
"md5_after": {
"type": "keyword"
},
"md5_before": {
"type": "keyword"
},
"mode": {
"type": "keyword"
},
"mtime_after": {
"format": "date_optional_time",
"type": "date"
},
"mtime_before": {
"format": "date_optional_time",
"type": "date"
},
"path": {
"type": "keyword"
},
"perm_after": {
"type": "keyword"
},
"perm_before": {
"type": "keyword"
},
"sha1_after": {
"type": "keyword"
},
"sha1_before": {
"type": "keyword"
},
"sha256_after": {
"type": "keyword"
},
"sha256_before": {
"type": "keyword"
},
"size_after": {
"type": "long"
},
"size_before": {
"type": "long"
},
"tags": {
"type": "keyword"
},
"uid_after": {
"type": "keyword"
},
"uid_before": {
"type": "keyword"
},
"uname_after": {
"type": "keyword"
},
"uname_before": {
"type": "keyword"
}
}
},
"timestamp": {
"format": "date_optional_time||epoch_millis",
"type": "date"
},
"title": {
"type": "keyword"
},
"type": {
"type": "text"
}
}
},
"order": 0,
"settings": {
"index.auto_expand_replicas": "0-1",
"index.mapping.total_fields.limit": 10000,
"index.number_of_replicas": "0",
"index.number_of_shards": "3",
"index.query.default_field": [
"GeoLocation.city_name",
"GeoLocation.continent_code",
"GeoLocation.country_code2",
"GeoLocation.country_code3",
"GeoLocation.country_name",
"GeoLocation.ip",
"GeoLocation.postal_code",
"GeoLocation.real_region_name",
"GeoLocation.region_name",
"GeoLocation.timezone",
"agent.id",
"agent.ip",
"agent.name",
"cluster.name",
"cluster.node",
"command",
"data",
"data.action",
"data.audit",
"data.audit.acct",
"data.audit.arch",
"data.audit.auid",
"data.audit.command",
"data.audit.cwd",
"data.audit.dev",
"data.audit.directory.inode",
"data.audit.directory.mode",
"data.audit.directory.name",
"data.audit.egid",
"data.audit.enforcing",
"data.audit.euid",
"data.audit.exe",
"data.audit.execve.a0",
"data.audit.execve.a1",
"data.audit.execve.a2",
"data.audit.execve.a3",
"data.audit.exit",
"data.audit.file.inode",
"data.audit.file.mode",
"data.audit.file.name",
"data.audit.fsgid",
"data.audit.fsuid",
"data.audit.gid",
"data.audit.id",
"data.audit.key",
"data.audit.list",
"data.audit.old-auid",
"data.audit.old-ses",
"data.audit.old_enforcing",
"data.audit.old_prom",
"data.audit.op",
"data.audit.pid",
"data.audit.ppid",
"data.audit.prom",
"data.audit.res",
"data.audit.session",
"data.audit.sgid",
"data.audit.srcip",
"data.audit.subj",
"data.audit.success",
"data.audit.suid",
"data.audit.syscall",
"data.audit.tty",
"data.audit.uid",
"data.aws.accountId",
"data.aws.account_id",
"data.aws.action",
"data.aws.actor",
"data.aws.aws_account_id",
"data.aws.description",
"data.aws.dstport",
"data.aws.errorCode",
"data.aws.errorMessage",
"data.aws.eventID",
"data.aws.eventName",
"data.aws.eventSource",
"data.aws.eventType",
"data.aws.id",
"data.aws.name",
"data.aws.requestParameters.accessKeyId",
"data.aws.requestParameters.bucketName",
"data.aws.requestParameters.gatewayId",
"data.aws.requestParameters.groupDescription",
"data.aws.requestParameters.groupId",
"data.aws.requestParameters.groupName",
"data.aws.requestParameters.host",
"data.aws.requestParameters.hostedZoneId",
"data.aws.requestParameters.instanceId",
"data.aws.requestParameters.instanceProfileName",
"data.aws.requestParameters.loadBalancerName",
"data.aws.requestParameters.loadBalancerPorts",
"data.aws.requestParameters.masterUserPassword",
"data.aws.requestParameters.masterUsername",
"data.aws.requestParameters.name",
"data.aws.requestParameters.natGatewayId",
"data.aws.requestParameters.networkAclId",
"data.aws.requestParameters.path",
"data.aws.requestParameters.policyName",
"data.aws.requestParameters.port",
"data.aws.requestParameters.stackId",
"data.aws.requestParameters.stackName",
"data.aws.requestParameters.subnetId",
"data.aws.requestParameters.subnetIds",
"data.aws.requestParameters.volumeId",
"data.aws.requestParameters.vpcId",
"data.aws.resource.accessKeyDetails.accessKeyId",
"data.aws.resource.accessKeyDetails.principalId",
"data.aws.resource.accessKeyDetails.userName",
"data.aws.resource.instanceDetails.instanceId",
"data.aws.resource.instanceDetails.instanceState",
"data.aws.resource.instanceDetails.networkInterfaces.privateDnsName",
"data.aws.resource.instanceDetails.networkInterfaces.publicDnsName",
"data.aws.resource.instanceDetails.networkInterfaces.subnetId",
"data.aws.resource.instanceDetails.networkInterfaces.vpcId",
"data.aws.resource.instanceDetails.tags.value",
"data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId",
"data.aws.responseElements.description",
"data.aws.responseElements.instanceId",
"data.aws.responseElements.instances.instanceId",
"data.aws.responseElements.instancesSet.items.instanceId",
"data.aws.responseElements.listeners.port",
"data.aws.responseElements.loadBalancerName",
"data.aws.responseElements.loadBalancers.vpcId",
"data.aws.responseElements.loginProfile.userName",
"data.aws.responseElements.networkAcl.vpcId",
"data.aws.responseElements.ownerId",
"data.aws.responseElements.publicIp",
"data.aws.responseElements.user.userId",
"data.aws.responseElements.user.userName",
"data.aws.responseElements.volumeId",
"data.aws.service.serviceName",
"data.aws.severity",
"data.aws.source",
"data.aws.sourceIPAddress",
"data.aws.srcport",
"data.aws.userIdentity.accessKeyId",
"data.aws.userIdentity.accountId",
"data.aws.userIdentity.userName",
"data.aws.vpcEndpointId",
"data.command",
"data.cis.group",
"data.cis.rule_title",
"data.data",
"data.docker.Actor.Attributes.container",
"data.docker.Actor.Attributes.image",
"data.docker.Actor.Attributes.name",
"data.docker.Actor.ID",
"data.docker.id",
"data.docker.from",
"data.docker.message",
"data.docker.status",
"data.dstip",
"data.dstport",
"data.dstuser",
"data.extra_data",
"data.gcp.jsonPayload.queryName",
"data.gcp.jsonPayload.vmInstanceName",
"data.gcp.resource.labels.location",
"data.gcp.resource.labels.project_id",
"data.gcp.resource.labels.source_type",
"data.gcp.resource.type",
"data.github.org",
"data.github.actor",
"data.github.action",
"data.github.repo",
"data.hardware.serial",
"data.id",
"data.integration",
"data.netinfo.iface.adapter",
"data.netinfo.iface.ipv4.address",
"data.netinfo.iface.ipv6.address",
"data.netinfo.iface.mac",
"data.netinfo.iface.name",
"data.office365.Actor.ID",
"data.office365.UserId",
"data.office365.Operation",
"data.office365.ClientIP",
"data.ms-graph.relationship",
"data.ms-graph.classification",
"data.ms-graph.detectionSource",
"data.ms-graph.determination",
"data.ms-graph.remediationStatus",
"data.ms-graph.roles",
"data.ms-graph.verdict",
"data.ms-graph.serviceSource",
"data.ms-graph.severity",
"data.ms-graph.actorDisplayName",
"data.ms-graph.alertWebUrl",
"data.ms-graph.assignedTo",
"data.ms-graph.category",
"data.ms-graph.comments",
"data.ms-graph.description",
"data.ms-graph.detectorId",
"data.ms-graph.evidence._comment",
"data.ms-graph.id",
"data.ms-graph.incidentId",
"data.ms-graph.incidentWebUrl",
"data.ms-graph.mitreTechniques",
"data.ms-graph.providerAlertId",
"data.ms-graph.resource",
"data.ms-graph.status",
"data.ms-graph.tenantId",
"data.ms-graph.threatDisplayName",
"data.ms-graph.threatFamilyName",
"data.ms-graph.title",
"data.ms-graph.@odata.type",
"data.ms-graph.activationLockBypassCode",
"data.ms-graph.activity",
"data.ms-graph.activityOperationType",
"data.ms-graph.activityResult",
"data.ms-graph.activityType",
"data.ms-graph.actor.@odata.type",
"data.ms-graph.actor.applicationDisplayName",
"data.ms-graph.actor.applicationId",
"data.ms-graph.actor.auditActorType",
"data.ms-graph.actor.ipAddress",
"data.ms-graph.actor.servicePrincipalName",
"data.ms-graph.actor.type",
"data.ms-graph.actor.userId",
"data.ms-graph.actor.userPermissions",
"data.ms-graph.actor.userPrincipalName",
"data.ms-graph.androidSecurityPatchLevel",
"data.ms-graph.appliedConditionalAccessPolicies",
"data.ms-graph.azureADDeviceId",
"data.ms-graph.azureADRegistered",
"data.ms-graph.complianceState",
"data.ms-graph.componentName",
"data.ms-graph.configurationManagerClientEnabledFeatures.@odata.type",
"data.ms-graph.configurationManagerClientEnabledFeatures.compliancePolicy",
"data.ms-graph.configurationManagerClientEnabledFeatures.deviceConfiguration",
"data.ms-graph.configurationManagerClientEnabledFeatures.inventory",
"data.ms-graph.configurationManagerClientEnabledFeatures.modernApps",
"data.ms-graph.configurationManagerClientEnabledFeatures.resourceAccess",
"data.ms-graph.configurationManagerClientEnabledFeatures.windowsUpdateForBusiness",
"data.ms-graph.correlationId",
"data.ms-graph.deviceActionResults.@odata.type",
"data.ms-graph.deviceActionResults.actionName",
"data.ms-graph.deviceActionResults.actionState",
"data.ms-graph.deviceCategoryDisplayName",
"data.ms-graph.deviceEnrollmentType",
"data.ms-graph.deviceHealthAttestationState.@odata.type",
"data.ms-graph.deviceHealthAttestationState.attestationIdentityKey",
"data.ms-graph.deviceHealthAttestationState.bitLockerStatus",
"data.ms-graph.deviceHealthAttestationState.bootAppSecurityVersion",
"data.ms-graph.deviceHealthAttestationState.bootDebugging",
"data.ms-graph.deviceHealthAttestationState.bootManagerSecurityVersion",
"data.ms-graph.deviceHealthAttestationState.bootManagerVersion",
"data.ms-graph.deviceHealthAttestationState.bootRevisionListInfo",
"data.ms-graph.deviceHealthAttestationState.codeIntegrity",
"data.ms-graph.deviceHealthAttestationState.codeIntegrityCheckVersion",
"data.ms-graph.deviceHealthAttestationState.codeIntegrityPolicy",
"data.ms-graph.deviceHealthAttestationState.contentNamespaceUrl",
"data.ms-graph.deviceHealthAttestationState.contentVersion",
"data.ms-graph.deviceHealthAttestationState.dataExcutionPolicy",
"data.ms-graph.deviceHealthAttestationState.deviceHealthAttestationStatus",
"data.ms-graph.deviceHealthAttestationState.earlyLaunchAntiMalwareDriverProtection",
"data.ms-graph.deviceHealthAttestationState.healthAttestationSupportedStatus",
"data.ms-graph.deviceHealthAttestationState.healthStatusMismatchInfo",
"data.ms-graph.deviceHealthAttestationState.operatingSystemKernelDebugging",
"data.ms-graph.deviceHealthAttestationState.operatingSystemRevListInfo",
"data.ms-graph.deviceHealthAttestationState.pcr0",
"data.ms-graph.deviceHealthAttestationState.pcrHashAlgorithm",
"data.ms-graph.deviceHealthAttestationState.resetCount",
"data.ms-graph.deviceHealthAttestationState.restartCount",
"data.ms-graph.deviceHealthAttestationState.safeMode",
"data.ms-graph.deviceHealthAttestationState.secureBoot",
"data.ms-graph.deviceHealthAttestationState.secureBootConfigurationPolicyFingerPrint",
"data.ms-graph.deviceHealthAttestationState.testSigning",
"data.ms-graph.deviceHealthAttestationState.tpmVersion",
"data.ms-graph.deviceHealthAttestationState.virtualSecureMode",
"data.ms-graph.deviceHealthAttestationState.windowsPE",
"data.ms-graph.deviceName",
"data.ms-graph.deviceRegistrationState",
"data.ms-graph.displayName",
"data.ms-graph.easActivated",
"data.ms-graph.easDeviceId",
"data.ms-graph.emailAddress",
"data.ms-graph.enrollmentProfileName",
"data.ms-graph.ethernetMacAddress",
"data.ms-graph.exchangeAccessState",
"data.ms-graph.exchangeAccessStateReason",
"data.ms-graph.freeStorageSpaceInBytes",
"data.ms-graph.iccid",
"data.ms-graph.imei",
"data.ms-graph.isEncrypted",
"data.ms-graph.isSupervised",
"data.ms-graph.jailBroken",
"data.ms-graph.managedDeviceName",
"data.ms-graph.managedDevices.deviceName",
"data.ms-graph.managedDevices.id",
"data.ms-graph.managedDeviceOwnerType",
"data.ms-graph.managementAgent",
"data.ms-graph.manufacturer",
"data.ms-graph.meid",
"data.ms-graph.model",
"data.ms-graph.notes",
"data.ms-graph.operatingSystem",
"data.ms-graph.osVersion",
"data.ms-graph.partnerReportedThreatState",
"data.ms-graph.phoneNumber",
"data.ms-graph.physicalMemoryInBytes",
"data.ms-graph.platform",
"data.ms-graph.publisher",
"data.ms-graph.remoteAssistanceSessionErrorDetails",
"data.ms-graph.remoteAssistanceSessionUrl",
"data.ms-graph.requireUserEnrollmentApproval",
"data.ms-graph.resources.@odata.type",
"data.ms-graph.resources.auditResourceType",
"data.ms-graph.resources.displayName",
"data.ms-graph.resources.modifiedProperties.@odata.type",
"data.ms-graph.resources.modifiedProperties.displayName",
"data.ms-graph.resources.modifiedProperties.oldValue",
"data.ms-graph.resources.modifiedProperties.newValue",
"data.ms-graph.resources.resourceId",
"data.ms-graph.resources.type",
"data.ms-graph.serialNumber",
"data.ms-graph.sizeInByte",
"data.ms-graph.subscriberCarrier",
"data.ms-graph.totalStorageSpaceInBytes",
"data.ms-graph.udid",
"data.ms-graph.userDisplayName",
"data.ms-graph.userId",
"data.ms-graph.userPrincipalName",
"data.ms-graph.version",
"data.ms-graph.wiFiMacAddress",
"data.os.architecture",
"data.os.build",
"data.os.codename",
"data.os.hostname",
"data.os.major",
"data.os.minor",
"data.os.patch",
"data.os.name",
"data.os.platform",
"data.os.release",
"data.os.release_version",
"data.os.display_version",
"data.os.sysname",
"data.os.version",
"data.oscap.check.description",
"data.oscap.check.id",
"data.oscap.check.identifiers",
"data.oscap.check.oval.id",
"data.oscap.check.rationale",
"data.oscap.check.references",
"data.oscap.check.result",
"data.oscap.check.severity",
"data.oscap.check.title",
"data.oscap.scan.benchmark.id",
"data.oscap.scan.content",
"data.oscap.scan.id",
"data.oscap.scan.profile.id",
"data.oscap.scan.profile.title",
"data.osquery.columns.address",
"data.osquery.columns.command",
"data.osquery.columns.description",
"data.osquery.columns.dst_ip",
"data.osquery.columns.gid",
"data.osquery.columns.hostname",
"data.osquery.columns.md5",
"data.osquery.columns.path",
"data.osquery.columns.sha1",
"data.osquery.columns.sha256",
"data.osquery.columns.src_ip",
"data.osquery.columns.user",
"data.osquery.columns.username",
"data.osquery.name",
"data.osquery.pack",
"data.port.process",
"data.port.protocol",
"data.port.state",
"data.process.args",
"data.process.cmd",
"data.process.egroup",
"data.process.euser",
"data.process.fgroup",
"data.process.name",
"data.process.rgroup",
"data.process.ruser",
"data.process.sgroup",
"data.process.state",
"data.process.suser",
"data.program.architecture",
"data.program.description",
"data.program.format",
"data.program.location",
"data.program.multiarch",
"data.program.name",
"data.program.priority",
"data.program.section",
"data.program.source",
"data.program.vendor",
"data.program.version",
"data.protocol",
"data.pwd",
"data.sca",
"data.sca.check.compliance.cis",
"data.sca.check.compliance.cis_csc",
"data.sca.check.compliance.pci_dss",
"data.sca.check.compliance.hipaa",
"data.sca.check.compliance.nist_800_53",
"data.sca.check.description",
"data.sca.check.directory",
"data.sca.check.file",
"data.sca.check.id",
"data.sca.check.previous_result",
"data.sca.check.process",
"data.sca.check.rationale",
"data.sca.check.reason",
"data.sca.check.references",
"data.sca.check.registry",
"data.sca.check.remediation",
"data.sca.check.result",
"data.sca.check.title",
"data.sca.description",
"data.sca.file",
"data.sca.invalid",
"data.sca.name",
"data.sca.policy",
"data.sca.policy_id",
"data.sca.scan_id",
"data.sca.total_checks",
"data.scan_id",
"data.script",
"data.src_ip",
"data.src_port",
"data.srcip",
"data.srcport",
"data.srcuser",
"data.status",
"data.system_name",
"data.title",
"data.tty",
"data.uid",
"data.url",
"data.virustotal.description",
"data.virustotal.error",
"data.virustotal.found",
"data.virustotal.permalink",
"data.virustotal.scan_date",
"data.virustotal.sha1",
"data.virustotal.source.alert_id",
"data.virustotal.source.file",
"data.virustotal.source.md5",
"data.virustotal.source.sha1",
"data.vulnerability.cve",
"data.vulnerability.cvss.cvss2.base_score",
"data.vulnerability.cvss.cvss2.exploitability_score",
"data.vulnerability.cvss.cvss2.impact_score",
"data.vulnerability.cvss.cvss2.vector.access_complexity",
"data.vulnerability.cvss.cvss2.vector.attack_vector",
"data.vulnerability.cvss.cvss2.vector.authentication",
"data.vulnerability.cvss.cvss2.vector.availability",
"data.vulnerability.cvss.cvss2.vector.confidentiality_impact",
"data.vulnerability.cvss.cvss2.vector.integrity_impact",
"data.vulnerability.cvss.cvss2.vector.privileges_required",
"data.vulnerability.cvss.cvss2.vector.scope",
"data.vulnerability.cvss.cvss2.vector.user_interaction",
"data.vulnerability.cvss.cvss3.base_score",
"data.vulnerability.cvss.cvss3.exploitability_score",
"data.vulnerability.cvss.cvss3.impact_score",
"data.vulnerability.cvss.cvss3.vector.access_complexity",
"data.vulnerability.cvss.cvss3.vector.attack_vector",
"data.vulnerability.cvss.cvss3.vector.authentication",
"data.vulnerability.cvss.cvss3.vector.availability",
"data.vulnerability.cvss.cvss3.vector.confidentiality_impact",
"data.vulnerability.cvss.cvss3.vector.integrity_impact",
"data.vulnerability.cvss.cvss3.vector.privileges_required",
"data.vulnerability.cvss.cvss3.vector.scope",
"data.vulnerability.cvss.cvss3.vector.user_interaction",
"data.vulnerability.cwe_reference",
"data.vulnerability.package.source",
"data.vulnerability.package.architecture",
"data.vulnerability.package.condition",
"data.vulnerability.package.generated_cpe",
"data.vulnerability.package.name",
"data.vulnerability.package.version",
"data.vulnerability.rationale",
"data.vulnerability.reference",
"data.vulnerability.severity",
"data.vulnerability.status",
"data.vulnerability.title",
"data.vulnerability.assigner",
"data.vulnerability.cve_version",
"data.win.eventdata.auditPolicyChanges",
"data.win.eventdata.auditPolicyChangesId",
"data.win.eventdata.binary",
"data.win.eventdata.category",
"data.win.eventdata.categoryId",
"data.win.eventdata.data",
"data.win.eventdata.image",
"data.win.eventdata.ipAddress",
"data.win.eventdata.ipPort",
"data.win.eventdata.keyName",
"data.win.eventdata.logonGuid",
"data.win.eventdata.logonProcessName",
"data.win.eventdata.operation",
"data.win.eventdata.parentImage",
"data.win.eventdata.processId",
"data.win.eventdata.processName",
"data.win.eventdata.providerName",
"data.win.eventdata.returnCode",
"data.win.eventdata.service",
"data.win.eventdata.status",
"data.win.eventdata.subcategory",
"data.win.eventdata.subcategoryGuid",
"data.win.eventdata.subcategoryId",
"data.win.eventdata.subjectDomainName",
"data.win.eventdata.subjectLogonId",
"data.win.eventdata.subjectUserName",
"data.win.eventdata.subjectUserSid",
"data.win.eventdata.targetDomainName",
"data.win.eventdata.targetLinkedLogonId",
"data.win.eventdata.targetLogonId",
"data.win.eventdata.targetUserName",
"data.win.eventdata.targetUserSid",
"data.win.eventdata.workstationName",
"data.win.system.channel",
"data.win.system.computer",
"data.win.system.eventID",
"data.win.system.eventRecordID",
"data.win.system.eventSourceName",
"data.win.system.keywords",
"data.win.system.level",
"data.win.system.message",
"data.win.system.opcode",
"data.win.system.processID",
"data.win.system.providerGuid",
"data.win.system.providerName",
"data.win.system.securityUserID",
"data.win.system.severityValue",
"data.win.system.userID",
"decoder.ftscomment",
"decoder.name",
"decoder.parent",
"full_log",
"host",
"id",
"input",
"location",
"manager.name",
"message",
"offset",
"predecoder.hostname",
"predecoder.program_name",
"previous_log",
"previous_output",
"program_name",
"rule.cis",
"rule.cve",
"rule.description",
"rule.gdpr",
"rule.gpg13",
"rule.groups",
"rule.id",
"rule.info",
"rule.mitre.id",
"rule.mitre.tactic",
"rule.mitre.technique",
"rule.pci_dss",
"rule.hipaa",
"rule.nist_800_53",
"syscheck.audit.effective_user.id",
"syscheck.audit.effective_user.name",
"syscheck.audit.group.id",
"syscheck.audit.group.name",
"syscheck.audit.login_user.id",
"syscheck.audit.login_user.name",
"syscheck.audit.process.id",
"syscheck.audit.process.name",
"syscheck.audit.process.ppid",
"syscheck.audit.user.id",
"syscheck.audit.user.name",
"syscheck.diff",
"syscheck.event",
"syscheck.gid_after",
"syscheck.gid_before",
"syscheck.gname_after",
"syscheck.gname_before",
"syscheck.inode_after",
"syscheck.inode_before",
"syscheck.md5_after",
"syscheck.md5_before",
"syscheck.path",
"syscheck.mode",
"syscheck.perm_after",
"syscheck.perm_before",
"syscheck.sha1_after",
"syscheck.sha1_before",
"syscheck.sha256_after",
"syscheck.sha256_before",
"syscheck.tags",
"syscheck.uid_after",
"syscheck.uid_before",
"syscheck.uname_after",
"syscheck.uname_before",
"syscheck.arch",
"syscheck.value_name",
"syscheck.value_type",
"syscheck.changed_attributes",
"title"
],
"index.refresh_interval": "5s"
},
"version": 1
}
2026-01-02T14:38:22.623Z INFO [publisher_pipeline_output] pipeline/output.go:145 Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 2 reconnect attempt(s)
2026-01-02T14:38:22.624Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2026-01-02T14:38:22.624Z INFO [publisher] pipeline/retry.go:223 done
2026-01-02T14:38:22.629Z INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.10.2
2026-01-02T14:38:22.633Z INFO template/load.go:183 Existing template will be overwritten, as overwrite is enabled.
2026-01-02T14:38:22.635Z INFO template/load.go:117 Try loading template wazuh to Elasticsearch
2026-01-02T14:38:57.326Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://wazuh.indexer:9200)): Connection marked as failed because the onConnect callback failed: error loading template: could not load template. Elasticsearch returned: couldn't load template: 503 Service Unavailable: {"error":{"root_cause":[{"type":"process_cluster_event_timeout_exception","reason":"failed to process cluster event (create-index-template [wazuh], cause [api]) within 30s"}],"type":"process_cluster_event_timeout_exception","reason":"failed to process cluster event (create-index-template [wazuh], cause [api]) within 30s"},"status":503}. Response body: {"error":{"root_cause":[{"type":"process_cluster_event_timeout_exception","reason":"failed to process cluster event (create-index-template [wazuh], cause [api]) within 30s"}],"type":"process_cluster_event_timeout_exception","reason":"failed to process cluster event (create-index-template [wazuh], cause [api]) within 30s"},"status":503}. Template is: {
"index_patterns": [
"wazuh-alerts-4.x-*",
"wazuh-archives-4.x-*"
],
"mappings": {
"date_detection": false,
"dynamic_templates": [
{
"string_as_keyword": {
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"@timestamp": {
"type": "date"
},
"@version": {
"type": "text"
},
"GeoLocation": {
"properties": {
"area_code": {
"type": "long"
},
"city_name": {
"type": "keyword"
},
"continent_code": {
"type": "text"
},
"coordinates": {
"type": "double"
},
"country_code2": {
"type": "text"
},
"country_code3": {
"type": "text"
},
"country_name": {
"type": "keyword"
},
"dma_code": {
"type": "long"
},
"ip": {
"type": "keyword"
},
"latitude": {
"type": "double"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "double"
},
"postal_code": {
"type": "keyword"
},
"real_region_name": {
"type": "keyword"
},
"region_name": {
"type": "keyword"
},
"timezone": {
"type": "text"
}
}
},
"agent": {
"properties": {
"id": {
"type": "keyword"
},
"ip": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
},
"cluster": {
"properties": {
"name": {
"type": "keyword"
},
"node": {
"type": "keyword"
}
}
},
"command": {
"type": "keyword"
},
"data": {
"properties": {
"YARA": {
"properties": {
"api_customer": {
"type": "keyword"
},
"log_type": {
"type": "keyword"
},
"reference": {
"type": "keyword"
},
"rule_author": {
"type": "keyword"
},
"rule_description": {
"type": "keyword"
},
"rule_name": {
"type": "keyword"
},
"scanned_file": {
"type": "keyword"
},
"tags": {
"type": "keyword"
}
}
},
"action": {
"type": "keyword"
},
"audit": {
"properties": {
"acct": {
"type": "keyword"
},
"arch": {
"type": "keyword"
},
"auid": {
"type": "keyword"
},
"command": {
"type": "keyword"
},
"cwd": {
"type": "keyword"
},
"dev": {
"type": "keyword"
},
"directory": {
"properties": {
"inode": {
"type": "keyword"
},
"mode": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
},
"egid": {
"type": "keyword"
},
"enforcing": {
"type": "keyword"
},
"euid": {
"type": "keyword"
},
"exe": {
"type": "keyword"
},
"execve": {
"properties": {
"a0": {
"type": "keyword"
},
"a1": {
"type": "keyword"
},
"a2": {
"type": "keyword"
},
"a3": {
"type": "keyword"
}
}
},
"exit": {
"type": "keyword"
},
"file": {
"properties": {
"inode": {
"type": "keyword"
},
"mode": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
},
"fsgid": {
"type": "keyword"
},
"fsuid": {
"type": "keyword"
},
"gid": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"key": {
"type": "keyword"
},
"list": {
"type": "keyword"
},
"old-auid": {
"type": "keyword"
},
"old-ses": {
"type": "keyword"
},
"old_enforcing": {
"type": "keyword"
},
"old_prom": {
"type": "keyword"
},
"op": {
"type": "keyword"
},
"pid": {
"type": "keyword"
},
"ppid": {
"type": "keyword"
},
"prom": {
"type": "keyword"
},
"res": {
"type": "keyword"
},
"session": {
"type": "keyword"
},
"sgid": {
"type": "keyword"
},
"srcip": {
"type": "keyword"
},
"subj": {
"type": "keyword"
},
"success": {
"type": "keyword"
},
"suid": {
"type": "keyword"
},
"syscall": {
"type": "keyword"
},
"tty": {
"type": "keyword"
},
"type": {
"type": "keyword"
},
"uid": {
"type": "keyword"
}
}
},
"aws": {
"properties": {
"accountId": {
"type": "keyword"
},
"bytes": {
"type": "long"
},
"createdAt": {
"type": "date"
},
"dstaddr": {
"type": "ip"
},
"end": {
"type": "date"
},
"log_info": {
"properties": {
"s3bucket": {
"type": "keyword"
}
}
},
"region": {
"type": "keyword"
},
"resource.instanceDetails": {
"properties": {
"launchTime": {
"type": "date"
},
"networkInterfaces": {
"properties": {
"privateIpAddress": {
"type": "ip"
},
"publicIp": {
"type": "ip"
}
}
}
}
},
"service": {
"properties": {
"action.networkConnectionAction.remoteIpDetails": {
"properties": {
"geoLocation": {
"type": "geo_point"
},
"ipAddressV4": {
"type": "ip"
}
}
},
"count": {
"type": "long"
},
"eventFirstSeen": {
"type": "date"
},
"eventLastSeen": {
"type": "date"
}
}
},
"source": {
"type": "keyword"
},
"source_ip_address": {
"type": "ip"
},
"srcaddr": {
"type": "ip"
},
"start": {
"type": "date"
},
"updatedAt": {
"type": "date"
}
}
},
"azureSignInStatus": {
"properties": {
"additionalDetails": {
"type": "keyword"
},
"errorCode": {
"type": "integer"
},
"failureReason": {
"type": "keyword"
}
}
},
"cis": {
"properties": {
"benchmark": {
"type": "keyword"
},
"error": {
"type": "long"
},
"fail": {
"type": "long"
},
"group": {
"type": "keyword"
},
"notchecked": {
"type": "long"
},
"pass": {
"type": "long"
},
"result": {
"type": "keyword"
},
"rule_title": {
"type": "keyword"
},
"score": {
"type": "long"
},
"timestamp": {
"type": "keyword"
},
"unknown": {
"type": "long"
}
}
},
"command": {
"type": "keyword"
},
"data": {
"type": "keyword"
},
"docker": {
"properties": {
"Action": {
"type": "keyword"
},
"Actor": {
"properties": {
"Attributes": {
"properties": {
"image": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
}
}
},
"Type": {
"type": "keyword"
},
"from": {
"type": "keyword"
}
}
},
"dstip": {
"type": "keyword"
},
"dstport": {
"type": "keyword"
},
"dstuser": {
"type": "keyword"
},
"extra_data": {
"type": "keyword"
},
"file": {
"type": "keyword"
},
"gcp": {
"properties": {
"jsonPayload": {
"properties": {
"authAnswer": {
"type": "keyword"
},
"queryName": {
"type": "keyword"
},
"responseCode": {
"type": "keyword"
},
"vmInstanceId": {
"type": "keyword"
},
"vmInstanceName": {
"type": "keyword"
}
}
},
"resource": {
"properties": {
"labels": {
"properties": {
"location": {
"type": "keyword"
},
"project_id": {
"type": "keyword"
},
"source_type": {
"type": "keyword"
}
}
},
"type": {
"type": "keyword"
}
}
},
"severity": {
"type": "keyword"
}
}
},
"github": {
"properties": {
"action": {
"type": "keyword"
},
"actor": {
"type": "keyword"
},
"actor_location": {
"properties": {
"country_code": {
"type": "keyword"
}
}
},
"org": {
"type": "keyword"
},
"repo": {
"type": "keyword"
}
}
},
"hardware": {
"properties": {
"cpu_cores": {
"type": "long"
},
"cpu_mhz": {
"type": "double"
},
"cpu_name": {
"type": "keyword"
},
"ram_free": {
"type": "long"
},
"ram_total": {
"type": "long"
},
"ram_usage": {
"type": "long"
},
"serial": {
"type": "keyword"
}
}
},
"id": {
"type": "keyword"
},
"integration": {
"type": "keyword"
},
"ms-graph": {
"properties": {
"@odata.type": {
"type": "keyword"
},
"activationLockBypassCode": {
"type": "keyword"
},
"activity": {
"type": "keyword"
},
"activityDateTime": {
"type": "date"
},
"activityOperationType": {
"type": "keyword"
},
"activityResult": {
"type": "keyword"
},
"activityType": {
"type": "keyword"
},
"actor": {
"properties": {
"@odata.type": {
"type": "keyword"
},
"applicationDisplayName": {
"type": "keyword"
},
"applicationId": {
"type": "keyword"
},
"auditActorType": {
"type": "keyword"
},
"ipAddress": {
"type": "keyword"
},
"servicePrincipalName": {
"type": "keyword"
},
"type": {
"type": "keyword"
},
"userId": {
"type": "keyword"
},
"userPermissions": {
"type": "text"
},
"userPrincipalName": {
"type": "keyword"
}
}
},
"actorDisplayName": {
"type": "keyword"
},
"alertWebUrl": {
"type": "keyword"
},
"androidSecurityPatchLevel": {
"type": "keyword"
},
"appliedConditionalAccessPolicies": {
"type": "keyword"
},
"assignedTo": {
"type": "keyword"
},
"azureADDeviceId": {
"type": "keyword"
},
"azureADRegistered": {
"type": "keyword"
},
"category": {
"type": "keyword"
},
"classification": {
"type": "keyword"
},
"comments": {
"type": "keyword"
},
"complianceGracePeriodExpirationDateTime": {
"type": "date"
},
"complianceState": {
"type": "keyword"
},
"componentName": {
"type": "keyword"
},
"configurationManagerClientEnabledFeatures": {
"properties": {
"@odata.type": {
"type": "keyword"
},
"compliancePolicy": {
"type": "keyword"
},
"deviceConfiguration": {
"type": "keyword"
},
"inventory": {
"type": "keyword"
},
"modernApps": {
"type": "keyword"
},
"resourceAccess": {
"type": "keyword"
},
"windowsUpdateForBusiness": {
"type": "keyword"
}
},
"type": "nested"
},
"correlationId": {
"type": "keyword"
},
"createdDateTime": {
"type": "date"
},
"description": {
"type": "text"
},
"detectionSource": {
"type": "keyword"
},
"detectorId": {
"type": "keyword"
},
"determination": {
"type": "keyword"
},
"deviceActionResults": {
"properties": {
"@odata.type": {
"type": "keyword"
},
"actionName": {
"type": "keyword"
},
"actionState": {
"type": "keyword"
},
"lastUpdatedDateTime": {
"type": "date"
},
"startDateTime": {
"type": "date"
}
},
"type": "nested"
},
"deviceCategoryDisplayName": {
"type": "keyword"
},
"deviceCount": {
"type": "integer"
},
"deviceEnrollmentType": {
"type": "keyword"
},
"deviceHealthAttestationState": {
"properties": {
"@odata.type": {
"type": "keyword"
},
"attestationIdentityKey": {
"type": "keyword"
},
"bitLockerStatus": {
"type": "keyword"
},
"bootAppSecurityVersion": {
"type": "keyword"
},
"bootDebugging": {
"type": "keyword"
},
"bootManagerSecurityVersion": {
"type": "keyword"
},
"bootManagerVersion": {
"type": "keyword"
},
"bootRevisionListInfo": {
"type": "keyword"
},
"codeIntegrity": {
"type": "keyword"
},
"codeIntegrityCheckVersion": {
"type": "keyword"
},
"codeIntegrityPolicy": {
"type": "keyword"
},
"contentNamespaceUrl": {
"type": "keyword"
},
"contentVersion": {
"type": "keyword"
},
"dataExcutionPolicy": {
"type": "keyword"
},
"deviceHealthAttestationStatus": {
"type": "keyword"
},
"earlyLaunchAntiMalwareDriverProtection": {
"type": "keyword"
},
"healthAttestationSupportedStatus": {
"type": "keyword"
},
"healthStatusMismatchInfo": {
"type": "keyword"
},
"issuedDateTime": {
"type": "date"
},
"lastUpdateDateTime": {
"type": "date"
},
"operatingSystemKernelDebugging": {
"type": "keyword"
},
"operatingSystemRevListInfo": {
"type": "keyword"
},
"pcr0": {
"type": "keyword"
},
"pcrHashAlgorithm": {
"type": "keyword"
},
"resetCount": {
"type": "keyword"
},
"restartCount": {
"type": "keyword"
},
"safeMode": {
"type": "keyword"
},
"secureBoot": {
"type": "keyword"
},
"secureBootConfigurationPolicyFingerPrint": {
"type": "keyword"
},
"testSigning": {
"type": "keyword"
},
"tpmVersion": {
"type": "keyword"
},
"virtualSecureMode": {
"type": "keyword"
},
"windowsPE": {
"type": "keyword"
}
},
"type": "nested"
},
"deviceName": {
"type": "keyword"
},
"deviceRegistrationState": {
"type": "keyword"
},
"displayName": {
"type": "keyword"
},
"easActivated": {
"type": "keyword"
},
"easActivationDateTime": {
"type": "date"
},
"easDeviceId": {
"type": "keyword"
},
"emailAddress": {
"type": "keyword"
},
"enrolledDateTime": {
"type": "date"
},
"enrollmentProfileName": {
"type": "keyword"
},
"ethernetMacAddress": {
"type": "keyword"
},
"evidence": {
"properties": {
"_comment": {
"type": "keyword"
}
},
"type": "nested"
},
"exchangeAccessState": {
"type": "keyword"
},
"exchangeAccessStateReason": {
"type": "keyword"
},
"exchangeLastSuccessfulSyncDateTime": {
"type": "date"
},
"firstActivityDateTime": {
"type": "date"
},
"freeStorageSpaceInBytes": {
"type": "keyword"
},
"iccid": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"imei": {
"type": "keyword"
},
"incidentId": {
"type": "keyword"
},
"incidentWebUrl": {
"type": "keyword"
},
"isEncrypted": {
"type": "keyword"
},
"isSupervised": {
"type": "keyword"
},
"jailBroken": {
"type": "keyword"
},
"lastActivityDateTime": {
"type": "date"
},
"lastSyncDateTime": {
"type": "date"
},
"lastUpdateDateTime": {
"type": "date"
},
"managedDeviceName": {
"type": "keyword"
},
"managedDeviceOwnerType": {
"type": "keyword"
},
"managedDevices": {
"properties": {
"deviceName": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
},
"type": "nested"
},
"managementAgent": {
"type": "keyword"
},
"managementCertificateExpirationDate": {
"type": "date"
},
"manufacturer": {
"type": "keyword"
},
"meid": {
"type": "keyword"
},
"mitreTechniques": {
"type": "keyword"
},
"model": {
"type": "keyword"
},
"notes": {
"type": "keyword"
},
"operatingSystem": {
"type": "keyword"
},
"osVersion": {
"type": "keyword"
},
"partnerReportedThreatState": {
"type": "keyword"
},
"phoneNumber": {
"type": "keyword"
},
"physicalMemoryInBytes": {
"type": "keyword"
},
"platform": {
"type": "keyword"
},
"providerAlertId": {
"type": "keyword"
},
"publisher": {
"type": "keyword"
},
"relationship": {
"type": "keyword"
},
"remediationStatus": {
"type": "keyword"
},
"remoteAssistanceSessionErrorDetails": {
"type": "keyword"
},
"remoteAssistanceSessionUrl": {
"type": "keyword"
},
"requireUserEnrollmentApproval": {
"type": "keyword"
},
"resolvedDateTime": {
"type": "date"
},
"resource": {
"type": "keyword"
},
"resources": {
"properties": {
"@odata.type": {
"type": "keyword"
},
"auditResourceType": {
"type": "keyword"
},
"displayName": {
"type": "keyword"
},
"modifiedProperties": {
"properties": {
"@odata.type": {
"type": "keyword"
},
"displayName": {
"type": "keyword"
},
"newValue": {
"type": "keyword"
},
"oldValue": {
"type": "keyword"
}
},
"type": "nested"
},
"resourceId": {
"type": "keyword"
},
"type": {
"type": "keyword"
}
},
"type": "nested"
},
"roles": {
"type": "keyword"
},
"serialNumber": {
"type": "keyword"
},
"serviceSource": {
"type": "keyword"
},
"severity": {
"type": "keyword"
},
"sizeInByte": {
"type": "keyword"
},
"status": {
"type": "keyword"
},
"subscriberCarrier": {
"type": "keyword"
},
"tenantId": {
"type": "keyword"
},
"threatDisplayName": {
"type": "keyword"
},
"threatFamilyName": {
"type": "keyword"
},
"title": {
"type": "keyword"
},
"totalStorageSpaceInBytes": {
"type": "keyword"
},
"udid": {
"type": "keyword"
},
"userDisplayName": {
"type": "keyword"
},
"userId": {
"type": "keyword"
},
"userPrincipalName": {
"type": "keyword"
},
"verdict": {
"type": "keyword"
},
"version": {
"type": "keyword"
},
"wiFiMacAddress": {
"type": "keyword"
}
}
},
"netinfo": {
"properties": {
"iface": {
"properties": {
"adapter": {
"type": "keyword"
},
"ipv4": {
"properties": {
"address": {
"type": "keyword"
},
"broadcast": {
"type": "keyword"
},
"dhcp": {
"type": "keyword"
},
"gateway": {
"type": "keyword"
},
"metric": {
"type": "long"
},
"netmask": {
"type": "keyword"
}
}
},
"ipv6": {
"properties": {
"address": {
"type": "keyword"
},
"broadcast": {
"type": "keyword"
},
"dhcp": {
"type": "keyword"
},
"gateway": {
"type": "keyword"
},
"metric": {
"type": "long"
},
"netmask": {
"type": "keyword"
}
}
},
"mac": {
"type": "keyword"
},
"mtu": {
"type": "long"
},
"name": {
"type": "keyword"
},
"rx_bytes": {
"type": "long"
},
"rx_dropped": {
"type": "long"
},
"rx_errors": {
"type": "long"
},
"rx_packets": {
"type": "long"
},
"state": {
"type": "keyword"
},
"tx_bytes": {
"type": "long"
},
"tx_dropped": {
"type": "long"
},
"tx_errors": {
"type": "long"
},
"tx_packets": {
"type": "long"
},
"type": {
"type": "keyword"
}
}
}
}
},
"office365": {
"properties": {
"Actor": {
"properties": {
"ID": {
"type": "keyword"
}
}
},
"ClientIP": {
"type": "keyword"
},
"Operation": {
"type": "keyword"
},
"ResultStatus": {
"type": "keyword"
},
"Subscription": {
"type": "keyword"
},
"UserId": {
"type": "keyword"
}
}
},
"os": {
"properties": {
"architecture": {
"type": "keyword"
},
"build": {
"type": "keyword"
},
"codename": {
"type": "keyword"
},
"display_version": {
"type": "keyword"
},
"hostname": {
"type": "keyword"
},
"major": {
"type": "keyword"
},
"minor": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"patch": {
"type": "keyword"
},
"platform": {
"type": "keyword"
},
"release": {
"type": "keyword"
},
"release_version": {
"type": "keyword"
},
"sysname": {
"type": "keyword"
},
"version": {
"type": "keyword"
}
}
},
"oscap": {
"properties": {
"check": {
"properties": {
"description": {
"type": "text"
},
"id": {
"type": "keyword"
},
"identifiers": {
"type": "text"
},
"oval": {
"properties": {
"id": {
"type": "keyword"
}
}
},
"rationale": {
"type": "text"
},
"references": {
"type": "text"
},
"result": {
"type": "keyword"
},
"severity": {
"type": "keyword"
},
"title": {
"type": "keyword"
}
}
},
"scan": {
"properties": {
"benchmark": {
"properties": {
"id": {
"type": "keyword"
}
}
},
"content": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"profile": {
"properties": {
"id": {
"type": "keyword"
},
"title": {
"type": "keyword"
}
}
},
"return_code": {
"type": "long"
},
"score": {
"type": "double"
}
}
}
}
},
"osquery": {
"properties": {
"action": {
"type": "keyword"
},
"calendarTime": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"pack": {
"type": "keyword"
}
}
},
"parameters": {
"properties": {
"extra_args": {
"type": "keyword"
}
}
},
"port": {
"properties": {
"inode": {
"type": "long"
},
"local_ip": {
"type": "ip"
},
"local_port": {
"type": "long"
},
"pid": {
"type": "long"
},
"process": {
"type": "keyword"
},
"protocol": {
"type": "keyword"
},
"remote_ip": {
"type": "ip"
},
"remote_port": {
"type": "long"
},
"rx_queue": {
"type": "long"
},
"state": {
"type": "keyword"
},
"tx_queue": {
"type": "long"
}
}
},
"process": {
"properties": {
"args": {
"type": "keyword"
},
"cmd": {
"type": "keyword"
},
"egroup": {
"type": "keyword"
},
"euser": {
"type": "keyword"
},
"fgroup": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"nice": {
"type": "long"
},
"nlwp": {
"type": "long"
},
"pgrp": {
"type": "long"
},
"pid": {
"type": "long"
},
"ppid": {
"type": "long"
},
"priority": {
"type": "long"
},
"processor": {
"type": "long"
},
"resident": {
"type": "long"
},
"rgroup": {
"type": "keyword"
},
"ruser": {
"type": "keyword"
},
"session": {
"type": "long"
},
"sgroup": {
"type": "keyword"
},
"share": {
"type": "long"
},
"size": {
"type": "long"
},
"start_time": {
"type": "long"
},
"state": {
"type": "keyword"
},
"stime": {
"type": "long"
},
"suser": {
"type": "keyword"
},
"tgid": {
"type": "long"
},
"tty": {
"type": "long"
},
"utime": {
"type": "long"
},
"vm_size": {
"type": "long"
}
}
},
"program": {
"properties": {
"architecture": {
"type": "keyword"
},
"description": {
"type": "keyword"
},
"format": {
"type": "keyword"
},
"install_time": {
"type": "keyword"
},
"location": {
"type": "keyword"
},
"multiarch": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"priority": {
"type": "keyword"
},
"section": {
"type": "keyword"
},
"size": {
"type": "long"
},
"source": {
"type": "keyword"
},
"vendor": {
"type": "keyword"
},
"version": {
"type": "keyword"
}
}
},
"protocol": {
"type": "keyword"
},
"sca": {
"properties": {
"check": {
"properties": {
"compliance": {
"properties": {
"cis": {
"type": "keyword"
},
"cis_csc": {
"type": "keyword"
},
"hipaa": {
"type": "keyword"
},
"nist_800_53": {
"type": "keyword"
},
"pci_dss": {
"type": "keyword"
}
}
},
"description": {
"type": "keyword"
},
"directory": {
"type": "keyword"
},
"file": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"previous_result": {
"type": "keyword"
},
"process": {
"type": "keyword"
},
"rationale": {
"type": "keyword"
},
"reason": {
"type": "keyword"
},
"references": {
"type": "keyword"
},
"registry": {
"type": "keyword"
},
"remediation": {
"type": "keyword"
},
"result": {
"type": "keyword"
},
"title": {
"type": "keyword"
}
}
},
"description": {
"type": "keyword"
},
"failed": {
"type": "integer"
},
"file": {
"type": "keyword"
},
"invalid": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"passed": {
"type": "integer"
},
"policy": {
"type": "keyword"
},
"policy_id": {
"type": "keyword"
},
"scan_id": {
"type": "keyword"
},
"score": {
"type": "long"
},
"total_checks": {
"type": "keyword"
},
"type": {
"type": "keyword"
}
}
},
"scan_id": {
"type": "keyword"
},
"srcip": {
"type": "keyword"
},
"srcport": {
"type": "keyword"
},
"srcuser": {
"type": "keyword"
},
"system_name": {
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"title": {
"type": "keyword"
},
"type": {
"type": "keyword"
},
"uid": {
"type": "keyword"
},
"url": {
"type": "keyword"
},
"virustotal": {
"properties": {
"description": {
"type": "keyword"
},
"error": {
"type": "keyword"
},
"found": {
"type": "keyword"
},
"malicious": {
"type": "keyword"
},
"permalink": {
"type": "keyword"
},
"positives": {
"type": "keyword"
},
"scan_date": {
"type": "keyword"
},
"sha1": {
"type": "keyword"
},
"source": {
"properties": {
"alert_id": {
"type": "keyword"
},
"file": {
"type": "keyword"
},
"md5": {
"type": "keyword"
},
"sha1": {
"type": "keyword"
}
}
},
"total": {
"type": "keyword"
}
}
},
"vulnerability": {
"properties": {
"assigner": {
"type": "keyword"
},
"cve": {
"type": "keyword"
},
"cve_version": {
"type": "keyword"
},
"cvss": {
"properties": {
"cvss2": {
"properties": {
"base_score": {
"type": "keyword"
},
"exploitability_score": {
"type": "keyword"
},
"impact_score": {
"type": "keyword"
},
"vector": {
"properties": {
"access_complexity": {
"type": "keyword"
},
"attack_vector": {
"type": "keyword"
},
"authentication": {
"type": "keyword"
},
"availability": {
"type": "keyword"
},
"confidentiality_impact": {
"type": "keyword"
},
"integrity_impact": {
"type": "keyword"
},
"privileges_required": {
"type": "keyword"
},
"scope": {
"type": "keyword"
},
"user_interaction": {
"type": "keyword"
}
}
}
}
},
"cvss3": {
"properties": {
"base_score": {
"type": "keyword"
},
"exploitability_score": {
"type": "keyword"
},
"impact_score": {
"type": "keyword"
},
"vector": {
"properties": {
"access_complexity": {
"type": "keyword"
},
"attack_vector": {
"type": "keyword"
},
"authentication": {
"type": "keyword"
},
"availability": {
"type": "keyword"
},
"confidentiality_impact": {
"type": "keyword"
},
"integrity_impact": {
"type": "keyword"
},
"privileges_required": {
"type": "keyword"
},
"scope": {
"type": "keyword"
},
"user_interaction": {
"type": "keyword"
}
}
}
}
}
}
},
"cwe_reference": {
"type": "keyword"
},
"package": {
"properties": {
"architecture": {
"type": "keyword"
},
"condition": {
"type": "keyword"
},
"generated_cpe": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"source": {
"type": "keyword"
},
"version": {
"type": "keyword"
}
}
},
"published": {
"type": "date"
},
"rationale": {
"type": "keyword"
},
"reference": {
"type": "keyword"
},
"scanner.reference": {
"type": "keyword"
},
"severity": {
"type": "keyword"
},
"status": {
"type": "keyword"
},
"title": {
"type": "keyword"
},
"updated": {
"type": "date"
}
}
}
}
},
"decoder": {
"properties": {
"accumulate": {
"type": "long"
},
"fts": {
"type": "long"
},
"ftscomment": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"parent": {
"type": "keyword"
}
}
},
"full_log": {
"type": "text"
},
"host": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"input": {
"properties": {
"type": {
"type": "keyword"
}
}
},
"location": {
"type": "keyword"
},
"manager": {
"properties": {
"name": {
"type": "keyword"
}
}
},
"message": {
"type": "text"
},
"offset": {
"type": "keyword"
},
"predecoder": {
"properties": {
"hostname": {
"type": "keyword"
},
"program_name": {
"type": "keyword"
},
"timestamp": {
"type": "keyword"
}
}
},
"previous_log": {
"type": "text"
},
"previous_output": {
"type": "keyword"
},
"program_name": {
"type": "keyword"
},
"rule": {
"properties": {
"cis": {
"type": "keyword"
},
"cve": {
"type": "keyword"
},
"description": {
"type": "keyword"
},
"firedtimes": {
"type": "long"
},
"frequency": {
"type": "long"
},
"gdpr": {
"type": "keyword"
},
"gpg13": {
"type": "keyword"
},
"groups": {
"type": "keyword"
},
"hipaa": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"info": {
"type": "keyword"
},
"level": {
"type": "long"
},
"mail": {
"type": "boolean"
},
"mitre": {
"properties": {
"id": {
"type": "keyword"
},
"tactic": {
"type": "keyword"
},
"technique": {
"type": "keyword"
}
}
},
"nist_800_53": {
"type": "keyword"
},
"pci_dss": {
"type": "keyword"
},
"tsc": {
"type": "keyword"
}
}
},
"syscheck": {
"properties": {
"audit": {
"properties": {
"effective_user": {
"properties": {
"id": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
},
"group": {
"properties": {
"id": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
},
"login_user": {
"properties": {
"id": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
},
"process": {
"properties": {
"id": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"ppid": {
"type": "keyword"
}
}
},
"user": {
"properties": {
"id": {
"type": "keyword"
},
"name": {
"type": "keyword"
}
}
}
}
},
"diff": {
"type": "keyword"
},
"event": {
"type": "keyword"
},
"gid_after": {
"type": "keyword"
},
"gid_before": {
"type": "keyword"
},
"gname_after": {
"type": "keyword"
},
"gname_before": {
"type": "keyword"
},
"hard_links": {
"type": "keyword"
},
"inode_after": {
"type": "keyword"
},
"inode_before": {
"type": "keyword"
},
"md5_after": {
"type": "keyword"
},
"md5_before": {
"type": "keyword"
},
"mode": {
"type": "keyword"
},
"mtime_after": {
"format": "date_optional_time",
"type": "date"
},
"mtime_before": {
"format": "date_optional_time",
"type": "date"
},
"path": {
"type": "keyword"
},
"perm_after": {
"type": "keyword"
},
"perm_before": {
"type": "keyword"
},
"sha1_after": {
"type": "keyword"
},
"sha1_before": {
"type": "keyword"
},
"sha256_after": {
"type": "keyword"
},
"sha256_before": {
"type": "keyword"
},
"size_after": {
"type": "long"
},
"size_before": {
"type": "long"
},
"tags": {
"type": "keyword"
},
"uid_after": {
"type": "keyword"
},
"uid_before": {
"type": "keyword"
},
"uname_after": {
"type": "keyword"
},
"uname_before": {
"type": "keyword"
}
}
},
"timestamp": {
"format": "date_optional_time||epoch_millis",
"type": "date"
},
"title": {
"type": "keyword"
},
"type": {
"type": "text"
}
}
},
"order": 0,
"settings": {
"index.auto_expand_replicas": "0-1",
"index.mapping.total_fields.limit": 10000,
"index.number_of_replicas": "0",
"index.number_of_shards": "3",
"index.query.default_field": [
"GeoLocation.city_name",
"GeoLocation.continent_code",
"GeoLocation.country_code2",
"GeoLocation.country_code3",
"GeoLocation.country_name",
"GeoLocation.ip",
"GeoLocation.postal_code",
"GeoLocation.real_region_name",
"GeoLocation.region_name",
"GeoLocation.timezone",
"agent.id",
"agent.ip",
"agent.name",
"cluster.name",
"cluster.node",
"command",
"data",
"data.action",
"data.audit",
"data.audit.acct",
"data.audit.arch",
"data.audit.auid",
"data.audit.command",
"data.audit.cwd",
"data.audit.dev",
"data.audit.directory.inode",
"data.audit.directory.mode",
"data.audit.directory.name",
"data.audit.egid",
"data.audit.enforcing",
"data.audit.euid",
"data.audit.exe",
"data.audit.execve.a0",
"data.audit.execve.a1",
"data.audit.execve.a2",
"data.audit.execve.a3",
"data.audit.exit",
"data.audit.file.inode",
"data.audit.file.mode",
"data.audit.file.name",
"data.audit.fsgid",
"data.audit.fsuid",
"data.audit.gid",
"data.audit.id",
"data.audit.key",
"data.audit.list",
"data.audit.old-auid",
"data.audit.old-ses",
"data.audit.old_enforcing",
"data.audit.old_prom",
"data.audit.op",
"data.audit.pid",
"data.audit.ppid",
"data.audit.prom",
"data.audit.res",
"data.audit.session",
"data.audit.sgid",
"data.audit.srcip",
"data.audit.subj",
"data.audit.success",
"data.audit.suid",
"data.audit.syscall",
"data.audit.tty",
"data.audit.uid",
"data.aws.accountId",
"data.aws.account_id",
"data.aws.action",
"data.aws.actor",
"data.aws.aws_account_id",
"data.aws.description",
"data.aws.dstport",
"data.aws.errorCode",
"data.aws.errorMessage",
"data.aws.eventID",
"data.aws.eventName",
"data.aws.eventSource",
"data.aws.eventType",
"data.aws.id",
"data.aws.name",
"data.aws.requestParameters.accessKeyId",
"data.aws.requestParameters.bucketName",
"data.aws.requestParameters.gatewayId",
"data.aws.requestParameters.groupDescription",
"data.aws.requestParameters.groupId",
"data.aws.requestParameters.groupName",
"data.aws.requestParameters.host",
"data.aws.requestParameters.hostedZoneId",
"data.aws.requestParameters.instanceId",
"data.aws.requestParameters.instanceProfileName",
"data.aws.requestParameters.loadBalancerName",
"data.aws.requestParameters.loadBalancerPorts",
"data.aws.requestParameters.masterUserPassword",
"data.aws.requestParameters.masterUsername",
"data.aws.requestParameters.name",
"data.aws.requestParameters.natGatewayId",
"data.aws.requestParameters.networkAclId",
"data.aws.requestParameters.path",
"data.aws.requestParameters.policyName",
"data.aws.requestParameters.port",
"data.aws.requestParameters.stackId",
"data.aws.requestParameters.stackName",
"data.aws.requestParameters.subnetId",
"data.aws.requestParameters.subnetIds",
"data.aws.requestParameters.volumeId",
"data.aws.requestParameters.vpcId",
"data.aws.resource.accessKeyDetails.accessKeyId",
"data.aws.resource.accessKeyDetails.principalId",
"data.aws.resource.accessKeyDetails.userName",
"data.aws.resource.instanceDetails.instanceId",
"data.aws.resource.instanceDetails.instanceState",
"data.aws.resource.instanceDetails.networkInterfaces.privateDnsName",
"data.aws.resource.instanceDetails.networkInterfaces.publicDnsName",
"data.aws.resource.instanceDetails.networkInterfaces.subnetId",
"data.aws.resource.instanceDetails.networkInterfaces.vpcId",
"data.aws.resource.instanceDetails.tags.value",
"data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId",
"data.aws.responseElements.description",
"data.aws.responseElements.instanceId",
"data.aws.responseElements.instances.instanceId",
"data.aws.responseElements.instancesSet.items.instanceId",
"data.aws.responseElements.listeners.port",
"data.aws.responseElements.loadBalancerName",
"data.aws.responseElements.loadBalancers.vpcId",
"data.aws.responseElements.loginProfile.userName",
"data.aws.responseElements.networkAcl.vpcId",
"data.aws.responseElements.ownerId",
"data.aws.responseElements.publicIp",
"data.aws.responseElements.user.userId",
"data.aws.responseElements.user.userName",
"data.aws.responseElements.volumeId",
"data.aws.service.serviceName",
"data.aws.severity",
"data.aws.source",
"data.aws.sourceIPAddress",
"data.aws.srcport",
"data.aws.userIdentity.accessKeyId",
"data.aws.userIdentity.accountId",
"data.aws.userIdentity.userName",
"data.aws.vpcEndpointId",
"data.command",
"data.cis.group",
"data.cis.rule_title",
"data.data",
"data.docker.Actor.Attributes.container",
"data.docker.Actor.Attributes.image",
"data.docker.Actor.Attributes.name",
"data.docker.Actor.ID",
"data.docker.id",
"data.docker.from",
"data.docker.message",
"data.docker.status",
"data.dstip",
"data.dstport",
"data.dstuser",
"data.extra_data",
"data.gcp.jsonPayload.queryName",
"data.gcp.jsonPayload.vmInstanceName",
"data.gcp.resource.labels.location",
"data.gcp.resource.labels.project_id",
"data.gcp.resource.labels.source_type",
"data.gcp.resource.type",
"data.github.org",
"data.github.actor",
"data.github.action",
"data.github.repo",
"data.hardware.serial",
"data.id",
"data.integration",
"data.netinfo.iface.adapter",
"data.netinfo.iface.ipv4.address",
"data.netinfo.iface.ipv6.address",
"data.netinfo.iface.mac",
"data.netinfo.iface.name",
"data.office365.Actor.ID",
"data.office365.UserId",
"data.office365.Operation",
"data.office365.ClientIP",
"data.ms-graph.relationship",
"data.ms-graph.classification",
"data.ms-graph.detectionSource",
"data.ms-graph.determination",
"data.ms-graph.remediationStatus",
"data.ms-graph.roles",
"data.ms-graph.verdict",
"data.ms-graph.serviceSource",
"data.ms-graph.severity",
"data.ms-graph.actorDisplayName",
"data.ms-graph.alertWebUrl",
"data.ms-graph.assignedTo",
"data.ms-graph.category",
"data.ms-graph.comments",
"data.ms-graph.description",
"data.ms-graph.detectorId",
"data.ms-graph.evidence._comment",
"data.ms-graph.id",
"data.ms-graph.incidentId",
"data.ms-graph.incidentWebUrl",
"data.ms-graph.mitreTechniques",
"data.ms-graph.providerAlertId",
"data.ms-graph.resource",
"data.ms-graph.status",
"data.ms-graph.tenantId",
"data.ms-graph.threatDisplayName",
"data.ms-graph.threatFamilyName",
"data.ms-graph.title",
"data.ms-graph.@odata.type",
"data.ms-graph.activationLockBypassCode",
"data.ms-graph.activity",
"data.ms-graph.activityOperationType",
"data.ms-graph.activityResult",
"data.ms-graph.activityType",
"data.ms-graph.actor.@odata.type",
"data.ms-graph.actor.applicationDisplayName",
"data.ms-graph.actor.applicationId",
"data.ms-graph.actor.auditActorType",
"data.ms-graph.actor.ipAddress",
"data.ms-graph.actor.servicePrincipalName",
"data.ms-graph.actor.type",
"data.ms-graph.actor.userId",
"data.ms-graph.actor.userPermissions",
"data.ms-graph.actor.userPrincipalName",
"data.ms-graph.androidSecurityPatchLevel",
"data.ms-graph.appliedConditionalAccessPolicies",
"data.ms-graph.azureADDeviceId",
"data.ms-graph.azureADRegistered",
"data.ms-graph.complianceState",
"data.ms-graph.componentName",
"data.ms-graph.configurationManagerClientEnabledFeatures.@odata.type",
"data.ms-graph.configurationManagerClientEnabledFeatures.compliancePolicy",
"data.ms-graph.configurationManagerClientEnabledFeatures.deviceConfiguration",
"data.ms-graph.configurationManagerClientEnabledFeatures.inventory",
"data.ms-graph.configurationManagerClientEnabledFeatures.modernApps",
"data.ms-graph.configurationManagerClientEnabledFeatures.resourceAccess",
"data.ms-graph.configurationManagerClientEnabledFeatures.windowsUpdateForBusiness",
"data.ms-graph.correlationId",
"data.ms-graph.deviceActionResults.@odata.type",
"data.ms-graph.deviceActionResults.actionName",
"data.ms-graph.deviceActionResults.actionState",
"data.ms-graph.deviceCategoryDisplayName",
"data.ms-graph.deviceEnrollmentType",
"data.ms-graph.deviceHealthAttestationState.@odata.type",
"data.ms-graph.deviceHealthAttestationState.attestationIdentityKey",
"data.ms-graph.deviceHealthAttestationState.bitLockerStatus",
"data.ms-graph.deviceHealthAttestationState.bootAppSecurityVersion",
"data.ms-graph.deviceHealthAttestationState.bootDebugging",
"data.ms-graph.deviceHealthAttestationState.bootManagerSecurityVersion",
"data.ms-graph.deviceHealthAttestationState.bootManagerVersion",
"data.ms-graph.deviceHealthAttestationState.bootRevisionListInfo",
"data.ms-graph.deviceHealthAttestationState.codeIntegrity",
"data.ms-graph.deviceHealthAttestationState.codeIntegrityCheckVersion",
"data.ms-graph.deviceHealthAttestationState.codeIntegrityPolicy",
"data.ms-graph.deviceHealthAttestationState.contentNamespaceUrl",
"data.ms-graph.deviceHealthAttestationState.contentVersion",
"data.ms-graph.deviceHealthAttestationState.dataExcutionPolicy",
"data.ms-graph.deviceHealthAttestationState.deviceHealthAttestationStatus",
"data.ms-graph.deviceHealthAttestationState.earlyLaunchAntiMalwareDriverProtection",
"data.ms-graph.deviceHealthAttestationState.healthAttestationSupportedStatus",
"data.ms-graph.deviceHealthAttestationState.healthStatusMismatchInfo",
"data.ms-graph.deviceHealthAttestationState.operatingSystemKernelDebugging",
"data.ms-graph.deviceHealthAttestationState.operatingSystemRevListInfo",
"data.ms-graph.deviceHealthAttestationState.pcr0",
"data.ms-graph.deviceHealthAttestationState.pcrHashAlgorithm",
"data.ms-graph.deviceHealthAttestationState.resetCount",
"data.ms-graph.deviceHealthAttestationState.restartCount",
"data.ms-graph.deviceHealthAttestationState.safeMode",
"data.ms-graph.deviceHealthAttestationState.secureBoot",
"data.ms-graph.deviceHealthAttestationState.secureBootConfigurationPolicyFingerPrint",
"data.ms-graph.deviceHealthAttestationState.testSigning",
"data.ms-graph.deviceHealthAttestationState.tpmVersion",
"data.ms-graph.deviceHealthAttestationState.virtualSecureMode",
"data.ms-graph.deviceHealthAttestationState.windowsPE",
"data.ms-graph.deviceName",
"data.ms-graph.deviceRegistrationState",
"data.ms-graph.displayName",
"data.ms-graph.easActivated",
"data.ms-graph.easDeviceId",
"data.ms-graph.emailAddress",
"data.ms-graph.enrollmentProfileName",
"data.ms-graph.ethernetMacAddress",
"data.ms-graph.exchangeAccessState",
"data.ms-graph.exchangeAccessStateReason",
"data.ms-graph.freeStorageSpaceInBytes",
"data.ms-graph.iccid",
"data.ms-graph.imei",
"data.ms-graph.isEncrypted",
"data.ms-graph.isSupervised",
"data.ms-graph.jailBroken",
"data.ms-graph.managedDeviceName",
"data.ms-graph.managedDevices.deviceName",
"data.ms-graph.managedDevices.id",
"data.ms-graph.managedDeviceOwnerType",
"data.ms-graph.managementAgent",
"data.ms-graph.manufacturer",
"data.ms-graph.meid",
"data.ms-graph.model",
"data.ms-graph.notes",
"data.ms-graph.operatingSystem",
"data.ms-graph.osVersion",
"data.ms-graph.partnerReportedThreatState",
"data.ms-graph.phoneNumber",
"data.ms-graph.physicalMemoryInBytes",
"data.ms-graph.platform",
"data.ms-graph.publisher",
"data.ms-graph.remoteAssistanceSessionErrorDetails",
"data.ms-graph.remoteAssistanceSessionUrl",
"data.ms-graph.requireUserEnrollmentApproval",
"data.ms-graph.resources.@odata.type",
"data.ms-graph.resources.auditResourceType",
"data.ms-graph.resources.displayName",
"data.ms-graph.resources.modifiedProperties.@odata.type",
"data.ms-graph.resources.modifiedProperties.displayName",
"data.ms-graph.resources.modifiedProperties.oldValue",
"data.ms-graph.resources.modifiedProperties.newValue",
"data.ms-graph.resources.resourceId",
"data.ms-graph.resources.type",
"data.ms-graph.serialNumber",
"data.ms-graph.sizeInByte",
"data.ms-graph.subscriberCarrier",
"data.ms-graph.totalStorageSpaceInBytes",
"data.ms-graph.udid",
"data.ms-graph.userDisplayName",
"data.ms-graph.userId",
"data.ms-graph.userPrincipalName",
"data.ms-graph.version",
"data.ms-graph.wiFiMacAddress",
"data.os.architecture",
"data.os.build",
"data.os.codename",
"data.os.hostname",
"data.os.major",
"data.os.minor",
"data.os.patch",
"data.os.name",
"data.os.platform",
"data.os.release",
"data.os.release_version",
"data.os.display_version",
"data.os.sysname",
"data.os.version",
"data.oscap.check.description",
"data.oscap.check.id",
"data.oscap.check.identifiers",
"data.oscap.check.oval.id",
"data.oscap.check.rationale",
"data.oscap.check.references",
"data.oscap.check.result",
"data.oscap.check.severity",
"data.oscap.check.title",
"data.oscap.scan.benchmark.id",
"data.oscap.scan.content",
"data.oscap.scan.id",
"data.oscap.scan.profile.id",
"data.oscap.scan.profile.title",
"data.osquery.columns.address",
"data.osquery.columns.command",
"data.osquery.columns.description",
"data.osquery.columns.dst_ip",
"data.osquery.columns.gid",
"data.osquery.columns.hostname",
"data.osquery.columns.md5",
"data.osquery.columns.path",
"data.osquery.columns.sha1",
"data.osquery.columns.sha256",
"data.osquery.columns.src_ip",
"data.osquery.columns.user",
"data.osquery.columns.username",
"data.osquery.name",
"data.osquery.pack",
"data.port.process",
"data.port.protocol",
"data.port.state",
"data.process.args",
"data.process.cmd",
"data.process.egroup",
"data.process.euser",
"data.process.fgroup",
"data.process.name",
"data.process.rgroup",
"data.process.ruser",
"data.process.sgroup",
"data.process.state",
"data.process.suser",
"data.program.architecture",
"data.program.description",
"data.program.format",
"data.program.location",
"data.program.multiarch",
"data.program.name",
"data.program.priority",
"data.program.section",
"data.program.source",
"data.program.vendor",
"data.program.version",
"data.protocol",
"data.pwd",
"data.sca",
"data.sca.check.compliance.cis",
"data.sca.check.compliance.cis_csc",
"data.sca.check.compliance.pci_dss",
"data.sca.check.compliance.hipaa",
"data.sca.check.compliance.nist_800_53",
"data.sca.check.description",
"data.sca.check.directory",
"data.sca.check.file",
"data.sca.check.id",
"data.sca.check.previous_result",
"data.sca.check.process",
"data.sca.check.rationale",
"data.sca.check.reason",
"data.sca.check.references",
"data.sca.check.registry",
"data.sca.check.remediation",
"data.sca.check.result",
"data.sca.check.title",
"data.sca.description",
"data.sca.file",
"data.sca.invalid",
"data.sca.name",
"data.sca.policy",
"data.sca.policy_id",
"data.sca.scan_id",
"data.sca.total_checks",
"data.scan_id",
"data.script",
"data.src_ip",
"data.src_port",
"data.srcip",
"data.srcport",
"data.srcuser",
"data.status",
"data.system_name",
"data.title",
"data.tty",
"data.uid",
"data.url",
"data.virustotal.description",
"data.virustotal.error",
"data.virustotal.found",
"data.virustotal.permalink",
"data.virustotal.scan_date",
"data.virustotal.sha1",
"data.virustotal.source.alert_id",
"data.virustotal.source.file",
"data.virustotal.source.md5",
"data.virustotal.source.sha1",
"data.vulnerability.cve",
"data.vulnerability.cvss.cvss2.base_score",
"data.vulnerability.cvss.cvss2.exploitability_score",
"data.vulnerability.cvss.cvss2.impact_score",
"data.vulnerability.cvss.cvss2.vector.access_complexity",
"data.vulnerability.cvss.cvss2.vector.attack_vector",
"data.vulnerability.cvss.cvss2.vector.authentication",
"data.vulnerability.cvss.cvss2.vector.availability",
"data.vulnerability.cvss.cvss2.vector.confidentiality_impact",
"data.vulnerability.cvss.cvss2.vector.integrity_impact",
"data.vulnerability.cvss.cvss2.vector.privileges_required",
"data.vulnerability.cvss.cvss2.vector.scope",
"data.vulnerability.cvss.cvss2.vector.user_interaction",
"data.vulnerability.cvss.cvss3.base_score",
"data.vulnerability.cvss.cvss3.exploitability_score",
"data.vulnerability.cvss.cvss3.impact_score",
"data.vulnerability.cvss.cvss3.vector.access_complexity",
"data.vulnerability.cvss.cvss3.vector.attack_vector",
"data.vulnerability.cvss.cvss3.vector.authentication",
"data.vulnerability.cvss.cvss3.vector.availability",
"data.vulnerability.cvss.cvss3.vector.confidentiality_impact",
"data.vulnerability.cvss.cvss3.vector.integrity_impact",
"data.vulnerability.cvss.cvss3.vector.privileges_required",
"data.vulnerability.cvss.cvss3.vector.scope",
"data.vulnerability.cvss.cvss3.vector.user_interaction",
"data.vulnerability.cwe_reference",
"data.vulnerability.package.source",
"data.vulnerability.package.architecture",
"data.vulnerability.package.condition",
"data.vulnerability.package.generated_cpe",
"data.vulnerability.package.name",
"data.vulnerability.package.version",
"data.vulnerability.rationale",
"data.vulnerability.reference",
"data.vulnerability.severity",
"data.vulnerability.status",
"data.vulnerability.title",
"data.vulnerability.assigner",
"data.vulnerability.cve_version",
"data.win.eventdata.auditPolicyChanges",
"data.win.eventdata.auditPolicyChangesId",
"data.win.eventdata.binary",
"data.win.eventdata.category",
"data.win.eventdata.categoryId",
"data.win.eventdata.data",
"data.win.eventdata.image",
"data.win.eventdata.ipAddress",
"data.win.eventdata.ipPort",
"data.win.eventdata.keyName",
"data.win.eventdata.logonGuid",
"data.win.eventdata.logonProcessName",
"data.win.eventdata.operation",
"data.win.eventdata.parentImage",
"data.win.eventdata.processId",
"data.win.eventdata.processName",
"data.win.eventdata.providerName",
"data.win.eventdata.returnCode",
"data.win.eventdata.service",
"data.win.eventdata.status",
"data.win.eventdata.subcategory",
"data.win.eventdata.subcategoryGuid",
"data.win.eventdata.subcategoryId",
"data.win.eventdata.subjectDomainName",
"data.win.eventdata.subjectLogonId",
"data.win.eventdata.subjectUserName",
"data.win.eventdata.subjectUserSid",
"data.win.eventdata.targetDomainName",
"data.win.eventdata.targetLinkedLogonId",
"data.win.eventdata.targetLogonId",
"data.win.eventdata.targetUserName",
"data.win.eventdata.targetUserSid",
"data.win.eventdata.workstationName",
"data.win.system.channel",
"data.win.system.computer",
"data.win.system.eventID",
"data.win.system.eventRecordID",
"data.win.system.eventSourceName",
"data.win.system.keywords",
"data.win.system.level",
"data.win.system.message",
"data.win.system.opcode",
"data.win.system.processID",
"data.win.system.providerGuid",
"data.win.system.providerName",
"data.win.system.securityUserID",
"data.win.system.severityValue",
"data.win.system.userID",
"decoder.ftscomment",
"decoder.name",
"decoder.parent",
"full_log",
"host",
"id",
"input",
"location",
"manager.name",
"message",
"offset",
"predecoder.hostname",
"predecoder.program_name",
"previous_log",
"previous_output",
"program_name",
"rule.cis",
"rule.cve",
"rule.description",
"rule.gdpr",
"rule.gpg13",
"rule.groups",
"rule.id",
"rule.info",
"rule.mitre.id",
"rule.mitre.tactic",
"rule.mitre.technique",
"rule.pci_dss",
"rule.hipaa",
"rule.nist_800_53",
"syscheck.audit.effective_user.id",
"syscheck.audit.effective_user.name",
"syscheck.audit.group.id",
"syscheck.audit.group.name",
"syscheck.audit.login_user.id",
"syscheck.audit.login_user.name",
"syscheck.audit.process.id",
"syscheck.audit.process.name",
"syscheck.audit.process.ppid",
"syscheck.audit.user.id",
"syscheck.audit.user.name",
"syscheck.diff",
"syscheck.event",
"syscheck.gid_after",
"syscheck.gid_before",
"syscheck.gname_after",
"syscheck.gname_before",
"syscheck.inode_after",
"syscheck.inode_before",
"syscheck.md5_after",
"syscheck.md5_before",
"syscheck.path",
"syscheck.mode",
"syscheck.perm_after",
"syscheck.perm_before",
"syscheck.sha1_after",
"syscheck.sha1_before",
"syscheck.sha256_after",
"syscheck.sha256_before",
"syscheck.tags",
"syscheck.uid_after",
"syscheck.uid_before",
"syscheck.uname_after",
"syscheck.uname_before",
"syscheck.arch",
"syscheck.value_name",
"syscheck.value_type",
"syscheck.changed_attributes",
"title"
],
"index.refresh_interval": "5s"
},
"version": 1
}
2026-01-02T14:38:57.326Z INFO [publisher_pipeline_output] pipeline/output.go:145 Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 3 reconnect attempt(s)
2026-01-02T14:38:57.327Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2026-01-02T14:38:57.327Z INFO [publisher] pipeline/retry.go:223 done
2026-01-02T14:38:57.330Z INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.10.2
2026-01-02T14:39:18.712Z INFO fileset/pipelines.go:143 Elasticsearch pipeline with ID 'filebeat-7.10.2-wazuh-alerts-pipeline' loaded
2026-01-02T14:39:18.717Z INFO template/load.go:183 Existing template will be overwritten, as overwrite is enabled.
2026-01-02T14:39:18.719Z INFO template/load.go:117 Try loading template wazuh to Elasticsearch
2026/01/02 14:39:23 wazuh-modulesd:vulnerability-scanner: INFO: Database decompression finished.
2026-01-02T14:39:46.901Z INFO template/load.go:109 template with name 'wazuh' loaded.
2026-01-02T14:39:46.901Z INFO [index-management] idxmgmt/std.go:298 Loaded index template.
2026-01-02T14:39:46.901Z INFO [publisher_pipeline_output] pipeline/output.go:151 Connection to backoff(elasticsearch(https://wazuh.indexer:9200)) established
2026/01/02 14:39:50 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started.
2026-01-02T14:42:46.632Z INFO log/harvester.go:333 File is inactive: /var/ossec/logs/alerts/alerts.json. Closing because close_inactive of 5m0s reached.
#################################################################
docker logs wazuh-runtipi_synode-it-wazuh-certs-1
#################################################################
CERTS_INIT: Starting certificate initialization...
CERTS_INIT: Creating directories...
CERTS_INIT: Starting Super-Janitor Sweep...
CERTS_INIT: Generating new certificates...
Checking https://packages.wazuh.com/4.14/wazuh-certs-tool.sh ...
Downloaded wazuh-certs-tool.sh from https://packages.wazuh.com/4.14/
02/01/2026 14:36:36 INFO: Verbose logging redirected to //wazuh-certificates-tool.log
02/01/2026 14:36:37 INFO: Generating the root certificate.
02/01/2026 14:36:37 INFO: Generating Admin certificates.
02/01/2026 14:36:37 INFO: Admin certificates created.
02/01/2026 14:36:37 INFO: Generating Wazuh indexer certificates.
02/01/2026 14:36:38 INFO: Wazuh indexer certificates created.
02/01/2026 14:36:38 INFO: Generating Filebeat certificates.
02/01/2026 14:36:38 INFO: Wazuh Filebeat certificates created.
02/01/2026 14:36:38 INFO: Generating Wazuh dashboard certificates.
02/01/2026 14:36:38 INFO: Wazuh dashboard certificates created.
Moving created certificates to the destination directory
Changing certificate permissions
Setting UID indexer and dashboard
Setting UID for wazuh manager and worker
CERTS_INIT: Creating certificate symlinks...
CERTS_INIT: Setting ownership and permissions...
CERTS_INIT: Certificates ready
#################################################################
docker logs wazuh-runtipi_synode-it-wazuh-dashboard-1
#################################################################
DASHBOARD_INIT: Starting dashboard initialization...
DASHBOARD_INIT: Ensuring custom config directory exists...
DASHBOARD_INIT: Creating default dashboard config...
DASHBOARD_INIT: Default dashboard config created
DASHBOARD_INIT: Creating symlink to custom config...
DASHBOARD_INIT: Configuration complete, starting dashboard...
Created OpenSearch Dashboards keystore in /usr/share/wazuh-dashboard/config/opensearch_dashboards.keystore
{"type":"log","@timestamp":"2026-01-02T14:36:51Z","tags":["info","plugins-service"],"pid":59,"message":"Plugin \"applicationConfig\" is disabled."}
{"type":"log","@timestamp":"2026-01-02T14:36:51Z","tags":["info","plugins-service"],"pid":59,"message":"Plugin \"cspHandler\" is disabled."}
{"type":"log","@timestamp":"2026-01-02T14:36:51Z","tags":["info","plugins-service"],"pid":59,"message":"Plugin \"dataSource\" is disabled."}
{"type":"log","@timestamp":"2026-01-02T14:36:51Z","tags":["info","plugins-service"],"pid":59,"message":"Plugin \"visTypeXy\" is disabled."}
{"type":"log","@timestamp":"2026-01-02T14:36:51Z","tags":["info","plugins-service"],"pid":59,"message":"Plugin \"workspace\" is disabled."}
{"type":"log","@timestamp":"2026-01-02T14:36:51Z","tags":["warning","config","deprecation"],"pid":59,"message":"\"opensearch.requestHeadersWhitelist\" is deprecated and has been replaced by \"opensearch.requestHeadersAllowlist\""}
{"type":"log","@timestamp":"2026-01-02T14:36:51Z","tags":["info","dynamic-config-service"],"pid":59,"message":"registering middleware to inject context to AsyncLocalStorage"}
[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
{"type":"log","@timestamp":"2026-01-02T14:36:51Z","tags":["info","plugins-system"],"pid":59,"message":"Setting up [51] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,savedObjects,queryEnhancements,home,dashboard,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,visAugmenter,tileMap,regionMap,inputControlVis,ganttChartDashboards,visualize,apmOss,management,indexPatternManagement,dataSourceManagement,reportsDashboards,indexManagementDashboards,customImportMapDashboards,anomalyDetectionDashboards,alertingDashboards,notificationsDashboards,console,advancedSettings,dataExplorer,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh,bfetch]"}
[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
{"type":"log","@timestamp":"2026-01-02T14:36:52Z","tags":["info","plugins","queryEnhancements"],"pid":59,"message":"queryEnhancements: Setup complete"}
[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
{"type":"log","@timestamp":"2026-01-02T14:36:52Z","tags":["info","dynamic-config-service"],"pid":59,"message":"initiating start()"}
{"type":"log","@timestamp":"2026-01-02T14:36:52Z","tags":["info","dynamic-config-service"],"pid":59,"message":"finished start()"}
{"type":"log","@timestamp":"2026-01-02T14:36:52Z","tags":["info","savedobjects-service"],"pid":59,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
{"type":"log","@timestamp":"2026-01-02T14:36:52Z","tags":["error","opensearch","data"],"pid":59,"message":"[ConnectionError]: connect ECONNREFUSED 10.128.10.3:9200"}
{"type":"log","@timestamp":"2026-01-02T14:36:52Z","tags":["error","savedobjects-service"],"pid":59,"message":"Unable to retrieve version information from OpenSearch nodes."}
{"type":"log","@timestamp":"2026-01-02T14:36:55Z","tags":["error","opensearch","data"],"pid":59,"message":"[ConnectionError]: connect ECONNREFUSED 10.128.10.3:9200"}
{"type":"log","@timestamp":"2026-01-02T14:36:57Z","tags":["error","opensearch","data"],"pid":59,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2026-01-02T14:37:00Z","tags":["error","opensearch","data"],"pid":59,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2026-01-02T14:37:02Z","tags":["error","opensearch","data"],"pid":59,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2026-01-02T14:37:05Z","tags":["error","opensearch","data"],"pid":59,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2026-01-02T14:37:07Z","tags":["error","opensearch","data"],"pid":59,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2026-01-02T14:37:10Z","tags":["error","opensearch","data"],"pid":59,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2026-01-02T14:37:13Z","tags":["info","savedobjects-service"],"pid":59,"message":"Starting saved objects migrations"}
{"type":"log","@timestamp":"2026-01-02T14:37:13Z","tags":["info","savedobjects-service"],"pid":59,"message":"Creating index .kibana_1."}
{"type":"log","@timestamp":"2026-01-02T14:37:13Z","tags":["info","savedobjects-service"],"pid":59,"message":"Pointing alias .kibana to .kibana_1."}
{"type":"log","@timestamp":"2026-01-02T14:37:13Z","tags":["info","savedobjects-service"],"pid":59,"message":"Finished in 445ms."}
{"type":"log","@timestamp":"2026-01-02T14:37:13Z","tags":["warning","cross-compatibility-service"],"pid":59,"message":"Starting cross compatibility service"}
{"type":"log","@timestamp":"2026-01-02T14:37:13Z","tags":["info","plugins-system"],"pid":59,"message":"Starting [51] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,savedObjects,queryEnhancements,home,dashboard,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,visAugmenter,tileMap,regionMap,inputControlVis,ganttChartDashboards,visualize,apmOss,management,indexPatternManagement,dataSourceManagement,reportsDashboards,indexManagementDashboards,customImportMapDashboards,anomalyDetectionDashboards,alertingDashboards,notificationsDashboards,console,advancedSettings,dataExplorer,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh,bfetch]"}
{"type":"log","@timestamp":"2026-01-02T14:37:14Z","tags":["info","plugins","wazuh","initialize"],"pid":59,"message":"dashboard index: .kibana"}
{"type":"log","@timestamp":"2026-01-02T14:37:14Z","tags":["info","plugins","wazuh","initialize"],"pid":59,"message":"App revision: 02"}
{"type":"log","@timestamp":"2026-01-02T14:37:14Z","tags":["info","plugins","wazuh","initialize"],"pid":59,"message":"Total RAM: 11958MB"}
{"type":"log","@timestamp":"2026-01-02T14:37:14Z","tags":["error","opensearch","data"],"pid":59,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2026-01-02T14:37:14Z","tags":["error","opensearch","data"],"pid":59,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2026-01-02T14:37:15Z","tags":["listening","info"],"pid":59,"message":"Server running at https://0.0.0.0:5601"}
{"type":"log","@timestamp":"2026-01-02T14:37:15Z","tags":["info","http","server","OpenSearchDashboards"],"pid":59,"message":"http server running at https://0.0.0.0:5601"}
{"type":"response","@timestamp":"2026-01-02T14:37:20Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":11,"contentLength":9},"message":"GET /app/wazuh 302 11ms - 9.0B"}
{"type":"response","@timestamp":"2026-01-02T14:37:50Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":9,"contentLength":9},"message":"GET /app/wazuh 302 9ms - 9.0B"}
{"type":"log","@timestamp":"2026-01-02T14:38:11Z","tags":["info","plugins","wazuh","cron-scheduler"],"pid":59,"message":"Updated the wazuh-statistics template"}
{"type":"response","@timestamp":"2026-01-02T14:38:20Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":5,"contentLength":9},"message":"GET /app/wazuh 302 5ms - 9.0B"}
{"type":"response","@timestamp":"2026-01-02T14:38:50Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":3,"contentLength":9},"message":"GET /app/wazuh 302 3ms - 9.0B"}
{"type":"log","@timestamp":"2026-01-02T14:39:04Z","tags":["info","plugins","wazuh","monitoring"],"pid":59,"message":"Updated the wazuh-agent template"}
{"type":"response","@timestamp":"2026-01-02T14:39:20Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":3,"contentLength":9},"message":"GET /app/wazuh 302 3ms - 9.0B"}
{"type":"log","@timestamp":"2026-01-02T14:39:46Z","tags":["error","opensearch","data"],"pid":59,"message":"[resource_already_exists_exception]: index [wazuh-monitoring-2026.1w/DYh62qctQ3arcGYuH_i56g] already exists"}
{"type":"log","@timestamp":"2026-01-02T14:39:46Z","tags":["error","plugins","wazuh","monitoring"],"pid":59,"message":"Could not create wazuh-monitoring-2026.1w index: resource_already_exists_exception: [resource_already_exists_exception] Reason: index [wazuh-monitoring-2026.1w/DYh62qctQ3arcGYuH_i56g] already exists"}
{"type":"log","@timestamp":"2026-01-02T14:39:49Z","tags":["info","plugins","wazuh","monitoring"],"pid":59,"message":"Settings added to wazuh-monitoring-2026.1w index"}
{"type":"response","@timestamp":"2026-01-02T14:39:50Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":4,"contentLength":9},"message":"GET /app/wazuh 302 4ms - 9.0B"}
{"type":"log","@timestamp":"2026-01-02T14:40:03Z","tags":["error","opensearch","data"],"pid":59,"message":"[resource_already_exists_exception]: index [wazuh-statistics-2026.1w/DQ_OR2__Qb68RA67hy0X-A] already exists"}
{"type":"log","@timestamp":"2026-01-02T14:40:05Z","tags":["info","plugins","wazuh","cron-scheduler"],"pid":59,"message":"wazuh-statistics-2026.1w index created"}
{"type":"response","@timestamp":"2026-01-02T14:40:20Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":3,"contentLength":9},"message":"GET /app/wazuh 302 3ms - 9.0B"}
{"type":"response","@timestamp":"2026-01-02T14:40:50Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":3,"contentLength":9},"message":"GET /app/wazuh 302 3ms - 9.0B"}
{"type":"response","@timestamp":"2026-01-02T14:41:21Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":3,"contentLength":9},"message":"GET /app/wazuh 302 3ms - 9.0B"}
{"type":"response","@timestamp":"2026-01-02T14:41:51Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":3,"contentLength":9},"message":"GET /app/wazuh 302 3ms - 9.0B"}
{"type":"response","@timestamp":"2026-01-02T14:42:21Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":4,"contentLength":9},"message":"GET /app/wazuh 302 4ms - 9.0B"}
{"type":"response","@timestamp":"2026-01-02T14:42:51Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":2,"contentLength":9},"message":"GET /app/wazuh 302 2ms - 9.0B"}
{"type":"response","@timestamp":"2026-01-02T14:43:21Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":2,"contentLength":9},"message":"GET /app/wazuh 302 2ms - 9.0B"}
#################################################################
docker logs wazuh-runtipi_synode-it-wazuh-indexer-init-1
#################################################################
INDEXER_INIT: Starting security initialization...
INDEXER_INIT: Copying security configs...
cp: cannot create regular file '/mnt/host-security/config.yml': Permission denied
INDEXER_INIT: Starting security initialization...
INDEXER_INIT: Copying security configs...
INDEXER_INIT: Copied config.yml
INDEXER_INIT: Copied roles.yml
INDEXER_INIT: Copied roles_mapping.yml
INDEXER_INIT: Copied internal_users.yml
INDEXER_INIT: Copied action_groups.yml
INDEXER_INIT: Copied tenants.yml
INDEXER_INIT: Copied nodes_dn.yml
INDEXER_INIT: Copied whitelist.yml
INDEXER_INIT: Security files ready
INDEXER_INIT: Waiting for indexer to be available...
INDEXER_INIT: Indexer not ready, retrying in 5 seconds...
INDEXER_INIT: Indexer not ready, retrying in 5 seconds...
INDEXER_INIT: Indexer not ready, retrying in 5 seconds...
INDEXER_INIT: Indexer not ready, retrying in 5 seconds...
OpenSearch Security not initialized.INDEXER_INIT: Indexer is ready, initializing security...
Security Admin v7
Will connect to wazuh.indexer:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.19.3
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /mnt/host-security/
Will update '/config' with /mnt/host-security/config.yml
SUCC: Configuration for 'config' created or updated
Will update '/roles' with /mnt/host-security/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /mnt/host-security/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /mnt/host-security/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /mnt/host-security/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /mnt/host-security/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /mnt/host-security/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /mnt/host-security/whitelist.yml
SUCC: Configuration for 'whitelist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","actiongroups","config","internalusers"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","actiongroups","config","internalusers"]) due to: null
Done with success
INDEXER_INIT: Security initialization completed successfully
INDEXER_INIT: Initialization complete, container will remain alive
=========================================
WAZUH HEALTH CHECK - 2026-01-02 14:43:32
=========================================
Configuration:
Container prefix: wazuh-runtipi_synode-it
Data directory: /opt/runtipi/app-data/synode-it/wazuh-runtipi/data
Security directory: /opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-security
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. SERVICES HEALTH CHECK
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
certs: ✓ Running & Healthy
indexer: ✓ Running & Healthy
manager: ✓ Running & Healthy
dashboard: ✓ Running & Healthy
indexer-init: ✓ Running & Healthy (init complete)
Summary: 5 OK | 0 FAILED
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1b. CONTAINER LOGS (Last 50 lines)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
═══════════════════════════════════════════════════
Container: wazuh-runtipi_synode-it-wazuh-certs-1
Status: running | Health: healthy
═══════════════════════════════════════════════════
CERTS_INIT: Starting certificate initialization...
CERTS_INIT: Creating directories...
CERTS_INIT: Starting Super-Janitor Sweep...
CERTS_INIT: Generating new certificates...
Checking https://packages.wazuh.com/4.14/wazuh-certs-tool.sh ...
Downloaded wazuh-certs-tool.sh from https://packages.wazuh.com/4.14/
02/01/2026 14:36:36 INFO: Verbose logging redirected to //wazuh-certificates-tool.log
02/01/2026 14:36:37 INFO: Generating the root certificate.
02/01/2026 14:36:37 INFO: Generating Admin certificates.
02/01/2026 14:36:37 INFO: Admin certificates created.
02/01/2026 14:36:37 INFO: Generating Wazuh indexer certificates.
02/01/2026 14:36:38 INFO: Wazuh indexer certificates created.
02/01/2026 14:36:38 INFO: Generating Filebeat certificates.
02/01/2026 14:36:38 INFO: Wazuh Filebeat certificates created.
02/01/2026 14:36:38 INFO: Generating Wazuh dashboard certificates.
02/01/2026 14:36:38 INFO: Wazuh dashboard certificates created.
Moving created certificates to the destination directory
Changing certificate permissions
Setting UID indexer and dashboard
Setting UID for wazuh manager and worker
CERTS_INIT: Creating certificate symlinks...
CERTS_INIT: Setting ownership and permissions...
CERTS_INIT: Certificates ready
═══════════════════════════════════════════════════
Container: wazuh-runtipi_synode-it-wazuh-indexer-1
Status: running | Health: healthy
═══════════════════════════════════════════════════
[2026-01-02T14:38:57,493][INFO ][o.o.i.i.MetadataService ] [wazuh.indexer] Move metadata has finished.
[2026-01-02T14:38:57,753][ERROR][o.o.m.e.i.MLIndicesHandler] [wazuh.indexer] Failed to create index .plugins-ml-config
org.opensearch.cluster.metadata.ProcessClusterEventTimeoutException: failed to process cluster event (create-index [.plugins-ml-config], cause [api]) within 30s
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$0(MasterService.java:217) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.ArrayList.forEach(ArrayList.java:1596) [?:?]
at org.opensearch.cluster.service.MasterService$Batcher.lambda$onTimeout$1(MasterService.java:216) [opensearch-2.19.3.jar:2.19.3]
at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:955) [opensearch-2.19.3.jar:2.19.3]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) [?:?]
at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
[2026-01-02T14:38:59,576][WARN ][o.o.s.a.BackendRegistry ] [wazuh.indexer] No 'Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2026-01-02T14:39:04,498][INFO ][o.o.m.e.i.MLIndicesHandler] [wazuh.indexer] Skip creating the Index:.plugins-ml-config that is already created by another parallel request
[2026-01-02T14:39:04,505][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[vlaaL8FtSia5a8qDi4vjaw/3wzIY1EHS4KoekVq3SpMug]
[2026-01-02T14:39:04,513][INFO ][o.o.m.e.i.MLIndicesHandler] [wazuh.indexer] Skip creating the Index:.plugins-ml-config that is already created by another parallel request
[2026-01-02T14:39:04,515][INFO ][o.o.m.e.i.MLIndicesHandler] [wazuh.indexer] Skip creating the Index:.plugins-ml-config that is already created by another parallel request
[2026-01-02T14:39:18,704][WARN ][o.o.g.PersistedClusterStateService] [wazuh.indexer] writing cluster state took [14209ms] which is above the warn threshold of [10s]; wrote global metadata [true] and metadata for [0] indices and skipped [4] unchanged indices
[2026-01-02T14:39:18,705][INFO ][o.o.c.c.C.CoordinatorPublication] [wazuh.indexer] after [14.2s] publication of cluster state version [22] is still waiting for {wazuh.indexer}{jeO_mKrESxWeD0COXlnc_w}{vldCRbqtQmWErKtkCVcYIA}{10.128.10.3}{10.128.10.3:9300}{dimr}{shard_indexing_pressure_enabled=true} [SENT_PUBLISH_REQUEST]
[2026-01-02T14:39:18,716][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-monitoring-2026.1w/DYh62qctQ3arcGYuH_i56g]
[2026-01-02T14:39:18,724][INFO ][o.o.c.m.MetadataCreateIndexService] [wazuh.indexer] [wazuh-monitoring-2026.1w] creating index, cause [api], templates [wazuh-agent], shards [1]/[0]
[2026-01-02T14:39:33,245][WARN ][o.o.g.PersistedClusterStateService] [wazuh.indexer] writing cluster state took [14610ms] which is above the warn threshold of [10s]; wrote global metadata [false] and metadata for [1] indices and skipped [4] unchanged indices
[2026-01-02T14:39:33,246][INFO ][o.o.c.c.C.CoordinatorPublication] [wazuh.indexer] after [14.6s] publication of cluster state version [23] is still waiting for {wazuh.indexer}{jeO_mKrESxWeD0COXlnc_w}{vldCRbqtQmWErKtkCVcYIA}{10.128.10.3}{10.128.10.3:9300}{dimr}{shard_indexing_pressure_enabled=true} [SENT_PUBLISH_REQUEST]
[2026-01-02T14:39:33,249][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-monitoring-2026.1w/DYh62qctQ3arcGYuH_i56g]
[2026-01-02T14:39:35,505][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[TQemaB2DTUm7p-qowv4Yhg/BC4Y1JkxTeO7dfDmAktF2A]
[2026-01-02T14:39:35,568][INFO ][o.o.c.m.MetadataIndexTemplateService] [wazuh.indexer] adding template [wazuh] for index patterns [wazuh-alerts-4.x-*, wazuh-archives-4.x-*]
[2026-01-02T14:39:46,892][WARN ][o.o.g.PersistedClusterStateService] [wazuh.indexer] writing cluster state took [11415ms] which is above the warn threshold of [10s]; wrote global metadata [true] and metadata for [0] indices and skipped [5] unchanged indices
[2026-01-02T14:39:46,893][INFO ][o.o.c.c.C.CoordinatorPublication] [wazuh.indexer] after [11.4s] publication of cluster state version [24] is still waiting for {wazuh.indexer}{jeO_mKrESxWeD0COXlnc_w}{vldCRbqtQmWErKtkCVcYIA}{10.128.10.3}{10.128.10.3:9300}{dimr}{shard_indexing_pressure_enabled=true} [SENT_PUBLISH_REQUEST]
[2026-01-02T14:39:49,292][INFO ][o.o.c.m.MetadataUpdateSettingsService] [wazuh.indexer] updating number_of_replicas to [0] for indices [wazuh-monitoring-2026.1w]
[2026-01-02T14:39:49,307][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q]
[2026-01-02T14:39:49,393][INFO ][o.o.c.m.MetadataCreateIndexService] [wazuh.indexer] [wazuh-alerts-4.x-2026.01.02] creating index, cause [auto(bulk api)], templates [wazuh], shards [3]/[0]
[2026-01-02T14:39:49,418][INFO ][o.o.m.c.MLSyncUpCron ] [wazuh.indexer] ML configuration initialized successfully
[2026-01-02T14:39:50,623][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q]
[2026-01-02T14:39:55,429][INFO ][o.o.c.r.a.AllocationService] [wazuh.indexer] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[wazuh-alerts-4.x-2026.01.02][1], [wazuh-alerts-4.x-2026.01.02][2]]]).
[2026-01-02T14:39:56,461][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q]
[2026-01-02T14:39:56,518][INFO ][o.o.c.m.MetadataMappingService] [wazuh.indexer] [wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q] update_mapping [_doc]
[2026-01-02T14:39:57,747][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q]
[2026-01-02T14:39:57,785][INFO ][o.o.c.m.MetadataMappingService] [wazuh.indexer] [wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q] update_mapping [_doc]
[2026-01-02T14:39:59,688][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q]
[2026-01-02T14:39:59,726][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q]
[2026-01-02T14:40:00,025][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q]
[2026-01-02T14:40:00,065][INFO ][o.o.c.m.MetadataMappingService] [wazuh.indexer] [wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q] update_mapping [_doc]
[2026-01-02T14:40:01,242][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-statistics-2026.1w/DQ_OR2__Qb68RA67hy0X-A]
[2026-01-02T14:40:01,249][INFO ][o.o.c.m.MetadataCreateIndexService] [wazuh.indexer] [wazuh-statistics-2026.1w] creating index, cause [api], templates [wazuh-statistics], shards [1]/[0]
[2026-01-02T14:40:02,396][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-statistics-2026.1w/DQ_OR2__Qb68RA67hy0X-A]
[2026-01-02T14:40:03,121][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-alerts-4.x-2026.01.02/18MchhZsSju3qq9i1Y5H5Q]
[2026-01-02T14:40:04,894][INFO ][o.o.c.r.a.AllocationService] [wazuh.indexer] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[wazuh-statistics-2026.1w][0]]]).
[2026-01-02T14:40:05,857][INFO ][o.o.p.PluginsService ] [wazuh.indexer] PluginService:onIndexModule index:[wazuh-statistics-2026.1w/DQ_OR2__Qb68RA67hy0X-A]
[2026-01-02T14:40:05,871][INFO ][o.o.c.m.MetadataMappingService] [wazuh.indexer] [wazuh-statistics-2026.1w/DQ_OR2__Qb68RA67hy0X-A] update_mapping [_doc]
[2026-01-02T14:41:57,062][INFO ][o.o.j.s.JobSweeper ] [wazuh.indexer] Running full sweep
[2026-01-02T14:41:57,485][INFO ][o.o.i.i.PluginVersionSweepCoordinator] [wazuh.indexer] Canceling sweep ism plugin version job
[2026-01-02T14:42:59,058][WARN ][o.o.s.a.BackendRegistry ] [wazuh.indexer] No 'Authorization' header, send 401 and 'WWW-Authenticate Basic'
═══════════════════════════════════════════════════
Container: wazuh-runtipi_synode-it-wazuh-indexer-init-1
Status: running | Health: healthy
═══════════════════════════════════════════════════
INDEXER_INIT: Copying security configs...
cp: cannot create regular file '/mnt/host-security/config.yml': Permission denied
INDEXER_INIT: Starting security initialization...
INDEXER_INIT: Copying security configs...
INDEXER_INIT: Copied config.yml
INDEXER_INIT: Copied roles.yml
INDEXER_INIT: Copied roles_mapping.yml
INDEXER_INIT: Copied internal_users.yml
INDEXER_INIT: Copied action_groups.yml
INDEXER_INIT: Copied tenants.yml
INDEXER_INIT: Copied nodes_dn.yml
INDEXER_INIT: Copied whitelist.yml
INDEXER_INIT: Security files ready
INDEXER_INIT: Waiting for indexer to be available...
INDEXER_INIT: Indexer not ready, retrying in 5 seconds...
INDEXER_INIT: Indexer not ready, retrying in 5 seconds...
INDEXER_INIT: Indexer not ready, retrying in 5 seconds...
INDEXER_INIT: Indexer not ready, retrying in 5 seconds...
OpenSearch Security not initialized.INDEXER_INIT: Indexer is ready, initializing security...
Security Admin v7
Will connect to wazuh.indexer:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.19.3
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /mnt/host-security/
Will update '/config' with /mnt/host-security/config.yml
SUCC: Configuration for 'config' created or updated
Will update '/roles' with /mnt/host-security/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /mnt/host-security/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /mnt/host-security/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /mnt/host-security/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /mnt/host-security/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /mnt/host-security/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /mnt/host-security/whitelist.yml
SUCC: Configuration for 'whitelist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","actiongroups","config","internalusers"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","actiongroups","config","internalusers"]) due to: null
Done with success
INDEXER_INIT: Security initialization completed successfully
INDEXER_INIT: Initialization complete, container will remain alive
═══════════════════════════════════════════════════
Container: wazuh-runtipi_synode-it-wazuh-manager-1
Status: running | Health: healthy
═══════════════════════════════════════════════════
"syscheck.audit.process.name",
"syscheck.audit.process.ppid",
"syscheck.audit.user.id",
"syscheck.audit.user.name",
"syscheck.diff",
"syscheck.event",
"syscheck.gid_after",
"syscheck.gid_before",
"syscheck.gname_after",
"syscheck.gname_before",
"syscheck.inode_after",
"syscheck.inode_before",
"syscheck.md5_after",
"syscheck.md5_before",
"syscheck.path",
"syscheck.mode",
"syscheck.perm_after",
"syscheck.perm_before",
"syscheck.sha1_after",
"syscheck.sha1_before",
"syscheck.sha256_after",
"syscheck.sha256_before",
"syscheck.tags",
"syscheck.uid_after",
"syscheck.uid_before",
"syscheck.uname_after",
"syscheck.uname_before",
"syscheck.arch",
"syscheck.value_name",
"syscheck.value_type",
"syscheck.changed_attributes",
"title"
],
"index.refresh_interval": "5s"
},
"version": 1
}
2026-01-02T14:38:57.326Z INFO [publisher_pipeline_output] pipeline/output.go:145 Attempting to reconnect to backoff(elasticsearch(https://wazuh.indexer:9200)) with 3 reconnect attempt(s)
2026-01-02T14:38:57.327Z INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2026-01-02T14:38:57.327Z INFO [publisher] pipeline/retry.go:223 done
2026-01-02T14:38:57.330Z INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.10.2
2026-01-02T14:39:18.712Z INFO fileset/pipelines.go:143 Elasticsearch pipeline with ID 'filebeat-7.10.2-wazuh-alerts-pipeline' loaded
2026-01-02T14:39:18.717Z INFO template/load.go:183 Existing template will be overwritten, as overwrite is enabled.
2026-01-02T14:39:18.719Z INFO template/load.go:117 Try loading template wazuh to Elasticsearch
2026/01/02 14:39:23 wazuh-modulesd:vulnerability-scanner: INFO: Database decompression finished.
2026-01-02T14:39:46.901Z INFO template/load.go:109 template with name 'wazuh' loaded.
2026-01-02T14:39:46.901Z INFO [index-management] idxmgmt/std.go:298 Loaded index template.
2026-01-02T14:39:46.901Z INFO [publisher_pipeline_output] pipeline/output.go:151 Connection to backoff(elasticsearch(https://wazuh.indexer:9200)) established
2026/01/02 14:39:50 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started.
2026-01-02T14:42:46.632Z INFO log/harvester.go:333 File is inactive: /var/ossec/logs/alerts/alerts.json. Closing because close_inactive of 5m0s reached.
═══════════════════════════════════════════════════
Container: wazuh-runtipi_synode-it-wazuh-dashboard-1
Status: running | Health: healthy
═══════════════════════════════════════════════════
[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
[agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
{"type":"log","@timestamp":"2026-01-02T14:36:52Z","tags":["info","dynamic-config-service"],"pid":59,"message":"initiating start()"}
{"type":"log","@timestamp":"2026-01-02T14:36:52Z","tags":["info","dynamic-config-service"],"pid":59,"message":"finished start()"}
{"type":"log","@timestamp":"2026-01-02T14:36:52Z","tags":["info","savedobjects-service"],"pid":59,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
{"type":"log","@timestamp":"2026-01-02T14:36:52Z","tags":["error","opensearch","data"],"pid":59,"message":"[ConnectionError]: connect ECONNREFUSED 10.128.10.3:9200"}
{"type":"log","@timestamp":"2026-01-02T14:36:52Z","tags":["error","savedobjects-service"],"pid":59,"message":"Unable to retrieve version information from OpenSearch nodes."}
{"type":"log","@timestamp":"2026-01-02T14:36:55Z","tags":["error","opensearch","data"],"pid":59,"message":"[ConnectionError]: connect ECONNREFUSED 10.128.10.3:9200"}
{"type":"log","@timestamp":"2026-01-02T14:36:57Z","tags":["error","opensearch","data"],"pid":59,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2026-01-02T14:37:00Z","tags":["error","opensearch","data"],"pid":59,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2026-01-02T14:37:02Z","tags":["error","opensearch","data"],"pid":59,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2026-01-02T14:37:05Z","tags":["error","opensearch","data"],"pid":59,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2026-01-02T14:37:07Z","tags":["error","opensearch","data"],"pid":59,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2026-01-02T14:37:10Z","tags":["error","opensearch","data"],"pid":59,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2026-01-02T14:37:13Z","tags":["info","savedobjects-service"],"pid":59,"message":"Starting saved objects migrations"}
{"type":"log","@timestamp":"2026-01-02T14:37:13Z","tags":["info","savedobjects-service"],"pid":59,"message":"Creating index .kibana_1."}
{"type":"log","@timestamp":"2026-01-02T14:37:13Z","tags":["info","savedobjects-service"],"pid":59,"message":"Pointing alias .kibana to .kibana_1."}
{"type":"log","@timestamp":"2026-01-02T14:37:13Z","tags":["info","savedobjects-service"],"pid":59,"message":"Finished in 445ms."}
{"type":"log","@timestamp":"2026-01-02T14:37:13Z","tags":["warning","cross-compatibility-service"],"pid":59,"message":"Starting cross compatibility service"}
{"type":"log","@timestamp":"2026-01-02T14:37:13Z","tags":["info","plugins-system"],"pid":59,"message":"Starting [51] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,savedObjects,queryEnhancements,home,dashboard,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,visAugmenter,tileMap,regionMap,inputControlVis,ganttChartDashboards,visualize,apmOss,management,indexPatternManagement,dataSourceManagement,reportsDashboards,indexManagementDashboards,customImportMapDashboards,anomalyDetectionDashboards,alertingDashboards,notificationsDashboards,console,advancedSettings,dataExplorer,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,savedObjectsManagement,securityDashboards,wazuhCore,wazuhCheckUpdates,wazuh,bfetch]"}
{"type":"log","@timestamp":"2026-01-02T14:37:14Z","tags":["info","plugins","wazuh","initialize"],"pid":59,"message":"dashboard index: .kibana"}
{"type":"log","@timestamp":"2026-01-02T14:37:14Z","tags":["info","plugins","wazuh","initialize"],"pid":59,"message":"App revision: 02"}
{"type":"log","@timestamp":"2026-01-02T14:37:14Z","tags":["info","plugins","wazuh","initialize"],"pid":59,"message":"Total RAM: 11958MB"}
{"type":"log","@timestamp":"2026-01-02T14:37:14Z","tags":["error","opensearch","data"],"pid":59,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2026-01-02T14:37:14Z","tags":["error","opensearch","data"],"pid":59,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2026-01-02T14:37:15Z","tags":["listening","info"],"pid":59,"message":"Server running at https://0.0.0.0:5601"}
{"type":"log","@timestamp":"2026-01-02T14:37:15Z","tags":["info","http","server","OpenSearchDashboards"],"pid":59,"message":"http server running at https://0.0.0.0:5601"}
{"type":"response","@timestamp":"2026-01-02T14:37:20Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":11,"contentLength":9},"message":"GET /app/wazuh 302 11ms - 9.0B"}
{"type":"response","@timestamp":"2026-01-02T14:37:50Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":9,"contentLength":9},"message":"GET /app/wazuh 302 9ms - 9.0B"}
{"type":"log","@timestamp":"2026-01-02T14:38:11Z","tags":["info","plugins","wazuh","cron-scheduler"],"pid":59,"message":"Updated the wazuh-statistics template"}
{"type":"response","@timestamp":"2026-01-02T14:38:20Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":5,"contentLength":9},"message":"GET /app/wazuh 302 5ms - 9.0B"}
{"type":"response","@timestamp":"2026-01-02T14:38:50Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":3,"contentLength":9},"message":"GET /app/wazuh 302 3ms - 9.0B"}
{"type":"log","@timestamp":"2026-01-02T14:39:04Z","tags":["info","plugins","wazuh","monitoring"],"pid":59,"message":"Updated the wazuh-agent template"}
{"type":"response","@timestamp":"2026-01-02T14:39:20Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":3,"contentLength":9},"message":"GET /app/wazuh 302 3ms - 9.0B"}
{"type":"log","@timestamp":"2026-01-02T14:39:46Z","tags":["error","opensearch","data"],"pid":59,"message":"[resource_already_exists_exception]: index [wazuh-monitoring-2026.1w/DYh62qctQ3arcGYuH_i56g] already exists"}
{"type":"log","@timestamp":"2026-01-02T14:39:46Z","tags":["error","plugins","wazuh","monitoring"],"pid":59,"message":"Could not create wazuh-monitoring-2026.1w index: resource_already_exists_exception: [resource_already_exists_exception] Reason: index [wazuh-monitoring-2026.1w/DYh62qctQ3arcGYuH_i56g] already exists"}
{"type":"log","@timestamp":"2026-01-02T14:39:49Z","tags":["info","plugins","wazuh","monitoring"],"pid":59,"message":"Settings added to wazuh-monitoring-2026.1w index"}
{"type":"response","@timestamp":"2026-01-02T14:39:50Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":4,"contentLength":9},"message":"GET /app/wazuh 302 4ms - 9.0B"}
{"type":"log","@timestamp":"2026-01-02T14:40:03Z","tags":["error","opensearch","data"],"pid":59,"message":"[resource_already_exists_exception]: index [wazuh-statistics-2026.1w/DQ_OR2__Qb68RA67hy0X-A] already exists"}
{"type":"log","@timestamp":"2026-01-02T14:40:05Z","tags":["info","plugins","wazuh","cron-scheduler"],"pid":59,"message":"wazuh-statistics-2026.1w index created"}
{"type":"response","@timestamp":"2026-01-02T14:40:20Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":3,"contentLength":9},"message":"GET /app/wazuh 302 3ms - 9.0B"}
{"type":"response","@timestamp":"2026-01-02T14:40:50Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":3,"contentLength":9},"message":"GET /app/wazuh 302 3ms - 9.0B"}
{"type":"response","@timestamp":"2026-01-02T14:41:21Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":3,"contentLength":9},"message":"GET /app/wazuh 302 3ms - 9.0B"}
{"type":"response","@timestamp":"2026-01-02T14:41:51Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":3,"contentLength":9},"message":"GET /app/wazuh 302 3ms - 9.0B"}
{"type":"response","@timestamp":"2026-01-02T14:42:21Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":4,"contentLength":9},"message":"GET /app/wazuh 302 4ms - 9.0B"}
{"type":"response","@timestamp":"2026-01-02T14:42:51Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":2,"contentLength":9},"message":"GET /app/wazuh 302 2ms - 9.0B"}
{"type":"response","@timestamp":"2026-01-02T14:43:21Z","tags":[],"pid":59,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{"host":"localhost:5601","user-agent":"curl/8.11.1","accept":"*/*"},"remoteAddress":"127.0.0.1","userAgent":"curl/8.11.1"},"res":{"statusCode":302,"responseTime":2,"contentLength":9},"message":"GET /app/wazuh 302 2ms - 9.0B"}
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
2. DISK USAGE CHECK
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
App directory: /opt/runtipi/app-data/synode-it/wazuh-runtipi
Size: 7,4G (7 GB) - ✓ OK (expected ~5GB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
3. SECURITY FILES CHECK
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Security directory: /opt/runtipi/app-data/synode-it/wazuh-runtipi/data/indexer-security
config.yml: ✓ Present
roles.yml: ✓ Present
roles_mapping.yml: ✓ Present
internal_users.yml: ✓ Present
action_groups.yml: ✓ Present
tenants.yml: ✓ Present
nodes_dn.yml: ✓ Present
whitelist.yml: ✓ Present
Summary: 8/8 files present
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
4. NETWORK CONNECTIVITY CHECK
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Testing dashboard → indexer connectivity...
DNS resolution (wazuh.indexer): ✓ OK
HTTP connectivity: ✓ OK (HTTP 401)
Shared network: ✓ OK (wazuh-runtipi_synode-it_network)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
5. DASHBOARD CONFIGURATION CHECK
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Config file exists: ✓ YES
Config has content: ✓ YES
opensearch.hosts configured: ✓ opensearch.hosts: https://wazuh.indexer:9200
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
6. MANAGER CONFIGURATION CHECK
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Main config exists: ✓ YES
Custom config exists: ✓ YES
Main config is symlink: ✓ YES (Bug #3 fixed)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
6b. FILEBEAT CHECK
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Environment Variables (Official Wazuh Method):
FILEBEAT_SSL_VERIFICATION_MODE: ✓ full
SSL_CERTIFICATE_AUTHORITIES: ✓ /var/ossec/etc/certs/root-ca.pem
SSL_CERTIFICATE: ✓ /var/ossec/etc/certs/server.pem
SSL_KEY: ✓ /var/ossec/etc/certs/server-key.pem
Generated Filebeat Configuration:
Filebeat config exists: ✓ YES
Config has indexer https URL: ✓ YES
SSL verification enabled: ✗ NO (SSL not configured in filebeat.yml)
⚠ Check if cont-init.d/1-config-filebeat ran successfully
Seccomp fix for pthread: ✓ YES (pthread_create fix present)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
6c. KNOWN ERRORS DETECTION
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Scanning manager logs for known errors...
pthread_create error: ✓ Not found
x509 certificate error: ✓ Not found
SIGABRT crash: ✓ Not found
Filebeat ownership error: ✓ Not found
No known errors detected in manager logs
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
7. OVERALL HEALTH SUMMARY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✓ Services: All services healthy
✓ Disk: Usage normal (~5GB)
✓ Security: All 8 security files present
=========================================
✓✓✓ WAZUH IS HEALTHY - PRODUCTION READY ✓✓✓
=========================================
root@tipi:~#
Reference in New Issue View Git Blame Copy Permalink