wazuh / wazuh-dashboard-plugins

Plugins for Wazuh Dashboard
https://wazuh.com/
GNU General Public License v2.0

[Dashboard error] [WazuhError]: x_content_parse_exception: [x_content_parse_exception] Reason: [1:1362] [bool] failed to parse field [filter] #6861

Closed StensonSimon closed 1 month ago

StensonSimon commented 4 months ago

| Wazuh version | Component | Install type | Platform |
|---|---|---|---|
| Wazuh 4.8.0 | Wazuh Dashboard / Manager | Installed directly in Ubuntu 22.04 | Ubuntu 22.04 |

I just installed Wazuh following the Quickstart documentation and when i loaded up the dashboard, I am getting this error:

[WazuhError]: x_content_parse_exception: [x_content_parse_exception] Reason: [1:1362] [bool] failed to parse field [filter]


What could be the reason for this?

Thanks

movilla1976 commented 3 months ago

Same error here!

BR,

Javi

cyber-nexus-75 commented 3 months ago

Same issue here as well.

symmcom commented 3 months ago

Exactly same issue for me too. Fresh 3 node distributed Wazuh deployment. No configuration has been done. I just logged in to the dashboard and seeing these errors.

jeanstephan commented 3 months ago

Did anyone find a solution? Please advise.

rm-w3kufe commented 3 months ago

Same error here. Might be an error of the version. What does it mean?

teboarte commented 3 months ago

Same issue | Debian 12 bookworm | App version: 4.8.0 | App revision: 12 | Install date: Jul 17, 2024

jnasselle commented 3 months ago

Hello everyone,

I could not make this work on a clean Ubuntu 22.04 VM + quickstart install as stated, but some of you had agents connected to it, so my question is: is this happening on clean environments with already enrolled agents? If positive, what are the agents' versions and OS family?

symmcom commented 3 months ago

I am not sure if it is a solution, but I have found a workaround that I have tried repeatedly and it works. I had these errors on freshly installed Wazuh no matter how many times I installed. The only way I found for the errors to go away completely is by enabling Cluster on the server. You don't necessarily have to add a 2nd Wazuh server or anything. Just enable it.

This is the portion you have to edit. I found this on Wazuh cluster URL: https://documentation.wazuh.com/current/user-manual/manager/wazuh-server-cluster.html

```xml
<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <!-- example key from the Wazuh docs; generate your own 32-character key, e.g. openssl rand -hex 16 -->
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <node_type>master</node_type>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>MASTER_NODE_IP</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
```

As soon as the cluster is enabled, after restarting wazuh-server, all errors on the Dashboard went away.

Hope this helps.

jeanstephan commented 3 months ago

Do not install on Ubuntu 24; stay on 22, and do not update once you install Wazuh.

symmcom commented 3 months ago

> Do not install on Ubuntu 24; stay on 22, and do not update once you install Wazuh.

Although I primarily use Debian, I have installed Wazuh on Ubuntu 22, 24 while I was trying to figure out the issue. All had the similar issue and the enabling cluster fixed the errors on both Ubuntu and Debian. I have settled with Debian 12 for the final Wazuh deployment. I do not use single node deployment, but distributed Wazuh with 1 Dashboard, 1 Server and 1 Indexer. No errors.

rm-w3kufe commented 3 months ago

I was able to make it work on Ubuntu 22.04 (Proxmox CT/ LXC) and Wazuh version 4.8.0, Setting up indexer, manager and dashboard on that order.

movilla1976 commented 3 months ago

> Do not install on Ubuntu 24; stay on 22, and do not update once you install Wazuh.
>
> Although I primarily use Debian, I have installed Wazuh on Ubuntu 22, 24 while I was trying to figure out the issue. All had the similar issue and the enabling cluster fixed the errors on both Ubuntu and Debian. I have settled with Debian 12 for the final Wazuh deployment. I do not use single node deployment, but distributed Wazuh with 1 Dashboard, 1 Server and 1 Indexer. No errors.

That worked for me as well. Wazuh 4.8.1 + Ubuntu 24.04 LTS. Thanks!

Javi

asteriscos commented 3 months ago

I have tried to replicate it in several different environments with and without cluster mode, but couldn't. Can you please provide additional information on this?

We may find some additional context in Wazuh dashboard logs:

```shell
journalctl -u wazuh-dashboard
grep -iE "error|warn" /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log
```

Get the index template: in Wazuh dashboard go to Server management / Dev tools, then get the mapping of an alert index and provide the output.

You can check your indices in the following way, then inspect one index to see if you have all the fields:

```
GET _cat/indices
GET <index>/_mapping
```

Example:

```
GET wazuh-alerts-4.x-2024.06.28/_mapping
```

The request made to the indexer will also be useful:

- Open the browser dev tools. Usually F12 or Ctrl+Shift+I does the trick.
- Identify the request made to the indexer and share the payload and response like in the following screenshot: ![image](https://github.com/user-attachments/assets/9dae7559-55c0-4e33-ae03-897910715d4a)

VT194 commented 3 months ago

Asteriscos,

I have experienced the same issue when I installed the assisted install of Wazuh on Ubuntu 22 (Jammy Jellyfish). It was a clean install; I did not do any nodes or any cluster. I only did 1 live agent for a test run to install a Wazuh agent, which I did get on the Wazuh dashboard, but the dashboard itself received errors like this: ![Screenshot 2024-07-31 131752](https://github.com/user-attachments/assets/6ad2a4c4-d9ce-4dfb-a284-0adbf9bea799) (Screenshot 2024-07-31 131809)

lionetcom commented 2 months ago

Hi, I have the same issue. Has anyone found a solution?

symmcom commented 2 months ago

I have 3 node distributed deployment with 1 Dashboard, 1 Manager and 1 Indexer. Enabling Cluster fixed all these Bad Request issue for me. I did not add any extra nodes, simply enabled it following the Wazuh documentation on cluster creation.

HPringles commented 2 months ago

Also having this issue on a new install, it's happened on every version/OS/deployment type I've tried. Anybody got a fix?

Have tried:

MBPotier commented 2 months ago

Having this issue on a fresh install via the quickstart script. Ubuntu 22.04 OS.

Desvelao commented 2 months ago

Hi, I tried to replicate the problem but I could not get the errors. Other co-workers tried to replicate it with the same result. I assume the provided information might not be enough to replicate the problem and something could be missing.

According to the comments, it seems the problem is related to Wazuh server has the cluster mode disabled.

The errors are coming from requests related to the stats from the LAST 24 HOURS ALERTS panel, which display the alerts count grouped by severity. These requests seem to have a problem in the query syntax and, according to this evidence https://github.com/user-attachments/assets/5cc018bf-6c6a-4e78-8a57-33329fe9c64d, a match_phrase filter does not have a value.

Each stat defines a query that includes a filter depending on if the Wazuh server cluster is enabled or not:

The query uses match_phrase with some of these fields and a value that should be the Wazuh server cluster name or Wazuh server manager name (depending on the status of the Wazuh server cluster).

Taking into account the problem occurs when the Wazuh server cluster is disabled, then it could be caused by the value of the Wazuh server manager name.

I was analyzing the source code and the value of the Wazuh server manager name could come from the manager property of a cookie (clusterInfo) stored in the browser, and this is coming from the backend side of Wazuh dashboard, which gets it from the Wazuh server API request:

```
GET /agents?agents_list=000
```

So maybe the cause is related to the hostname of the Wazuh server manager.

I have some questions:

  1. Does the error happen each time you access the Home > Overview application of Wazuh dashboard, or does it only happen once? Does refreshing the page or navigating solve the problem if you access the same view where the errors appeared previously?
  2. Does accessing another application related to the Wazuh plugin for Wazuh dashboard, such as Threat Hunting, display a filter under the search bar with the field manager.name, and does it have a value? (Wazuh server cluster should be disabled, else a filter with cluster.name will be included instead)
  3. Does clearing the browser cache solve the problem?
  4. What is the hostname of the Wazuh server host?
  5. Provide the value of the clusterInfo cookie. This can be obtained using the browser dev tools, so this could vary depending on the browser. In Google Chrome (or variants): Application > Cookies. In Firefox: Storage > Cookies.
  6. Provide the request payload of the request related to the stats from the LAST 24 HOURS ALERTS. This can be obtained following the details drop-down of https://github.com/wazuh/wazuh-dashboard-plugins/issues/6861#issuecomment-2252989590.
  7. Get the manager property for the Wazuh server agent. Go to Server management > Dev Tools and run the following Wazuh server API request:

     ```
     GET /agents?agents_list=000&select=manager
     ```

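As an added example (not code from the wazuh-dashboard-plugins project, and not part of this thread), the following JavaScript models the severity-stats request described in the comment above: a bool filter whose match_phrase targets cluster.name when the Wazuh server cluster is enabled and manager.name when it is disabled, with the value taken from the clusterInfo cookie. The field names come from the comment; the cookie shape ({status, cluster, manager}), the surrounding timestamp and rule.level range filters, and the exact query layout are assumptions, not the plugin's source. The block shows how a missing manager name serialises into a filter with no value, a guard that rejects it before the request leaves the dashboard, and a helper that uses the [line:col] in the x_content_parse_exception reason (line 1, column 1362 in the reported error) to locate the offending spot in the serialised body.

```javascript
// Added example: not code from wazuh-dashboard-plugins. Models the
// "LAST 24 HOURS ALERTS" severity-stats request; field names follow the
// comment, everything else about the shape is an assumption.

// Pick the filter field and value: cluster.name when the Wazuh server
// cluster is enabled, manager.name when it is disabled.
function nodeFilterParts(clusterInfo) {
  const enabled = clusterInfo.status === 'enabled';
  return {
    field: enabled ? 'cluster.name' : 'manager.name',
    value: enabled ? clusterInfo.cluster : clusterInfo.manager,
  };
}

// Unguarded builder: reproduces the symptom. JSON.stringify drops a property
// whose value is undefined, so a missing manager name serialises to
// {"match_phrase":{}} inside the bool filter, which the indexer cannot parse.
function unguardedNodeFilter(clusterInfo) {
  const { field, value } = nodeFilterParts(clusterInfo);
  return { match_phrase: { [field]: value } };
}

// Guarded builder: refuse to emit a match_phrase without a value so the
// broken request is caught in the dashboard instead of at the indexer.
function guardedNodeFilter(clusterInfo) {
  const { field, value } = nodeFilterParts(clusterInfo);
  if (typeof value !== 'string' || value.trim() === '') {
    throw new Error(`cannot build match_phrase on ${field}: clusterInfo has no value for it`);
  }
  return { match_phrase: { [field]: value } };
}

// Body of one severity stat (assumed layout): alerts from the last 24 hours,
// from this node, with rule.level in [minLevel, maxLevel]; only a count.
function severityStatBody(clusterInfo, minLevel, maxLevel, build = guardedNodeFilter) {
  return {
    size: 0,
    query: {
      bool: {
        filter: [
          { range: { timestamp: { gte: 'now-24h', lte: 'now' } } },
          build(clusterInfo),
          { range: { 'rule.level': { gte: minLevel, lte: maxLevel } } },
        ],
      },
    },
  };
}

// The reason of an x_content_parse_exception carries the 1-based line and
// column of the request body where parsing failed, e.g. "[1:1362]". Return
// that position plus the surrounding slice of the serialised body.
function locateParseError(serialisedBody, reason, radius = 40) {
  const m = /\[(\d+):(\d+)\]/.exec(reason);
  if (!m) return null;
  const line = Number(m[1]);
  const col = Number(m[2]);
  const text = serialisedBody.split('\n')[line - 1] ?? '';
  const start = Math.max(0, col - radius);
  return { line, col, context: text.slice(start, col + radius) };
}

// Constructed sample data (not captured from a real deployment): a clusterInfo
// cookie from a server with the cluster disabled and no manager name, and a
// healthy one.
const brokenClusterInfo = { status: 'disabled', cluster: 'wazuh', manager: undefined };
const goodClusterInfo = { status: 'disabled', cluster: 'wazuh', manager: 'wazuh-server' };

// Serialise the broken request the way the unguarded code would send it and
// point a constructed reason string at the empty match_phrase.
const brokenBody = JSON.stringify(severityStatBody(brokenClusterInfo, 12, 15, unguardedNodeFilter));
const brokenAt = brokenBody.indexOf('"match_phrase":{}');
console.log(brokenBody);
console.log(locateParseError(brokenBody, `[1:${brokenAt + 1}] [bool] failed to parse field [filter]`));
```

To apply this to a real failure, paste the request payload from the browser dev tools into locateParseError together with the reason string from the dashboard error; the returned context shows which filter the indexer choked on, and whether it is the manager.name / cluster.name match_phrase the comment suspects.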
VT194 commented 2 months ago

Desvelao,

OK, I think I have figured it out. For me, I didn't follow the steps properly. Here is a video link on YouTube where this guy does 1 node with the cluster disabled (this is to test out Wazuh): https://www.youtube.com/watch?v=3CfjoCQmpo8, called "Wazuh All-in-One Server Installation Guide: Boost Your Security!"

He uses a VM, but you can use it on your VM or a spare laptop. Download the OS (I used the Ubuntu Jammy Jellyfish version). Once you have the OS installed and curl installed, here is what I did in the terminal:

```
curl -sO https://packages.wazuh.com/4.8/wazuh-install.sh
curl -sO https://packages.wazuh.com/4.8/config.yml
```

Nothing happens, no install or download, just the next command you need. Next you type this command:

```
sudo nano config.yml
```

You will see this (Screenshot 2024-08-15 131140).

It should look like this in your terminal:

```
curl -sO https://packages.wazuh.com/4.8/wazuh-install.sh
curl -sO https://packages.wazuh.com/4.8/config.yml
sudo nano config.yml
```

Otherwise it won't show up.

Once you have that yml file, type the IP address of your VM or laptop. I used my local IP address; type the command "ip a s" to get it. Type your IP address into the slot and delete the placeholder; you don't need it, just the IP address.

You do that for the indexer, server and the dashboard, and leave the names alone; you don't need to mess with that. Once you have that done, hold Ctrl and X to exit; it will ask you to save, press Y and hit Enter.

Once that is done, the next command is:

```
bash wazuh-install.sh --generate-config-files
```

Let that finish. The next command is:

```
sudo bash ./wazuh-install.sh -a
```

This will take a bit (maybe 20 minutes or more for me). Let it install all the way and you will get "admin" as the user name and a password that was given to you, and that should be it. Here are the command lines I used; hope this helps and good luck:

```
curl -sO https://packages.wazuh.com/4.8/wazuh-install.sh
curl -sO https://packages.wazuh.com/4.8/config.yml
sudo nano config.yml
bash wazuh-install.sh --generate-config-files
sudo bash ./wazuh-install.sh -a
```
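As an added example (not part of the thread and not the Wazuh installer's own code), this script automates the all-in-one procedure from the comment above: download the 4.8 installer and config.yml, put this host's IP into the indexer, server and dashboard entries in place of the quoted `<...-ip>` placeholders, refuse to continue if any placeholder survives, generate the config files, and run the assisted install. The placeholder form (`ip: "<indexer-node-ip>"` and similar) and the count of three active node entries reflect the stock single-host config.yml; the helper names and the `ip -4 -o addr show` address lookup are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not part of the thread and not the Wazuh installer's own code.
# Scripts the all-in-one steps from the comment above: fetch the 4.8 installer
# and config.yml, put this host's IP into the indexer, server and dashboard
# entries, generate the config files, then run the assisted install.
set -eu

WAZUH_MINOR="4.8"   # assumption: the same release line the comment downloads

# Replace every quoted ip placeholder (ip: "<indexer-node-ip>" and friends,
# the form the stock config.yml uses) with the given address, in place.
# Usage: fill_config_yml <path to config.yml> <ip>
fill_config_yml() {
  local cfg="$1" ip="$2" tmp
  tmp="$(mktemp)"
  sed "s/\"<[a-z-]*-ip>\"/\"${ip}\"/g" "$cfg" > "$tmp" && mv "$tmp" "$cfg"
  # Refuse to continue if any placeholder survived the substitution.
  if grep -q '<[a-z-]*-ip>' "$cfg"; then
    echo "unfilled placeholder remains in $cfg" >&2
    return 1
  fi
}

# How many active (uncommented) node entries point at the given ip; the
# single-host layout of the stock file gives 3 (indexer, server, dashboard).
# Usage: count_ip <path to config.yml> <ip>
count_ip() { grep -c "^[^#]*ip: \"$2\"" "$1"; }

# First global IPv4 address of this host, the value "ip a s" shows.
local_ip() { ip -4 -o addr show scope global | awk '{print $4}' | cut -d/ -f1 | head -n 1; }

# The full procedure; run as root (or under sudo) on the target host.
# Usage: run_install [ip]
run_install() {
  local addr="${1:-$(local_ip)}"
  curl -sO "https://packages.wazuh.com/${WAZUH_MINOR}/wazuh-install.sh"
  curl -sO "https://packages.wazuh.com/${WAZUH_MINOR}/config.yml"
  fill_config_yml config.yml "$addr"
  [ "$(count_ip config.yml "$addr")" -eq 3 ] || { echo "expected 3 node entries pointing at $addr" >&2; return 1; }
  bash ./wazuh-install.sh --generate-config-files
  bash ./wazuh-install.sh -a
}
```

Source the file and call `run_install` (optionally with an explicit address) on the host you are installing on; nothing runs on load, so the helpers can be exercised on a copy of config.yml first. Keep the name fields in config.yml as they are, as the comment says, and note that the placeholder check is what prevents an install from being generated against a literal `<...-ip>` string.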

asteriscos commented 1 month ago

We were unable to replicate the issue, therefore I will close it. If you can provide additional information about this feel free to open it again.

xuduo18 commented 1 month ago

Followed https://documentation.wazuh.com/current/quickstart.html on a clean Ubuntu 24. Exactly the same issue.


https://192.168.2.207/app/threat-hunting#/overview/?tab=general&tabView=dashboard&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_a=(filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'wazuh-alerts-*',key:GeoLocation.area_code,negate:!f,params:(query:'1312321321'),type:phrase),query:(match_phrase:(GeoLocation.area_code:'1312321321')))),query:(language:kuery,query:''))