mapper predecoder.timestamp error on 4.3.3

[jplangford]

mapper predecoder.timestamp error on 4.3.3

Hi, I am attempting to deploy containerised Wazuh v 4.3.3 and am seeing this error in the wazuh-indexer docker logs output:

[2022-06-10T13:49:44,532][INFO ][o.o.a.b.TransportShardBulkAction] [wazuh.indexer] [wazuh-alerts-4.x-2022.06.10][2] mapping update rejected by primary
java.lang.IllegalArgumentException: mapper [predecoder.timestamp] cannot be changed from type [keyword] to [text]
        at org.opensearch.index.mapper.ParametrizedFieldMapper.merge(ParametrizedFieldMapper.java:110) ~[opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.index.mapper.ParametrizedFieldMapper.merge(ParametrizedFieldMapper.java:74) ~[opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.index.mapper.ObjectMapper.doMerge(ObjectMapper.java:585) ~[opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.index.mapper.ObjectMapper.merge(ObjectMapper.java:544) ~[opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.index.mapper.ObjectMapper.doMerge(ObjectMapper.java:571) ~[opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.index.mapper.RootObjectMapper.doMerge(RootObjectMapper.java:330) ~[opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.index.mapper.ObjectMapper.merge(ObjectMapper.java:544) ~[opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.index.mapper.RootObjectMapper.merge(RootObjectMapper.java:325) ~[opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.index.mapper.Mapping.merge(Mapping.java:127) ~[opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.index.mapper.DocumentMapper.merge(DocumentMapper.java:306) ~[opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.index.mapper.MapperService.internalMerge(MapperService.java:567) ~[opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.index.mapper.MapperService.internalMerge(MapperService.java:512) ~[opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.index.mapper.MapperService.merge(MapperService.java:453) ~[opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.action.bulk.TransportShardBulkAction.executeBulkItemRequest(TransportShardBulkAction.java:372) [opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.action.bulk.TransportShardBulkAction$2.doRun(TransportShardBulkAction.java:212) [opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:50) [opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.action.bulk.TransportShardBulkAction.performOnPrimary(TransportShardBulkAction.java:276) [opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.action.bulk.TransportShardBulkAction.dispatchedShardOperationOnPrimary(TransportShardBulkAction.java:165) [opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.action.bulk.TransportShardBulkAction.dispatchedShardOperationOnPrimary(TransportShardBulkAction.java:98) [opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.action.support.replication.TransportWriteAction$1.doRun(TransportWriteAction.java:220) [opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:792) [opensearch-1.2.4.jar:1.2.4]
        at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:50) [opensearch-1.2.4.jar:1.2.4]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630) [?:?]
        at java.lang.Thread.run(Thread.java:832) [?:?]

I have tried:

• Switching to v4.3.4
• Checked that my wazuh-template.json is up to date in my wazuh container and that filebeat.yml is pointing to it correctly
• Searched through the wazuh-indexer image in case there was another wazuh-template.json somwhere that was causing a conflict - there wasn't
• Rebuilding the system on a clean virtual machine with the same result

The Wazuh UI loads and shows the agents in the main screen but there are no alerts of any kind. Any suggestions gratefully received.

Thank you.

Please find my docker-compose.yml file below:

---
version: "3.5"
services:
wazuh.manager:
    restart: always
    image: gcr.io/<project-id>/wazuh/wazuh-manager:4.3.4
    labels:
    - com.acme.app=wazuh
    volumes:
    - /data/wazuh/ossec_api_configuration:/var/ossec/api/configuration
    - /data/wazuh/ossec_etc:/var/ossec/etc
    - /data/elasticsearch/ssl_certs:/var/ossec/ssl_certs
    - /data/wazuh/ossec_logs:/var/ossec/logs
    - /data/wazuh/ossec_queue:/var/ossec/queue
    - /data/wazuh/ossec_var_multigroups:/var/ossec/var/multigroups
    - /data/wazuh/ossec_integrations:/var/ossec/integrations
    - /data/wazuh/ossec_active_response:/var/ossec/active-response/bin
    - /data/wazuh/ossec_agentless:/var/ossec/agentless
    - /data/wazuh/ossec_wodles:/var/ossec/wodles
    - /data/wazuh/filebeat_etc:/etc/filebeat
    - /data/wazuh/filebeat_var:/var/lib/filebeat
    - /data/wazuh/filebeat_log:/var/log/filebeat
    ports:
    - 1514:1514
    - 1515:1515
    - 55000:55000
    environment:
    - "INDEXER_URL=https://wazuh.indexer:9200"
    - "INDEXER_USERNAME='admin'"
    - "INDEXER_PASSWORD='VLTEpd6FyAvCgTvMeD4DcyBt3fYkr4ux"
    - "FILEBEAT_SSL_VERIFICATION_MODE=full"
    - "SSL_CERTIFICATE_AUTHORITIES=/var/ossec/ssl_certs/root-ca.pem"
    - "SSL_CERTIFICATE=/var/ossec/ssl_certs/filebeat.pem"
    - "SSL_KEY=/var/ossec/ssl_certs/filebeat.key"
    - "API_USERNAME=wazuh-wui"
    - "API_PASSWORD=MyS3cr37P450r-"
    hostname: wazuh.manager
    logging:
    driver: "json-file"
    options:
        max-size: "50m"
        max-file: "4"

wazuh.indexer:
    restart: always
    image: gcr.io/<project-id>/wazuh/wazuh-indexer:4.3.4
    labels:
    - com.acme.app=indexer
    volumes:
    - /data/elasticsearch/config:/usr/share/wazuh-indexer/config
    - /data/elasticsearch/ssl_certs:/usr/share/wazuh-indexer/config/ssl_certs
    - /data/elasticsearch/ssl_certs:/usr/share/wazuh-indexer/config/certs
    - /data/elasticsearch/index:/usr/share/wazuh-indexer/data
    - /data/elasticsearch/logs:/usr/share/wazuh-indexer/logs
    - /data/elasticsearch/tmp:/usr/share/wazuh-indexer/tmp
    - /data/elasticsearch/wazuh-indexer:/var/lib/wazuh-indexer
    - /data/elasticsearch/config/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
    ports:
    - 9200:9200
    environment:
    - "discovery.type=single-node"
    - "cluster.name=wazuh-cluster"
    - "network.host=0.0.0.0"
    - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
    - "bootstrap.memory_lock=true"
    - "OPENSEARCH_TMPDIR=/usr/share/wazuh-indexer/tmp/"
    - "CACERT=/usr/share/wazuh-indexer/config/ssl_certs/root-ca.pem"
    - "CERT=/usr/share/wazuh-indexer/config/ssl_certs/admin.pem"
    - "KEY=/usr/share/wazuh-indexer/config/ssl_certs/admin.key"
    - "JAVA_HOME=/usr/share/wazuh-indexer/jdk"
    hostname: wazuh.indexer
    ulimits:
    memlock:
        soft: -1
        hard: -1
    nofile:
        soft: 65536
        hard: 65536
    logging:
    driver: "json-file"
    options:
        max-size: "50m"
        max-file: "4"

wazuh.dashboard:
    restart: always
    image: gcr.io/<project-id>/wazuh/wazuh-dashboard:4.3.4
    labels:
    - com.acme.app=dashboard
    volumes:
    - /data/kibana/config:/usr/share/wazuh-dashboard/config
    - /data/elasticsearch/ssl_certs:/usr/share/wazuh-dashboard/config/ssl_certs
    ports:
    - 443:5601
    environment:
    - "DASHBOARD_USERNAME=wz_kibana"
    - "DASHBOARD_PASSWORD=YJnwCuSqznVu8Z3tQeBB6rdF3Mc63Qmz"
    - "SERVER_SSL_ENABLED=true"
    - "SERVER_SSL_CERTIFICATE=/usr/share/wazuh-dashboard/config/ssl_certs/wazuh.dashboard.pem"
    - "SERVER_SSL_KEY=/usr/share/wazuh-dashboard/config/ssl_certs/wazuh.dashboard.pem"
    - "WAZUH_API_URL=https://wazuh.manager"
    - "API_USERNAME=wazuh-wui"
    - "API_PASSWORD=MyS3cr37P450r-"
    depends_on:
    - wazuh.indexer
    hostname: wazuh.dashboard
    logging:
    driver: "json-file"
    options:
        max-size: "50m"
        max-file: "4"

Wazuh dashboard logs:

An OpenSearch Dashboards keystore already exists. Overwrite? [y/N] Setting opensearch.username already exists, exiting without modifying keystore.
Setting opensearch.password already exists, exiting without modifying keystore.
{"type":"log","@timestamp":"2022-06-10T14:48:13Z","tags":["info","plugins-service"],"pid":43,"message":"Plugin \"visTypeXy\" is disabled."}
{"type":"log","@timestamp":"2022-06-10T14:48:14Z","tags":["info","plugins-system"],"pid":43,"message":"Setting up [42] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,securityDashboards,reportsDashboards,indexManagementDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,timeline,visTypeTable,visTypeMarkdown,tileMap,regionMap,inputControlVis,ganttChartDashboards,visualize,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,discover,wazuh,savedObjectsManagement,bfetch]"}
{"type":"log","@timestamp":"2022-06-10T14:48:14Z","tags":["info","savedobjects-service"],"pid":43,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
{"type":"log","@timestamp":"2022-06-10T14:48:14Z","tags":["error","opensearch","data"],"pid":43,"message":"[ConnectionError]: connect ECONNREFUSED 172.21.0.4:9200"}
{"type":"log","@timestamp":"2022-06-10T14:48:15Z","tags":["error","savedobjects-service"],"pid":43,"message":"Unable to retrieve version information from OpenSearch nodes."}
{"type":"log","@timestamp":"2022-06-10T14:48:17Z","tags":["error","opensearch","data"],"pid":43,"message":"[ConnectionError]: connect ECONNREFUSED 172.21.0.4:9200"}
{"type":"log","@timestamp":"2022-06-10T14:48:19Z","tags":["error","opensearch","data"],"pid":43,"message":"[ConnectionError]: connect ECONNREFUSED 172.21.0.4:9200"}
{"type":"log","@timestamp":"2022-06-10T14:48:22Z","tags":["error","opensearch","data"],"pid":43,"message":"[ConnectionError]: connect ECONNREFUSED 172.21.0.4:9200"}
{"type":"log","@timestamp":"2022-06-10T14:48:24Z","tags":["error","opensearch","data"],"pid":43,"message":"[ConnectionError]: connect ECONNREFUSED 172.21.0.4:9200"}
{"type":"log","@timestamp":"2022-06-10T14:48:27Z","tags":["error","opensearch","data"],"pid":43,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-06-10T14:48:29Z","tags":["error","opensearch","data"],"pid":43,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-06-10T14:48:32Z","tags":["error","opensearch","data"],"pid":43,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-06-10T14:48:35Z","tags":["error","opensearch","data"],"pid":43,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-06-10T14:48:37Z","tags":["error","opensearch","data"],"pid":43,"message":"[ResponseError]: Response Error"}

[jplangford]

I should also mention that this is a single node cluster. If that was not already obvious.

[vcerenu]

Hello @jplangford

I would need to know if this error is the only one that is generated in order to verify the status of the stack. Could you attach the logs of the 3 containers to see what happens at the beginning?

The images you are using I see that you get them from another repository, are these the same as the official ones pushed to your own repository or do they have any changes?

Regarding the configurations, are you attaching the opensearch.yml and opensearch_dashboards.yml files on the volumes? Or are you just passing the settings through environment variables? If you are using the configuration files, could you attach them?

Also know what certificates you are using, if they are self-signed and created by the script we provide, know if you are using the same .yml that we provide, with the corresponding ip or dns.

[jplangford]

Hi @vcerenu, thank you for your reply.

Please find attached the logs from the containers (logs.tar.gz). The wazuh container log was full of errors like this one:

2022-06-14T09:02:30.731Z        WARN    [elasticsearch] elasticsearch/client.go:408     Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc0a23189267cfe23, ext:84823491, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"2c2e9223-07a7-439c-a63d-4d86155275ef","hostname":"wazuh.manager","id":"46b7957e-2fd5-4748-aa0f-360ad613e474","name":"wazuh.manager","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-4.x-"},"fileset":{"name":"alerts"},"host":{"name":"wazuh.manager"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":3941977},"message":"{\"timestamp\":\"2022-06-14T09:01:41.383+0000\",\"rule\":{\"level\":7,\"description\":\"New dpkg (Debian Package) installed.\",\"id\":\"2902\",\"firedtimes\":1,\"mail\":false,\"groups\":[\"syslog\",\"dpkg\",\"config_changed\"],\"pci_dss\":[\"10.6.1\",\"10.2.7\"],\"gpg13\":[\"4.10\"],\"gdpr\":[\"IV_35.7.d\"],\"hipaa\":[\"164.312.b\"],\"nist_800_53\":[\"AU.6\",\"AU.14\"],\"tsc\":[\"CC7.2\",\"CC7.3\",\"CC6.8\",\"CC8.1\"]},\"agent\":{\"id\":\"001\",\"name\":\"dev-wazuh-manager\",\"ip\":\"192.168.1.2\"},\"manager\":{\"name\":\"wazuh.manager\"},\"id\":\"1655197301.6521556\",\"full_log\":\"2022-06-14 09:01:40 status installed google-cloud-ops-agent:amd64 2.16.0~ubuntu20.04\",\"decoder\":{\"name\":\"dpkg-decoder\"},\"data\":{\"dpkg_status\":\"status installed\",\"package\":\"google-cloud-ops-agent\",\"arch\":\"amd64\",\"version\":\"2.16.0~ubuntu20.04\"},\"location\":\"/var/log/dpkg.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::7078029-2064", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0008336c0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:3942753, Timestamp:time.Time{wall:0xc0a23189267137f5, ext:84051861, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x6c008d, Device:0x810}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"illegal_argument_exception","reason":"mapper [decoder.name] cannot be changed from type [keyword] to [text]"}

However I have redacted them as they have details of our network I am prohibited from sharing.

The images I am using, I download from the official repository and push to our own, there are no modifications. They are simply retagged.

I am using configuration files. The certificates I am using are not generated using your container. I had issues with it a few days back which turned out to be a kernel bug. But by the time I realised that was what was happening, I had rewritten the logic to generate the certificates in Ansible. I would prefer to keep the logic outside containers due to complexities of our environment which I won't bore you with.

I have tar'ed up a development system's configuration for your perusal, please find it attached (config.tar.gz).

Thanks again.

[jplangford]

logs.tar.gz config.tar.gz

[vcerenu]

Hello

We should check if the Wazuh templates are inserted in indexer: curl -XGET "https://wazuh.indexer:9200/_cat/templates" -u admin:<admin_password> -k -s

I was checking the configuration files and within the opensearch.yml file you don't have full paths to the location of the certificates. Inside the file that we add to the deployment we use the environment variable $OPENSEARCH_PATH_CONF, which contains the path of the configuration files:

plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.pem
plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.key
plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.pem
plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.key
plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem

I ask you to check this in your opensearch.yml file and check if the dn is correct.

[jplangford]

Hello again,

Here is the output from the curl command, I think this says that it has loaded the template?

jonathan.langford@dev-wazuh-manager:~$ curl -XGET "https://wazuh.indexer:9200/_cat/templates" -u 'admin:<admin_password>' -k -s
wazuh-statistics [wazuh-statistics-*]                       0   
wazuh            [wazuh-alerts-4.x-*, wazuh-archives-4.x-*] 0 1 
wazuh-agent      [wazuh-monitoring-*]                       0

And here is the diff against the opensearch.yml file per your suggestion:

jonathan.langford@dev-wazuh-manager:~$ sudo diff /data/elasticsearch/config/opensearch.yml /data/elasticsearch/config/opensearch.yml.bak
17,19c17,19
< plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.pem
< plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.key
< plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
---
> plugins.security.ssl.transport.pemcert_filepath: ssl_certs/wazuh.indexer.pem
> plugins.security.ssl.transport.pemkey_filepath: ssl_certs/wazuh.indexer.key
> plugins.security.ssl.transport.pemtrustedcas_filepath: ssl_certs/root-ca.pem
22,24c22,24
< plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.pem
< plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.key
< plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
---
> plugins.security.ssl.http.pemcert_filepath: ssl_certs/wazuh.indexer.pem
> plugins.security.ssl.http.pemkey_filepath: ssl_certs/wazuh.indexer.key
> plugins.security.ssl.http.pemtrustedcas_filepath: ssl_certs/root-ca.pem
jonathan.langford@dev-wazuh-manager:~$ 

Unfortunately it is still saying the same thing :(

Here are the DNs from the certificates:

jonathan.langford@dev-wazuh-manager:~$ for cert in `ls /data/elasticsearch/ssl_certs/*.pem`; do echo $cert; openssl x509 -in $cert -noout -text | grep Subject | head -1 ; done
/data/elasticsearch/ssl_certs/admin.pem
        Subject: DC = com, DC = acme, O = my_gcp_project_id, OU = DevOps, CN = admin
/data/elasticsearch/ssl_certs/filebeat.pem
        Subject: DC = com, DC = acme, O = my_gcp_project_id, OU = DevOps, CN = filebeat
/data/elasticsearch/ssl_certs/root-ca.pem
        Subject: DC = com, DC = acme, O = my_gcp_project_id, OU = CA, CN = root-ca
/data/elasticsearch/ssl_certs/wazuh.dashboard.pem
        Subject: DC = com, DC = acme, O = my_gcp_project_id, OU = DevOps, CN = wazuh.dashboard
/data/elasticsearch/ssl_certs/wazuh.indexer.pem
        Subject: DC = com, DC = acme, O = my_gcp_project_id, OU = DevOps, CN = wazuh.indexer
/data/elasticsearch/ssl_certs/wazuh.manager.pem
        Subject: DC = com, DC = acme, O = my_gcp_project_id, OU = DevOps, CN = wazuh.manager

[vcerenu]

Hello @jplangford

In the opensearch.yml file I see that you have two indexer nodes configured:

plugins.security.nodes_dn:
-CN=wazuh.indexer,OU=DevOps,O=my_gcp_project_id,DC=acme,DC=com
-CN=filebeat,OU=DevOps,O=my_gcp_project_id,DC=acme,DC=com

but you have discovery.type: single-node, is this configuration like this for something special?

I also see that it is missing parameters from the configuration file that we use in the deployment, did you eliminate them for something special? all the configurations that we add to the opensearch.yml file are necessary

Could you try to start your environment with the single-node/config/wazuh_indexer/wazuh.indexer.yml file from thewazuh-docker repository? You should modify the paths of the certificates and the corresponding dn

[jplangford]

Hi @vcerenu ,

That appears to have done the trick. There are no indexing errors in the wazuh-indexer container logs or in the wazuh-manager output and the various screens in the Wazuh UI now actually populate with data. I confess to being entirely perplexed. I have no idea why what you've suggested has fixed it. Here is the opensearch.yml file for future reference:

jonathan.langford@dev-wazuh-manager:~$ cat /data/elasticsearch/config/opensearch.yml
network.host: "0.0.0.0"
node.name: "wazuh.indexer"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
discovery.type: single-node
compatibility.override_main_response_version: true
plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.pem
plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.key
plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.pem
plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.key
plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
- CN=admin,OU=DevOps,O=my_gcp_project_id,DC=acme,DC=com
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- CN=wazuh.indexer,OU=DevOps,O=my_gcp_project_id,DC=acme,DC=com
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

[jplangford]

Hello,

This issue is resolved so I'm closing it. Thank you again for your assistance.

I have confirmed that removing the compatibility.override_main_response_version setting from the opensearch.yml file is sufficient to reproduce this. It appears to be related to https://github.com/opensearch-project/OpenSearch/issues/667 and https://github.com/opensearch-project/OpenSearch/issues/693.

So in summary if you are running containerised Wazuh with the opensearch.yml file mounted from the host filesystem and you see that events are not being indexed then check for the stack traces I've listed in the wazuh.indexer docker container log output.

If you see them then the chances are you've not included the compatibility.override_main_response_version setting in the opensearch.yml.

Thanks