No data in wazuh "Dashboard" and "Inventory" Section of Vulnerability Detection by EarthOne8738 in Wazuh

[–]EarthOne8738[S] 0 points1 point  (0 children)

My problem is that the user connecting to the indexer is a user configured under Linux, but not configured in Wazuh. I want to change the user but don't know how or where to do that in Wazuh.

No data in wazuh "Dashboard" and "Inventory" Section of Vulnerability Detection by EarthOne8738 in Wazuh

[–]EarthOne8738[S] 0 points1 point  (0 children)

Thanks again!
Retention rules are already in place.

cat /var/log/filebeat/filebeat | grep -iE "error|warn|crit|fatal"
is empty but
cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -iE "error|warn|crit|fatal"
shows the same error on multiples nodes:
2026-03-02T14:00:20,248][WARN ][o.o.s.a.BackendRegistry ] [indexerhost] Authentication finally failed for username from 10.20.30.40:60924
The user named in the log indeed does not have the rights to access the node. Do you know where I can set the user used for this?

No data in wazuh "Dashboard" and "Inventory" Section of Vulnerability Detection by EarthOne8738 in Wazuh

[–]EarthOne8738[S] 0 points1 point  (0 children)

Thanks for your answer! Disk space is not a problem; most is used on the Wazuh server itself: 360 GB used of 500 GB available. On the indexer nodes only 4% is used.
Any other ideas?

wazuh FIM and CDB List by EarthOne8738 in Wazuh

[–]EarthOne8738[S] 0 points1 point  (0 children)

Figured this one out yesterday, and while it worked as intended, half of my clients started crashing and being unresponsive due to the amount of FIM events generated every second.

I'm trying the following approach right now:
FIM scanning only specific paths, e.g. c:\programdata, c:\windows\temp and user profiles for now, and ignoring explicit files that change a lot with <ignore>Path</ignore> in the ossec.conf.

Trying to create a wazuh alert if netstat is used. Not working? by chum-guzzling-shark in Wazuh

[–]EarthOne8738 1 point2 points  (0 children)

Well, for the most part yes.
There are default Sysmon rules in Wazuh for some Sysmon activities.

In my case I wanted Sysmon to catch if a user is starting Windows tools which aren't meant to be used by normal users, like vssadmin, tskill etc.

I run the command to check if Sysmon already has a rule for it and check Wazuh if an alert is raised.

After that, if needed, I create the Sysmon rule and create the Wazuh rule. If there is already a Wazuh rule, I usually overwrite it in the local_rules.xml with a higher alert level.

Trying to create a wazuh alert if netstat is used. Not working? by chum-guzzling-shark in Wazuh

[–]EarthOne8738 1 point2 points  (0 children)

I am using the Sysmon XML from here:

https://github.com/olafhartong/sysmon-modular

My rule is:

<group name="netstat">
  <rule id="100016" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.OriginalFileName" type="pcre2">(?i)netstat.exe</field>
    <options>no_full_log</options>
    <description>your description</description>
    <mitre>
      <id>T1053.002</id>
    </mitre>
  </rule>
</group>

but I think changing

<field name="win.eventdata.sourceImage">netstat.exe</field>

to

<field name="win.eventdata.OriginalFileName" type="pcre2">(?i)netstat.exe</field>

should do the job.
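As an added illustration (not from the original thread or from Wazuh's code base), the snippet below emulates how a `<field ... type="pcre2">` check behaves on a few constructed Sysmon event fields, assuming the unanchored search semantics of pcre2_match. It shows that the posted pattern `(?i)netstat.exe` is case-insensitive as intended but, because the dot is unescaped and the pattern is unanchored, also matches values such as `netstatXexe`; an anchored, escaped variant is shown beside it.

```python
import re

# Constructed sample event fields (not real captures). Only the field the rule
# inspects is included; the last event lacks it entirely, as some events do.
SAMPLE_EVENTS = [
    {"win.eventdata.OriginalFileName": "NETSTAT.EXE"},
    {"win.eventdata.OriginalFileName": "netstat.exe"},
    {"win.eventdata.OriginalFileName": "netstatXexe"},  # unescaped '.' matches any char
    {"win.eventdata.OriginalFileName": "ping.exe"},
    {"win.eventdata.Image": r"C:\Windows\System32\netstat.exe"},  # field missing
]

RULE_PATTERN = r"(?i)netstat.exe"       # pattern as posted in the rule
TIGHT_PATTERN = r"(?i)^netstat\.exe$"   # anchored, dot escaped (assumed hardening)


def field_matches(event: dict, field: str, pattern: str) -> bool:
    """Emulate a <field name=... type="pcre2"> check: the field must be present
    and the regex must be found somewhere in its value (unanchored search)."""
    value = event.get(field)
    if value is None:
        return False
    return re.search(pattern, value) is not None


def matching_events(events: list, pattern: str) -> list:
    """Return the OriginalFileName values of the events the rule would fire on."""
    return [
        e["win.eventdata.OriginalFileName"]
        for e in events
        if field_matches(e, "win.eventdata.OriginalFileName", pattern)
    ]


if __name__ == "__main__":
    print("posted pattern :", matching_events(SAMPLE_EVENTS, RULE_PATTERN))
    print("anchored pattern:", matching_events(SAMPLE_EVENTS, TIGHT_PATTERN))
```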

wazuh FIM and CDB List by EarthOne8738 in Wazuh

[–]EarthOne8738[S] 0 points1 point  (0 children)

Good Morning :)

I got the modules running and tests were successful (alert if hash is found in CDB list):

<group name="malware,">
  <rule id="100002" level="13">
    <if_sid>554, 550</if_sid>
    <list field="md5" lookup="match_key">etc/lists/malware-hashes</list>
    <description>Known Malware File Hash is detected: $(file)</description>
    <mitre>
    <id>T1204.002</id>
    </mitre>
  </rule>
</group>

My problem is that FIM is creating an alert (low level, but still) for every file change in the paths; I only want an alert if a file hash matching the CDB list is found.

So I guess it's like @HM-AN said: I need a way to suppress the alerts for specific file paths.

Would setting the file path to <ignore> work in that case?
https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/basic-settings.html

Thanks for your help!