Just before the New Year I suddenly found that Elastic could no longer show any event records coming from Wazuh. Since I had never used Wazuh before,
all I can do is collect the error messages as best I can and ask everyone here, in the hope of getting a complete solution.
The error messages I collected are as follows:
Dec 29, 2021 @ 12:55:00 ERROR Error searching or creating 'wazuh-statistics-2021.53w' due to 'validation_exception'
Dec 29, 2021 @ 12:55:00 ERROR Error searching or creating 'wazuh-statistics-2021.53w' due to 'validation_exception'
Dec 29, 2021 @ 13:00:01 ERROR Error searching or creating 'wazuh-statistics-2021.53w' due to 'validation_exception'
Dec 29, 2021 @ 13:00:01 ERROR Error searching or creating 'wazuh-statistics-2021.53w' due to 'validation_exception'
Dec 29, 2021 @ 13:00:01 ERROR Could not create wazuh-monitoring-2021.12.29 index on elasticsearch due to validation_exception
Dec 29, 2021 @ 13:00:01 ERROR index_not_found_exception
Dec 29, 2021 @ 14:44:52.000 ossec-integratord ERROR Unable to run integration for custom-iplfeishu -> /var/ossec/integrations/custom-iplfeishu
Dec 29, 2021 @ 14:44:52.000 ossec-integratord ERROR While running custom-iplfeishu -> /var/ossec/integrations/custom-iplfeishu. Output: KeyError: 'syscheck'
Dec 29, 2021 @ 14:44:52.000 ossec-integratord ERROR Exit status was: 1
Dec 29, 2021 @ 14:44:34.000 wazuh-modulesd:syscollector INFO Evaluation finished.
Dec 29, 2021 @ 14:44:26.000 wazuh-modulesd:syscollector INFO Starting evaluation.
Rationale
Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it.
Remediation
Edit or create a file in the /etc/modprobe.d/ directory ending in .conf. Example: vim /etc/modprobe.d/cramfs.conf and add the following line: install cramfs /bin/true. Run the following command to unload the cramfs module: rmmod cramfs
Description
The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.
Checks (Condition: all)
c:modprobe -n -v cramfs -> r:install /bin/true|Module cramfs not found
not c:lsmod -> r:cramfs
Rationale
Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
Remediation
Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install squashfs /bin/true. Run the following command to unload the squashfs module: rmmod squashfs
Description
The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image.
Checks (Condition: all)
c:modprobe -n -v squashfs -> r:install /bin/true|Module squashfs not found
not c:lsmod -> r:squashfs
On the server:
[admin@Wazuh-manager usr]$ service --status-all
● cfn-hup.service - SYSV: Runs user-specified actions when a
Loaded: loaded (/etc/rc.d/init.d/cfn-hup; bad; vendor preset: disabled)
Active: inactive (dead)
Docs: man:systemd-sysv-generator(8)
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2021-06-24 20:55:07 CST; 6 months 5 days ago
Docs: https://www.elastic.co/products/beats/filebeat
Main PID: 16173 (filebeat)
Tasks: 10
Memory: 24.9M
CGroup: /system.slice/filebeat.service
└─16173 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/lo...
kibana is not running
netconsole module not loaded
Configured devices:
lo eth0
Currently active devices:
lo eth0 docker0
/etc/init.d/wazuh-manager: line 17: /etc/ossec-init.conf: Permission denied
[admin@Wazuh-manager usr]$
[admin@Wazuh-manager usr]$
[admin@Wazuh-manager usr]$
[admin@Wazuh-manager usr]$ service --status-all | grep running
Active: active (running) since Thu 2021-06-24 20:55:07 CST; 6 months 5 days ago
kibana is not running
/etc/init.d/wazuh-manager: line 17: /etc/ossec-init.conf: Permission denied
[admin@Wazuh-manager usr]$
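The "KeyError: 'syscheck'" in the ossec-integratord lines above is the symptom of an integration script that indexes alert['syscheck'] on every alert it receives, although only file-integrity (syscheck) alerts carry that section; any other alert then crashes the script and the manager logs "Exit status was: 1". The following is an added example, not the original poster's custom-iplfeishu script (whose contents are not on the page): a custom integration skeleton that reads the alert file the manager passes as its first argument (the documented Wazuh convention is alert file, API key, hook URL) and tolerates missing sections. The two sample alerts are constructed, and delivery to the webhook is left out so the script runs offline.

```python
#!/usr/bin/env python3
"""Defensive skeleton for a Wazuh custom integration (e.g. a Feishu webhook).

Added example, not the custom-iplfeishu script from the thread. Every optional
section of the alert is read with .get(), so a non-FIM alert (no 'syscheck'
key) produces a notification instead of a KeyError.
"""
import json
import sys
from typing import Any, Dict, List, Optional


def build_message(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Turn one Wazuh alert into a flat notification payload."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    syscheck = alert.get("syscheck")  # None unless this is a FIM alert

    msg = {
        "title": rule.get("description", "Wazuh alert"),
        "level": rule.get("level"),
        "rule_id": rule.get("id"),
        "agent": agent.get("name", "unknown"),
        "timestamp": alert.get("timestamp"),
    }
    if syscheck is not None:
        # File-integrity alerts: report which file changed and how
        msg["file"] = syscheck.get("path")
        msg["event"] = syscheck.get("event")
    else:
        # Everything else: fall back to the raw log line, truncated
        msg["log"] = alert.get("full_log", "")[:500]
    return msg


def load_alert(path: str) -> Optional[Dict[str, Any]]:
    """Read the alert file the manager passes as argv[1]; None if unreadable."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, ValueError) as exc:
        print(f"could not read alert file {path}: {exc}", file=sys.stderr)
        return None


def main(argv: List[str]) -> int:
    # Wazuh invokes the script as: <script> <alert_file> <api_key> <hook_url>
    if len(argv) < 4:
        print("usage: custom-integration ALERT_FILE API_KEY HOOK_URL", file=sys.stderr)
        return 2
    alert = load_alert(argv[1])
    if alert is None:
        return 1
    payload = build_message(alert)
    # Posting `payload` to the hook URL (argv[3]) is left to the real
    # integration; here the payload is only printed.
    print(json.dumps(payload, ensure_ascii=False))
    return 0


# Constructed sample alerts for offline testing (not real events)
FIM_ALERT = {
    "timestamp": "2021-12-29T14:44:52.000+0800",
    "rule": {"level": 7, "description": "Integrity checksum changed.", "id": "550"},
    "agent": {"id": "001", "name": "web-01"},
    "syscheck": {"path": "/etc/passwd", "event": "modified"},
}
LOG_ALERT = {
    "timestamp": "2021-12-29T14:44:00.000+0800",
    "rule": {"level": 5, "description": "sshd: authentication failed.", "id": "5716"},
    "agent": {"id": "002", "name": "db-01"},
    "full_log": "Dec 29 14:44:00 db-01 sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 50000 ssh2",
}

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running the manager's own invocation against a non-FIM alert now yields a payload with a "log" field instead of a traceback, so the integration keeps firing for every alert that matches its configured rule or level filter.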
Could not create wazuh-monitoring-2021.12.29 index on elasticsearch due to validation_exception
There are Chinese characters in the config file, which produces garbled text; it is mainly an encoding-format problem?
That is the first problem!
Could not create wazuh-monitoring-2021.12.29 index on elasticsearch due to validation_exception
What is on line 17 of this file? /etc/init.d/wazuh-manager: line 17: /etc/ossec-init.conf: Permission denied
For "Dec 29, 2021 @ 13:00:01 ERROR Could not create wazuh-monitoring-2021.12.29 index on elasticsearch due to validation_exception", check whether it is a version mismatch between Elasticsearch and Kibana.
For "/etc/init.d/wazuh-manager: line 17: /etc/ossec-init.conf: Permission denied", you can try the following:
Add a separate group and a separate user, and grant them permissions
groupadd elsearch
useradd elsearch -g elsearch
chown -R elsearch:elsearch elasticsearch-5.6.3
su elsearch
passwd elsearch
For the permission problem, check whether the privacy policy has been updated, and try running the relevant operations in the background.
If anyone has time, it would be best to message me privately and remote in; I honestly know nothing about this...
Run the following in Kibana -> Dev Tools -> Console tab:
PUT /_cluster/settings
{
  "persistent": {
    "cluster": {
      "max_shards_per_node": 10000
    }
  }
}
and also grant the wazuh user permissions
Granting permissions to the wazuh user is correct
See https://www.elastic.co/cn/blog/improve-security-analytics-with-the-elastic-stack-wazuh-and-ids
The first exception occurs in an invalid
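Raising cluster.max_shards_per_node as in the reply above only helps when the validation_exception is the cluster shard limit being hit, which is one common cause when a daily wazuh-monitoring-* or weekly wazuh-statistics-* index cannot be created. As an added example (not code from the thread), this Python snippet reads the responses of GET _cluster/health and GET _cluster/settings, works out how much headroom remains under max_shards_per_node * number_of_data_nodes, and builds the same settings body as a JSON document. The two response documents below are constructed samples, and the open-shard count is approximated from the health counters rather than taken from cluster metadata.

```python
"""Shard-limit headroom check for an Elasticsearch cluster.

Added example, not from the thread. SAMPLE_HEALTH and SAMPLE_SETTINGS are
constructed to look like GET _cluster/health and GET _cluster/settings
responses; in practice you would feed the real JSON into the same functions.
"""
import json
from typing import Any, Dict, Optional

DEFAULT_MAX_SHARDS_PER_NODE = 1000  # Elasticsearch default when unset
SETTING = "cluster.max_shards_per_node"


def _lookup(section: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Read a setting from a _cluster/settings section, accepting both the
    nested form {"cluster": {"max_shards_per_node": "10000"}} and the flat
    form {"cluster.max_shards_per_node": "10000"} (flat_settings=true)."""
    if dotted in section:
        return section[dotted]
    node: Any = section
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def max_shards_per_node(cluster_settings: Dict[str, Any]) -> int:
    """Effective limit: transient overrides persistent, which overrides the default.
    Elasticsearch returns the value as a string, hence the int()."""
    for scope in ("transient", "persistent"):
        value = _lookup(cluster_settings.get(scope, {}), SETTING)
        if value is not None:
            return int(value)
    return DEFAULT_MAX_SHARDS_PER_NODE


def shard_headroom(health: Dict[str, Any], cluster_settings: Dict[str, Any]) -> Dict[str, int]:
    """Compare open shards with the cluster-wide limit.

    The limit is max_shards_per_node * number_of_data_nodes and covers every
    shard of every open index (primaries and replicas). Approximation: open
    shards are taken as active + initializing + unassigned from _cluster/health.
    """
    limit = max_shards_per_node(cluster_settings) * int(health["number_of_data_nodes"])
    open_shards = (
        int(health["active_shards"])
        + int(health.get("initializing_shards", 0))
        + int(health.get("unassigned_shards", 0))
    )
    return {"limit": limit, "open_shards": open_shards, "headroom": limit - open_shards}


def settings_body(new_limit: int) -> Dict[str, Any]:
    """The PUT _cluster/settings request body from the reply, as a document."""
    return {"persistent": {"cluster": {"max_shards_per_node": new_limit}}}


# Constructed samples: a single-node cluster almost at the default limit
SAMPLE_HEALTH = {
    "cluster_name": "wazuh-es",
    "status": "yellow",
    "number_of_nodes": 1,
    "number_of_data_nodes": 1,
    "active_primary_shards": 985,
    "active_shards": 985,
    "relocating_shards": 0,
    "initializing_shards": 0,
    "unassigned_shards": 10,
}
SAMPLE_SETTINGS = {
    "persistent": {"cluster": {"max_shards_per_node": "1000"}},
    "transient": {},
}

if __name__ == "__main__":
    before = shard_headroom(SAMPLE_HEALTH, SAMPLE_SETTINGS)
    print("current:", before)
    if before["headroom"] < 20:
        print("near the shard limit; settings body to apply:")
        print(json.dumps(settings_body(10000), indent=2))
        print("after:", shard_headroom(SAMPLE_HEALTH, settings_body(10000)))
```

A headroom of only a few shards on a single data node explains why a new daily index (one primary plus any replicas) fails at creation time; raising the limit buys time, while the longer-term fix is to keep fewer open Wazuh indices (closing or deleting old wazuh-monitoring-* and wazuh-statistics-* indices, or lowering their shard and replica counts).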