How to Fix Missing Statistics in Wazuh Dashboard

The Wazuh Dashboard is the primary visibility layer for security monitoring across endpoints, cloud workloads, and network telemetry collected by Wazuh.

It aggregates data such as agent health, security alerts, file integrity monitoring (FIM) events, vulnerability detection results, and compliance posture metrics into visual widgets powered by OpenSearch.

Typical dashboard statistics include:

  • Active and disconnected agent counts
  • Alert volume trends (by severity and rule groups)
  • File integrity monitoring events (changes, deletions, additions)
  • Compliance mappings (PCI DSS, NIST, CIS benchmarks)
  • Endpoint and server-level security summaries

When these statistics go missing, or appear partially loaded, the issue is not cosmetic.

It represents a breakdown in the observability pipeline, often between ingestion, indexing, and visualization layers.

“Missing statistics” is critical because it creates false assurance of system health. Security teams may assume no alerts are being generated, when in reality data may be delayed, unindexed, or filtered out.

In production environments, this can result in:

  • Undetected security incidents due to incomplete alert visibility
  • Blind spots in endpoint coverage (agents appearing inactive when they are not)
  • Misleading compliance dashboards that show partial or outdated posture
  • Delayed incident response due to missing or lagging telemetry

This issue is often rooted in OpenSearch indexing behavior or pipeline congestion.

According to the OpenSearch Documentation on Indexing, ingestion delays or shard allocation failures can directly impact downstream aggregation and dashboard rendering.

For background on ingestion pipeline design, Wazuh’s official documentation also highlights the dependency chain between manager → indexer → dashboard.



What “Missing Statistics” Means in Wazuh

“Missing statistics” in the Wazuh Dashboard does not always indicate data loss.

In most cases, it reflects a breakdown in aggregation, indexing, or visualization queries rather than absence of raw telemetry.

Common manifestations include:

Missing agent counts

The dashboard may show zero or significantly reduced active agents even though endpoints are connected.

This typically points to query or index pattern issues rather than agent failures.

Missing alerts or event graphs

Security alerts may still exist in indices but fail to populate visual widgets such as timelines, severity charts, or rule distribution graphs.

Empty or partially loaded dashboard widgets

Widgets may load indefinitely or display “no data available” even when indices contain relevant documents.

Delayed or incomplete data in visualizations

Charts may show time gaps or inconsistent event volumes caused by ingestion lag or refresh interval misalignment.

Differences between raw index data and the dashboard aggregation layer

A key diagnostic distinction:

  • Raw index data (OpenSearch indices): may be fully populated
  • Dashboard layer (aggregations/queries): may fail due to:
    • incorrect query filters
    • broken saved searches
    • index pattern mismatch
    • RBAC filtering restrictions

This divergence is common in OpenSearch-based architectures where visualization depends heavily on query-time aggregation rather than direct index reads.



Common Causes of Missing Statistics in Wazuh Dashboard

Missing statistics typically arise from issues across ingestion, indexing, manager health, or visualization configuration layers.

OpenSearch Indexing Issues

Since Wazuh relies on OpenSearch as its backend datastore, indexing problems are one of the most frequent causes.

Typical issues include:

  • Broken or missing wazuh-alerts-* indices
    Alerts may not be indexed due to pipeline failures or disk pressure.
  • Index lifecycle policy misconfiguration
    Improper rollover or retention policies may delete or freeze active indices.
  • Shards in red/yellow state
    Unassigned shards prevent complete aggregation and lead to missing dashboard data.

When shard allocation fails, OpenSearch may still accept writes but fail to serve complete queries, resulting in partial statistics.

Related Guide: How to Fix a Yellow Cluster Status in Wazuh Indexer

Data Ingestion Delays

Even when indexing is functional, ingestion delays can distort dashboard statistics.

Common causes:

  • High load on Wazuh manager
    Rule evaluation bottlenecks delay event forwarding.
  • Log forwarding bottlenecks
    Filebeat or agent buffers may backlog under high throughput.
  • Queue backlog in pipeline components
    Events may accumulate in buffers before being indexed.

In high-volume environments, even a few minutes of delay can make dashboards appear empty or inconsistent.

Wazuh Manager or Agent Issues

Missing statistics may originate upstream at the endpoint layer.

Key scenarios:

  • Agents disconnected or in “never connected” state
    Leads to missing agent counts and incomplete endpoint visibility.
  • Stopped or degraded manager service
    Event processing halts, breaking downstream ingestion.
  • Time drift between agents and manager
    Events may fall outside expected time windows, causing them to disappear from time-based queries.

Related Guide: Wazuh Agent Not Connecting to Manager? 12 Proven Fixes

Dashboard or Index Pattern Misconfiguration

Visualization layer misconfiguration is a frequent and underdiagnosed cause.

Common issues include:

  • Incorrect index patterns (e.g., missing wazuh-*)
    Widgets query empty datasets.
  • Missing refresh interval settings
    Dashboards appear stale even when data is flowing.
  • Broken saved searches or visualizations
    Updates or upgrades can invalidate saved objects.

This is especially common after Wazuh version upgrades or dashboard migrations.

Related Guide: How to Fix “Wazuh Dashboard Server Is Not Ready Yet” (Step-by-Step)

OpenSearch / Wazuh App Compatibility Issues

Version mismatches between components often produce silent data inconsistencies.

Key causes:

  • Wazuh manager, indexer, and dashboard version mismatch
    Can break API responses used by dashboard widgets.
  • Plugin upgrade issues
    Incomplete or partial upgrades may corrupt visualization logic.
  • Broken API responses affecting stats widgets
    Dashboard relies on API endpoints for computed metrics, not just raw indices.

Incompatibility issues are especially common during rolling upgrades.

Authentication / RBAC Filtering

Role-based access control can unintentionally hide statistics.

Typical scenarios:

  • User roles restricting index visibility
    Some agents or alert indices are excluded from queries.
  • API-level filtering hiding data unintentionally
    Dashboard widgets may receive partial datasets.
  • Index-level permissions mismatch
    Users may see empty dashboards even though data exists.

This is often mistaken for ingestion failure when it is actually a permissions issue.

Related Guide: Troubleshooting Wazuh RBAC


Step-by-Step Troubleshooting Checklist

When “Missing Statistics in Wazuh Dashboard” occurs, the fastest way to isolate the issue is to validate each layer of the Wazuh pipeline: indexer → manager → agents → dashboard → API.

The goal is to determine where data stops flowing or becomes inaccessible.

Verify Index Health in OpenSearch

Start with OpenSearch, since dashboard statistics depend entirely on indexed data.

Key checks:

  • Check cluster health (green/yellow/red)
    A non-green cluster often indicates shard allocation issues that directly impact dashboards.
  • Inspect wazuh-alerts-* indices
    Ensure indices exist and are actively receiving documents. Missing or stale indices usually explain empty widgets.
  • Confirm document ingestion rate
    A sudden drop in indexing throughput often signals pipeline or manager issues rather than visualization problems.

Related Guide: How to Fix a Yellow Cluster Status in Wazuh Indexer

Validate Wazuh Manager Status

If indexing looks healthy, move upstream to the manager layer.

Checks:

  • Ensure manager service is running
    Confirm the service is active and not restarting or crashing.
  • Review /var/ossec/logs/ossec.log
    Look for:
    • rule evaluation delays
    • queue overflow messages
    • decoding errors
    • dropped events
  • Check for queue saturation or dropped events
    A saturated queue causes delayed or missing statistics in the dashboard even if agents are active.

Related Guide: How to Fix Wazuh Active-Response Error 1204

Check Agent Connectivity

Missing statistics often come from endpoint-level disconnections.

Validate:

  • List active vs disconnected agents
    Identify whether agent counts match expectations.
  • Validate last keepalive timestamps
    Agents with stale timestamps may still appear “active” but stop sending events.
  • Restart agents if needed
    In some cases, re-establishing the connection restores event flow immediately.

Related Guide: Wazuh Agent Not Connecting to Manager? 12 Proven Fixes

Inspect Dashboard Index Patterns

Even with healthy data ingestion, dashboard misconfiguration can hide statistics.

Steps:

  • Confirm correct index patterns (e.g., wazuh-alerts-*)
    A mismatch will result in empty visualizations.
  • Refresh field list
    Ensure new fields introduced by updates are available to the dashboard.
  • Recreate broken index patterns
    Corrupted saved objects often occur after upgrades or partial migrations.

Related Guide: How to Fix “Wazuh Dashboard Server Is Not Ready Yet” (Step-by-Step)

Test Data Flow End-to-End

This step validates the entire pipeline.

Actions:

  • Generate test alerts
    Trigger known rules (e.g., failed SSH login attempts).
  • Confirm ingestion into OpenSearch
    Verify documents appear in wazuh-alerts-* indices.
  • Validate visualization updates
    Ensure dashboards reflect new events within expected refresh intervals.

This step helps isolate whether the issue is ingestion, indexing, or visualization.

Review API and Plugin Logs

If everything upstream looks correct, focus on API and dashboard layer issues.

Check:

  • Wazuh API response errors
    Missing or malformed responses can break statistics widgets.
  • Dashboard plugin logs for missing data calls
    Look for failed queries or timeout errors from OpenSearch.

This layer is especially relevant after upgrades, where plugin incompatibilities can silently break dashboard widgets.


How to Fix Missing Statistics Based on Root Cause

Once the bottleneck is identified, apply targeted remediation instead of restarting services blindly.

Fixing Index Corruption or Gaps

If OpenSearch indices are missing or inconsistent:

  • Reindex missing data
    Restore consistency by rebuilding affected indices.
  • Restore snapshots if available
    Use snapshot backups for critical historical data recovery.

Related Guide: How to Fix kibana server is not ready yet Using Wazuh

Fixing Ingestion Pipeline Delays

If data is delayed but not missing:

  • Restart Filebeat / Wazuh indexer services
    Clears stuck pipelines or backlogs.
  • Increase queue limits or buffer sizes
    Prevent future ingestion bottlenecks under high load.

This is commonly required in high-throughput environments where log volume spikes exceed pipeline capacity.

Fixing Agent Reporting Issues

If statistics are missing due to endpoint problems:

  • Re-enroll disconnected agents
    Fix broken registration or authentication issues.
  • Sync time (NTP configuration)
    Prevent timestamp mismatches that exclude data from queries.

Related Guide: Resolving Duplicate Name or IP Errors in Wazuh Agent Registration


Fixing Dashboard Configuration

If backend data is correct but UI is broken:

  • Reset visualizations
    Rebuild affected widgets from scratch.
  • Rebuild index patterns
    Ensures compatibility with updated schemas.
  • Clear browser cache / dashboard cache
    Eliminates stale UI state or cached queries.

Related Guide: Wazuh Dashboard Not Loading? Complete Troubleshooting Guide

Fixing Role-Based Visibility Issues

If only some users see missing statistics:

  • Adjust RBAC permissions
    Ensure roles include required index access.
  • Verify index access rules in OpenSearch security
    Confirm no hidden filters are restricting data visibility.

Related Guide: Troubleshooting Wazuh RBAC


Advanced Debugging Techniques

When standard checks are insufficient, deeper inspection across system APIs is required.

Using OpenSearch _cat/indices and _cluster/health APIs

These endpoints help verify:

  • Index existence and size
  • Shard allocation state
  • Cluster-wide health status

They are essential for identifying silent ingestion failures or shard imbalance.

Reference: OpenSearch Index and Cluster APIs
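The index checks from "Verify Index Health in OpenSearch" and the two endpoints named above can be turned into a repeatable triage. The following is an added example, not code from the original article or from the Wazuh project; the sample responses are constructed, and the daily index naming `wazuh-alerts-4.x-YYYY.MM.DD` is assumed to be in use.

```python
import json
from datetime import date

# Constructed sample responses (not from a real cluster), shaped like the JSON
# returned by GET _cluster/health and GET _cat/indices/wazuh-alerts-*?format=json
CLUSTER_HEALTH = json.loads("""{
  "cluster_name": "wazuh-cluster", "status": "yellow",
  "active_primary_shards": 12, "active_shards": 12,
  "unassigned_shards": 3, "active_shards_percent_as_number": 80.0
}""")
CAT_INDICES = json.loads("""[
  {"health": "green", "status": "open",
   "index": "wazuh-alerts-4.x-2024.05.13", "docs.count": "18422"},
  {"health": "yellow", "status": "open",
   "index": "wazuh-alerts-4.x-2024.05.14", "docs.count": "20311"},
  {"health": "green", "status": "open",
   "index": "wazuh-alerts-4.x-2024.05.15", "docs.count": "0"}
]""")


def severity(color):
    """Map an OpenSearch health colour to a finding severity."""
    return "warn" if color == "yellow" else "crit"


def triage(health, indices, today, prefix="wazuh-alerts-4.x-"):
    """Return (severity, message) findings for the indexer layer."""
    findings = []
    if health["status"] != "green":
        findings.append((severity(health["status"]),
                         f"cluster status is {health['status']}"))
    if health.get("unassigned_shards", 0) > 0:
        findings.append(("warn",
                         f"{health['unassigned_shards']} unassigned shards"))

    by_name = {row["index"]: row for row in indices}
    for name in sorted(by_name):
        row = by_name[name]
        if row.get("health") != "green":
            findings.append((severity(row.get("health")),
                             f"{name} health is {row.get('health')}"))
        if row.get("status") != "open":
            findings.append(("crit", f"{name} is not open for queries"))

    # The daily index for `today` must exist and must be receiving documents;
    # a missing or null docs.count is treated as zero here.
    current = prefix + today.strftime("%Y.%m.%d")
    row = by_name.get(current)
    if row is None:
        findings.append(("crit", f"{current} does not exist"))
    elif int(row.get("docs.count") or 0) == 0:
        findings.append(("crit", f"{current} holds 0 documents"))
    return findings


if __name__ == "__main__":
    for level, message in triage(CLUSTER_HEALTH, CAT_INDICES, date(2024, 5, 15)):
        print(f"[{level}] {message}")
```

An empty result means the indexer layer is unlikely to be the cause, and the next check belongs upstream at the manager and agents.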

Checking Wazuh API /agents and /manager/status endpoints

These endpoints provide:

  • Real-time agent status
  • Manager health and queue metrics
  • Connectivity diagnostics

They help confirm whether missing statistics originate before indexing.

Reference:
Wazuh API Reference
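The keepalive validation from "Check Agent Connectivity" can be run against the `/agents` response. This is an added example, not code from the original article or the Wazuh project; the response below is constructed, the `status` and `lastKeepAlive` fields and their timestamp format are assumed to match your API version, and the 10-minute threshold is an illustrative choice.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a Wazuh API GET /agents response.
AGENTS_RESPONSE = {"data": {"affected_items": [
    {"id": "000", "name": "wazuh-manager", "status": "active",
     "lastKeepAlive": "9999-12-31T23:59:59Z"},
    {"id": "001", "name": "web-01", "status": "active",
     "lastKeepAlive": "2024-05-15T11:59:40Z"},
    {"id": "002", "name": "db-01", "status": "active",
     "lastKeepAlive": "2024-05-15T11:20:05Z"},
    {"id": "003", "name": "build-01", "status": "disconnected",
     "lastKeepAlive": "2024-05-14T02:11:00Z"},
    {"id": "004", "name": "laptop-17", "status": "never_connected"},
], "total_affected_items": 5}}


def keepalive_report(response, now, max_age=timedelta(minutes=10)):
    """Count agents per status and list 'active' agents whose keepalive is stale.

    Returns (counts, stale) where stale holds (id, name, age_in_seconds).
    """
    items = response["data"]["affected_items"]
    counts = Counter(agent["status"] for agent in items)
    stale = []
    for agent in items:
        raw = agent.get("lastKeepAlive")
        # never_connected agents carry no keepalive; only 'active' ones
        # can be misleadingly counted as healthy.
        if agent["status"] != "active" or raw is None:
            continue
        seen = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        age = now - seen
        # The manager's own entry uses a far-future sentinel, which gives a
        # negative age and is therefore never reported as stale.
        if age > max_age:
            stale.append((agent["id"], agent["name"], int(age.total_seconds())))
    return counts, stale


if __name__ == "__main__":
    now = datetime(2024, 5, 15, 12, 0, 0, tzinfo=timezone.utc)
    counts, stale = keepalive_report(AGENTS_RESPONSE, now)
    print(dict(counts))
    for agent_id, name, age in stale:
        print(f"agent {agent_id} ({name}) is 'active' but silent for {age}s")
```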

Debugging Kibana/Wazuh plugin logs

Dashboard-level logs often reveal:

  • Failed aggregation queries
  • Timeout errors
  • Visualization rendering failures

These are critical when indices are healthy but dashboards remain empty.

Correlating timestamps across components

A common hidden issue is time desynchronization:

  • Agent event time
  • Manager processing time
  • Indexing time
  • Dashboard query time

Even small drift can cause events to fall outside dashboard query windows, producing “missing statistics” illusions.
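The effect of drift on a time-filtered view can be measured per agent. This is an added example, not code from the original article; the records are constructed, and `event_time` (the timestamp the dashboard filters on) and `indexed_at` (when the document reached the indexer) are hypothetical field names standing in for whatever your pipeline records.

```python
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed records; "event_time" and "indexed_at" are hypothetical fields.
EVENTS = [
    {"agent": "web-01", "event_time": "2024-05-15T11:58:10+00:00",
     "indexed_at": "2024-05-15T11:58:14+00:00"},
    {"agent": "web-01", "event_time": "2024-05-15T11:59:00+00:00",
     "indexed_at": "2024-05-15T11:59:03+00:00"},
    {"agent": "db-01", "event_time": "2024-05-15T11:38:30+00:00",
     "indexed_at": "2024-05-15T11:58:31+00:00"},
    {"agent": "db-01", "event_time": "2024-05-15T11:39:10+00:00",
     "indexed_at": "2024-05-15T11:59:12+00:00"},
    {"agent": "k8s-node-3", "event_time": "2024-05-15T12:03:50+00:00",
     "indexed_at": "2024-05-15T11:58:52+00:00"},
    {"agent": "k8s-node-3", "event_time": "2024-05-15T12:04:20+00:00",
     "indexed_at": "2024-05-15T11:59:21+00:00"},
]


def correlate(events, now, window=timedelta(minutes=15)):
    """Per agent: median offset between the two clocks, and how many events a
    'last <window>' dashboard query issued at `now` would show or hide."""
    start = now - window
    report = {}
    for ev in events:
        stamped = datetime.fromisoformat(ev["event_time"])
        indexed = datetime.fromisoformat(ev["indexed_at"])
        rec = report.setdefault(ev["agent"], {
            "offsets": [], "visible": 0, "hidden_future": 0, "hidden_old": 0})
        rec["offsets"].append((indexed - stamped).total_seconds())
        if stamped > now:
            rec["hidden_future"] += 1   # source clock ahead of the query time
        elif stamped < start:
            rec["hidden_old"] += 1      # source clock behind, or ingestion lag
        else:
            rec["visible"] += 1
    for rec in report.values():
        # Positive: event stamped earlier than it was indexed (lag or slow
        # clock). Negative: event stamped in the future (fast clock).
        rec["offset_s"] = median(rec.pop("offsets"))
    return report


if __name__ == "__main__":
    now = datetime(2024, 5, 15, 12, 0, 0, tzinfo=timezone.utc)
    for agent, rec in correlate(EVENTS, now).items():
        print(agent, rec)
```

In the constructed data all six events were indexed within the last two minutes, yet only the two from `web-01` fall inside the 15-minute window.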


Preventing Missing Statistics in the Future

Once you resolve “Missing Statistics in Wazuh Dashboard,” the focus should shift to preventing recurrence.

In most environments, this issue is not a one-time failure but a symptom of pipeline fragility across ingestion, indexing, and visualization layers.

Monitoring index health proactively

Continuously track OpenSearch cluster health rather than reacting to failures.

Key practices:

  • Monitor cluster status (green, yellow, red) continuously
  • Track shard allocation failures and relocation events
  • Alert on missing or delayed wazuh-alerts-* index creation

This helps detect indexing degradation before it impacts dashboard visibility.

Related Guide: How to Fix a Yellow Cluster Status in Wazuh Indexer

Setting up alerts for ingestion lag

Ingestion lag is one of the earliest indicators of missing statistics.

You should alert on:

  • Increased queue size in Wazuh manager
  • Delayed document indexing in OpenSearch
  • Filebeat or forwarding pipeline backlog

A delay of even a few minutes can cause dashboard widgets to appear empty or inconsistent, especially for time-sensitive visualizations.

Reference (observability best practice):
Elastic Observability Best Practices (Indexing & Ingestion Monitoring)

Regular validation of dashboard widgets

Dashboards should be treated as code-dependent artifacts, not static UI components.

Recommended validation:

  • Periodically verify key widgets (agents, alerts, FIM, compliance)
  • Test after upgrades or configuration changes
  • Confirm that visualizations return expected data ranges

Related Guide: Wazuh Dashboard Not Loading? Complete Troubleshooting Guide

Version alignment between Wazuh components

Version mismatches between:

  • Wazuh Manager
  • Wazuh Indexer (OpenSearch)
  • Wazuh Dashboard

can silently break statistics aggregation.

Best practice:

  • Keep all components on compatible release versions
  • Avoid partial upgrades across the stack
  • Validate plugin compatibility after upgrades

Misalignment often manifests as missing or incomplete dashboard widgets without clear backend errors.

Load testing and capacity planning

Under-provisioned environments frequently show missing statistics during traffic spikes.

You should:

  • Simulate log bursts (load testing)
  • Measure ingestion throughput limits
  • Size OpenSearch heap and shards appropriately
  • Ensure Filebeat/Wazuh pipelines can handle peak loads

This is especially important in environments with high EPS (events per second), such as cloud workloads or Kubernetes clusters.


Frequently Asked Questions (FAQ)

 

Question: Why does my Wazuh Dashboard show zero agents?

This usually indicates either:

  • agent-manager disconnection
  • indexing failure for agent status documents
  • or incorrect index pattern filtering in the dashboard

It rarely means agents are actually offline.

Related Guide: Wazuh Agent Not Connecting to Manager? 12 Proven Fixes

Question: Can missing statistics be caused by OpenSearch delays?

Yes. OpenSearch ingestion delays or shard congestion can prevent new data from being indexed in time, resulting in empty or stale dashboard widgets even when data is flowing upstream.

Question: How long does Wazuh take to update dashboard metrics?

In healthy systems, dashboard metrics typically update within seconds to a few minutes, depending on:

  • ingestion rate
  • index refresh interval
  • cluster load

Delays beyond this usually indicate pipeline bottlenecks.

Question: Do index rebuilds fix missing statistics permanently?

No. Rebuilding indices may temporarily restore visibility, but if the root cause (pipeline, shard, or ingestion issue) is not fixed, the problem will recur.

Question: Can RBAC hide dashboard statistics unintentionally?

Yes. Role-based access control in OpenSearch or Wazuh can restrict access to certain indices or fields, causing partial or completely empty dashboards for specific users.

Related Guide: Troubleshooting Wazuh RBAC

Question: What logs should I check first?

Start with:

  • /var/ossec/logs/ossec.log (manager-side issues)
  • OpenSearch logs (indexing/shard issues)
  • Wazuh dashboard plugin logs (UI/query failures)

These collectively provide a full pipeline view.

Question: Does restarting Wazuh fix missing dashboard data?

Sometimes temporarily, but not reliably. Restarting may flush queues or reconnect services, but it does not fix:

  • broken indices
  • RBAC misconfigurations
  • ingestion bottlenecks
  • or version mismatches

It should only be used as a short-term diagnostic step, not a solution.


Conclusion

Missing statistics in the Wazuh Dashboard is fundamentally a pipeline integrity problem, not just a UI issue.

In most cases, the breakdown occurs somewhere along the chain:

agent → manager → indexer → OpenSearch → dashboard

Failures at any stage—whether due to indexing issues, ingestion delays, misconfigured dashboards, or RBAC restrictions—can produce incomplete or misleading visualizations.

The most effective fixes consistently involve:

  • validating OpenSearch cluster and index health
  • ensuring stable manager and agent communication
  • correcting ingestion pipeline bottlenecks
  • aligning dashboard configurations and versions

Long-term stability depends on continuous monitoring of the entire telemetry pipeline, not just reactive troubleshooting when dashboards break.
