The Wazuh Dashboard is the primary visibility layer for security monitoring across endpoints, cloud workloads, and network telemetry collected by Wazuh.
It aggregates data such as agent health, security alerts, file integrity monitoring (FIM) events, vulnerability detection results, and compliance posture metrics into visual widgets powered by OpenSearch.
Typical dashboard statistics include:
- Active and disconnected agent counts
- Alert volume trends (by severity and rule groups)
- File integrity monitoring events (changes, deletions, additions)
- Compliance mappings (PCI DSS, NIST, CIS benchmarks)
- Endpoint and server-level security summaries
When these statistics go missing, or appear partially loaded, the issue is not cosmetic.
It represents a breakdown in the observability pipeline, often between ingestion, indexing, and visualization layers.
“Missing statistics” is critical because it creates false assurance of system health. Security teams may assume no alerts are being generated, when in reality data may be delayed, unindexed, or filtered out.
In production environments, this can result in:
- Undetected security incidents due to incomplete alert visibility
- Blind spots in endpoint coverage (agents appearing inactive when they are not)
- Misleading compliance dashboards that show partial or outdated posture
- Delayed incident response due to missing or lagging telemetry
This issue is often rooted in OpenSearch indexing behavior or pipeline congestion.
According to the OpenSearch Documentation on Indexing, ingestion delays or shard allocation failures can directly impact downstream aggregation and dashboard rendering.
For background on ingestion pipeline design, Wazuh’s official documentation also highlights the dependency chain between manager → indexer → dashboard:
Related Guides:
What “Missing Statistics” Means in Wazuh
“Missing statistics” in the Wazuh Dashboard does not always indicate data loss.
In most cases, it reflects a breakdown in aggregation, indexing, or visualization queries rather than absence of raw telemetry.
Common manifestations include:
Missing agent counts
The dashboard may show zero or significantly reduced active agents even though endpoints are connected.
This typically points to query or index pattern issues rather than agent failures.
Missing alerts or event graphs
Security alerts may still exist in indices but fail to populate visual widgets such as timelines, severity charts, or rule distribution graphs.
Empty or partially loaded dashboard widgets
Widgets may load indefinitely or display “no data available” even when indices contain relevant documents.
Delayed or incomplete data in visualizations
Charts may show time gaps or inconsistent event volumes caused by ingestion lag or refresh interval misalignment.
Differences between raw index data vs dashboard aggregation layer
A key diagnostic distinction:
- Raw index data (OpenSearch indices): may be fully populated
- Dashboard layer (aggregations/queries): may fail due to:
- incorrect query filters
- broken saved searches
- index pattern mismatch
- RBAC filtering restrictions
This divergence is common in OpenSearch-based architectures where visualization depends heavily on query-time aggregation rather than direct index reads.
Related Guides:
Common Causes of Missing Statistics in Wazuh Dashboard
Missing statistics typically arise from issues across ingestion, indexing, manager health, or visualization configuration layers.
OpenSearch Indexing Issues
Since Wazuh relies on OpenSearch as its backend datastore, indexing problems are one of the most frequent causes.
Typical issues include:
- Broken or missing
wazuh-alerts-* indices
Alerts may not be indexed due to pipeline failures or disk pressure. - Index lifecycle policy misconfiguration
Improper rollover or retention policies may delete or freeze active indices. - Shards in red/yellow state
Unassigned shards prevent complete aggregation and lead to missing dashboard data.
When shard allocation fails, OpenSearch may still accept writes but fail to serve complete queries, resulting in partial statistics.
Related Guide: How to Fix a Yellow Cluster Status in Wazuh Indexer
Data Ingestion Delays
Even when indexing is functional, ingestion delays can distort dashboard statistics.
Common causes:
- High load on Wazuh manager
Rule evaluation bottlenecks delay event forwarding. - Log forwarding bottlenecks
Filebeat or agent buffers may backlog under high throughput. - Queue backlog in pipeline components
Events may accumulate in buffers before being indexed.
In high-volume environments, even a few minutes of delay can make dashboards appear empty or inconsistent.
Wazuh Manager or Agent Issues
Missing statistics may originate upstream at the endpoint layer.
Key scenarios:
- Agents disconnected or in “never connected” state
Leads to missing agent counts and incomplete endpoint visibility. - Stopped or degraded manager service
Event processing halts, breaking downstream ingestion. - Time drift between agents and manager
Events may fall outside expected time windows, causing them to disappear from time-based queries.
Related Guide: Wazuh Agent Not Connecting to Manager? 12 Proven Fixes
Dashboard or Index Pattern Misconfiguration
Visualization layer misconfiguration is a frequent and underdiagnosed cause.
Common issues include:
- Incorrect index patterns (e.g., missing
wazuh-*)
Widgets query empty datasets. - Missing refresh interval settings
Dashboards appear stale even when data is flowing. - Broken saved searches or visualizations
Updates or upgrades can invalidate saved objects.
This is especially common after Wazuh version upgrades or dashboard migrations.
Related Guide: How to Fix “Wazuh Dashboard Server Is Not Ready Yet” (Step-by-Step)
OpenSearch / Wazuh App Compatibility Issues
Version mismatches between components often produce silent data inconsistencies.
Key causes:
- Wazuh manager, indexer, and dashboard version mismatch
Can break API responses used by dashboard widgets. - Plugin upgrade issues
Incomplete or partial upgrades may corrupt visualization logic. - Broken API responses affecting stats widgets
Dashboard relies on API endpoints for computed metrics, not just raw indices.
Incompatibility issues are especially common during rolling upgrades.
Authentication / RBAC Filtering
Role-based access control can unintentionally hide statistics.
Typical scenarios:
- User roles restricting index visibility
Some agents or alert indices are excluded from queries. - API-level filtering hiding data unintentionally
Dashboard widgets may receive partial datasets. - Index-level permissions mismatch
Users may see empty dashboards even though data exists.
This is often mistaken for ingestion failure when it is actually a permissions issue.
Related Guide: Troubleshooting Wazuh RBAC
Step-by-Step Troubleshooting Checklist
When “Missing Statistics in Wazuh Dashboard” occurs, the fastest way to isolate the issue is to validate each layer of the Wazuh pipeline: indexer → manager → agents → dashboard → API.
The goal is to determine where data stops flowing or becomes inaccessible.
Verify Index Health in OpenSearch
Start with OpenSearch, since dashboard statistics depend entirely on indexed data.
Key checks:
- Check cluster health (green/yellow/red)
A non-green cluster often indicates shard allocation issues that directly impact dashboards. - Inspect
wazuh-alerts-* indices
Ensure indices exist and are actively receiving documents. Missing or stale indices usually explain empty widgets. - Confirm document ingestion rate
A sudden drop in indexing throughput often signals pipeline or manager issues rather than visualization problems.
Related Guide: How to Fix a Yellow Cluster Status in Wazuh Indexer
Validate Wazuh Manager Status
If indexing looks healthy, move upstream to the manager layer.
Checks:
- Ensure manager service is running
Confirm the service is active and not restarting or crashing. - Review
/var/ossec/logs/ossec.log
Look for:- rule evaluation delays
- queue overflow messages
- decoding errors
- dropped events
- Check for queue saturation or dropped events
A saturated queue causes delayed or missing statistics in the dashboard even if agents are active.
Related Guide: How to Fix Wazuh Active-Response Error 1204
Check Agent Connectivity
Missing statistics often come from endpoint-level disconnections.
Validate:
- List active vs disconnected agents
Identify whether agent counts match expectations. - Validate last keepalive timestamps
Agents with stale timestamps may still appear “active” but stop sending events. - Restart agents if needed
In some cases, re-establishing the connection restores event flow immediately.
Related Guide: Wazuh Agent Not Connecting to Manager? 12 Proven Fixes
Inspect Dashboard Index Patterns
Even with healthy data ingestion, dashboard misconfiguration can hide statistics.
Steps:
- Confirm correct index patterns (e.g.,
wazuh-alerts-*)
A mismatch will result in empty visualizations. - Refresh field list
Ensure new fields introduced by updates are available to the dashboard. - Recreate broken index patterns
Corrupted saved objects often occur after upgrades or partial migrations.
Related Guide: How to Fix “Wazuh Dashboard Server Is Not Ready Yet” (Step-by-Step)
Test Data Flow End-to-End
This step validates the entire pipeline.
Actions:
- Generate test alerts
Trigger known rules (e.g., failed SSH login attempts). - Confirm ingestion into OpenSearch
Verify documents appear in wazuh-alerts-* indices. - Validate visualization updates
Ensure dashboards reflect new events within expected refresh intervals.
This step helps isolate whether the issue is ingestion, indexing, or visualization.
Review API and Plugin Logs
If everything upstream looks correct, focus on API and dashboard layer issues.
Check:
- Wazuh API response errors
Missing or malformed responses can break statistics widgets. - Dashboard plugin logs for missing data calls
Look for failed queries or timeout errors from OpenSearch.
This layer is especially relevant after upgrades, where plugin incompatibilities can silently break dashboard widgets.
How to Fix Missing Statistics Based on Root Cause
Once the bottleneck is identified, apply targeted remediation instead of restarting services blindly.
Fixing Index Corruption or Gaps
If OpenSearch indices are missing or inconsistent:
- Reindex missing data
Restore consistency by rebuilding affected indices. - Restore snapshots if available
Use snapshot backups for critical historical data recovery.
Related Guide: How to Fix kibana server is not ready yet Using Wazuh
Fixing Ingestion Pipeline Delays
If data is delayed but not missing:
- Restart Filebeat / Wazuh indexer services
Clears stuck pipelines or backlogs. - Increase queue limits or buffer sizes
Prevent future ingestion bottlenecks under high load.
This is commonly required in high-throughput environments where log volume spikes exceed pipeline capacity.
Fixing Agent Reporting Issues
If statistics are missing due to endpoint problems:
- Re-enroll disconnected agents
Fix broken registration or authentication issues. - Sync time (NTP configuration)
Prevent timestamp mismatches that exclude data from queries.
Related Guide: Resolving Duplicate Name or IP Errors in Wazuh Agent Registration
Fixing Dashboard Configuration
If backend data is correct but UI is broken:
- Reset visualizations
Rebuild affected widgets from scratch. - Rebuild index patterns
Ensures compatibility with updated schemas. - Clear browser cache / dashboard cache
Eliminates stale UI state or cached queries.
Related Guide: Wazuh Dashboard Not Loading? Complete Troubleshooting Guide
Fixing Role-Based Visibility Issues
If only some users see missing statistics:
- Adjust RBAC permissions
Ensure roles include required index access. - Verify index access rules in OpenSearch security
Confirm no hidden filters are restricting data visibility.
Related Guide: Troubleshooting Wazuh RBAC
Advanced Debugging Techniques
When standard checks are insufficient, deeper inspection across system APIs is required.
Using OpenSearch _cat/indices and _cluster/health APIs
These endpoints help verify:
- Index existence and size
- Shard allocation state
- Cluster-wide health status
They are essential for identifying silent ingestion failures or shard imbalance.
Reference: OpenSearch Index and Cluster APIs
Checking Wazuh API /agents and /manager/status endpoints
These endpoints provide:
- Real-time agent status
- Manager health and queue metrics
- Connectivity diagnostics
They help confirm whether missing statistics originate before indexing.
Reference:
Wazuh API Reference
Debugging Kibana/Wazuh plugin logs
Dashboard-level logs often reveal:
- Failed aggregation queries
- Timeout errors
- Visualization rendering failures
These are critical when indices are healthy but dashboards remain empty.
Correlating timestamps across components
A common hidden issue is time desynchronization:
- Agent event time
- Manager processing time
- Indexing time
- Dashboard query time
Even small drift can cause events to fall outside dashboard query windows, producing “missing statistics” illusions.
Preventing Missing Statistics in the Future
Once you resolve “Missing Statistics in Wazuh Dashboard,” the focus should shift to preventing recurrence.
In most environments, this issue is not a one-time failure but a symptom of pipeline fragility across ingestion, indexing, and visualization layers.
Monitoring index health proactively
Continuously track OpenSearch cluster health rather than reacting to failures.
Key practices:
- Monitor cluster status (
green, yellow, red) continuously - Track shard allocation failures and relocation events
- Alert on missing or delayed
wazuh-alerts-* index creation
This helps detect indexing degradation before it impacts dashboard visibility.
Related Guide: How to Fix a Yellow Cluster Status in Wazuh Indexer
Setting up alerts for ingestion lag
Ingestion lag is one of the earliest indicators of missing statistics.
You should alert on:
- Increased queue size in Wazuh manager
- Delayed document indexing in OpenSearch
- Filebeat or forwarding pipeline backlog
A delay of even a few minutes can cause dashboard widgets to appear empty or inconsistent, especially for time-sensitive visualizations.
Reference (observability best practice):
Elastic Observability Best Practices (Indexing & Ingestion Monitoring)
Regular validation of dashboard widgets
Dashboards should be treated as code-dependent artifacts, not static UI components.
Recommended validation:
- Periodically verify key widgets (agents, alerts, FIM, compliance)
- Test after upgrades or configuration changes
- Confirm that visualizations return expected data ranges
Related Guide: Wazuh Dashboard Not Loading? Complete Troubleshooting Guide
Version alignment between Wazuh components
Version mismatches between:
- Wazuh Manager
- Wazuh Indexer (OpenSearch)
- Wazuh Dashboard
can silently break statistics aggregation.
Best practice:
- Keep all components on compatible release versions
- Avoid partial upgrades across the stack
- Validate plugin compatibility after upgrades
Misalignment often manifests as missing or incomplete dashboard widgets without clear backend errors.
Load testing and capacity planning
Under-provisioned environments frequently show missing statistics during traffic spikes.
You should:
- Simulate log bursts (load testing)
- Measure ingestion throughput limits
- Size OpenSearch heap and shards appropriately
- Ensure Filebeat/Wazuh pipelines can handle peak loads
This is especially important in environments with high EPS (events per second), such as cloud workloads or Kubernetes clusters.
Frequently Asked Questions (FAQ)
Question: Why does my Wazuh Dashboard show zero agents?
This usually indicates either:
- agent-manager disconnection
- indexing failure for agent status documents
- or incorrect index pattern filtering in the dashboard
It rarely means agents are actually offline.
Related Guide: Wazuh Agent Not Connecting to Manager? 12 Proven Fixes
Question: Can missing statistics be caused by OpenSearch delays?
Yes. OpenSearch ingestion delays or shard congestion can prevent new data from being indexed in time, resulting in empty or stale dashboard widgets even when data is flowing upstream.
Question: How long does Wazuh take to update dashboard metrics?
In healthy systems, dashboard metrics typically update within seconds to a few minutes, depending on:
- ingestion rate
- index refresh interval
- cluster load
Delays beyond this usually indicate pipeline bottlenecks.
Question: Do index rebuilds fix missing statistics permanently?
No. Rebuilding indices may temporarily restore visibility, but if the root cause (pipeline, shard, or ingestion issue) is not fixed, the problem will recur.
Question: Can RBAC hide dashboard statistics unintentionally?
Yes. Role-based access control in OpenSearch or Wazuh can restrict access to certain indices or fields, causing partial or completely empty dashboards for specific users.
Related Guide: Troubleshooting Wazuh RBAC
Question: What logs should I check first?
Start with:
/var/ossec/logs/ossec.log (manager-side issues)- OpenSearch logs (indexing/shard issues)
- Wazuh dashboard plugin logs (UI/query failures)
These collectively provide a full pipeline view.
Question: Does restarting Wazuh fix missing dashboard data?
Sometimes temporarily, but not reliably. Restarting may flush queues or reconnect services, but it does not fix:
- broken indices
- RBAC misconfigurations
- ingestion bottlenecks
- or version mismatches
It should only be used as a short-term diagnostic step, not a solution.
Conclusion
Missing statistics in the Wazuh Dashboard is fundamentally a pipeline integrity problem, not just a UI issue.
In most cases, the breakdown occurs somewhere along the chain:
agent → manager → indexer → OpenSearch → dashboard
Failures at any stage—whether due to indexing issues, ingestion delays, misconfigured dashboards, or RBAC restrictions—can produce incomplete or misleading visualizations.
The most effective fixes consistently involve:
- validating OpenSearch cluster and index health
- ensuring stable manager and agent communication
- correcting ingestion pipeline bottlenecks
- aligning dashboard configurations and versions
Long-term stability depends on continuous monitoring of the entire telemetry pipeline, not just reactive troubleshooting when dashboards break.
Be First to Comment