Howto: Fix Wazuh dashboard not starting

By SecBurg

I’m currently experimenting with Wazuh, an Open Source Security Platform featuring XDR and SIEM protection, in my homelab.

I’ve installed it in my Proxmox environment a long time ago using the OVA image and then continuosly updated the installation manually via yum update.

Pro-Tip: after importing the OVA into Proxmox, switch the HD-interface from IDE to SCSI! Otherwise you’ll get an performance hit.

After one of the latest updates, the web interface (dashboard) was no longer working. It only displayed a generic message:

Wazuh dashboard server is not ready yet

After digging into the logfiles with

journalctl -u wazuh-dashboard |grep -i -E "$(date +%F).*(error|warn)"

I’ve observed the following messages:

Jun 06 09:08:30 wazuh-server opensearch-dashboards[539]: {"type":"log","@timestamp":"2025-06-06T09:08:30Z","tags":["error","opensearch","data"],"pid":539,"message":"[resource_already_exists_exception]: index [.kibana_4/TqmIutDlTQyZT_XDQsgZMg] already exists"}
Jun 06 09:08:30 wazuh-server opensearch-dashboards[539]: {"type":"log","@timestamp":"2025-06-06T09:08:30Z","tags":["warning","savedobjects-service"],"pid":539,"message":"Another OpenSearch Dashboards instance appears to be migrating the index. Waiting for that migration to complete. If no other OpenSearch Dashboards instance is attempting migrations, you can get past this message by deleting index .kibana_4 and restarting OpenSearchDashboards."}

[... followed by ...]

Jun 06 09:25:11 wazuh-server opensearch-dashboards[1229]: {"type":"log","@timestamp":"2025-06-06T09:25:11Z","tags":["info","savedobjects-service"],"pid":1229,"message":"Detected mapping change in \"properties.query\""}
[... repeating itself ...]

Searching through the Internet, I found some solutions - but neither of them worked for my situation.

Here’s what worked for me:

  1. login via ssh to the Wazuh server/VM and switch to root
  2. show all current indices:
curl -k -u admin:admin  https://localhost:9200/_cat/indices/.kib*
  1. stop the dashboard service:
systemctl stop wazuh-dashboard.service
  1. delete ALL existing indices (I had four of them):
curl -k -X DELETE -u admin:admin https://127.0.0.1:9200/.kibana_1
curl -k -X DELETE -u admin:admin https://127.0.0.1:9200/.kibana_2
curl -k -X DELETE -u admin:admin https://127.0.0.1:9200/.kibana_3
curl -k -X DELETE -u admin:admin https://127.0.0.1:9200/.kibana_4
  1. restart the dashboard service:
systemctl start wazuh-dashboard.service

After this procedure, my Wazuh dashboard was working again!