Wazuh Alert Bug Fix
Mockportal Wazuh Alerts Fix Summary
Issue
Mockportal alerts were being generated by Wazuh, but they were not visible in the Wazuh dashboard.
Root Cause
The Mockportal app was emitting nested JSON fields like this:
{
  "data": {
    "username": "admin",
    "srcip": "203.0.113.48"
  }
}
Wazuh decodes JSON logs under its own data.* namespace, so the app's top-level data object ended up one level deeper, at:
data.data
The Wazuh index template expected data.data to be a keyword/string field, but Mockportal was sending it as an object. As a result, Filebeat's attempts to index those alerts into Wazuh Indexer failed with a mapper_parsing_exception.
The alerts were therefore present in:
/var/ossec/logs/alerts/alerts.json
but did not appear in the dashboard or indexer.
Fix Applied
Updated Mockportal event generation in:
/root/mockportal/app.py
The app now emits flat detail fields instead of nested data objects.
Example new event format:
{
  "app": "mockportal",
  "event_type": "auth_failure",
  "detail_username": "admin",
  "detail_srcip": "203.0.113.48"
}
A backup was created at:
/root/mockportal/app.py.bak.index-schema-20260530
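One way to implement the flattening described above, as an added example rather than the actual code in app.py. The function names (flatten_event, conflicts_with_data_mapping), the handling of deeper nesting and lists, and the combined sample event are assumptions made for illustration.

```python
import json

# Constructed sample in the old nested shape (not a captured log line).
OLD_EVENT = {
    "app": "mockportal",
    "event_type": "auth_failure",
    "data": {"username": "admin", "srcip": "203.0.113.48"},
}


def conflicts_with_data_mapping(event):
    """True if the event would put an object at data.data once Wazuh decodes it."""
    return isinstance(event.get("data"), dict)


def _walk(value, path):
    """Yield (flat_key, value) pairs for a nested value."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _walk(child, f"{path}_{key}")
    elif isinstance(value, list):
        # Serialize lists so the field keeps one type (string) in every event.
        yield path, json.dumps(value)
    else:
        yield path, value


def flatten_event(event, nested_key="data", prefix="detail"):
    """Return a copy of event with event[nested_key] replaced by prefix_* fields."""
    nested = event.get(nested_key)
    if not isinstance(nested, dict):
        return dict(event)  # no nested object, nothing to flatten
    flat = {k: v for k, v in event.items() if k != nested_key}
    for key, value in _walk(nested, prefix):
        if key in flat:
            # Refuse to overwrite silently; a lost field is hard to spot later.
            raise ValueError(f"flattened key collides with existing field: {key}")
        flat[key] = value
    return flat


if __name__ == "__main__":
    new_event = flatten_event(OLD_EVENT)
    assert not conflicts_with_data_mapping(new_event)
    print(json.dumps(new_event))  # one JSON object per line for the log file
```

Running conflicts_with_data_mapping over each event before it is written gives an early warning if a later code change reintroduces a nested data object.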
Service Cleanup
Older manually started Mockportal Python processes were still bound to port 80.
Those stale processes were stopped, and Mockportal was restarted cleanly under systemd.
Verified service state:
mockportal.service: active
port 80: listening
Verification
A fresh Mockportal login failure event was generated.
Confirmed that the Wazuh rule fired:
Rule ID: 120101
Description: Mock Portal authentication failure
Group: mockportal
Confirmed that the alert was indexed into:
wazuh-alerts-4.x-2026.05.30
Confirmed index query result:
rule.id:120101 -> count: 1
Dashboard Search Filters
Use a recent time range and search with one of the following filters:
rule.id:120101
rule.groups:mockportal
data.app:mockportal
Note
Older Mockportal alerts that used the nested data object were already rejected by Filebeat, so they will not appear in the dashboard.
New Mockportal alerts should now appear normally.