# 🛠️ Wazuh Logs Advanced Log Troubleshooting (with JQ)

The Wazuh Dashboard logs are JSON-formatted, but the default `journalctl` output prepends a timestamp to each line, which breaks JSON parsers. Use the commands below to get cleanly formatted, readable logs.

### 1. View Pretty-Printed JSON

The `-o cat` flag removes the OS timestamps, allowing `jq` to parse the dashboard's internal JSON correctly.

```
sudo journalctl -u wazuh-dashboard -o cat -f | jq '.'
```

### 2. Extract Only Timestamps and Messages

If you want a very clean list of just the time and the action being performed, use this `jq` filter.

```
sudo journalctl -u wazuh-dashboard -o cat -f | jq -r '"[\(."@timestamp")] \( .message)"'
```

### 3. Handling Non-JSON Errors

Sometimes the system outputs non-JSON errors (like service start failures). If the commands above fail, fall back to the raw log.

```
sudo journalctl -u wazuh-dashboard -e --no-pager
```
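To keep the formatted view while non-JSON lines are mixed into the stream, `jq` can read each line as raw text and attempt the JSON parse itself. The following is an added example, not part of the original page: the helper name `fmt_dashboard_log`, the `[non-json]` marker and the sample lines are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: tolerant formatter for mixed JSON / plain-text dashboard output.
# fmt_dashboard_log is a hypothetical helper name, not a Wazuh command.
fmt_dashboard_log() {
  # -R reads every line as a raw string, so jq never aborts on non-JSON input.
  # --unbuffered keeps output flowing when the input comes from journalctl -f.
  jq -Rr --unbuffered '
    select(length > 0)                      # skip blank lines
    | . as $line
    | try (
        fromjson                            # raises an error on non-JSON text
        | if type == "object"
          then "[\(."@timestamp" // "-")] \(.message // "")"
          else $line                        # valid JSON but not a log object
          end
      ) catch "[non-json] \($line)"         # keep the raw line, clearly marked
  '
}

# Constructed sample input (not real Wazuh output): two JSON log lines
# around a plain-text startup failure.
sample_lines() {
  cat <<'EOF'
{"type":"log","@timestamp":"2024-01-01T10:00:00Z","message":"Server running"}
FATAL Error: constructed startup failure text
{"type":"log","@timestamp":"2024-01-01T10:00:05Z","message":"Stopping all plugins"}
EOF
}

# Live use (needs the service and journal access):
#   sudo journalctl -u wazuh-dashboard -o cat -f | fmt_dashboard_log
if command -v jq >/dev/null 2>&1; then
  sample_lines | fmt_dashboard_log
else
  echo "jq is not installed" >&2
fi
```

Lines marked `[non-json]` are the ones to read in full with the raw-log command above.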

#### ✅ Resulting Output

With `-o cat`, `journalctl` passes each log message to `jq` without its own prefix, so every JSON log line starts with `{` and the `parse error` you encountered no longer occurs.