Customers who use Elastic 8.2.x and have created new rules or edited existing rules with that version will find that those alerting rules stop running after upgrading to Elastic 8.3.
To mitigate this, take one of the following two approaches:
- Avoid upgrading to 8.3 until a fix is implemented in version 8.3.2.
- If you have already upgraded to 8.3, monitor rule execution and fix the affected rules as instructed below.
To resolve this issue, a new API Key must be generated for each rule as follows:
- In Stack Management, navigate to the Rules and Connectors tab. Then select the rules that you wish to fix, and select Manage rules -> Disable, followed by Manage rules -> Enable. This will generate a new API Key and reset the rule state. The Last Response value will change to Pending then to Active or OK. Note that this API key will be created using the credentials of the user who performed this operation.
- Alternatively, if your rules are security rules only, go to the Security app and select the rules that you wish to fix. Then select Bulk actions -> Disable, followed by Bulk actions -> Enable.
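The disable/enable reset above can also be driven through the Kibana alerting HTTP API, which performs the same operation as the Stack Management buttons and is easier to apply across many rules. The Python script below is an added example, not part of this advisory or of Elastic's own tooling; it assumes a Kibana base URL and credentials (placeholders), the `/api/alerting/rules/_find`, `/api/alerting/rule/{id}/_disable` and `/api/alerting/rule/{id}/_enable` endpoints, and the `_find` response at the bottom is a constructed sample used for an offline check. Because the advisory notes that the new API key is created with the credentials of whoever performs the operation, run the script as the account that should own the rules going forward.

```python
"""
Added example (not from the Elastic advisory): locate rules whose last
execution failed and reset each one by disabling then re-enabling it via
the Kibana alerting API, mirroring the Manage rules -> Disable / Enable
steps in Stack Management.

Assumptions not stated on the page: the Kibana URL, the credentials and
the /api/alerting/rules/_find, .../_disable and .../_enable endpoints.
"""
import base64
import json
import urllib.request

KIBANA_URL = "https://kibana.example.internal:5601"  # placeholder (assumption)
AUTH = ("rule_admin", "REPLACE_ME")                  # placeholder credentials

# Execution statuses that mean the rule is no longer running properly.
FAILED_STATUSES = {"error"}


def rules_needing_reset(find_response: dict) -> list:
    """Return ids of enabled rules whose last execution ended in an error.

    `find_response` is the JSON body of GET /api/alerting/rules/_find; each
    entry in `data` carries `execution_status.status`. Disabled rules are
    skipped: they will get a fresh API key when someone enables them.
    """
    ids = []
    for rule in find_response.get("data", []):
        status = rule.get("execution_status", {}).get("status")
        if rule.get("enabled") and status in FAILED_STATUSES:
            ids.append(rule["id"])
    return ids


def _request(method: str, path: str) -> dict:
    """Send one authenticated request to Kibana and return the decoded JSON."""
    token = base64.b64encode(f"{AUTH[0]}:{AUTH[1]}".encode()).decode()
    req = urllib.request.Request(
        KIBANA_URL + path,
        method=method,
        headers={
            "Authorization": f"Basic {token}",
            "kbn-xsrf": "true",  # Kibana requires this header on non-GET calls
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def reset_rule(rule_id: str) -> None:
    """Disable then re-enable one rule; the enable step mints a new API key."""
    _request("POST", f"/api/alerting/rule/{rule_id}/_disable")
    _request("POST", f"/api/alerting/rule/{rule_id}/_enable")


def reset_failed_rules(page_size: int = 100) -> list:
    """Page through all rules and reset every one that is currently failing."""
    reset = []
    page = 1
    while True:
        found = _request(
            "GET", f"/api/alerting/rules/_find?per_page={page_size}&page={page}"
        )
        for rule_id in rules_needing_reset(found):
            reset_rule(rule_id)
            reset.append(rule_id)
        if page * page_size >= found.get("total", 0):
            break
        page += 1
    return reset


# Constructed sample of a _find response (not real output) for an offline check.
SAMPLE_FIND_RESPONSE = {
    "page": 1, "per_page": 100, "total": 3,
    "data": [
        {"id": "r-1", "name": "edited in 8.2", "enabled": True,
         "execution_status": {"status": "error",
                              "error": {"reason": "decrypt", "message": "..."}}},
        {"id": "r-2", "name": "healthy", "enabled": True,
         "execution_status": {"status": "ok"}},
        {"id": "r-3", "name": "already off", "enabled": False,
         "execution_status": {"status": "error"}},
    ],
}

if __name__ == "__main__":
    print("would reset:", rules_needing_reset(SAMPLE_FIND_RESPONSE))
    # reset_failed_rules()  # uncomment to run against a live Kibana
```

Run the script once with the live call commented out to see which rule ids it would touch, then uncomment `reset_failed_rules()`; afterwards the Last Response for each reset rule should move from Pending to Active or OK as the advisory describes.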
This issue is caused by a new field named snoozeEndTime that was added in 8.2.0 and subsequently removed in 8.3.0, which results in a failure to decrypt the rule saved object after upgrading to 8.3.x.