Hello every body,
I have a problem, The alerts have ceased to be generated today at the detection level, after checking I noticed that the rules are matched but the alerts are not generated and the siem-signals-default index has not increased since yesterday. Can you assist me in resolving this concern.
Thank you
Are you sure that your elastic agents and beats are alive and running and sending in the data to elasticsearch ?
Try going to fleet management -> Agents -> MACHINE_NAME -> Integration -> logs and see if you are getting data from your endpoints.
Detection rules mostly run on the data of the past few minutes so if there is nothing in the Index, alerts would execute successfully but no alert would trigger.
Just chiming in to say I had the same issue on 7.13, didn't have time to troubleshoot. Once I upgraded to 7.14, alerts started working again.
I had no failed rule executions, but didn't really dig any deeper.
Thanks nemhods and termcap for your replay, after verification, the problem was that the logs received late with 10 minutes while the rules were programmed for 5 min with loopback of 4 min
Thanks @frank_rib, for letting us know what caused your issue. Can you share how you resolved it? Sometimes ingestion pipeline delays are hard to control or eliminate.
We have included some troubleshooting tips in our docs.
They mention that missed alerts can occur when your ingestion pipeline delay exceeds 6 minutes.
It also mentions how you can eliminate the risk of missed alerts due to ingestion pipeline delay by specifying the Timestamp override field in your custom rules.
Thanks again for sharing your experience with us!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.