Alerts not working (stack version 8.2)

ooaleksiienko · December 21, 2023, 8:32am

Problem with:
Installing namespace-level resources and creating concrete index for .alerts-security.alerts-default
when restarting Kibana

I've checked and can see that after fleet setup next Component Templates downloaded from Elastic (I've tried to delete this component templates - result the same):
.alerts-ecs-mappings
.alerts-security.alerts-mappings
.alerts-technical-mappings

But when creating .alerts-security.alerts-default index template there is an error (Logs from Kibana below)

I've try to reproduce this situation and when trying to create own template using component templates (.alerts-ecs-mappings,.alerts-security.alerts-mappings,.alerts-technical-mappings) error shows next:

{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "composable template [simulate_template_ozdjecguqvqssmdnqhowwq] template after composition with component templates [.alerts-ecs-mappings, .alerts-security.alerts-mappings, .alerts-technical-mappings] is invalid",
  "attributes": {
    "error": {
      "root_cause": [
        {
          "type": "illegal_argument_exception",
          "reason": "composable template [simulate_template_ozdjecguqvqssmdnqhowwq] template after composition with component templates [.alerts-ecs-mappings, .alerts-security.alerts-mappings, .alerts-technical-mappings] is invalid"
        }
      ],
      "type": "illegal_argument_exception",
      "reason": "composable template [simulate_template_ozdjecguqvqssmdnqhowwq] template after composition with component templates [.alerts-ecs-mappings, .alerts-security.alerts-mappings, .alerts-technical-mappings] is invalid",
      "caused_by": {
        "type": "illegal_argument_exception",
        "reason": "invalid composite mappings for [simulate_template_ozdjecguqvqssmdnqhowwq]",
        "caused_by": {
          "type": "illegal_argument_exception",
          "reason": "Limit of total fields [1500] has been exceeded"
        }
      }
    },
    "causes": [
      "invalid composite mappings for [simulate_template_ozdjecguqvqssmdnqhowwq]",
      "Limit of total fields [1500] has been exceeded"
    ]
  }
}

I've checked and saw that this limit came from Component Template:
.alerts-ecs-mappings

{
  "index": {
    "number_of_shards": "1",
    "mapping": {
      "total_fields": {
        "limit": "1500"
      }
    }
  }
}

Logs from kibana:

[2023-12-21T09:35:01.092+02:00] [INFO ] [plugins.ruleRegistry] [] Installing namespace-level resources and creating concrete index for .alerts-security.alerts-default
[2023-12-21T09:35:01.105+02:00] [ERROR] [plugins.ruleRegistry] [] RuleDataWriterInitializationError: There has been a catastrophic error trying to install namespace level resources for the following registration context: security.
    This may have been due to a non-additive change to the mappings, removal and type changes are not permitted. Full error: ResponseError: illegal_argument_exception: [illegal_argument_exception] Reason: composable template [.alerts-security.alerts-default-index-template] template after composition with component templates [.alerts-ecs-mappings, .alerts-security.alerts-mappings, .alerts-technical-mappings] is invalid
    at prepareForWriting (/usr/share/kibana/x-pack/plugins/rule_registry/server/rule_data_client/rule_data_client.js:166:17)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at Object.bulk (/usr/share/kibana/x-pack/plugins/rule_registry/server/rule_data_client/rule_data_client.js:185:33)
    at alertWithPersistence (/usr/share/kibana/x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_wrapper.js:98:32)
    at Object.bulkCreate (/usr/share/kibana/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/bulk_create_factory.js:37:7)
    at /usr/share/kibana/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.js:127:9
    at Object.executor (/usr/share/kibana/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/create_threshold_alert_type.js:81:22)
    at /usr/share/kibana/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.js:264:31
    at Object.executor (/usr/share/kibana/x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_wrapper.js:29:21)
    at TaskRunner.executeAlerts (/usr/share/kibana/x-pack/plugins/alerting/server/task_runner/task_runner.js:305:30)
    at promiseResult (/usr/share/kibana/x-pack/plugins/alerting/server/lib/result_type.js:44:17)
    at TaskRunner.loadRuleAttributesAndRun (/usr/share/kibana/x-pack/plugins/alerting/server/task_runner/task_runner.js:541:14)
    at errorAsRuleTaskRunResult (/usr/share/kibana/x-pack/plugins/alerting/server/task_runner/task_runner.js:1086:12)
    at TaskRunner.run (/usr/share/kibana/x-pack/plugins/alerting/server/task_runner/task_runner.js:620:9)
    at TaskManagerRunner.run (/usr/share/kibana/x-pack/plugins/task_manager/server/task_running/task_runner.js:299:22)
[2023-12-21T09:35:01.110+02:00] [ERROR] [plugins.ruleRegistry] [] The writer for the Rule Data Client for the security registration context was not initialized properly, bulk() cannot continue, and writing will be disabled.

system · January 18, 2024, 8:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.