Problem with:
Installing namespace-level resources and creating concrete index for .alerts-security.alerts-default
when restarting Kibana
I've checked and can see that after Fleet setup the following component templates are downloaded from Elastic (I've tried deleting these component templates; the result is the same):
.alerts-ecs-mappings
.alerts-security.alerts-mappings
.alerts-technical-mappings
But when creating the .alerts-security.alerts-default index template there is an error (logs from Kibana below).
I've tried to reproduce this situation, and when trying to create my own template using the component templates (.alerts-ecs-mappings, .alerts-security.alerts-mappings, .alerts-technical-mappings), the following error is shown:
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "composable template [simulate_template_ozdjecguqvqssmdnqhowwq] template after composition with component templates [.alerts-ecs-mappings, .alerts-security.alerts-mappings, .alerts-technical-mappings] is invalid",
  "attributes": {
    "error": {
      "root_cause": [
        {
          "type": "illegal_argument_exception",
          "reason": "composable template [simulate_template_ozdjecguqvqssmdnqhowwq] template after composition with component templates [.alerts-ecs-mappings, .alerts-security.alerts-mappings, .alerts-technical-mappings] is invalid"
        }
      ],
      "type": "illegal_argument_exception",
      "reason": "composable template [simulate_template_ozdjecguqvqssmdnqhowwq] template after composition with component templates [.alerts-ecs-mappings, .alerts-security.alerts-mappings, .alerts-technical-mappings] is invalid",
      "caused_by": {
        "type": "illegal_argument_exception",
        "reason": "invalid composite mappings for [simulate_template_ozdjecguqvqssmdnqhowwq]",
        "caused_by": {
          "type": "illegal_argument_exception",
          "reason": "Limit of total fields [1500] has been exceeded"
        }
      }
    },
    "causes": [
      "invalid composite mappings for [simulate_template_ozdjecguqvqssmdnqhowwq]",
      "Limit of total fields [1500] has been exceeded"
    ]
  }
}
I checked and saw that this limit comes from the component template:
.alerts-ecs-mappings
{
  "index": {
    "number_of_shards": "1",
    "mapping": {
      "total_fields": {
        "limit": "1500"
      }
    }
  }
}
Logs from Kibana:
[2023-12-21T09:35:01.092+02:00] [INFO ] [plugins.ruleRegistry] [] Installing namespace-level resources and creating concrete index for .alerts-security.alerts-default
[2023-12-21T09:35:01.105+02:00] [ERROR] [plugins.ruleRegistry] [] RuleDataWriterInitializationError: There has been a catastrophic error trying to install namespace level resources for the following registration context: security.
This may have been due to a non-additive change to the mappings, removal and type changes are not permitted. Full error: ResponseError: illegal_argument_exception: [illegal_argument_exception] Reason: composable template [.alerts-security.alerts-default-index-template] template after composition with component templates [.alerts-ecs-mappings, .alerts-security.alerts-mappings, .alerts-technical-mappings] is invalid
at prepareForWriting (/usr/share/kibana/x-pack/plugins/rule_registry/server/rule_data_client/rule_data_client.js:166:17)
at runMicrotasks (<anonymous>)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at Object.bulk (/usr/share/kibana/x-pack/plugins/rule_registry/server/rule_data_client/rule_data_client.js:185:33)
at alertWithPersistence (/usr/share/kibana/x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_wrapper.js:98:32)
at Object.bulkCreate (/usr/share/kibana/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/bulk_create_factory.js:37:7)
at /usr/share/kibana/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.js:127:9
at Object.executor (/usr/share/kibana/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/create_threshold_alert_type.js:81:22)
at /usr/share/kibana/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.js:264:31
at Object.executor (/usr/share/kibana/x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_wrapper.js:29:21)
at TaskRunner.executeAlerts (/usr/share/kibana/x-pack/plugins/alerting/server/task_runner/task_runner.js:305:30)
at promiseResult (/usr/share/kibana/x-pack/plugins/alerting/server/lib/result_type.js:44:17)
at TaskRunner.loadRuleAttributesAndRun (/usr/share/kibana/x-pack/plugins/alerting/server/task_runner/task_runner.js:541:14)
at errorAsRuleTaskRunResult (/usr/share/kibana/x-pack/plugins/alerting/server/task_runner/task_runner.js:1086:12)
at TaskRunner.run (/usr/share/kibana/x-pack/plugins/alerting/server/task_runner/task_runner.js:620:9)
at TaskManagerRunner.run (/usr/share/kibana/x-pack/plugins/task_manager/server/task_running/task_runner.js:299:22)
[2023-12-21T09:35:01.110+02:00] [ERROR] [plugins.ruleRegistry] [] The writer for the Rule Data Client for the security registration context was not initialized properly, bulk() cannot continue, and writing will be disabled.
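
An added example, not part of the original post and not Elastic's code: a Python sketch that merges component templates in composition order, counts the mapped fields of the result, and compares that count with the effective `index.mapping.total_fields.limit`, which is the check that fails in the error above. The field counts in `SAMPLE` are constructed (only the template names and the 1500 limit come from the post), settings are assumed to be in nested form as shown in the post, and the count is an approximation that covers objects, leaf fields and multi-fields but not runtime fields.

```python
def deep_merge(base, extra):
    """Recursively merge two dicts; on conflict the later template wins."""
    out = dict(base)
    for key, value in extra.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value)
        else:
            out[key] = value
    return out

def count_fields(properties):
    """Count objects, leaf fields and multi-fields below a 'properties' dict."""
    total = 0
    for spec in properties.values():
        total += 1 + len(spec.get("fields", {}))          # field itself + multi-fields
        total += count_fields(spec.get("properties", {}))  # nested object members
    return total

def check_composition(components):
    """components: ordered {name: component template body}, as in composed_of."""
    merged, per_template = {}, {}
    for name, body in components.items():
        template = body.get("template", {})
        props = template.get("mappings", {}).get("properties", {})
        per_template[name] = count_fields(props)
        merged = deep_merge(merged, template)
    limit = int(merged.get("settings", {}).get("index", {}).get("mapping", {})
                .get("total_fields", {}).get("limit", 1000))  # 1000 is the ES default
    total = count_fields(merged.get("mappings", {}).get("properties", {}))
    return {"limit": limit, "total": total, "exceeded": total > limit,
            "per_template": per_template}

def sample_template(prefix, n, settings=None):
    """Constructed stand-in: one object holding n keyword leaf fields."""
    leaves = {f"f{i}": {"type": "keyword"} for i in range(n)}
    template = {"mappings": {"properties": {prefix: {"properties": leaves}}}}
    if settings:
        template["settings"] = settings
    return {"template": template}

# Constructed sizes; the settings block mirrors the one quoted in the post.
ECS_SETTINGS = {"index": {"number_of_shards": "1",
                          "mapping": {"total_fields": {"limit": "1500"}}}}
SAMPLE = {
    ".alerts-ecs-mappings": sample_template("ecs", 1399, ECS_SETTINGS),
    ".alerts-security.alerts-mappings": sample_template("kibana", 149),
    ".alerts-technical-mappings": sample_template("kibana", 20),
}

if __name__ == "__main__":
    print(check_composition(SAMPLE))
```

To run it against a real cluster, pass the `component_template` object returned by `GET _component_template/<name>` for each template instead of `SAMPLE`. Fields that appear in more than one template are counted once in `total`, so the per-template counts can add up to more than the merged figure.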