Detection Failure in ELK 7.8 SIEM


It is noticed that the detection rule is failing with the error message below.
"Consider increasing your look back time or adding more Kibana instances."

I have tried increasing the look back time from 1 minute to 5 minutes. But still there are multiple instances getting failed.

Kindly let me know why we need to consider adding more Kibana instances in this situation? According to my understanding, querying more rules will take more resources in Elasticsearch and not in the Kibana instance.


It depends on how many rules you are running. Adding more Kibana instances is recommended when you have a large set of rules running and some of the rules are running very slowly. Multiple Kibana instances share the rule runs; they do not duplicate rule runs. They basically coordinate with each other.

Right now, for most people, the best course of action is to scale out Elasticsearch and/or tune their existing Elastic instance when their rules are not running as performantly as they want them to run. If they cannot do that, they should turn off some of the rules to keep the gaps from happening.

Gaps indicate that the rules cannot keep up.

Without knowing a lot of details about your system it is tricky to tell you what to do, but in most cases looking at your current Elastic monitoring and scaling out Elastic is what most people do when they begin activating more and more rules, before increasing their number of Kibana instances.
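To make the "gap" and "look back time" relationship in the answer concrete, here is a small added model (example code, not Elastic's own implementation). It assumes the simplified rule schedule that each run queries the window `[started_at - interval - look_back, started_at]`; a gap is the stretch of time that no run's window covered, which happens when a run starts later than the previous one by more than the look-back. The run times are constructed, not taken from any real deployment.

```python
"""Toy model of how a detection rule's look-back window covers (or fails to
cover) the time between consecutive rule runs.  Added example, not code from
Elastic; the window arithmetic (from = start - interval - look_back) is an
assumed simplification of the rule schedule."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RuleRun:
    started_at: float  # seconds since an arbitrary epoch (constructed data)


def query_window(started_at: float, interval: float, look_back: float) -> Tuple[float, float]:
    """Time range a single run queries: the rule interval plus the extra look-back."""
    return (started_at - interval - look_back, started_at)


def find_gaps(runs: List[RuleRun], interval: float, look_back: float) -> List[Tuple[float, float]]:
    """Return (gap_start, gap_end) ranges that no run's query window covered.

    A gap opens when a run starts so late that its window no longer reaches
    back to the end of the previous run's window, so events in between are
    never queried by the rule.
    """
    gaps: List[Tuple[float, float]] = []
    prev_to: Optional[float] = None
    for run in sorted(runs, key=lambda r: r.started_at):
        frm, to = query_window(run.started_at, interval, look_back)
        if prev_to is not None and frm > prev_to:
            gaps.append((prev_to, frm))
        prev_to = to
    return gaps


# Constructed schedule: 5-minute interval; the fourth run starts 100 s late
# (e.g. the Kibana task manager was busy with other rules), the fifth is on time.
INTERVAL = 300.0
RUNS = [RuleRun(0.0), RuleRun(300.0), RuleRun(600.0), RuleRun(1000.0), RuleRun(1300.0)]

if __name__ == "__main__":
    for look_back in (60.0, 300.0):
        # With 60 s of look-back the 100 s delay leaves a 40 s gap (600..640);
        # with 300 s the delayed run still reaches back far enough and no gap appears.
        print(f"look_back={look_back:.0f}s gaps={find_gaps(RUNS, INTERVAL, look_back)}")
```

The model shows why raising the look-back only hides delays up to its own length: a run that starts later than `look_back` seconds behind schedule still produces a gap, which is the point at which the answer's advice (scaling Elasticsearch, disabling rules, or adding Kibana instances to share the rule runs) applies.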
