Detection rule execution failure: "Rule registry writing is disabled due to an error during Rule Data Client initialization."

Elastic Security
1

Hello!

I am struggling with error that leads to detection rules execution failure.

For the context: I am creating new detection rules in separate Space with limited permissions, so I am not an admin.

When a detection rule does not hit any results, it executes successfully:

image
image1060×68 6.17 KB

But when there are some results returned by a rule, meaning alert creation is expected, it fails to run with error:

An error occurred during rule execution: message: "Rule registry writing is disabled due to an error during Rule Data Client initialization."

image
image1536×208 29.6 KB

I suspect that my account has insufficient permissions, but the admin claims he gave me all permissions required according to Elastic Docs.
Also, we tried restarting Kibana, but no result.
Do you have any ideas on how to fix this issue? My progress is kind of stucked because of this error...

2

Hi,

This error often occurs if the mappings or settings for the alerts indices have been modified in some way. However, there are other possible causes as well. The Rule Data Client will log the detailed error message with more information about the root cause the first time it tries to write a new alert after Kibana restarts. Would you be able to look in the logs for this root cause message? It may include the string "There has been a catastrophic error".

3

Hello,
Could you advise where these logs can be found? Stack Monitoring?

4

Yes, if you've set up monitoring then the logs can be accessed through Stack Monitoring. Instructions for setting up monitoring on ESS can be found here.