Detection rule execution failure: "Rule registry writing is disabled due to an error during Rule Data Client initialization."

bil15 · February 13, 2023, 6:31am

Hello!

I am struggling with error that leads to detection rules execution failure.

For the context: I am creating new detection rules in separate Space with limited permissions, so I am not an admin.

When a detection rule does not hit any results, it executes successfully:

But when there are some results returned by a rule, meaning alert creation is expected, it fails to run with error:

An error occurred during rule execution: message: "Rule registry writing is disabled due to an error during Rule Data Client initialization."

image1536×208 29.6 KB

I suspect that my account has insufficient permissions, but the admin claims he gave me all permissions required according to Elastic Docs.
Also, we tried restarting Kibana, but no result.
Do you have any ideas on how to fix this issue? My progress is kind of stucked because of this error...

Marshall_Main · February 14, 2023, 5:32pm

Hi,

This error often occurs if the mappings or settings for the alerts indices have been modified in some way. However, there are other possible causes as well. The Rule Data Client will log the detailed error message with more information about the root cause the first time it tries to write a new alert after Kibana restarts. Would you be able to look in the logs for this root cause message? It may include the string "There has been a catastrophic error".

bil15 · February 14, 2023, 5:49pm

Hello,
Could you advise where these logs can be found? Stack Monitoring?

Marshall_Main · February 14, 2023, 6:46pm

Yes, if you've set up monitoring then the logs can be accessed through Stack Monitoring. Instructions for setting up monitoring on ESS can be found here.

system · March 14, 2023, 6:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.