Hi,
After updating from 8.2.3 to 8.4 it is no longer possible to edit the existing rules.
Every time, "Object type "siem.queryRule" is not registered." is shown.
I hope somebody has an idea how to fix this.
GET _cat/aliases/.siem-signals-*?v
alias index filter routing.index routing.search is_write_index
.siem-signals-default .siem-signals-default-000010 - - - false
.siem-signals-default .siem-signals-default-000011 - - - false
GET _cat/shards/.siem-signals-*?v
index shard prirep state docs store ip node
.siem-signals-default-000010 0 p STARTED 2 48.5kb 10.88.0.1 elasticsearch
.siem-signals-default-000011 0 p STARTED 963 958.5kb 10.88.0.1 elasticsearch
The .siem-signals index was the index name used pre-8.0 for writing security solution alerts. In 8.0 it's expected that it is now aliased to the new security solution alerts index, so
GET _cat/aliases/.siem-signals-*?v
should result in something like:
alias index filter routing.index routing.search is_write_index
.siem-signals-default .internal.alerts-security.alerts-default-000001 - - - false
This should have all occurred in the initial upgrade to 8.x.
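As an added example (not code from this thread and not Elastic's own tooling), the following Python check parses the pasted output of `GET _cat/aliases/.siem-signals-*?v` and reports any alias that still points only at legacy `.siem-signals-*-NNNNNN` backing indices instead of an `.internal.alerts-security.alerts-*` index as described above. The two sample listings are constructed from the outputs shown in this thread; the index-name patterns are assumptions derived from those listings.

```python
"""Check whether .siem-signals-* aliases have been migrated to the 8.x alerts index.

Added example, not code from the original thread or from Elastic.
Input is the text of a verbose (?v) `_cat/aliases` response, as pasted into
the thread; the two samples below are constructed from the thread's listings.
"""
import re

# Assumed naming patterns, based on the listings in the thread.
LEGACY_INDEX = re.compile(r"^\.siem-signals-(?P<space>.+)-\d+$")
MIGRATED_INDEX = re.compile(r"^\.internal\.alerts-security\.alerts-(?P<space>.+)-\d+$")

# Constructed sample: the broken state reported at the top of the thread.
BROKEN_OUTPUT = """\
alias                 index                        filter routing.index routing.search is_write_index
.siem-signals-default .siem-signals-default-000010 -      -             -              false
.siem-signals-default .siem-signals-default-000011 -      -             -              false
"""

# Constructed sample: the expected post-8.0 state from the answer above.
EXPECTED_OUTPUT = """\
alias                 index                                            filter routing.index routing.search is_write_index
.siem-signals-default .internal.alerts-security.alerts-default-000001 -      -             -              false
"""


def parse_cat_aliases(text):
    """Parse verbose _cat/aliases output into a list of dicts keyed by header name."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        fields = ln.split()
        if len(fields) != len(header):
            raise ValueError(f"unexpected column count in row: {ln!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def classify_alias_targets(rows):
    """Group each alias's backing indices into legacy / migrated / other buckets."""
    result = {}
    for row in rows:
        buckets = result.setdefault(row["alias"], {"legacy": [], "migrated": [], "other": []})
        index = row["index"]
        if MIGRATED_INDEX.match(index):
            buckets["migrated"].append(index)
        elif LEGACY_INDEX.match(index):
            buckets["legacy"].append(index)
        else:
            buckets["other"].append(index)
    return result


def find_unmigrated_aliases(text):
    """Return aliases that point only at legacy .siem-signals-* backing indices.

    An alias that has at least one .internal.alerts-security.alerts-* target is
    treated as migrated even if old backing indices are still attached to it.
    """
    classified = classify_alias_targets(parse_cat_aliases(text))
    return sorted(alias for alias, b in classified.items() if b["legacy"] and not b["migrated"])


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN_OUTPUT), ("expected", EXPECTED_OUTPUT)):
        print(label, "->", find_unmigrated_aliases(sample) or "all aliases migrated")
```

Paste the real `_cat/aliases` response into the script (or read it from a file) in place of the constructed samples; an empty result means every `.siem-signals-*` alias already has a migrated target.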
Hi Romain,
that fixed the issue that I was not able to edit the rules in the security section.
There is still the issue with the "Object type "siem.queryRule" is not registered." when I open rules in the stack management section.
Hi Yara,
I cannot find any index beginning with .internal*
So it looks like it hasn't occurred in the initial upgrade.
Updating one more time was not successful.
Any idea how to fix this?
Best regards
Uwe
@UweW the .internal index is created once the first alert is written. That may be why you don't see it yet. If rules are running but no alerts have been generated, it won't yet exist.
As for the issues with viewing rules in stack management, I am asking around to see if it's a known issue. Luckily, almost all actions you would need to take can be done through the security solution rules management interface.
I'll follow back around as soon as I hopefully find out more on the stack management side.
Hi Yara,
yes, this is the issue I have.
8.4.2 was released today. Even if I can't find a hint in the release notes, I can confirm that it fixes this bug on two lab installations.
Many thanks for your support.