@UweW - Hi there,
Can you run
GET _cat/aliases/.siem-signals-*?v and
GET _cat/shards/.siem-signals-*?v and share the results with us?
Hi @UweW - could you run this and check if this solves the problem?
.siem-signals index was the index name used pre-8.0 for writing security solution alerts. In 8.0 it's expected that it is now aliased to the new security solution alerts index, so
should result in something like:
alias                 index                                           filter routing.index routing.search is_write_index
.siem-signals-default .internal.alerts-security.alerts-default-000001 -      -             -              false
This should have all occurred in the initial upgrade to 8.x.
GET /.siem-signals* - can you share what the top portion of that return looks like? We would expect to see something like:
In 8.x we should no longer be writing to
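The alias check described in this reply can be automated against the text returned by `GET _cat/aliases/.siem-signals-*?v`. The script below is an added example and is not code from this thread or from Elastic; it assumes the column names shown in the sample table above, and the two sample outputs embedded in it are constructed.

```python
"""Verify that .siem-signals-* aliases are in the expected post-8.x state:
each alias points at an .internal.alerts-security.alerts-* index and is not
the write index. Input is the text of `GET _cat/aliases/.siem-signals-*?v`."""
import re

# Expected 8.x alias target, e.g. .internal.alerts-security.alerts-default-000001
EXPECTED_TARGET = re.compile(r"^\.internal\.alerts-security\.alerts-.+-\d+$")


def parse_cat_table(text: str) -> list[dict[str, str]]:
    """Parse `_cat ... ?v` output (whitespace-separated header and rows) into dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        fields = ln.split()
        if len(fields) != len(header):
            raise ValueError(f"column count mismatch in row: {ln!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def check_signals_aliases(text: str) -> dict[str, str]:
    """Return {alias: verdict}; 'ok' means the alias matches the expected 8.x state."""
    verdicts = {}
    for row in parse_cat_table(text):
        alias, index = row["alias"], row["index"]
        if not EXPECTED_TARGET.match(index):
            verdicts[alias] = f"legacy target {index}: migration to the 8.x alerts index did not happen"
        elif row["is_write_index"] != "false":
            verdicts[alias] = "is_write_index should be false; 8.x should not write to .siem-signals"
        else:
            verdicts[alias] = "ok"
    if not verdicts:
        verdicts["(none)"] = "no .siem-signals-* alias found"
    return verdicts


# Constructed samples: a healthy migrated state and a pre-migration state.
MIGRATED = """\
alias                 index                                           filter routing.index routing.search is_write_index
.siem-signals-default .internal.alerts-security.alerts-default-000001 -      -             -              false
"""
LEGACY = """\
alias                 index                        filter routing.index routing.search is_write_index
.siem-signals-default .siem-signals-default-000001 -      -             -              true
"""

if __name__ == "__main__":
    for name, sample in (("migrated", MIGRATED), ("legacy", LEGACY)):
        for alias, verdict in check_signals_aliases(sample).items():
            print(f"{name}: {alias}: {verdict}")
```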
that fixed the issue that I was not able to edit the rules in the security section.
There is still the issue with the "Object type "siem.queryRule" is not registered." when I open rules in the stack management section.
this is how it looks:
"source": "if(doc['host.os.name'].size()!=0) emit(doc['host.os.name'].value.toLowerCase());",
I cannot find any index beginning with .internal*
So it looks like it hasn't occurred in the initial upgrade.
One more time, updating was not successful.
Any idea how to fix?
PS: the update path was 8.3.3 -> 8.4.0 -> 8.4.1
.internal index is created once the first alert is written. That may be why you don't see it yet. If rules are running but no alerts have been generated, it won't yet exist.
As for the issues with viewing rules in stack management - I am asking around to see if it's a known issue. Luckily, most all actions you would need to take can be done through the security solution rules management interface.
I'll follow back around as soon as I hopefully find out more on the stack management side.
Here is the issue that was tracked for this error you're encountering - Security Rule details page doesn't load up in Stack Management · Issue #138639 · elastic/kibana · GitHub
It looks like it may not have made it in 8.4.1, but is in for 8.4.2.
yes, this is the issue I have.
8.4.2 was released today. Even though I can't find a hint in the release notes, I can confirm that it fixes this bug on two lab installations.
Many thanks for your support.