Hello, I have some problem with rules in Elastic SIEM. I have a lot of indices, but in one of them the rules don't work. Error messages about the rules are absent. With one index the rules are working, but when I write a rule for another index it does not work.
Hi, can you give us some details, please? What are the indices on which it doesn't work named. Perhaps a screenshot of the Rule configuration would also be useful.
Using https://discuss.elastic.co/t/bulkresponse-had-errors-with-response-statuses-counts-of/226492 I made this. After that I saw that I have a problem with fields in my index:
I changed the host field name using Logstash, and it is working!
Thank you for getting back to us @Nazarenko and letting us know what the issue was. We have recently changed that error reporting for the log files for the backend here:
And that will be part of a release starting in 7.8.0 moving forward. Glad to see we have a concrete use case for testing out error reporting for when we push signals into the backend at this point.

