Creating a windows detector failed and generates a lot of shards reaching the cluster limit everyday #509
Comments
mareban
changed the title
mareban
changed the title
|
For info, monitoring jobs, we have this kind of jobs always running : GET _cat/pending_tasks 3525231 120ms HIGH put-mapping [.opensearch-sap-windows-detectors-queries-000029/1OPPMM8SQoSHDX5WpdSHUw] shards example : Forgot to mention that before trying to create the windows log detector, we've created an _index_template for winlogbeat but we kept the _template as we did for the packetbeat and dns logs that seems to work (notification OK) and we don't have this issue of shards creation . Thanks for your help |
|
@mareban , Thank you for trying out Security Analytics. Can you share couple of sample log files (with the necessary redacted data). |
|
hi @mareban , do you have any ism policy defined for the index-pattern |
|
hi @mareban , i followed the following steps while running detectors on i created the index template first by exporting it. i faced 2 errors, field keys i then just ran i created a
|
|
hi @mareban , i can finally reproduce this issue & understand the problem. will explore options to fix it. |
Hello, Thx for your reply and sorry for the delay : There are almost 500 indices (one by day) |
Hello and Thx again Here is what we have when trying to create a windows detector :
For the mapping we have 2 field to map with our winlogbeat template ?
So , my understanding is that's a bug, and the fix will come soon hopefully :-) ! We are still in 2.8 , and it seems that upgrading to 2.9 will not fix our issue , correct ? Thank you very much for your help |
|
Fixed for 2.10 and beyond. We will backport this as part of patch release |
|
Thanks for the fix :-) ! We've just upgrade to 2.10 and still cannot create a windows detector using all sigma rules for winlogbeat (+500 indicies) ! We have now +60 fields to map, in 2.8 only 2 , and if we don't map anything the detector cannot be created !! _security_analytics/detectors, params: {} and : [2023-09-29T15:01:04,090][INFO ][o.o.a.t.TransportIndexMonitorAction] [opnscluster-n1] Central Percolation index .opensearch-sap-windows-detectors-queries created Do we need to do all the mapping ? Is it normal to extend the total field limit to this size ? Thanks for your help. |
|
hi @mareban , the issue actually is, your index do not have a field called |
|
Thanks a lot for your help So we've tried to delete the detectors and do the cleanup and now, if we try to create a DNS detector we've got an error : detection creation failed, double check the mapping , but the DNS detector is created ! So we've tried to create a windows detector, but it's still not work for US :-( ! We don't know what we can do now, we've upgraded hoping it will fix the problem, no more lot of sap queries indicies Thx, but still cannot create a windows detector on our cluster ! Any other suggestions are welcome ? Thanks for your help. [2023-10-01T15:11:34,224][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [opnscluster-n1] Detected cluster change event for destination migration [2023-10-01T15:34:49,147][INFO ][o.o.c.s.IndexScopedSettings] [opnscluster-n1] [.opensearch-sap-windows-detectors-queries-000001] updating [index.mapping.total_fields.limit] from [1000] to [5020008] |
|
hi @mareban , can you please specify the error you get while creating |
|
Closing the issue for now as it seems to be fixed. @mareban Feel free to reopen it if you have more concerns. |
…luding index patterns and visualisations) (opensearch-project#515) * Update detector details component opensearch-project#504 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com> * [FEATURE] Deleting detectors should delete all related dashboards (including index-patterns and visualisations) opensearch-project#509 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com> * [FEATURE] Deleting detectors should delete all related dashboards (including index-patterns and visualisations) opensearch-project#509 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com> * [FEATURE] Deleting detectors should delete all related dashboards (including index-patterns and visualisations) opensearch-project#509 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com> * [FEATURE] Deleting detectors should delete all related dashboards (including index-patterns and visualisations) opensearch-project#509 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com> * [FEATURE] Deleting detectors should delete all related dashboards (including index-patterns and visualisations) opensearch-project#509 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com> * [FEATURE] Deleting detectors should delete all related dashboards (including index-patterns and visualisations) opensearch-project#509 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com> * [FEATURE] Deleting detectors should delete all related dashboards (including index-patterns and visualisations) opensearch-project#509 Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com> --------- Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
Hello ,
We've tried to create a windows detector using all the rules ! It failed and ask to review the configuration !
So no detector is created, but we have a lot of .opensearch-sap-windows-detectors-queries* created each day :-(, and we don't know how to clean this and create the detector sucessfully !
How can one reproduce the bug?
create the windows detector with all rules selected on winlogbeat-* indices !
What is the expected behavior?
Create the detector and notify us on security events
What is your host/environment?
the 2.8.0 Opensearch cluster is running on Ubuntu 22.04.2
Do you have any screenshots?
If applicable, add screenshots to help explain your problem.
Do you have any additional context?
Add any other context about the problem.
The text was updated successfully, but these errors were encountered: