Elastalert container Missing #12280

lerou114 · 2024-01-30T18:37:03Z

lerou114
Jan 30, 2024

Version

2.4.40

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

32

RAM

64 GB

Storage for /

320GB

Storage for /nsm

1.8 TB

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

No, one or more services are failed (please provide detail below)

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

I have recently upgraded from 2.4.30 to 2.4.40 after a recent reboot of the grid. The elastalert container is showing up as missing. We do not have any customer elastalert rules. When examine the logs for elastalert I find nothing as far as errors. Any suggestions where I should look would be appreciated.

When I run so-elastalert-restart I get 2 highstate errors from salt:

Executing sudo docker images returns

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

Answered by lerou114

Feb 1, 2024

So I was able to get things back up and running. I kind of went a bit heavy handed and disabled all my playbook detections. I rebooted the search node and the container spun up on the manager and problem solved. I did not reboot my manager node. I had run into a similar issue before with experimental rules in the past so I decided to disable them. So, I am wondering was the issue of the container not starting up and timing out due to the search node rather than issue with a rule?

View full answer

cm-ops · 2024-01-31T17:21:50Z

cm-ops
Jan 31, 2024
Maintainer

What does so-elasticsearch-query _cat/shards | sort show?

3 replies

lerou114 Jan 31, 2024
Author

This is what it returned.
shards.txt

lerou114 Jan 31, 2024
Author

[root@secon2 playbook]# so-elasticsearch-query _cat/shards | sort
.apm-agent-configuration 0 p STARTED 0 248b 192.168.0..16 sn2
.apm-agent-configuration 0 r UNASSIGNED
.apm-custom-link 0 p STARTED 0 248b 192.168.0.16 sn2
.apm-custom-link 0 r UNASSIGNED
.apm-source-map 0 p STARTED 0 248b 192.168.0.16 sn2
.apm-source-map 0 r UNASSIGNED
.async-search 0 p STARTED 0 254b 192.168.0.16 sn2
.async-search 0 r UNASSIGNED
.ds-.fleet-actions-results-2024.01.09-000001 0 p STARTED 5667 1.1mb 192.168.0.16 sn2
.ds-.fleet-actions-results-2024.01.09-000001 0 r UNASSIGNED
.ds-ilm-history-5-2024.01.05-000001 0 p STARTED 1322 513.1kb 192.168.0.16 sn2
.ds-ilm-history-5-2024.01.05-000001 0 r UNASSIGNED
.ds-.kibana-event-log-8.10.4-2024.01.05-000001 0 p STARTED 8 48.6kb 192.168.0.16 sn2
.ds-.kibana-event-log-8.10.4-2024.01.05-000001 0 r UNASSIGNED
.ds-logs-elastic_agent-default-2024.01.05-000001 0 p STARTED 1120 904.3kb 192.168.0.16 sn2
.ds-logs-elastic_agent-default-2024.01.09-000002 0 p STARTED 9621 6mb 192.168.0.23 secon2
.ds-logs-elastic_agent-default-2024.01.09-000003 0 p STARTED 87695 31.6mb 192.168.0.16 sn2
.ds-logs-elastic_agent-default-2024.01.18-000004 0 p STARTED 125 192.7kb 192.168.0.16 sn2
.ds-logs-elastic_agent-default-2024.01.18-000005 0 p STARTED 266656 117.8mb 192.168.0.23 secon2
.ds-logs-elastic_agent.endpoint_security-default-2024.01.09-000001 0 p STARTED 5128085 1.1gb 192.168.0.23 secon2
.ds-logs-elastic_agent.endpoint_security-default-2024.01.18-000002 0 p STARTED 7083 3.2mb 192.168.0.16 sn2
.ds-logs-elastic_agent.endpoint_security-default-2024.01.18-000003 0 p STARTED 27599617 12.6gb 192.168.0.16 sn2
.ds-logs-elastic_agent.filebeat-default-2024.01.05-000001 0 p STARTED 334038 319.5mb 192.168.0.16 sn2
.ds-logs-elastic_agent.filebeat-default-2024.01.09-000002 0 p STARTED 17308 17.4mb 192.168.0.16 sn2
.ds-logs-elastic_agent.filebeat-default-2024.01.09-000003 0 p STARTED 6359102 2.3gb 192.168.0.16 sn2
.ds-logs-elastic_agent.filebeat-default-2024.01.18-000004 0 p STARTED 7855 4.2mb 192.168.0.16 sn2
.ds-logs-elastic_agent.filebeat-default-2024.01.18-000005 0 p STARTED 27830535 10.3gb 192.168.0.16 sn2
.ds-logs-elastic_agent.fleet_server-default-2024.01.05-000001 0 p STARTED 8471 17.5mb 192.168.0.16 sn2
.ds-logs-elastic_agent.fleet_server-default-2024.01.09-000002 0 p STARTED 1562 1.7mb 192.168.0.23 secon2
.ds-logs-elastic_agent.fleet_server-default-2024.01.09-000003 0 p STARTED 224146 264.3mb 192.168.0.16 sn2
.ds-logs-elastic_agent.fleet_server-default-2024.01.18-000004 0 p STARTED 183 501.1kb 192.168.0.23 secon2
.ds-logs-elastic_agent.fleet_server-default-2024.01.18-000005 0 p STARTED 956299 400.7mb 192.168.0.16 sn2
.ds-logs-elastic_agent.metricbeat-default-2024.01.05-000001 0 p STARTED 240 297.5kb 192.168.0.16 sn2
.ds-logs-elastic_agent.metricbeat-default-2024.01.09-000002 0 p STARTED 2501 2.4mb 192.168.0.16 sn2
.ds-logs-elastic_agent.metricbeat-default-2024.01.18-000003 0 p STARTED 258 551.6kb 192.168.0.16 sn2
.ds-logs-elastic_agent.osquerybeat-default-2024.01.05-000001 0 p STARTED 77177 88mb 192.168.0.23 secon2
.ds-logs-elastic_agent.osquerybeat-default-2024.01.09-000002 0 p STARTED 3142 4.6mb 192.168.0.16 sn2
.ds-logs-elastic_agent.osquerybeat-default-2024.01.09-000003 0 p STARTED 2243510 1.1gb 192.168.0.16 sn2
.ds-logs-elastic_agent.osquerybeat-default-2024.01.18-000004 0 p STARTED 3174 2.6mb 192.168.0.16 sn2
.ds-logs-elastic_agent.osquerybeat-default-2024.01.18-000005 0 p STARTED 11068160 4.1gb 192.168.0.16 sn2
.ds-logs-elasticsearch.server-default-2024.01.05-000001 0 p STARTED 4635735 645.1mb 192.168.0.16 sn2
.ds-.logs-endpoint.diagnostic.collection-default-2024.01.31-000080 0 p STARTED 1690 21.1mb 192.168.0.23 secon2
.ds-.logs-endpoint.diagnostic.collection-default-2024.01.31-000080 0 r STARTED 1690 21.2mb 192.168.0.16 sn2
.ds-logs-endpoint.events.api-default-2024.01.17-000001 0 p STARTED 1694 1.6mb 192.168.0.16 sn2
.ds-logs-endpoint.events.file-default-2024.01.09-000001 0 p STARTED 200061164 39.8gb 192.168.0.16 sn2
.ds-logs-endpoint.events.file-default-2024.01.21-000002 0 p STARTED 200387335 42.7gb 192.168.0.16 sn2
.ds-logs-endpoint.events.file-default-2024.01.27-000003 0 p STARTED 141768068 32.5gb 192.168.0.16 sn2
.ds-logs-endpoint.events.library-default-2024.01.09-000001 0 p STARTED 181529973 91.4gb 192.168.0.16 sn2
.ds-logs-endpoint.events.network-default-2024.01.09-000001 0 p STARTED 200415934 38gb 192.168.0.23 secon2
.ds-logs-endpoint.events.network-default-2024.01.17-000002 0 p STARTED 201226158 40.8gb 192.168.0.16 sn2
.ds-logs-endpoint.events.network-default-2024.01.18-000003 0 p STARTED 200576621 41.2gb 192.168.0.16 sn2
.ds-logs-endpoint.events.network-default-2024.01.19-000004 0 p STARTED 201874212 41.7gb 192.168.0.16 sn2
.ds-logs-endpoint.events.network-default-2024.01.19-000005 0 p STARTED 201005900 41.2gb 192.168.0.23 secon2
.ds-logs-endpoint.events.network-default-2024.01.20-000006 0 p STARTED 200929268 40.6gb 192.168.0.16 sn2
.ds-logs-endpoint.events.network-default-2024.01.21-000007 0 p STARTED 201258388 41.1gb 192.168.0.23 secon2
.ds-logs-endpoint.events.network-default-2024.01.22-000008 0 p STARTED 200416559 40.4gb 192.168.0.16 sn2
.ds-logs-endpoint.events.network-default-2024.01.23-000009 0 p STARTED 200487798 40.2gb 192.168.0.16 sn2
.ds-logs-endpoint.events.network-default-2024.01.23-000010 0 p STARTED 200399390 39.5gb 192.168.0.16 sn2
.ds-logs-endpoint.events.network-default-2024.01.24-000011 0 p STARTED 200537252 39.6gb 192.168.0.16 sn2
.ds-logs-endpoint.events.network-default-2024.01.25-000012 0 p STARTED 200710921 38.6gb 192.168.0.23 secon2
.ds-logs-endpoint.events.network-default-2024.01.27-000013 0 p STARTED 200298000 40.8gb 192.168.0.23 secon2
.ds-logs-endpoint.events.network-default-2024.01.29-000014 0 p STARTED 200286796 41.3gb 192.168.0.16 sn2
.ds-logs-endpoint.events.network-default-2024.01.30-000015 0 p STARTED 200646482 43.6gb 192.168.0.23 secon2
.ds-logs-endpoint.events.network-default-2024.01.31-000016 0 p STARTED 45311911 9.7gb 192.168.0.23 secon2
.ds-logs-endpoint.events.process-default-2024.01.09-000001 0 p STARTED 98899850 50gb 192.168.0.23 secon2
.ds-logs-endpoint.events.process-default-2024.01.18-000002 0 p STARTED 96730367 50gb 192.168.0.16 sn2
.ds-logs-endpoint.events.process-default-2024.01.20-000003 0 p STARTED 96504223 50gb 192.168.0.23 secon2
.ds-logs-endpoint.events.process-default-2024.01.22-000004 0 p STARTED 96737855 50gb 192.168.0.16 sn2
.ds-logs-endpoint.events.process-default-2024.01.24-000005 0 p STARTED 98142567 50gb 192.168.0.16 sn2
.ds-logs-endpoint.events.process-default-2024.01.27-000006 0 p STARTED 96855173 50gb 192.168.0.23 secon2
.ds-logs-endpoint.events.process-default-2024.01.30-000007 0 p STARTED 33448436 17.3gb 192.168.0.23 secon2
.ds-logs-endpoint.events.registry-default-2024.01.09-000001 0 p STARTED 200110227 35.3gb 192.168.0.16 sn2
.ds-logs-endpoint.events.registry-default-2024.01.23-000002 0 p STARTED 177313875 33.5gb 192.168.0.16 sn2
.ds-logs-endpoint.events.security-default-2024.01.09-000001 0 p STARTED 200014765 25.3gb 192.168.0.16 sn2
.ds-logs-endpoint.events.security-default-2024.01.27-000002 0 p STARTED 65907019 8.8gb 192.168.0.23 secon2
.ds-logs-idh-so-2024.01.08-000001 0 p STARTED 0 248b 192.168.0.16 sn2
.ds-logs-kratos-so-2024.01.05-000001 0 p STARTED 200862 394.4mb 192.168.0.16 sn2
.ds-logs-osquery_manager.result-default-2024.01.16-000001 0 p STARTED 38422 12.4mb 192.168.0.16 sn2
.ds-logs-playbook.alerts-so-2024.01.09-000001 0 p STARTED 70896227 50gb 192.168.0.16 sn2
.ds-logs-playbook.alerts-so-2024.01.26-000002 0 p STARTED 971620 676.2mb 192.168.0.23 secon2
.ds-logs-soc-so-2024.01.05-000001 0 p STARTED 5156130 2.3gb 192.168.0.16 sn2
.ds-logs-strelka-so-2024.01.05-000001 0 p STARTED 27703 171.3mb 192.168.0.16 sn2
.ds-logs-suricata-so-2024.01.05-000001 0 p STARTED 5070379 50gb 192.168.0.16 sn2
.ds-logs-suricata-so-2024.01.11-000002 0 p STARTED 5224378 50gb 192.168.0.16 sn2
.ds-logs-suricata-so-2024.01.15-000003 0 p STARTED 5146432 50gb 192.168.0.16 sn2
.ds-logs-suricata-so-2024.01.18-000004 0 p STARTED 5397895 50gb 192.168.0.23 secon2
.ds-logs-suricata-so-2024.01.21-000005 0 p STARTED 5092158 50gb 192.168.0.16 sn2
.ds-logs-suricata-so-2024.01.24-000006 0 p STARTED 3906993 38.4gb 192.168.0.16 sn2
.ds-logs-syslog-so-2024.01.09-000001 0 p STARTED 74017104 50gb 192.168.0.23 secon2
.ds-logs-syslog-so-2024.01.17-000002 0 p STARTED 70514658 50gb 192.168.0.16 sn2
.ds-logs-syslog-so-2024.01.25-000003 0 p STARTED 51431718 37.2gb 192.168.0.23 secon2
.ds-logs-system.application-default-2024.01.09-000001 0 p STARTED 5437616 1.9gb 192.168.0.16 sn2
.ds-logs-system.auth-default-2024.01.05-000001 0 p STARTED 478759 197.5mb 192.168.0.16 sn2
.ds-logs-system.security-default-2024.01.09-000001 0 p STARTED 103203101 50gb 192.168.0.16 sn2
.ds-logs-system.security-default-2024.01.18-000002 0 p STARTED 89877672 50gb 192.168.0.23 secon2
.ds-logs-system.security-default-2024.01.20-000003 0 p STARTED 88479264 50gb 192.168.0.16 sn2
.ds-logs-system.security-default-2024.01.22-000004 0 p STARTED 88306216 50gb 192.168.0.16 sn2
.ds-logs-system.security-default-2024.01.24-000005 0 p STARTED 89868914 50gb 192.168.0.16 sn2
.ds-logs-system.security-default-2024.01.27-000006 0 p STARTED 87880893 49.9gb 192.168.0.23 secon2
.ds-logs-system.security-default-2024.01.30-000007 0 p STARTED 51300795 39.5gb 192.168.0.16 sn2
.ds-logs-system.syslog-default-2024.01.05-000001 0 p STARTED 67591632 14.6gb 192.168.0.23 secon2
.ds-logs-system.system-default-2024.01.09-000001 0 p STARTED 9433967 3.4gb 192.168.0.23 secon2
.ds-logs-windows.forwarded-default-2024.01.16-000001 0 p STARTED 124793920 42.6gb 192.168.0.16 sn2
.ds-logs-windows.powershell-default-2024.01.09-000001 0 p STARTED 82971382 50gb 192.168.0.16 sn2
.ds-logs-windows.powershell-default-2024.01.18-000002 0 p STARTED 75873937 50.2gb 192.168.0.16 sn2
.ds-logs-windows.powershell-default-2024.01.20-000003 0 p STARTED 76752593 50.2gb 192.168.0.16 sn2
.ds-logs-windows.powershell-default-2024.01.22-000004 0 p STARTED 76874588 50gb 192.168.0.16 sn2
.ds-logs-windows.powershell-default-2024.01.24-000005 0 p STARTED 76210412 50.1gb 192.168.0.23 secon2
.ds-logs-windows.powershell-default-2024.01.27-000006 0 p STARTED 74716349 50.1gb 192.168.0.16 sn2
.ds-logs-windows.powershell-default-2024.01.30-000007 0 p STARTED 36273737 26gb 192.168.0.23 secon2
.ds-logs-windows.powershell_operational-default-2024.01.09-000001 0 p STARTED 77604073 50.3gb 192.168.0.16 sn2
.ds-logs-windows.powershell_operational-default-2024.01.16-000002 0 p STARTED 72869071 50.2gb 192.168.0.16 sn2
.ds-logs-windows.powershell_operational-default-2024.01.18-000003 0 p STARTED 72060817 50gb 192.168.0.16 sn2
.ds-logs-windows.powershell_operational-default-2024.01.20-000004 0 p STARTED 73394921 50gb 192.168.0.16 sn2
.ds-logs-windows.powershell_operational-default-2024.01.22-000005 0 p STARTED 73429175 50.1gb 192.168.0.16 sn2
.ds-logs-windows.powershell_operational-default-2024.01.23-000006 0 p STARTED 73034263 51gb 192.168.0.23 secon2
.ds-logs-windows.powershell_operational-default-2024.01.26-000007 0 p STARTED 71049848 50gb 192.168.0.23 secon2
.ds-logs-windows.powershell_operational-default-2024.01.29-000008 0 p STARTED 69816763 50gb 192.168.0.23 secon2
.ds-logs-windows.powershell_operational-default-2024.01.31-000009 0 p STARTED 11982479 8.7gb 192.168.0.23 secon2
.ds-logs-windows.sysmon_operational-default-2024.01.16-000001 0 p STARTED 165940102 50gb 192.168.0.16 sn2
.ds-logs-windows.sysmon_operational-default-2024.01.20-000002 0 p STARTED 160252115 50gb 192.168.0.16 sn2
.ds-logs-windows.sysmon_operational-default-2024.01.24-000003 0 p STARTED 157011125 50.1gb 192.168.0.23 secon2
.ds-logs-windows.sysmon_operational-default-2024.01.27-000004 0 p STARTED 149884133 50gb 192.168.0.23 secon2
.ds-logs-windows.sysmon_operational-default-2024.01.30-000005 0 p STARTED 34890050 14.2gb 192.168.0.16 sn2
.ds-logs-zeek-so-2024.01.05-000001 0 p STARTED 44938103 50gb 192.168.0.23 secon2
.ds-logs-zeek-so-2024.01.05-000001 1 p STARTED 44939446 49.9gb 192.168.0.16 sn2
.ds-logs-zeek-so-2024.01.12-000002 0 p STARTED 44104901 49.8gb 192.168.0.16 sn2
.ds-logs-zeek-so-2024.01.12-000002 1 p STARTED 44106173 50gb 192.168.0.23 secon2
.ds-logs-zeek-so-2024.01.14-000003 0 p STARTED 43780395 50gb 192.168.0.23 secon2
.ds-logs-zeek-so-2024.01.14-000003 1 p STARTED 43781881 49.9gb 192.168.0.16 sn2
.ds-logs-zeek-so-2024.01.17-000004 0 p STARTED 43456489 50gb 192.168.0.16 sn2
.ds-logs-zeek-so-2024.01.17-000004 1 p STARTED 43462641 49.9gb 192.168.0.23 secon2
.ds-logs-zeek-so-2024.01.19-000005 0 p STARTED 43559319 50gb 192.168.0.23 secon2
.ds-logs-zeek-so-2024.01.19-000005 1 p STARTED 43546995 49.9gb 192.168.0.16 sn2
.ds-logs-zeek-so-2024.01.21-000006 0 p STARTED 42815728 50.1gb 192.168.0.16 sn2
.ds-logs-zeek-so-2024.01.21-000006 1 p STARTED 42825537 50gb 192.168.0.23 secon2
.ds-logs-zeek-so-2024.01.23-000007 0 p STARTED 42773857 50gb 192.168.0.23 secon2
.ds-logs-zeek-so-2024.01.23-000007 1 p STARTED 42766631 50gb 192.168.0.23 secon2
.ds-logs-zeek-so-2024.01.26-000008 0 p STARTED 13655677 16.1gb 192.168.0.16 sn2
.ds-logs-zeek-so-2024.01.26-000008 1 p STARTED 13648090 16gb 192.168.0.23 secon2
.ds-metrics-endpoint.metadata-default-2024.01.09-000001 0 p STARTED 11391 16.8mb 192.168.0.16 sn2
.ds-metrics-endpoint.metadata-default-2024.01.09-000001 0 r UNASSIGNED
.ds-metrics-endpoint.metrics-default-2024.01.09-000001 0 p STARTED 11391 163.9mb 192.168.0.16 sn2
.ds-metrics-endpoint.metrics-default-2024.01.09-000001 0 r UNASSIGNED
.ds-metrics-endpoint.policy-default-2024.01.09-000001 0 p STARTED 9075 26.7mb 192.168.0.16 sn2
.ds-metrics-endpoint.policy-default-2024.01.09-000001 0 r UNASSIGNED
elastalert 0 p STARTED 71577936 100.6gb 192.168.0.16 sn2
elastalert_error 0 p STARTED 497152 576.6mb 192.168.0.16 sn2
elastalert_past 0 p STARTED 0 248b 192.168.0.16 sn2
elastalert_silence 0 p STARTED 0 248b 192.168.0.23 secon2
elastalert_status 0 p STARTED 2891396 443.4mb 192.168.0.23 secon2
.fleet-actions-7 0 p STARTED 80 212kb 192.168.0.16 sn2
.fleet-actions-7 0 r UNASSIGNED
.fleet-agents-7 0 p STARTED 413 1.7mb 192.168.0.16 sn2
.fleet-agents-7 0 r UNASSIGNED
.fleet-artifacts-7 0 p STARTED 15 14.8kb 192.168.0.16 sn2
.fleet-artifacts-7 0 r UNASSIGNED
.fleet-enrollment-api-keys-7 0 p STARTED 9 59.1kb 192.168.0.16 sn2
.fleet-enrollment-api-keys-7 0 r UNASSIGNED
.fleet-policies-7 0 p STARTED 280 3.7mb 192.168.0.16 sn2
.fleet-policies-7 0 r UNASSIGNED
.fleet-policies-leader-7 0 p STARTED 9 34.2kb 192.168.0.16 sn2
.fleet-policies-leader-7 0 r UNASSIGNED
.fleet-servers-7 0 p STARTED 5 115.9kb 192.168.0.16 sn2
.fleet-servers-7 0 r UNASSIGNED
.geoip_databases 0 p STARTED 43 43.3mb 192.168.0.16 sn2
.geoip_databases 0 r UNASSIGNED
.internal.alerts-observability.apm.alerts-default-000001 0 p STARTED 0 248b 192.168.0.16 sn2
.internal.alerts-observability.apm.alerts-default-000001 0 r UNASSIGNED
.internal.alerts-observability.logs.alerts-default-000001 0 p STARTED 0 248b 192.168.0.16 sn2
.internal.alerts-observability.logs.alerts-default-000001 0 r UNASSIGNED
.internal.alerts-observability.metrics.alerts-default-000001 0 p STARTED 0 248b 192.168.0.16 sn2
.internal.alerts-observability.metrics.alerts-default-000001 0 r UNASSIGNED
.internal.alerts-observability.slo.alerts-default-000001 0 p STARTED 0 248b 192.168.0.16 sn2
.internal.alerts-observability.slo.alerts-default-000001 0 r UNASSIGNED
.internal.alerts-observability.uptime.alerts-default-000001 0 p STARTED 0 248b 192.168.0.16 sn2
.internal.alerts-observability.uptime.alerts-default-000001 0 r UNASSIGNED
.internal.alerts-security.alerts-default-000001 0 p STARTED 0 248b 192.168.0.16 sn2
.internal.alerts-security.alerts-default-000001 0 r UNASSIGNED
.internal.alerts-stack.alerts-default-000001 0 p STARTED 0 248b 192.168.0.16 sn2
.internal.alerts-stack.alerts-default-000001 0 r UNASSIGNED
.kibana_8.10.4_001 0 p STARTED 849 160.8kb 192.168.0.16 sn2
.kibana_8.10.4_001 0 r UNASSIGNED
.kibana_alerting_cases_8.10.4_001 0 p STARTED 1 6.8kb 192.168.0.16 sn2
.kibana_alerting_cases_8.10.4_001 0 r UNASSIGNED
.kibana_analytics_8.10.4_001 0 p STARTED 8809 5.9mb 192.168.0.16 sn2
.kibana_analytics_8.10.4_001 0 r UNASSIGNED
.kibana_ingest_8.10.4_001 0 p STARTED 8075 84.2mb 192.168.0.16 sn2
.kibana_ingest_8.10.4_001 0 r UNASSIGNED
.kibana-observability-ai-assistant-conversations-000001 0 p STARTED 0 248b 192.168.0.16 sn2
.kibana-observability-ai-assistant-conversations-000001 0 r UNASSIGNED
.kibana_security_session_1 0 p STARTED 1 6.7kb 192.168.0.16 sn2
.kibana_security_session_1 0 r UNASSIGNED
.kibana_security_solution_8.10.4_001 0 p STARTED 2751 4mb 192.168.0.16 sn2
.kibana_security_solution_8.10.4_001 0 r UNASSIGNED
.kibana_task_manager_8.10.4_001 0 p STARTED 25 147.4kb 192.168.0.16 sn2
.kibana_task_manager_8.10.4_001 0 r UNASSIGNED
.logs-osquery_manager.action.responses-default 0 p STARTED 5329 952.9kb 192.168.0.23 secon2
.logs-osquery_manager.actions-default 0 p STARTED 3 251.9kb 192.168.0.16 sn2
logs-ti_anomali_latest.threatstream-2 0 p STARTED 0 248b 192.168.0.16 sn2
logs-ti_anomali_latest.threatstream-2 0 r UNASSIGNED
logs-ti_otx_latest.dest_pulses_subscribed-1 0 p STARTED 0 248b 192.168.0.16 sn2
logs-ti_otx_latest.dest_pulses_subscribed-1 0 r UNASSIGNED
logs-ti_recordedfuture_latest.threat-1 0 p STARTED 0 248b 192.168.0.16 sn2
logs-ti_recordedfuture_latest.threat-1 0 r UNASSIGNED
metrics-endpoint.metadata_current_default 0 p STARTED 389 577.3kb 192.168.0.16 sn2
metrics-endpoint.metadata_current_default 0 r UNASSIGNED
.metrics-endpoint.metadata_united_default 0 p STARTED 413 3.1mb 192.168.0.16 sn2
.metrics-endpoint.metadata_united_default 0 r UNASSIGNED
.security-7 0 p STARTED 574 663.2kb 192.168.0.16 sn2
.security-7 0 r UNASSIGNED
.security-profile-8 0 p STARTED 3 26.9kb 192.168.0.16 sn2
.security-profile-8 0 r UNASSIGNED
.slo-observability.sli-v2 0 p STARTED 0 248b 192.168.0.16 sn2
.slo-observability.sli-v2 0 r UNASSIGNED
.slo-observability.summary-v2 0 p STARTED 0 248b 192.168.0.16 sn2
.slo-observability.summary-v2 0 r UNASSIGNED
.slo-observability.summary-v2.temp 0 p STARTED 0 248b 192.168.0.16 sn2
.slo-observability.summary-v2.temp 0 r UNASSIGNED
.tasks 0 p STARTED 12 53.1kb 192.168.0.16 sn2
.tasks 0 r UNASSIGNED
.transform-internal-007 0 p STARTED 270 194.9kb 192.168.0.16 sn2
.transform-internal-007 0 r UNASSIGNED
.transform-notifications-000002 0 p STARTED 894 252.8kb 192.168.0.16 sn2
.transform-notifications-000002 0 r UNASSIGNED

lerou114 Feb 1, 2024
Author

I dug back further in the elastalert logs and I found these errors
File "/usr/local/lib/python3.11/site-packages/elasticsearch/connection/base.py", line 315, in _raise_error
raise HTTP_EXCEPTIONS.get(status_code, TransportError)(
elasticsearch.exceptions.RequestError: RequestError(400, 'document_parsing_exception', "[1:157] failed to parse field [match_body.registry.data.strings] of type [long] in document with id '5esSQ40BRvuDQXRQ52-1'. Preview of field's value: 'Binary Data'")
2024-01-26 00:02:08,978 WARNING elasticsearch POST https://secon2:9200/elastalert/_doc [status:400 request:0.002s]
2024-01-26 00:02:08,978 ERROR elastalert Error writing alert info to Elasticsearch: RequestError(400, 'document_parsing_exception', "[1:157] failed to parse field [match_body.registry.data.strings] of type [long] in document with id '6OsSQ40BRvuDQXRQ52_S'. Preview of field's value: 'Binary Data'")
Traceback (most recent call last):
File "/usr/local/lib/python3.11/site-packages/elastalert/elastalert.py", line 1461, in writeback
res = self.writeback_es.index(index=index, body=body)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/elasticsearch/client/utils.py", line 152, in _wrapped
return func(*args, params=params, headers=headers, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/elasticsearch/client/init.py", line 398, in index
return self.transport.perform_request(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/elasticsearch/transport.py", line 392, in perform_request
raise e
File "/usr/local/lib/python3.11/site-packages/elasticsearch/transport.py", line 358, in perform_request
status, headers_response, data = connection.perform_request(
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/elasticsearch/connection/http_requests.py", line 199, in perform_request
self._raise_error(response.status_code, raw_data)
File "/usr/local/lib/python3.11/site-packages/elasticsearch/connection/base.py", line 315, in _raise_error
raise HTTP_EXCEPTIONS.get(status_code, TransportError)(
elasticsearch.exceptions.RequestError: RequestError(400, 'document_parsing_exception', "[1:157] failed to parse field [match_body.registry.data.strings] of type [long] in document with id '6OsSQ40BRvuDQXRQ52_S'. Preview of field's value: 'Binary Data'")
2024-01-26 00:02:09,015 WARNING elasticsearch POST https://secon2:9200/elastalert/_doc [status:400 request:0.002s]
2024-01-26 00:02:09,015 ERROR elastalert Error writing alert info to Elasticsearch: RequestError(400, 'document_parsing_exception', "[1:171] failed to parse field [match_body.registry.data.strings] of type [long] in document with id '7usSQ40BRvuDQXRQ52_2'. Preview of field's value: 'en-US'")
Traceback (most recent call last):
File "/usr/local/lib/python3.11/site-packages/elastalert/elastalert.py", line 1461, in writeback
res = self.writeback_es.index(index=index, body=body)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/elasticsearch/client/utils.py", line 152, in _wrapped
return func(*args, params=params, headers=headers, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/elasticsearch/client/init.py", line 398, in index
return self.transport.perform_request(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/elasticsearch/transport.py", line 392, in perform_request
raise e
File "/usr/local/lib/python3.11/site-packages/elasticsearch/transport.py", line 358, in perform_request
status, headers_response, data = connection.perform_request(
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/elasticsearch/connection/http_requests.py", line 199, in perform_request
self._raise_error(response.status_code, raw_data)
File "/usr/local/lib/python3.11/site-packages/elasticsearch/connection/base.py", line 315, in _raise_error
raise HTTP_EXCEPTIONS.get(status_code, TransportError)(
elasticsearch.exceptions.RequestError: RequestError(400, 'document_parsing_exception', "[1:171] failed to parse field [match_body.registry.data.strings] of type [long] in document with id '7usSQ40BRvuDQXRQ52_2'. Preview of field's value: 'en-US'")
2024-01-26 00:02:09,052 WARNING elasticsearch POST https://secon2:9200/elastalert/_doc [status:400 request:0.003s]
2024-01-26 00:02:09,052 ERROR elastalert Error writing alert info to Elasticsearch: RequestError(400, 'document_parsing_exception', "[1:157] failed to parse field [match_body.registry.data.strings] of type [long] in document with id '8usSQ40BRvuDQXRQ6G8b'. Preview of field's value: 'Binary Data'")
Traceback (most recent call last):

lerou114 · 2024-02-01T21:56:09Z

lerou114
Feb 1, 2024
Author

So I was able to get things back up and running. I kind of went a bit heavy handed and disabled all my playbook detections. I rebooted the search node and the container spun up on the manager and problem solved. I did not reboot my manager node. I had run into a similar issue before with experimental rules in the past so I decided to disable them. So, I am wondering was the issue of the container not starting up and timing out due to the search node rather than issue with a rule?

1 reply

samuel809 Feb 14, 2024

i would guess some heap memory issue.

please share heap memory config details.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Elastalert container Missing #12280

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 4 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Elastalert container Missing #12280

Uh oh!

lerou114 Jan 30, 2024

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 2 comments · 4 replies

Uh oh!

cm-ops Jan 31, 2024 Maintainer

Uh oh!

lerou114 Jan 31, 2024 Author

Uh oh!

lerou114 Jan 31, 2024 Author

Uh oh!

lerou114 Feb 1, 2024 Author

Uh oh!

lerou114 Feb 1, 2024 Author

Uh oh!

samuel809 Feb 14, 2024

lerou114
Jan 30, 2024

Replies: 2 comments 4 replies

cm-ops
Jan 31, 2024
Maintainer

lerou114 Jan 31, 2024
Author

lerou114 Jan 31, 2024
Author

lerou114 Feb 1, 2024
Author

lerou114
Feb 1, 2024
Author