WARNING elasticsearch POST https://securityonion:9200/.ds-logs-*/_eql/search?ignore_unavailable=true [status:400 request:0.018s] #13224
It's a warning; in 2.4 we switched from straight Lucene to EQL for Elastalert queries. When you run an EQL query, ES does some checks before actually running the query - one of them is whether or not the fields in the query exist in a template mapping.
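The pre-check described in the reply, reproduced offline as an added example (not code from this discussion, Security Onion or ElastAlert): it flattens a constructed index-template mapping, pulls the field names out of simple EQL rule queries, and reports which referenced fields the mapping lacks, which is the condition under which Elasticsearch answers 400 before running the query. The sample mapping, the rule queries and the regex-based field extraction are all assumptions; it handles only single-event `category where ...` queries, not sequences or pipes.

```python
from __future__ import annotations
import re

# Constructed stand-in for the mappings section of an index template covering
# .ds-logs-* data streams (hypothetical subset, not Security Onion's real template).
SAMPLE_MAPPING = {
    "properties": {
        "event": {"properties": {"category": {"type": "keyword"}, "dataset": {"type": "keyword"}}},
        "process": {"properties": {"name": {"type": "keyword"}, "command_line": {"type": "wildcard"}}},
        "source": {"properties": {"ip": {"type": "ip"}}},
    }
}

# Constructed ElastAlert-style EQL rule queries; "destination.port" and "user.name"
# are deliberately absent from SAMPLE_MAPPING to reproduce the 400 condition.
SAMPLE_RULES = {
    "ok_rule": 'process where process.name == "powershell.exe" and event.category : "process"',
    "bad_rule": 'network where source.ip == "10.0.0.1" and destination.port == 4444',
    "func_rule": 'process where length(process.command_line) > 100 and user.name != "SYSTEM"',
}

EQL_KEYWORDS = {"and", "or", "not", "in", "like", "regex", "true", "false", "null"}
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'')
# Dotted identifiers (or @timestamp-style names) that are not followed by "(",
# so function names such as length(...) are not mistaken for fields.
IDENT_RE = re.compile(r"(?<![\w.@])([A-Za-z_@][\w.@]*)(?![\w.@]|\s*\()")


def flatten_mapping(mapping: dict, prefix: str = "") -> set[str]:
    """Return the dotted leaf field names defined by an ES mapping fragment."""
    fields: set[str] = set()
    for name, spec in mapping.get("properties", {}).items():
        path = f"{prefix}{name}"
        if "properties" in spec:          # object field: recurse into its children
            fields |= flatten_mapping(spec, path + ".")
        else:
            fields.add(path)
    return fields


def eql_fields(query: str) -> set[str]:
    """Extract field names referenced by a simple EQL query (assumption: no sequence/pipe syntax)."""
    stripped = STRING_RE.sub('""', query)          # string literals are never field names
    _, _, condition = stripped.partition(" where ")  # drop the leading event category
    return {t for t in IDENT_RE.findall(condition) if t.lower() not in EQL_KEYWORDS}


def missing_fields(query: str, mapping: dict) -> set[str]:
    """Fields the query references that the mapping does not define: ES rejects such a query with 400."""
    return eql_fields(query) - flatten_mapping(mapping)


def triage(rules: dict[str, str], mapping: dict) -> dict[str, set[str]]:
    """Map each rule that would trigger the warning to the fields it is missing."""
    return {name: missing for name, q in rules.items() if (missing := missing_fields(q, mapping))}
```

Running `triage(SAMPLE_RULES, SAMPLE_MAPPING)` names the two rules whose fields are absent from the mapping, which is the information needed to decide whether the template or the rule should change.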
Version: 2.4.70
Installation Method: Security Onion ISO image
Description: upgrading
Installation Type: Standalone
Location: on-prem with Internet access
Hardware Specs: Exceeds minimum requirements
CPU: 20
RAM: 18GB
Storage for /: 166G
Storage for /nsm: 3.4TB
Network Traffic Collection: span port
Network Traffic Speeds: Less than 1Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: Yes, there are additional clues in /opt/so/log/ (please provide detail below)
Detail: My elastalert.log is full of "WARNING elasticsearch POST https://securityonion:9200/.ds-logs-*/_eql/search?ignore_unavailable=true [status:400 request:0.018s]" warnings. This coincides with upgrading from 2.4.60 to 2.4.70. I'm not sure what is going on. Any help is appreciated.
Guidelines