Replies: 2 comments
-
What is the output of the following commands?
-
I was able to solve the issue.
-
Version: 2.4.150
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Distributed
Location: on-prem with Internet access
Hardware Specs: Exceeds minimum requirements
CPU: 12
RAM: 24
Storage for /: 314 GB
Storage for /nsm: 772 GB
Network Traffic Collection: span port
Network Traffic Speeds: 1Gbps to 10Gbps
Status: No, one or more services are failed (please provide detail below)
Salt Status: Yes, there are salt failures (please provide detail below)
Logs: Yes, there are additional clues in /opt/so/log/ (please provide detail below)
Detail:
I have distributed SO installed with 3 nodes. After reboot the Elastalert is unable to start on the Manager node.
so-elastalert-start --force results:

I tried this fix to resolve the Pending status, but it fails:
https://docs.securityonion.net/en/2.4/elasticsearch.html#status-pending
"sudo so-elasticsearch-query _cat/shards | grep UN" command execution results:
.security-7 0 r UNASSIGNED
.kibana_task_manager_8.14.3_001 0 r UNASSIGNED
.fleet-policies-7 0 r UNASSIGNED
.fleet-agents-7 0 r UNASSIGNED
.kibana_8.14.3_001 0 r UNASSIGNED
.ds-.fleet-actions-results-2025.06.06-000006 0 r UNASSIGNED
.transform-notifications-000002 0 r UNASSIGNED
.async-search 0 r UNASSIGNED
.kibana_usage_counters_8.17.3_001 0 r UNASSIGNED
.kibana_alerting_cases_8.14.3_001 0 r UNASSIGNED
.kibana_analytics_8.14.3_001 0 r UNASSIGNED
.kibana_ingest_8.14.3_001 0 r UNASSIGNED
.transform-internal-007 0 r UNASSIGNED
.fleet-actions-7 0 r UNASSIGNED
I tried to use the command as recommended, but it fails for all the above indexes, e.g.:
so-elasticsearch-query .kibana_task_manager_8.14.3_001/_settings -d '{"number_of_replicas":0}' -XPUT results:
{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/settings/update] is unauthorized for user [so_elastic] with effective roles [superuser] on restricted indices [.kibana_task_manager_8.14.3_001], this action is granted by the index privileges [manage,all]"}],"type":"security_exception","reason":"action [indices:admin/settings/update] is unauthorized for user [so_elastic] with effective roles [superuser] on restricted indices [.kibana_task_manager_8.14.3_001], this action is granted by the index privileges [manage,all]"},"status":403}
`"sudo salt-call pillar.get global:influxdb_host" results:
local:
so-manager
/opt/so/log/elasticsearch/securityonion.log results:
"cat /opt/so/log/elasticsearch/securityonion.log | grep ERROR" results:
[2025-06-27T05:05:08,315][ERROR][org.elasticsearch.xpack.search.TransportGetAsyncStatusAction] failed to update expiration time for async-search [Fk5adlhQaU1VUXBpM1JnNjBFME8yU2ccVjc3UWU2eGRSZHVWUkU4SGRXZVNUQTo3MzU4MA==]
[2025-06-27T05:05:08,315][ERROR][org.elasticsearch.xpack.search.TransportGetAsyncStatusAction] failed to update expiration time for async-search [FjcxMzdobVJfVE1PZ3FzTDNBOTM3VmccVjc3UWU2eGRSZHVWUkU4SGRXZVNUQTo3MzY0NQ==]
[2025-06-27T05:05:08,316][ERROR][org.elasticsearch.xpack.search.TransportGetAsyncStatusAction] failed to update expiration time for async-search [FlMtWm1ranVsUXpHTE0yZVhUYS1BbFEcVjc3UWU2eGRSZHVWUkU4SGRXZVNUQTo3MzU2NQ==]
[2025-06-27T05:05:08,315][ERROR][org.elasticsearch.xpack.search.TransportGetAsyncStatusAction] failed to update expiration time for async-search [FlpkdF9IWW1JU2lLSmlGVlFJcS1reWccVjc3UWU2eGRSZHVWUkU4SGRXZVNUQTo3MzU4NA==]
[2025-06-27T05:05:08,316][ERROR][org.elasticsearch.xpack.search.TransportGetAsyncStatusAction] failed to update expiration time for async-search [FnlyQjNRbmFVU1Etc1p2UWtDaFBpRXccVjc3UWU2eGRSZHVWUkU4SGRXZVNUQTo3MzU4Ng==]
[2025-06-27T05:05:08,315][ERROR][org.elasticsearch.xpack.search.TransportGetAsyncStatusAction] failed to update expiration time for async-search [Fjg0LXRNMnJOVHBTcjFaTmpQSmJnNVEcVjc3UWU2eGRSZHVWUkU4SGRXZVNUQTo3MzU5MQ==]
[2025-06-27T05:05:08,316][ERROR][org.elasticsearch.xpack.search.TransportGetAsyncStatusAction] failed to update expiration time for async-search [FjZ1ZkczREl5UjJxdFZ2RWVMSkdnZnccVjc3UWU2eGRSZHVWUkU4SGRXZVNUQTo3MzU2Mw==]
[2025-06-27T05:05:08,316][ERROR][org.elasticsearch.xpack.search.TransportGetAsyncStatusAction] failed to update expiration time for async-search [FjYzOTBlUXBCVFRhV01STTNNMVlsWkEcVjc3UWU2eGRSZHVWUkU4SGRXZVNUQTo3NDYzMA==]
[2025-06-27T05:05:08,315][ERROR][org.elasticsearch.xpack.search.TransportGetAsyncStatusAction] failed to update expiration time for async-search [Fm1uRFgxV3BuUVBPMGNmcFlBUWJsSmccVjc3UWU2eGRSZHVWUkU4SGRXZVNUQTo3MzU3Mg==]
[2025-06-27T05:05:08,316][ERROR][org.elasticsearch.xpack.search.TransportGetAsyncStatusAction] failed to update expiration time for async-search [Fl9XekE3MTkxU1BLVFRQX3djX3BEWEEcVjc3UWU2eGRSZHVWUkU4SGRXZVNUQTo3MzY0NA==]
[2025-06-27T05:05:08,316][ERROR][org.elasticsearch.xpack.search.TransportGetAsyncStatusAction] failed to update expiration time for async-search [FkxXS0FzRkJfUWd1eFY2VWxvckNNeXccVjc3UWU2eGRSZHVWUkU4SGRXZVNUQTo3MzY0Ng==]
[2025-06-27T05:05:08,315][ERROR][org.elasticsearch.xpack.search.TransportGetAsyncStatusAction] failed to update expiration time for async-search [FjhDd21hSGtxUlBLN3dFal9ZWjJmVVEcVjc3UWU2eGRSZHVWUkU4SGRXZVNUQTo3MzU3OA==]
[2025-06-27T05:05:08,317][ERROR][org.elasticsearch.xpack.search.TransportGetAsyncStatusAction] failed to update expiration time for async-search [FlRIUjFYajByVEVlcHJrZFdZeU51Z0EcVjc3UWU2eGRSZHVWUkU4SGRXZVNUQTo3MzU2MA==]
[2025-06-27T05:05:08,317][ERROR][org.elasticsearch.xpack.search.TransportGetAsyncStatusAction] failed to update expiration time for async-search [FnYwR2VMd2ZiUmFhT2JZc1NOOFdUTFEcVjc3UWU2eGRSZHVWUkU4SGRXZVNUQTo3MzU4Mg==]
[2025-06-27T05:05:08,315][ERROR][org.elasticsearch.xpack.search.TransportGetAsyncStatusAction] failed to update expiration time for async-search [FllUUklKb0dHUzVtdFNrOGp2N2ZMVGccVjc3UWU2eGRSZHVWUkU4SGRXZVNUQTo3MzU3Ng==]
[2025-06-27T05:05:08,317][ERROR][org.elasticsearch.xpack.search.TransportGetAsyncStatusAction] failed to update expiration time for async-search [Fmo2VzB0MEMxU1ItRjNtTDdzcGYwRmccVjc3UWU2eGRSZHVWUkU4SGRXZVNUQTo3MzY0Mw==]
"cat /opt/so/log/elasticsearch/securityonion.log | grep WARN" results:
[2025-06-27T05:06:20,765][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.registry-%2Clogs-windows.sysmon_operational-%2Cendgame-%2Clogs-sentinel_one_cloud_funnel.%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.registry-,logs-windows.sysmon_operational-,endgame-,logs-sentinel_one_cloud_funnel.,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:20,781][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:20,781][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.process-%2Clogs-windows.%2Cendgame-%2Clogs-system.security*%2Clogs-sentinel_one_cloud_funnel.%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.process-,logs-windows.,endgame-,logs-system.security*,logs-sentinel_one_cloud_funnel.,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:20,789][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:20,789][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:20,789][WARN ][rest.suppressed ] path: /logs-endpoint.events.process-%2Cwinlogbeat-%2Clogs-windows.%2Cendgame-%2Clogs-system.security*%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=logs-endpoint.events.process-,winlogbeat-,logs-windows.,endgame-,logs-system.security,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:20,789][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.process-%2Clogs-windows.%2Cendgame-%2Clogs-system.security%2Clogs-sentinel_one_cloud_funnel.%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.process-,logs-windows.,endgame-,logs-system.security*,logs-sentinel_one_cloud_funnel.,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:20,818][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:20,819][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.process-%2Clogs-windows.%2Cendgame-%2Clogs-system.security*%2Clogs-sentinel_one_cloud_funnel.%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.process-,logs-windows.,endgame-,logs-system.security*,logs-sentinel_one_cloud_funnel.,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:20,825][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:20,825][WARN ][rest.suppressed ] path: /logs-endpoint.events.process-%2Cwinlogbeat-%2Clogs-windows.%2Cendgame-%2Clogs-system.security*%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=logs-endpoint.events.process-,winlogbeat-,logs-windows.,endgame-,logs-system.security,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,007][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,008][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.file-%2Clogs-windows.sysmon_operational-%2Cendgame-%2Clogs-sentinel_one_cloud_funnel.%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.file-,logs-windows.sysmon_operational-,endgame-,logs-sentinel_one_cloud_funnel.,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,010][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,010][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.process-%2Clogs-windows.%2Cendgame-%2Clogs-system.security%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.process-,logs-windows.,endgame-,logs-system.security,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,017][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,018][WARN ][rest.suppressed ] path: /logs-endpoint.events.process-%2Cwinlogbeat-%2Clogs-windows.%2Cendgame-%2Clogs-system.security%2Clogs-sentinel_one_cloud_funnel.%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=logs-endpoint.events.process-,winlogbeat-,logs-windows.,endgame-,logs-system.security*,logs-sentinel_one_cloud_funnel.,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,024][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,025][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.process-%2Clogs-windows.%2Cendgame-%2Clogs-system.security*%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.process-,logs-windows.,endgame-,logs-system.security,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,026][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,026][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.process-%2Clogs-windows.%2Cendgame-%2Clogs-system.security%2Clogs-sentinel_one_cloud_funnel.%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.process-,logs-windows.,endgame-,logs-system.security*,logs-sentinel_one_cloud_funnel.,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,031][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,032][WARN ][rest.suppressed ] path: /logs-endpoint.events.process-%2Cwinlogbeat-%2Clogs-windows.%2Cendgame-%2Clogs-system.security*%2Clogs-sentinel_one_cloud_funnel.%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=logs-endpoint.events.process-,winlogbeat-,logs-windows.,endgame-,logs-system.security*,logs-sentinel_one_cloud_funnel.,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,037][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,038][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.file-%2Clogs-windows.sysmon_operational-%2Cendgame-%2Clogs-sentinel_one_cloud_funnel.%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.file-,logs-windows.sysmon_operational-,endgame-,logs-sentinel_one_cloud_funnel.,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,038][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,038][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.process-%2Clogs-windows.%2Clogs-system.%2Cendgame-%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.process-,logs-windows.,logs-system.,endgame-,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,039][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,039][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.process-%2Clogs-windows.%2Cendgame-%2Clogs-system.security*%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.process-,logs-windows.,endgame-,logs-system.security,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,051][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,051][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.process-%2Clogs-windows.%2Cendgame-%2Clogs-system.security%2Clogs-sentinel_one_cloud_funnel.%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.process-,logs-windows.,endgame-,logs-system.security*,logs-sentinel_one_cloud_funnel.,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,053][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,054][WARN ][rest.suppressed ] path: /logs-endpoint.events.process-%2Cwinlogbeat-%2Clogs-windows.%2Cendgame-%2Clogs-system.security*%2Clogs-sentinel_one_cloud_funnel.%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=logs-endpoint.events.process-,winlogbeat-,logs-windows.,endgame-,logs-system.security*,logs-sentinel_one_cloud_funnel.,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,058][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,058][WARN ][rest.suppressed ] path: /logs-endpoint.events.process-%2Cwinlogbeat-%2Clogs-windows.%2Cendgame-%2Clogs-system.security*%2Clogs-sentinel_one_cloud_funnel.%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=logs-endpoint.events.process-,winlogbeat-,logs-windows.,endgame-,logs-system.security*,logs-sentinel_one_cloud_funnel.,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,060][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,060][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.file-%2Clogs-windows.sysmon_operational-%2Cendgame-%2Clogs-sentinel_one_cloud_funnel.%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.file-,logs-windows.sysmon_operational-,endgame-,logs-sentinel_one_cloud_funnel.,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,065][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,065][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.process-%2Clogs-windows.%2Cendgame-%2Clogs-system.security*%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.process-,logs-windows.,endgame-,logs-system.security,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,074][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,074][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,075][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.file-%2Clogs-windows.sysmon_operational-%2Cendgame-%2Clogs-sentinel_one_cloud_funnel.%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.file-,logs-windows.sysmon_operational-,endgame-,logs-sentinel_one_cloud_funnel.,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,075][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.process-%2Clogs-windows.%2Cendgame-%2Clogs-system.security%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.process-,logs-windows.,endgame-,logs-system.security,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,081][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,082][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.process-%2Clogs-windows.%2Clogs-system.%2Cendgame-%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.process-,logs-windows.,logs-system.,endgame-,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,087][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,087][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.process-%2Clogs-windows.%2Cendgame-%2Clogs-system.security%2Clogs-sentinel_one_cloud_funnel.%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.process-,logs-windows.,endgame-,logs-system.security*,logs-sentinel_one_cloud_funnel.,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,089][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,091][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,091][WARN ][rest.suppressed ] path: /logs-endpoint.events.process-%2Cwinlogbeat-%2Clogs-windows.%2Cendgame-%2Clogs-system.security*%2Clogs-sentinel_one_cloud_funnel.%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=logs-endpoint.events.process-,winlogbeat-,logs-windows.,endgame-,logs-system.security*,logs-sentinel_one_cloud_funnel.,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,091][WARN ][rest.suppressed ] path: /logs-endpoint.events.process-%2Cwinlogbeat-%2Clogs-windows.%2Cendgame-%2Clogs-system.security*%2Clogs-sentinel_one_cloud_funnel.%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=logs-endpoint.events.process-,winlogbeat-,logs-windows.,endgame-,logs-system.security*,logs-sentinel_one_cloud_funnel.,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,101][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,102][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.process-%2Clogs-windows.%2Cendgame-%2Clogs-system.security*%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.process-,logs-windows.,endgame-,logs-system.security,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,113][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,114][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.process-%2Clogs-windows.%2Cendgame-%2Clogs-system.security%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.process-,logs-windows.,endgame-,logs-system.security,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,125][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,125][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.process-%2Clogs-windows.%2Cendgame-%2Clogs-system.security%2Clogs-sentinel_one_cloud_funnel.%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.process-,logs-windows.,endgame-,logs-system.security*,logs-sentinel_one_cloud_funnel.,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,126][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,127][WARN ][rest.suppressed ] path: /logs-endpoint.events.process-%2Cwinlogbeat-%2Clogs-windows.%2Cendgame-%2Clogs-system.security*%2Clogs-sentinel_one_cloud_funnel.%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=logs-endpoint.events.process-,winlogbeat-,logs-windows.,endgame-,logs-system.security*,logs-sentinel_one_cloud_funnel.,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,129][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,130][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.process-%2Clogs-windows.%2Clogs-system.%2Cendgame-%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.process-,logs-windows.,logs-system.,endgame-,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,133][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,134][WARN ][rest.suppressed ] path: /logs-endpoint.events.process-%2Cwinlogbeat-%2Clogs-windows.%2Cendgame-%2Clogs-system.security*%2Clogs-sentinel_one_cloud_funnel.%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=logs-endpoint.events.process-,winlogbeat-,logs-windows.,endgame-,logs-system.security*,logs-sentinel_one_cloud_funnel.,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,135][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,135][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.process-%2Clogs-windows.%2Cendgame-%2Clogs-system.security*%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.process-,logs-windows.,endgame-,logs-system.security,logs-m365_defender.event-}, status: 503
[2025-06-27T05:06:28,178][WARN ][org.elasticsearch.xpack.eql.plugin.RestEqlSearchAction] Request failed with status [SERVICE_UNAVAILABLE]:
[2025-06-27T05:06:28,179][WARN ][rest.suppressed ] path: /winlogbeat-%2Clogs-endpoint.events.process-%2Clogs-windows.%2Clogs-system.%2Cendgame-%2Clogs-m365_defender.event-/_eql/search, params: {allow_no_indices=true, index=winlogbeat-,logs-endpoint.events.process-,logs-windows.,logs-system.,endgame-,logs-m365_defender.event-*}, status: 503
[2025-06-27T05:06:59,831][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.tasks][0] marking unavailable shards as stale: [YnMBjfzrSKW4cP7oMnOfsw]
[2025-06-27T05:07:00,003][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.security-profile-8][0] marking unavailable shards as stale: [0C9g6CC6Ssyt-jUWocDEJQ]
[2025-06-27T05:07:00,550][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.kibana_security_session_1][0] marking unavailable shards as stale: [JwsFZfu6RJCnJ78fjQr1uw]
[2025-06-27T05:07:00,756][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.kibana_security_solution_8.14.3_001][0] marking unavailable shards as stale: [e7lZ56BtS_i4LRkoL8TfNw]
[2025-06-27T05:07:01,432][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.ds-.fleet-actions-results-2025.05.07-000004][0] marking unavailable shards as stale: [8TvQjWIGSk65pto7OCKx8Q]
[2025-06-27T05:07:01,553][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.inference][0] marking unavailable shards as stale: [CAlnV8noSoScZ4fEG8jtPw]
[2025-06-27T05:07:01,929][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.ds-.fleet-actions-results-2025.04.07-000003][0] marking unavailable shards as stale: [j4eVkRDzQHq6s7xwA3ZS-w]
[2025-06-27T05:07:02,048][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.secrets-inference][0] marking unavailable shards as stale: [ZkEFEc73ReSFKfZxPpVYgA]
[2025-06-27T05:07:02,498][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.ds-.fleet-actions-results-2025.03.06-000002][0] marking unavailable shards as stale: [MnNtUBSXSHefZkZyI7Rthw]
[2025-06-27T05:07:02,937][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.geoip_databases][0] marking unavailable shards as stale: [cV6OdMc4QKyN6FY3xGiHMg]
[2025-06-27T05:07:03,057][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.fleet-secrets-7][0] marking unavailable shards as stale: [TiPLSLCTT6mTtKpKnwBK7w]
[2025-06-27T05:07:03,450][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.fleet-servers-7][0] marking unavailable shards as stale: [_ylWCkNeSBe0acrElY2bnA]
[2025-06-27T05:07:03,551][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.fleet-policies-leader-7][0] marking unavailable shards as stale: [oI8mf0GbRsSMzu72nkPoJA]
[2025-06-27T05:07:03,897][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.fleet-artifacts-7][0] marking unavailable shards as stale: [WCJbjHcJQru9ogWeneuiyg]
[2025-06-27T05:07:04,055][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.fleet-enrollment-api-keys-7][0] marking unavailable shards as stale: [qBvf3tybSv2zzZh4-ruLTg]
[2025-06-27T05:07:04,846][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [so-case][0] marking unavailable shards as stale: [TL3T_j0WR6aChT51vXDLnw]
[2025-06-27T05:07:04,959][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [so-casehistory][0] marking unavailable shards as stale: [NBL48n-RSxWVIkcSg7FKqA]
[2025-06-27T05:07:05,271][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [so-detectionhistory][0] marking unavailable shards as stale: [E5-tDCMPRpic3dOloi21Eg]
[2025-06-27T05:07:05,633][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [so-detection][0] marking unavailable shards as stale: [ZbwTX4SMR-mrZktjHQ58eQ]
[2025-06-27T05:07:06,743][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.apm-custom-link][0] marking unavailable shards as stale: [TLJ8WUzuTCSbxeOjP8vJoA]
[2025-06-27T05:07:06,744][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.reporting-2025-02-23][0] marking unavailable shards as stale: [BcjkOvbSSwWPJEaOFGaw_A]
[2025-06-27T05:07:07,198][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.internal.alerts-observability.threshold.alerts-default-000001][0] marking unavailable shards as stale: [9j4XUpoIQAiP4mj18OZ9Mg]
[2025-06-27T05:07:07,287][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.apm-agent-configuration][0] marking unavailable shards as stale: [xlHJ0bSgTTGQxT7xIBKZJw]
[2025-06-27T05:07:07,632][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.ds-.kibana-reporting-2025.06.26-000004][0] marking unavailable shards as stale: [veLXD9OORdSZ-iureGuH0Q]
[2025-06-27T05:07:07,632][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.slo-observability.summary-v3.3.temp][0] marking unavailable shards as stale: [_EtwhJLlRHu8ce3u5mAAPA]
[2025-06-27T05:07:08,146][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.internal.alerts-observability.logs.alerts-default-000001][0] marking unavailable shards as stale: [I2npMGC_QE6u1Xa5ZQ0ClQ]
[2025-06-27T05:07:08,325][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.internal.alerts-observability.slo.alerts-default-000001][0] marking unavailable shards as stale: [LzJs9HWPRieY3qFmSu1kHg]
[2025-06-27T05:07:08,805][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.internal.alerts-security.alerts-default-000001][0] marking unavailable shards as stale: [RCOFkQfeR9SJCHgl06QGJA]
[2025-06-27T05:07:08,921][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.internal.alerts-observability.uptime.alerts-default-000001][0] marking unavailable shards as stale: [n-vPGgp7QF2wzP_fmkLcKQ]
[2025-06-27T05:07:09,354][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.internal.alerts-observability.metrics.alerts-default-000001][0] marking unavailable shards as stale: [l0jFTZ4ZSXKxVnKwAdgavw]
[2025-06-27T05:07:09,450][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.internal.alerts-ml.anomaly-detection-health.alerts-default-000001][0] marking unavailable shards as stale: [6JbQ6iITTJWnJg0zXGbWwQ]
[2025-06-27T05:07:09,941][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.internal.alerts-transform.health.alerts-default-000001][0] marking unavailable shards as stale: [qspPf3hYQKGnkhL1K_dsCg]
[2025-06-27T05:07:10,046][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.internal.alerts-stack.alerts-default-000001][0] marking unavailable shards as stale: [WQqNQsbiRo6Z0uLOSHyy0Q]
[2025-06-27T05:07:10,474][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.slo-observability.summary-v3.3][0] marking unavailable shards as stale: [nVj_NnTASZWgfOzUrkdjWA]
[2025-06-27T05:07:10,584][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.internal.alerts-ml.anomaly-detection.alerts-default-000001][0] marking unavailable shards as stale: [73kJD8TGQReorBpjJrzbkQ]
[2025-06-27T05:07:11,000][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.internal.alerts-default.alerts-default-000001][0] marking unavailable shards as stale: [-4z-yld0T_6w6CVcM12bIA]
[2025-06-27T05:07:11,114][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [.slo-observability.sli-v3.3][0] marking unavailable shards as stale: [aT33b49RTpi5cowDrf6rIA]
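A triage helper for the situation described in the post above, added here as an example; it is not part of the original discussion and not Security Onion's or Elasticsearch's own tooling. It parses `_cat/shards` output and the AllocationService "marking unavailable shards as stale" log lines, separates unassigned replicas from unassigned primaries (with all primaries STARTED the data is intact and the cluster is merely yellow; an unassigned primary means data is unavailable and dropping replicas cannot bring it back), and lists which affected indices are dot-prefixed system indices, the class the 403 in the post was raised for. The shard table and log lines below are constructed samples; node names, allocation ids and the async-search id in them are placeholders, and treating dot-prefixed names as "system" is a naming-convention hint, not the cluster's actual restricted-index list.

```python
#!/usr/bin/env python3
"""Triage unassigned Elasticsearch shards from `_cat/shards` output and the ES log.

Added example for the discussion above; not part of Security Onion or Elasticsearch.
"""
import re
import sys
from collections import defaultdict

# Constructed sample in the column layout of `_cat/shards` (index shard prirep state ...).
# Real output carries more columns (docs, store, ip, node) for assigned shards; only the
# first four are relied on here, and the last token is taken as the node name when present.
SAMPLE_CAT_SHARDS = """\
.security-7                          0 p STARTED    10.0.0.1 so-manager
.security-7                          0 r UNASSIGNED
.kibana_task_manager_8.14.3_001      0 p STARTED    10.0.0.1 so-manager
.kibana_task_manager_8.14.3_001      0 r UNASSIGNED
so-case                              0 p STARTED    10.0.0.1 so-manager
so-case                              0 r UNASSIGNED
logs-endpoint.events.process-default 0 p STARTED    10.0.0.2 so-searchnode
"""

# Constructed sample lines in the format of /opt/so/log/elasticsearch/securityonion.log
# (the allocation id and async-search id are placeholders, not values from the post).
SAMPLE_LOG = """\
[2025-06-27T05:07:04,846][WARN ][org.elasticsearch.cluster.routing.allocation.AllocationService] [so-case][0] marking unavailable shards as stale: [PLACEHOLDER_ALLOC_ID]
[2025-06-27T05:05:08,315][ERROR][org.elasticsearch.xpack.search.TransportGetAsyncStatusAction] failed to update expiration time for async-search [PLACEHOLDER_SEARCH_ID]
"""

STALE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[WARN \]"
    r"\[org\.elasticsearch\.cluster\.routing\.allocation\.AllocationService\] "
    r"\[(?P<index>[^\]]+)\]\[(?P<shard>\d+)\] marking unavailable shards as stale: "
    r"\[(?P<alloc>[^\]]+)\]"
)


def parse_cat_shards(text):
    """Return one dict per shard row: index, shard, prirep ('p'/'r'), state, node."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        index, shard, prirep, state = parts[:4]
        node = parts[-1] if len(parts) > 4 else None  # UNASSIGNED rows have no node
        rows.append({"index": index, "shard": int(shard), "prirep": prirep,
                     "state": state, "node": node})
    return rows


def parse_stale_shard_events(log_text):
    """Extract index/shard/allocation id from AllocationService stale-shard warnings."""
    events = []
    for line in log_text.splitlines():
        m = STALE_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "index": m["index"],
                           "shard": int(m["shard"]), "alloc": m["alloc"]})
    return events


def is_system_index(name):
    """Dot-prefixed names are system/hidden indices (assumption: naming convention only;
    whether one is 'restricted' for a user is decided by the cluster's security config)."""
    return name.startswith(".")


def summarize(cat_text, log_text):
    rows = parse_cat_shards(cat_text)
    started_primaries = {r["index"] for r in rows if r["prirep"] == "p" and r["state"] == "STARTED"}
    unassigned = [r for r in rows if r["state"] == "UNASSIGNED"]
    primaries = [r for r in unassigned if r["prirep"] == "p"]
    replicas = [r for r in unassigned if r["prirep"] == "r"]
    by_index = defaultdict(list)
    for r in unassigned:
        by_index[r["index"]].append(r)
    # Replicas unassigned but every primary STARTED: yellow, all documents still served.
    # Any unassigned primary: red, that shard's data is unavailable.
    data_intact = not primaries and all(r["index"] in started_primaries for r in replicas)
    return {
        "unassigned_primaries": len(primaries),
        "unassigned_replicas": len(replicas),
        "data_intact": data_intact,
        "system_indices": sorted(i for i in by_index if is_system_index(i)),
        "user_indices": sorted(i for i in by_index if not is_system_index(i)),
        "stale_events": [(e["index"], e["shard"]) for e in parse_stale_shard_events(log_text)],
    }


def report(summary):
    """Render the summary as text lines (returned rather than printed so it can be tested)."""
    lines = [
        f"unassigned primaries: {summary['unassigned_primaries']}",
        f"unassigned replicas:  {summary['unassigned_replicas']}",
        "data intact (yellow: replicas only)" if summary["data_intact"]
        else "DATA UNAVAILABLE: an unassigned primary exists (red)",
        "system indices with unassigned shards: " + ", ".join(summary["system_indices"]),
        "user indices with unassigned shards:   " + ", ".join(summary["user_indices"]),
    ]
    for index, shard in summary["stale_events"]:
        lines.append(f"stale-shard warning in log: [{index}][{shard}]")
    return lines


if __name__ == "__main__":
    # Usage: triage.py <cat_shards.txt> <securityonion.log>; without arguments the samples are used.
    if len(sys.argv) == 3:
        cat_text, log_text = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        cat_text, log_text = SAMPLE_CAT_SHARDS, SAMPLE_LOG
    print("\n".join(report(summarize(cat_text, log_text))))
```

To run it against a real cluster, save the unfiltered `_cat/shards` output to a file (the post's `grep UN` drops the STARTED primary rows the yellow/red distinction needs) and pass it together with the Elasticsearch log path. The point of the split is to know, before touching any replica setting, whether the unassigned shards are only replicas of healthy primaries; the system-versus-user partition then shows which indices the `so_elastic` user could change and which ones answered with the 403 shown above.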