[BUG] Alerts created from "NoOp trigger" with "Error" status #1476

Open

mmguero opened this issue Feb 13, 2025 · 0 comments
Labels
bug Something isn't working untriaged

Comments

mmguero commented Feb 13, 2025

What is the bug?
After creating a detector for System Activity: Microsoft Windows (see bug #1475 where I outline how I do this), every few minutes an Alert gets created with the NoOp trigger name, with an Error status.

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Create a detector for System Activity: Microsoft Windows (see bug [BUG] Detector for System Activity: Microsoft Windows times out, then gets created twice #1475 for my full steps on how I did this; this bug may or may not be related to that one, I don't know)
  2. Wait for a few minutes
  3. Observe Security Alerts (see screenshot)

What is the expected behavior?
No NoOp trigger alerts; valid alerts should be triggered based on the enabled rules.

What is your host/environment?

  • OS: Linux x86_64 with the OpenSearch Docker image with minor modifications
  • Version: v2.19.0
  • Plugins: Standard plugins installed in the Docker image minus opensearch security and opensearch-performance-analyzer

Do you have any screenshots?

(two screenshots attached)

Also, every few minutes I see the below in the logs. I have some observations from this:

  • The OriginalFileName error: I do have this mapping already in my template that's associated with this alias, so what's this about?
  • "No field mapping can be found for the field with name [ommandLine]": um, I think somebody's got a typo in a rule? What's "ommandLine"?
  • What's up with the version conflict error?
opensearch-1         | [2025-02-13T20:51:48,653][ERROR][o.o.a.u.DocLevelMonitorQueries] [opensearch] MapperParsingException[failed to parse]; nested: QueryShardException[No field mapping can be found for the field with name [OriginalFileName]];
^^^^ (Note: the above line is repeated about a hundred times)
opensearch-1         | [2025-02-13T20:51:48,653][ERROR][o.o.a.u.DocLevelMonitorQueries] [opensearch] MapperParsingException[failed to parse]; nested: QueryShardException[No field mapping can be found for the field with name [ommandLine]];
opensearch-1         | [2025-02-13T20:51:48,653][ERROR][o.o.a.u.DocLevelMonitorQueries] [opensearch] MapperParsingException[failed to parse]; nested: QueryShardException[No field mapping can be found for the field with name [OriginalFileName]];
^^^^ (Note: the above line is repeated about 20 more times)
opensearch-1         | [2025-02-13T20:51:49,145][ERROR][o.o.a.c.l.LockService    ] [opensearch] Lock is null. Nothing to release.
opensearch-1         | [2025-02-13T20:51:50,588][ERROR][o.o.c.a.u.AlertingException] [opensearch] Alerting error: [.opendistro-alerting-config/wvqPUN0LSR6DslpugqfRzQ][[.opendistro-alerting-config][0]] VersionConflictEngineException[[SSz9AJUBjll4ynr1VwcC-metadata-Kyz2AJUBjll4ynr10gfT-metadata]: version conflict, required seqNo [17], primary term [1]. current document has seqNo [23] and primary term [1]]
opensearch-1         | [2025-02-13T20:51:50,608][ERROR][o.o.a.DocumentLevelMonitorRunner] [opensearch] Failed running Document-level-monitor winlogtest
opensearch-1         | org.opensearch.commons.alerting.util.AlertingException: [SSz9AJUBjll4ynr1VwcC-metadata-Kyz2AJUBjll4ynr10gfT-metadata]: version conflict, required seqNo [17], primary term [1]. current document has seqNo [23] and primary term [1]
opensearch-1         |  at org.opensearch.commons.alerting.util.AlertingException$Companion.wrap(AlertingException.kt:70) ~[common-utils-2.19.0.0.jar:?]
opensearch-1         |  at org.opensearch.alerting.MonitorMetadataService.upsertMetadata(MonitorMetadataService.kt:129) ~[opensearch-alerting-2.19.0.0.jar:2.19.0.0]
opensearch-1         |  at org.opensearch.alerting.MonitorMetadataService$upsertMetadata$1.invokeSuspend(MonitorMetadataService.kt) ~[opensearch-alerting-2.19.0.0.jar:2.19.0.0]
opensearch-1         |  at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33) [kotlin-stdlib-1.8.21.jar:1.8.21-release-380(1.8.21)]
opensearch-1         |  at kotlinx.coroutines.DispatchedTask.run(Dispatched.kt:285) [kotlinx-coroutines-core-1.1.1.jar:?]
opensearch-1         |  at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:594) [kotlinx-coroutines-core-1.1.1.jar:?]
opensearch-1         |  at kotlinx.coroutines.scheduling.CoroutineScheduler.access$runSafely(CoroutineScheduler.kt:60) [kotlinx-coroutines-core-1.1.1.jar:?]
opensearch-1         |  at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:742) [kotlinx-coroutines-core-1.1.1.jar:?]
opensearch-1         | Caused by: java.lang.Exception: org.opensearch.index.engine.VersionConflictEngineException: [SSz9AJUBjll4ynr1VwcC-metadata-Kyz2AJUBjll4ynr10gfT-metadata]: version conflict, required seqNo [17], primary term [1]. current document has seqNo [23] and primary term [1]
opensearch-1         |  ... 8 more
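A triage helper for the two "No field mapping can be found" messages quoted in the report, added here as an example; it is not part of the issue and not code from the OpenSearch Alerting or Security Analytics plugins. It pulls the field names out of `DocLevelMonitorQueries` log lines, flattens a `GET /<alias>/_mapping` response into dotted leaf paths, and for every field the monitor complained about reports whether the mapping actually contains it and which mapped names look like a truncation of it (which is how a name like `ommandLine` would show up against a mapped `CommandLine`). The log lines and the mapping are constructed for the example; the index name `winlogtest-000001` and the `winlog.event_data.*` paths are assumptions, not taken from the reporter's template.

```python
"""Match 'No field mapping' errors from the Alerting document-level monitor
against an index mapping and flag fields that are missing or look like typos."""
import json
import re
from collections import Counter

# Constructed sample log lines in the shape of the ones quoted in the issue
# (not captured from any real cluster).
SAMPLE_LOG = """\
opensearch-1 | [2025-02-13T20:51:48,653][ERROR][o.o.a.u.DocLevelMonitorQueries] [opensearch] MapperParsingException[failed to parse]; nested: QueryShardException[No field mapping can be found for the field with name [OriginalFileName]];
opensearch-1 | [2025-02-13T20:51:48,653][ERROR][o.o.a.u.DocLevelMonitorQueries] [opensearch] MapperParsingException[failed to parse]; nested: QueryShardException[No field mapping can be found for the field with name [ommandLine]];
opensearch-1 | [2025-02-13T20:51:48,653][ERROR][o.o.a.u.DocLevelMonitorQueries] [opensearch] MapperParsingException[failed to parse]; nested: QueryShardException[No field mapping can be found for the field with name [OriginalFileName]];
opensearch-1 | [2025-02-13T20:51:49,145][ERROR][o.o.a.c.l.LockService    ] [opensearch] Lock is null. Nothing to release.
"""

# Constructed stand-in for the body of GET /<alias>/_mapping. The index name
# and the winlog.event_data.* paths are assumptions for the example: this
# hypothetical template maps CommandLine but has no OriginalFileName at all.
SAMPLE_MAPPING = {
    "winlogtest-000001": {
        "mappings": {
            "properties": {
                "@timestamp": {"type": "date"},
                "winlog": {
                    "properties": {
                        "event_data": {
                            "properties": {
                                "CommandLine": {"type": "keyword"},
                                "Image": {"type": "keyword"},
                            }
                        }
                    }
                },
            }
        }
    }
}

MISSING_FIELD_RE = re.compile(
    r"No field mapping can be found for the field with name \[([^\]]+)\]"
)


def missing_fields_from_log(text):
    """Count how often each field name appears in a QueryShardException line."""
    return Counter(MISSING_FIELD_RE.findall(text))


def leaf_fields(properties, prefix=""):
    """Flatten a 'properties' tree into dotted leaf paths; object nodes recurse."""
    out = set()
    for name, spec in properties.items():
        path = f"{prefix}{name}"
        if "properties" in spec:
            out |= leaf_fields(spec["properties"], path + ".")
        else:
            out.add(path)
            # multi-fields such as CommandLine.keyword are addressable too
            for sub in spec.get("fields", {}):
                out.add(f"{path}.{sub}")
    return out


def mapped_fields(mapping_response):
    """Union of leaf fields across every index in a _mapping response."""
    fields = set()
    for body in mapping_response.values():
        fields |= leaf_fields(body.get("mappings", {}).get("properties", {}))
    return fields


def triage(log_text, mapping_response):
    """For each field the monitor could not resolve, report whether the mapping
    has it and list mapped names whose last segment equals, or ends with, the
    reported name (catches a leading-character drop like 'ommandLine')."""
    mapped = mapped_fields(mapping_response)
    report = {}
    for field, hits in missing_fields_from_log(log_text).items():
        last = field.rsplit(".", 1)[-1]
        candidates = sorted(
            m for m in mapped
            if m != field and m.rsplit(".", 1)[-1].endswith(last)
        )
        report[field] = {
            "occurrences": hits,
            "mapped": field in mapped,
            "candidates": candidates,
        }
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG, SAMPLE_MAPPING), indent=2))
```

To run this against a real cluster, feed it the container's log output and the JSON body of `GET /<alias>/_mapping` (the helper accepts the per-index `{"mappings": {"properties": ...}}` shape that endpoint returns). A field that the log names but the mapping lacks means the detector's query references a log field the template never defines; a field with a `candidates` hit but `mapped: false` is the shape a typo in a rule or field alias produces.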