
Custom rule in Elastic Security throws RuleDataWriteDisabledError error when run #148460

Open
Tracked by #165878
brsolomon-deloitte opened this issue Jan 5, 2023 · 7 comments
Labels
bug Fixes for quality problems that affect the customer experience consider-next impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. sdh-linked Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@brsolomon-deloitte

Kibana version: 8.5.3

Elasticsearch version: 8.5.3

Browser version: Chrome 108.0.5359.124

Original install method (e.g. download page, yum, from source, etc.): ECK

Describe the bug: Custom rule fails to run with `Bulk Indexing of signals failed: RuleDataWriteDisabledError: Rule registry writing is disabled due to an error during Rule Data Client initialization.`

Steps to reproduce:

  1. Create rule as shown below
  2. Ingest Suricata alerts with Filebeat suricata module
  3. Watch as the Rule execution log fills up with Failed runs with zero useful debugging information

Expected behavior: Rule runs successfully.

Screenshots (if relevant):

[Screenshot: Screen Shot 2023-01-05 at 10 33 13 AM]

Provide logs and/or server output (if relevant):

Kibana logs:

```
[2023-01-05T15:27:00.022+00:00][INFO ][plugins.securitySolution.ruleExecution] Changing rule status to "running" [siem.queryRule][Suricata alerts][rule id 43afdd40-8c73-11ed-85b3-87db925d75d3][rule uuid a5377b9a-75f9-446d-bc00-2c5262c9190a][exec id 1e3e038c-3308-4af5-a4d8-5afca2950d36][space default]
[2023-01-05T15:27:00.321+00:00][ERROR][plugins.securitySolution.ruleExecution] [-] search_after_bulk_create threw an error RuleDataWriteDisabledError: Rule registry writing is disabled due to an error during Rule Data Client initialization. [siem.queryRule][Suricata alerts][rule id 43afdd40-8c73-11ed-85b3-87db925d75d3][rule uuid a5377b9a-75f9-446d-bc00-2c5262c9190a][exec id 1e3e038c-3308-4af5-a4d8-5afca2950d36][space default]
[2023-01-05T15:27:00.321+00:00][ERROR][plugins.securitySolution.ruleExecution] Changing rule status to "failed". Bulk Indexing of signals failed: RuleDataWriteDisabledError: Rule registry writing is disabled due to an error during Rule Data Client initialization. [siem.queryRule][Suricata alerts][rule id 43afdd40-8c73-11ed-85b3-87db925d75d3][rule uuid a5377b9a-75f9-446d-bc00-2c5262c9190a][exec id 1e3e038c-3308-4af5-a4d8-5afca2950d36][space default]
```

The rule in question

Fetched with `GET kbn:/api/alerting/rules/_find?search_fields=name&search=Suricata*`.

```json
{
  "page": 1,
  "total": 1,
  "per_page": 10,
  "data": [
    {
      "id": "43afdd40-8c73-11ed-85b3-87db925d75d3",
      "name": "Suricata alerts",
      "tags": [
        "Suricata"
      ],
      "consumer": "siem",
      "enabled": true,
      "throttle": null,
      "schedule": {
        "interval": "5m"
      },
      "params": {
        "author": [
          "REDACTED"
        ],
        "description": "Generates a detection alert each time a Suricata alert is received. Enabling this rule allows you to immediately begin investigating your Suricata alerts.",
        "ruleId": "a5377b9a-75f9-446d-bc00-2c5262c9190a",
        "falsePositives": [],
        "from": "now-600s",
        "immutable": false,
        "license": "Proprietary",
        "outputIndex": "",
        "meta": {
          "from": "5m",
          "kibana_siem_app_url": "https://REDACTED/app/security"
        },
        "maxSignals": 100,
        "relatedIntegrations": [],
        "requiredFields": [],
        "riskScore": 0,
        "riskScoreMapping": [],
        "ruleNameOverride": "rule.name",
        "setup": "",
        "severity": "medium",
        "severityMapping": [
          {
            "severity": "low",
            "field": "event.severity",
            "value": "4",
            "operator": "equals"
          },
          {
            "severity": "medium",
            "field": "event.severity",
            "value": "3",
            "operator": "equals"
          },
          {
            "severity": "high",
            "field": "event.severity",
            "value": "2",
            "operator": "equals"
          },
          {
            "severity": "critical",
            "field": "event.severity",
            "value": "1",
            "operator": "equals"
          }
        ],
        "threat": [],
        "timestampOverride": "event.ingested",
        "timestampOverrideFallbackDisabled": false,
        "to": "now",
        "references": [
          "https://suricata.readthedocs.io/en/suricata-6.0.9/rules/index.html"
        ],
        "version": 5,
        "exceptionsList": [
          {
            "list_id": "559aee96-104c-44bd-be68-7c4e71cd0457",
            "namespace_type": "single",
            "id": "7460dd30-8c79-11ed-94b0-654745905219",
            "type": "detection"
          }
        ],
        "type": "query",
        "language": "kuery",
        "index": [
          "auditbeat-*",
          "filebeat-*",
          "packetbeat-*",
          "winlogbeat-*",
          "logs-endpoint.events.*"
        ],
        "query": "event.kind:alert and event.module:suricata",
        "filters": []
      },
      "rule_type_id": "siem.queryRule",
      "created_by": "elastic",
      "updated_by": "elastic",
      "created_at": "2023-01-04T21:03:40.313Z",
      "updated_at": "2023-01-05T15:22:02.844Z",
      "api_key_owner": "elastic",
      "notify_when": "onActiveAlert",
      "mute_all": true,
      "muted_alert_ids": [],
      "scheduled_task_id": "43afdd40-8c73-11ed-85b3-87db925d75d3",
      "execution_status": {
        "status": "ok",
        "last_execution_date": "2023-01-05T15:22:05.901Z",
        "last_duration": 1835
      },
      "actions": []
    }
  ]
}
```
@brsolomon-deloitte brsolomon-deloitte added the bug Fixes for quality problems that affect the customer experience label Jan 5, 2023
@botelastic botelastic bot added the needs-team Issues missing a team label label Jan 5, 2023
@brsolomon-deloitte
Author

Contrary to #139969 I have verified the alerts are not in cold/frozen/snapshot phase.

```json
{
  "indices": {
    ".internal.alerts-security.alerts-default-000001": {
      "index": ".internal.alerts-security.alerts-default-000001",
      "managed": true,
      "policy": ".alerts-ilm-policy",
      "index_creation_date_millis": 1672866669277,
      "time_since_index_creation": "20.52h",
      "lifecycle_date_millis": 1672866669277,
      "age": "20.52h",
      "phase": "hot",
      "phase_time_millis": 1672866669344,
      "action": "rollover",
      "action_time_millis": 1672866669344,
      "step": "check-rollover-ready",
      "step_time_millis": 1672866669344,
      "phase_execution": {
        "policy": ".alerts-ilm-policy",
        "phase_definition": {
          "min_age": "0ms",
          "actions": {
            "rollover": {
              "max_primary_shard_size": "50gb",
              "max_age": "30d"
            }
          }
        },
        "version": 3,
        "modified_date_in_millis": 1672843617932
      }
    }
  }
}
```

@dej611 dej611 added the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label Jan 10, 2023
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 10, 2023
@watson watson added Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. and removed Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! labels Jan 10, 2023
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@MadameSheema MadameSheema added Team:Detections and Resp Security Detection Response Team Team:Detection Alerts Security Detection Alerts Area Team labels Jan 10, 2023
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@kqualters-elastic
Contributor

@brsolomon-deloitte the 3 posted log lines are likely a red herring, and the relevant log entry is likely higher up in the file. Generally I've seen this when resources fail to install for some reason: https://github.com/elastic/kibana/blob/main/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts#L96. Perhaps try looking for the error message seen on this line:

`Error installing common resources in RuleRegistry ResourceInstaller - ${err.message}`

Otherwise set the logging level to debug and restart Kibana, looking for some of the log messages in that file. The error has nothing to do with the rule definition itself, and is happening before it's ever defined.

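Added example (not code from the issue or from Kibana) that applies the advice in the comment above: a small Python triage script that scans a Kibana log for the ResourceInstaller root-cause messages and groups the `RuleDataWriteDisabledError` / `RuleDataWriterInitializationError` symptom lines by rule id, so the earlier failure is not lost behind the per-rule noise. The sample log lines are constructed from those posted in this issue (shortened), and the `plugins.ruleRegistry` logger name on the root-cause line is an assumption.

```python
import re
from collections import defaultdict

# Kibana log line layout: [timestamp][LEVEL][logger] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z ]+)\]\[(?P<logger>[^\]]+)\] (?P<msg>.*)$")
RULE_ID_RE = re.compile(r"\[rule id (?P<rule_id>[0-9a-f-]{36})\]")

# Symptom messages reported in this issue (8.5.3 and 8.6.2 variants).
SYMPTOM_MARKERS = ("RuleDataWriteDisabledError", "RuleDataWriterInitializationError")
# Root-cause messages from the rule_registry ResourceInstaller; these are logged
# before any rule executes, so they sit earlier in the file than the symptoms.
ROOT_CAUSE_MARKERS = (
    "Error installing common resources in RuleRegistry ResourceInstaller",
    "Failure installing common resources shared between all indices",
)

# Constructed sample: lines from the issue plus a hypothetical ResourceInstaller
# failure logged before the rule ran (logger name is an assumption).
SAMPLE_LOG = [
    "[2023-01-05T15:20:11.000+00:00][ERROR][plugins.ruleRegistry] Error installing common resources in RuleRegistry ResourceInstaller - process_cluster_event_timeout_exception: failed to process cluster event (put-lifecycle-.alerts-ilm-policy) within 30s",
    '[2023-01-05T15:27:00.022+00:00][INFO ][plugins.securitySolution.ruleExecution] Changing rule status to "running" [siem.queryRule][Suricata alerts][rule id 43afdd40-8c73-11ed-85b3-87db925d75d3][space default]',
    "[2023-01-05T15:27:00.321+00:00][ERROR][plugins.securitySolution.ruleExecution] [-] search_after_bulk_create threw an error RuleDataWriteDisabledError: Rule registry writing is disabled due to an error during Rule Data Client initialization. [siem.queryRule][Suricata alerts][rule id 43afdd40-8c73-11ed-85b3-87db925d75d3][space default]",
    '[2023-01-05T15:27:00.321+00:00][ERROR][plugins.securitySolution.ruleExecution] Changing rule status to "failed". Bulk Indexing of signals failed: RuleDataWriteDisabledError: Rule registry writing is disabled due to an error during Rule Data Client initialization. [siem.queryRule][Suricata alerts][rule id 43afdd40-8c73-11ed-85b3-87db925d75d3][space default]',
]


def parse_line(line):
    """Split one Kibana log line into ts/level/logger/msg/rule_id; None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = rec["level"].strip()
    rid = RULE_ID_RE.search(rec["msg"])
    rec["rule_id"] = rid.group("rule_id") if rid else None
    return rec


def triage(lines):
    """Return (root_cause_records, {rule_id: [symptom_records]}) for an iterable of log lines."""
    root_causes, symptoms = [], defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if any(mark in rec["msg"] for mark in ROOT_CAUSE_MARKERS):
            root_causes.append(rec)
        elif any(mark in rec["msg"] for mark in SYMPTOM_MARKERS):
            symptoms[rec["rule_id"]].append(rec)
    return root_causes, dict(symptoms)


if __name__ == "__main__":
    causes, by_rule = triage(SAMPLE_LOG)
    for c in causes:
        print("root cause at", c["ts"], "->", c["msg"][:90])
    for rule_id, recs in by_rule.items():
        print(f"rule {rule_id}: {len(recs)} failed write(s), first at {recs[0]['ts']}")
```

To run it on a real deployment, replace `SAMPLE_LOG` with `open("kibana.log")`; a non-empty root-cause list with no matching fix points at the index resource install rather than the rule definition.
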
@neu5ron

neu5ron commented Jan 10, 2023

Deleting the preview index and restarting Kibana fixed this.
Will it be long term? Not sure, but everything finally works again.

Using version 8.5.3.

@peluja1012 peluja1012 added sdh-linked impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. labels Mar 31, 2023
@yctercero yctercero added Team:Detection Engine Security Solution Detection Engine Area and removed Team:Detection Alerts Security Detection Alerts Area Team labels May 13, 2023
@neu5ron

neu5ron commented Jul 27, 2023

Happens in 8.6.2 too. Different cluster too.
It's all to do with the preview index and the way Kibana gets restarted, either during upgrades/outages/etc. or just any sort of flaky ILM issue.
Here is another related error for anyone else who ends up here.

```
Bulk Indexing of signals failed: RuleDataWriterInitializationError: There has been a catastrophic error trying to install index level resources for the following registration context: security. This may have been due to a non-additive change to the mappings, removal and type changes are not permitted. Full error: Error: Failure installing common resources shared between all indices. process_cluster_event_timeout_exception: [process_cluster_event_timeout_exception] Reason: failed to process cluster event (put-lifecycle-.alerts-ilm-policy) within 30s
```

Same fix, restart Kibana. Trying to force an ILM step did not work either.
