What is the bug?
We have upgraded two of our environments (one from 2.15 and another one from 2.11) to 2.16. When trying to create a Threat Intelligence source local (using the Documentation sample and also a custom stix2), it fails.
The error message:
[exception] Error occurred while ingesting IOCs to [.opensearch-sap-iocs-ux1uv5ebhudpy2h-aqmh-1723747035697] with an error failure in bulk execution: [0]: index [.opensearch-sap-iocs-ux1uv5ebhudpy2h-aqmh-1723747035697], id [dfdc4b83-6b2c-4bc6-b06c-e4b30158f542], message [[.opensearch-sap-iocs-ux1uv5ebhudpy2h-aqmh-1723747035697] IndexNotFoundException[no such index [.opensearch-sap-iocs-ux1uv5ebhudpy2h-aqmh-1723747035697]]] [1]: index [.opensearch-sap-iocs-ux1uv5ebhudpy2h-aqmh-1723747035697], id [d3706759-5567-4551-ac28-59823d4b8140]
However, the index ends up being created (empty, but it gets created).
This goes on as a very long list for each IOC in the STIX JSON.
How can one reproduce the bug?
Steps to reproduce the behavior:
1. Ensure the environment is an upgraded environment. (The error doesn't happen in a fresh install.)
2. Go to 'Security Analytics / Threat Intelligence'
3. Click on 'Add Threat Intel Source'
4. Select Local File Upload
5. Upload the file
6. Select all checkboxes and add a name
7. Click on Add Threat Intel Source
What is the expected behavior?
It should complete the creation of the TI Source and show in the list. The IOCs should be ingested in the index .opensearch-sap-iocs-randomindex.
What is your host/environment?
OS: [Windows 11]
Version [2.16 - Upgraded]
Do you have any screenshots?
Do you have any additional context?
In the OSD logs, I can also see the error (besides the one above) - Alerting - MonitorService - searchMonitor: StatusCodeError: [alerting_exception] Configured indices are not found: [.opendistro-alerting-config]
You can message me at https://opensearch.slack.com/team/U052WCKACH3 on OpenSearch Slack, where I can better understand your setup over a call.
Closing issue since you have resolved your problem by unblocking index creation for the .opensearch-sap* pattern.
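A triage helper for the bulk-failure text quoted in the report, as an added example that is not part of the original issue or the project's code: it splits the message into per-document failures and checks whether they all share one index-level cause rather than a per-IOC problem. The sample string is constructed in the quoted format with a placeholder index name and ids, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the report; index name and ids are placeholders.
SAMPLE = (
    "[exception] Error occurred while ingesting IOCs to [.opensearch-sap-iocs-EXAMPLE] "
    "with an error failure in bulk execution: "
    "[0]: index [.opensearch-sap-iocs-EXAMPLE], id [id-0], message "
    "[[.opensearch-sap-iocs-EXAMPLE] IndexNotFoundException[no such index "
    "[.opensearch-sap-iocs-EXAMPLE]]] "
    "[1]: index [.opensearch-sap-iocs-EXAMPLE], id [id-1]"
)

ITEM_START = re.compile(r"\[(\d+)\]: index \[([^\]]+)\], id \[([^\]]+)\]")
EXC_NAME = re.compile(r"\b([A-Za-z_]\w*Exception)\[")


def parse_bulk_failures(text):
    """Split the message into per-document failures (position, index, id, exception)."""
    starts = list(ITEM_START.finditer(text))
    items = []
    for i, m in enumerate(starts):
        # An item's tail runs to the next "[n]: index" marker (or end of text),
        # so the nested brackets inside "message [...]" need no balancing.
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        exc = EXC_NAME.search(text[m.end():end])
        items.append({"pos": int(m.group(1)), "index": m.group(2), "id": m.group(3),
                      # None when the line was cut off before the message field.
                      "exception": exc.group(1) if exc else None})
    return items


def summarize(items):
    """Count failures per (index, exception) pair."""
    return Counter((it["index"], it["exception"]) for it in items)


def index_level_failure(items):
    """True when every item that reports a cause reports IndexNotFoundException on one index."""
    causes = {it["exception"] for it in items if it["exception"]}
    return len({it["index"] for it in items}) == 1 and causes == {"IndexNotFoundException"}


if __name__ == "__main__":
    parsed = parse_bulk_failures(SAMPLE)
    print(summarize(parsed))
    print("index-level failure:", index_level_failure(parsed))
```

When `index_level_failure` returns True, the failures share one cause on the target index, which is where to look before examining the STIX file itself.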