What is the bug?
create a new Security Analytics Detector
ERROR: Failed to create detector:
[security_analytics_exception] analyzer [rule_analyzer] has not been configured in mappings
How can one reproduce the bug?
Steps to reproduce the behavior:
- Go to Security Analytics and create a new detector
- See error
What is the expected behavior?
Want to create a detector based on auditbeat 7.13.4 logs to find with the Sigma rule "System Network Discovery - Linux"
What is your host/environment?
- OS: Ubuntu bullseye/sid
- Version 2.5.0
- Plugins: logstash 8.4.0, opensearch-security-analytics 2.5.0.0
Do you have any screenshots?
OpenSearch node log:
Caused by: java.lang.Exception: java.lang.IllegalArgumentException: analyzer [rule_analyzer] has not been configured in mappings
... 9 more
uncaught exception in thread [DefaultDispatcher-worker-1]
AlertingException[analyzer [rule_analyzer] has not been configured in mappings]; nested: Exception[java.lang.IllegalArgumentException: analyzer [rule_analyzer] has not been configured in mappings];
at org.opensearch.alerting.util.AlertingException$Companion.wrap(AlertingException.kt:70)
at org.opensearch.alerting.util.DocLevelMonitorQueries.updateQueryIndexMappings(DocLevelMonitorQueries.kt:359)
at org.opensearch.alerting.util.DocLevelMonitorQueries.access$updateQueryIndexMappings(DocLevelMonitorQueries.kt:41)
at org.opensearch.alerting.util.DocLevelMonitorQueries$updateQueryIndexMappings$1.invokeSuspend(DocLevelMonitorQueries.kt)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
at kotlinx.coroutines.DispatchedTask.run(Dispatched.kt:285)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:594)
at kotlinx.coroutines.scheduling.CoroutineScheduler.access$runSafely(CoroutineScheduler.kt:60)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:742)
Caused by: java.lang.Exception: java.lang.IllegalArgumentException: analyzer [rule_analyzer] has not been configured in mappings
... 9 more
[2023-01-24T17:35:14,004][INFO ][o.o.p.PluginsService ] [opensearch-node1] PluginService:onIndexModule index:[.opensearch-sap-linux-alerts/usv-AHTXR_KClWRreCZqWQ]
[2023-01-24T17:35:14,013][INFO ][o.o.p.PluginsService ] [opensearch-node1] PluginService:onIndexModule index:[.opensearch-sap-linux-alerts-history-2023.01.23-1/OypQ-vxZRC-h-FaAw89axA]
[2023-01-24T17:35:14,018][INFO ][o.o.p.PluginsService ] [opensearch-node1] PluginService:onIndexModule index:[.opensearch-sap-linux-findings-2023.01.23-1/W_-cMmlGTD20B9oFf5HiLA]
[2023-01-24T17:35:14,025][INFO ][o.o.p.PluginsService ] [opensearch-node1] PluginService:onIndexModule index:[.opensearch-sap-linux-detectors-queries-000001/T_nv-1T0Rb2zgim5THXltg]
[2023-01-24T17:35:14,176][INFO ][o.o.p.PluginsService ] [opensearch-node1] PluginService:onIndexModule index:[.opensearch-sap-linux-alerts/usv-AHTXR_KClWRreCZqWQ]
[2023-01-24T17:35:14,185][INFO ][o.o.p.PluginsService ] [opensearch-node1] PluginService:onIndexModule index:[.opensearch-sap-linux-alerts-history-2023.01.23-1/OypQ-vxZRC-h-FaAw89axA]
[2023-01-24T17:35:14,190][INFO ][o.o.p.PluginsService ] [opensearch-node1] PluginService:onIndexModule index:[.opensearch-sap-linux-findings-2023.01.23-1/W_-cMmlGTD20B9oFf5HiLA]
[2023-01-24T17:35:14,199][INFO ][o.o.p.PluginsService ] [opensearch-node1] PluginService:onIndexModule index:[.opensearch-sap-linux-detectors-queries-000001/T_nv-1T0Rb2zgim5THXltg]
[2023-01-24T17:35:14,392][INFO ][o.o.p.PluginsService ] [opensearch-node1] PluginService:onIndexModule index:[.opensearch-sap-linux-alerts/usv-AHTXR_KClWRreCZqWQ]
[2023-01-24T17:35:14,397][INFO ][o.o.a.a.AlertIndices ] [opensearch-node1] Index mapping of .opensearch-sap-linux-alerts is updated
[2023-01-24T17:35:14,404][INFO ][o.o.p.PluginsService ] [opensearch-node1] PluginService:onIndexModule index:[.opensearch-sap-linux-alerts-history-2023.01.23-1/OypQ-vxZRC-h-FaAw89axA]
[2023-01-24T17:35:14,407][INFO ][o.o.a.a.AlertIndices ] [opensearch-node1] Index mapping of .opensearch-sap-linux-alerts-history-2023.01.23-1 is updated
[2023-01-24T17:35:14,414][INFO ][o.o.p.PluginsService ] [opensearch-node1] PluginService:onIndexModule index:[.opensearch-sap-linux-findings-2023.01.23-1/W_-cMmlGTD20B9oFf5HiLA]
[2023-01-24T17:35:14,415][INFO ][o.o.a.a.AlertIndices ] [opensearch-node1] Index mapping of .opensearch-sap-linux-findings-2023.01.23-1 is updated
[2023-01-24T17:35:14,421][INFO ][o.o.p.PluginsService ] [opensearch-node1] PluginService:onIndexModule index:[.opensearch-sap-linux-detectors-queries-000001/T_nv-1T0Rb2zgim5THXltg]
[2023-01-24T17:35:14,422][ERROR][o.o.a.u.AlertingException] [opensearch-node1] Alerting error: java.lang.IllegalArgumentException: analyzer [rule_analyzer] has not been configured in mappings
[2023-01-24T17:35:14,422][ERROR][o.o.b.OpenSearchUncaughtExceptionHandler] [opensearch-node1] uncaught exception in thread [DefaultDispatcher-worker-1]
org.opensearch.alerting.util.AlertingException: analyzer [rule_analyzer] has not been configured in mappings
at org.opensearch.alerting.util.AlertingException$Companion.wrap(AlertingException.kt:70) ~[opensearch-alerting-2.5.0.0.jar:2.5.0.0]
at org.opensearch.alerting.util.DocLevelMonitorQueries.updateQueryIndexMappings(DocLevelMonitorQueries.kt:359) ~[opensearch-alerting-2.5.0.0.jar:2.5.0.0]
at org.opensearch.alerting.util.DocLevelMonitorQueries.access$updateQueryIndexMappings(DocLevelMonitorQueries.kt:41) ~[opensearch-alerting-2.5.0.0.jar:2.5.0.0]
at org.opensearch.alerting.util.DocLevelMonitorQueries$updateQueryIndexMappings$1.invokeSuspend(DocLevelMonitorQueries.kt) ~[opensearch-alerting-2.5.0.0.jar:2.5.0.0]
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33) [kotlin-stdlib-1.6.10.jar:1.6.10-release-923(1.6.10)]
at kotlinx.coroutines.DispatchedTask.run(Dispatched.kt:285) [kotlinx-coroutines-core-1.1.1.jar:?]
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:594) [kotlinx-coroutines-core-1.1.1.jar:?]
at kotlinx.coroutines.scheduling.CoroutineScheduler.access$runSafely(CoroutineScheduler.kt:60) [kotlinx-coroutines-core-1.1.1.jar:?]
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:742) [kotlinx-coroutines-core-1.1.1.jar:?]
Caused by: java.lang.Exception: java.lang.IllegalArgumentException: analyzer [rule_analyzer] has not been configured in mappings
... 9 more
uncaught exception in thread [DefaultDispatcher-worker-1]
AlertingException[analyzer [rule_analyzer] has not been configured in mappings]; nested: Exception[java.lang.IllegalArgumentException: analyzer [rule_analyzer] has not been configured in mappings];
at org.opensearch.alerting.util.AlertingException$Companion.wrap(AlertingException.kt:70)
at org.opensearch.alerting.util.DocLevelMonitorQueries.updateQueryIndexMappings(DocLevelMonitorQueries.kt:359)
at org.opensearch.alerting.util.DocLevelMonitorQueries.access$updateQueryIndexMappings(DocLevelMonitorQueries.kt:41)
at org.opensearch.alerting.util.DocLevelMonitorQueries$updateQueryIndexMappings$1.invokeSuspend(DocLevelMonitorQueries.kt)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
at kotlinx.coroutines.DispatchedTask.run(Dispatched.kt:285)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:594)
at kotlinx.coroutines.scheduling.CoroutineScheduler.access$runSafely(CoroutineScheduler.kt:60)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:742)
Caused by: java.lang.Exception: java.lang.IllegalArgumentException: analyzer [rule_analyzer] has not been configured in mappings
... 9 more
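The error in the log is raised while the Alerting plugin updates the mapping of the detector's query index (.opensearch-sap-linux-detectors-queries-000001 above): a field mapping names an analyzer that the index's analysis settings never declare. The following added diagnostic is not part of the issue or of the Security Analytics plugin. It takes the JSON shapes returned by OpenSearch's GET <index>/_settings and GET <index>/_mapping APIs and lists every field whose analyzer or search_analyzer is undeclared, which is the first thing to check on an affected cluster. The two settings documents and the mapping are constructed samples; the custom-analyzer definition in FIXED_SETTINGS is a placeholder, not the plugin's actual rule_analyzer definition.

```python
"""Find analyzers referenced by an index mapping that are not declared in the
index's analysis settings.

Added example, not code from the original issue or from the OpenSearch
plugins. Input shapes follow GET <index>/_settings and GET <index>/_mapping;
the sample documents below are constructed, not captured from a cluster."""

from typing import Dict, Iterator, List, Set, Tuple

# Index name taken from the node log in the issue.
INDEX = ".opensearch-sap-linux-detectors-queries-000001"

# Constructed GET <index>/_settings response: no custom analyzer declared.
SAMPLE_SETTINGS: Dict = {
    INDEX: {"settings": {"index": {"number_of_shards": "1", "analysis": {}}}}
}

# Constructed "repaired" settings: rule_analyzer declared. The definition is a
# placeholder (standard tokenizer, lowercase filter), not the plugin's own.
FIXED_SETTINGS: Dict = {
    INDEX: {
        "settings": {
            "index": {
                "number_of_shards": "1",
                "analysis": {
                    "analyzer": {
                        "rule_analyzer": {
                            "type": "custom",
                            "tokenizer": "standard",
                            "filter": ["lowercase"],
                        }
                    }
                },
            }
        }
    }
}

# Constructed GET <index>/_mapping response: one text field wants rule_analyzer.
SAMPLE_MAPPING: Dict = {
    INDEX: {
        "mappings": {
            "properties": {
                "query": {"type": "percolator"},
                "process": {
                    "properties": {
                        "command_line": {"type": "text", "analyzer": "rule_analyzer"},
                        "name": {"type": "keyword"},
                    }
                },
            }
        }
    }
}

# Subset of OpenSearch's built-in analyzers; extend if your mappings use others.
BUILTIN_ANALYZERS = {"standard", "simple", "whitespace", "keyword", "stop", "pattern"}


def declared_analyzers(settings: Dict, index: str) -> Set[str]:
    """Names declared under index.analysis.analyzer, plus the built-ins."""
    analysis = settings[index]["settings"]["index"].get("analysis", {})
    return set(analysis.get("analyzer", {}).keys()) | BUILTIN_ANALYZERS


def referenced_analyzers(properties: Dict, path: str = "") -> Iterator[Tuple[str, str]]:
    """Walk a mapping's properties tree and yield (field_path, analyzer_name)
    for every field that names an analyzer or search_analyzer, descending into
    object sub-properties and multi-fields."""
    for name, spec in properties.items():
        field = f"{path}.{name}" if path else name
        for key in ("analyzer", "search_analyzer"):
            if key in spec:
                yield field, spec[key]
        if "properties" in spec:  # object / nested sub-fields
            yield from referenced_analyzers(spec["properties"], field)
        if "fields" in spec:  # multi-fields such as name.keyword
            yield from referenced_analyzers(spec["fields"], field)


def missing_analyzers(settings: Dict, mapping: Dict, index: str) -> List[Tuple[str, str]]:
    """Return (field_path, analyzer) pairs whose analyzer the index does not declare."""
    declared = declared_analyzers(settings, index)
    props = mapping[index]["mappings"].get("properties", {})
    return [(f, a) for f, a in referenced_analyzers(props) if a not in declared]


if __name__ == "__main__":
    for label, settings in (("as reported", SAMPLE_SETTINGS), ("repaired", FIXED_SETTINGS)):
        problems = missing_analyzers(settings, SAMPLE_MAPPING, INDEX)
        if problems:
            for field, analyzer in problems:
                print(f"[{label}] {INDEX}: field '{field}' references undeclared analyzer '{analyzer}'")
        else:
            print(f"[{label}] {INDEX}: every referenced analyzer is declared")
```

Against a live cluster, feed the two API responses into missing_analyzers in place of the constructed samples; an empty result means the index's settings and mapping agree and the failure lies elsewhere in the detector creation path.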