NVISOsecurity / ee-outliers

Open-source framework to detect outliers in Elasticsearch events
https://blog.nviso.eu
GNU General Public License v3.0
204 stars 34 forks

Unfortunately frozen indices halt outlier detection #515

Closed rdepril closed 4 years ago

rdepril commented 4 years ago

Context

If a document is read in and tagged as an outlier, but the index becomes read-only before the document can be updated, a BulkIndexError gets thrown.

Snippet from the details of such an error: {'type': 'cluster_block_exception', 'reason': 'index [logstash-eagleeye-wevtfilter-000019] blocked by: [FORBIDDEN/8/index write (api)

Problem

It seems like outliers keeps retrying to commit this illegal bulk action; in the meantime no new outliers get detected.

Solution

Skip frozen indices when writing back?

rdepril commented 4 years ago

This issue can be prevented by having an ILM policy that doesn't freeze indices inside the window set by the history_window_days parameter.

michielmeersmans commented 4 years ago

I would indeed skip frozen indices when writing back for now and add a warning log entry.
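
An added example (not code from the ee-outliers project) of the skip-and-warn write-back suggested in this thread: the bulk callable mirrors the (ok_count, failed_items) return shape of elasticsearch.helpers.bulk with raise_on_error=False, so a frozen index is logged and dropped instead of being retried forever, while any other per-item error still surfaces. The frozen index name, the fake cluster and the action bodies are constructed for the example.

```python
import logging
from typing import Callable, Dict, List, Set, Tuple

log = logging.getLogger("ee-outliers.writeback")
# Same return shape as elasticsearch.helpers.bulk(es, actions, raise_on_error=False): (ok_count, failed_items)
BulkFn = Callable[[List[Dict]], Tuple[int, List[Dict]]]
BLOCKED = "cluster_block_exception"  # error type Elasticsearch returns for a frozen / read-only index

def failed_item(err: Dict) -> Dict:
    # a failed item looks like {"update": {"_index": ..., "_id": ..., "status": 403, "error": {...}}}
    return next(iter(err.values()))

def write_back(bulk_fn: BulkFn, actions: List[Dict], known_frozen: Set[str]) -> Tuple[int, Set[str]]:
    """Commit outlier tags once; read-only indices are warned about and skipped, not retried.
    known_frozen is updated in place so later batches do not even try those indices."""
    todo = [a for a in actions if a["_index"] not in known_frozen]
    if not todo:
        return 0, set()
    ok, errors = bulk_fn(todo)
    blocked = {failed_item(e)["_index"] for e in errors if failed_item(e)["error"]["type"] == BLOCKED}
    others = [e for e in errors if failed_item(e)["error"]["type"] != BLOCKED]
    if others:  # anything but a read-only index is a real failure and must not be swallowed
        raise RuntimeError(f"{len(others)} outlier update(s) failed, first: {others[0]}")
    for idx in sorted(blocked):
        log.warning("index %s is read-only (frozen?); skipping outlier write-back", idx)
    known_frozen |= blocked
    return ok, blocked

# Constructed stand-in for a cluster in which one index has been frozen by ILM (no real cluster needed)
FROZEN = "logstash-example-000019"  # placeholder index name, constructed for this example
def fake_bulk(actions: List[Dict]) -> Tuple[int, List[Dict]]:
    ok, errors = 0, []
    for a in actions:
        if a["_index"] != FROZEN:
            ok += 1
            continue
        errors.append({"update": {"_index": a["_index"], "_id": a["_id"], "status": 403, "error": {
            "type": BLOCKED, "reason": f"index [{a['_index']}] blocked by: [FORBIDDEN/8/index write (api)]"}}})
    return ok, errors

def demo() -> Tuple[int, Set[str], int]:
    indices = [FROZEN, "logstash-example-000020", FROZEN, "logstash-example-000021"]
    actions = [{"_op_type": "update", "_index": idx, "_id": str(i), "doc": {"outliers": {"model": "example"}}}
               for i, idx in enumerate(indices)]
    frozen: Set[str] = set()
    ok, blocked = write_back(fake_bulk, actions, frozen)   # first batch: 2 written, frozen index skipped
    ok2, _ = write_back(fake_bulk, actions, frozen)        # next batch: frozen index filtered up front
    return ok, blocked, ok2
```

To wire this to a real cluster, pass `lambda acts: helpers.bulk(es, acts, raise_on_error=False)` as `bulk_fn`; on elasticsearch-py versions that only raise BulkIndexError, the failed items are available on the exception's `errors` attribute.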

maximilienroberti commented 4 years ago

Issue resolved on PR #550