Cannot delete detectors

I created new Security Analytics detectors in OpenSearch Dashboards (OSD). However, one of them is not visible at all, but it sends emails every minute. And the other one is visible in OSD, but I can’t remove it.

I am using the latest version of OpenSearch 2.6.0.

POST /_plugins/_security_analytics/detectors/_search
{
  "size": 30,  
  "query": {
    "nested": {
      "path": "detector",
      "query": {
        "bool": {
          "must": [
            { "match": {"detector.name": "*"} }
          ]
        }
      }
    }
  }
}
{
  "took": 2,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 0,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  }
}

When I try to disable this plugin,

PUT _cluster/settings
{
  "transient": {
    "plugins.anomaly_detection.enabled": false
  }
}

I still get emails.

Triggered alert condition: 
Severity: 3 (Medium)
Threat detector: pfsesnse-netflow-new
Description: 
Detector data sources:
	pfsense-netflow-*

This I can see in OSD:

[image]

Can you please execute the following query and paste the results here?

GET .opendistro-alerting-config/_search
{
  "query": {
    "exists": { "field": "monitor" }
  }
}

If this is the only detector in your system currently, then you should see 1 monitor returned by this _search call. You can then delete it by calling:

DELETE /_plugins/_alerting/monitors/{monitorId}

This is a known issue in 2.6, I think. One of the monitors failed to delete during the first DELETE call on the detector, and now it’s erroring out if one of the monitors is missing during deletion, instead of just continuing.

Here you are:

GET .opendistro-alerting-config/_search
{
  "query": {
    "exists": { "field": "monitor" }
  }
}


{
  "took": 33,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 0,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  }
}

My mistake. I used a user with admin rights, but when I use the admin user I can see the detectors. I deleted the one that was not visible.

But there is still one threat detector which is not in this table and is in OSD:

GET .opendistro-alerting-config/_search

{
  "took": 1,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 0,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  }
}

Are you executing this search as admin? Not sure how you are getting these notifications without any monitor.

Yes, I use the admin. After I deleted the monitor that was invisible in OSD from the table, the notifications stopped coming. But in OSD I still see one monitor, with an empty table .opendistro-alerting-config. This one cannot be deleted in OSD.

This is my query:

curl --cacert root-ca.pem  --cert admin.pem --key admin-key.pem 'https://localhost:9200/.opendistro-alerting-config/_search' | jq .
{
  "took": 25,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 0,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  }
}

I have the same problem (v2.6).
I can’t edit or delete the threat detector (“… is not found.”), but it sends alert mails.
Very confusing…

Hello @jst

I had the same issue: Issue with Scheduled job for detectors
I opened a topic before finding this; it turns out you can’t find the detector through the API without using the security admin to make the request:

search action for .opendistro-alerting-config is not allowed for a non adminDN user

If you use

https://localhost:9200/.opendistro-alerting-config/_search

with the security admin account you should find it. If you have any about the other issue I have in my topic I’ll gladly take the input.
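The two replies above describe one procedure: search .opendistro-alerting-config as the security admin (admin DN), compare the monitors found there with the detectors returned by the Security Analytics detector search, and delete leftover monitors with DELETE /_plugins/_alerting/monitors/{monitorId}. The script below is an added example for this thread, not code from OpenSearch or from anyone in the thread. It assumes that a detector document carries its monitor ids in a "monitor_id" list (optionally under a "detector" wrapper, as the nested query on this page suggests), that alerting monitor documents are returned with the monitor id as the hit's "_id", and that the client certificates are the ones used in the curl command earlier in the thread; the sample hits embedded in it are constructed, and the network helper only runs when the script is executed directly.

```python
"""Correlate Security Analytics detectors with Alerting monitors (example, not OpenSearch code).

Assumptions (not confirmed by the thread):
  * detector search hits expose monitor ids as _source["monitor_id"]
    or _source["detector"]["monitor_id"] (a list of strings);
  * monitor hits from .opendistro-alerting-config carry the monitor id in "_id".
Both searches must be issued as the security admin (admin DN); a non-admin
user gets an empty hit list, as several posts in the thread show.
"""
import json
import ssl
import sys
import urllib.request

DETECTOR_SEARCH = "/_plugins/_security_analytics/detectors/_search"
MONITOR_SEARCH = "/.opendistro-alerting-config/_search"
MONITOR_DELETE = "/_plugins/_alerting/monitors/{monitor_id}"

# Bodies taken from the thread: list every detector, list every monitor document.
DETECTOR_QUERY = {
    "size": 30,
    "query": {"nested": {"path": "detector",
                         "query": {"bool": {"must": [{"match": {"detector.name": "*"}}]}}}},
}
MONITOR_QUERY = {"query": {"exists": {"field": "monitor"}}}


def correlate(detector_hits, monitor_hits):
    """Return (orphan_monitor_ids, dangling_detector_ids).

    orphan monitors: present in the alerting config but referenced by no
      detector; these keep running on schedule and keep sending notifications.
    dangling detectors: reference a monitor id that no longer exists, which is
      the state where DELETE on the detector errors out in 2.6.
    """
    monitor_ids = {hit["_id"] for hit in monitor_hits}
    referenced = set()
    dangling = []
    for hit in detector_hits:
        src = hit["_source"]
        src = src.get("detector", src)          # tolerate the "detector" wrapper
        ids = src.get("monitor_id", [])
        referenced.update(ids)
        if any(m not in monitor_ids for m in ids):
            dangling.append(hit["_id"])
    return sorted(monitor_ids - referenced), sorted(dangling)


def delete_paths(orphan_monitor_ids):
    """Build the DELETE paths from the thread for each orphaned monitor."""
    return [MONITOR_DELETE.format(monitor_id=m) for m in orphan_monitor_ids]


def search(base_url, path, body, cacert, cert, key):
    """Run a _search with the admin client certificate (mTLS), like the curl in the thread."""
    ctx = ssl.create_default_context(cafile=cacert)
    ctx.load_cert_chain(cert, key)
    req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["hits"]["hits"]


# Constructed sample hits: one healthy detector, one detector pointing at a
# vanished monitor, and one monitor no detector references any more.
SAMPLE_DETECTORS = [
    {"_id": "det-1", "_source": {"detector": {"name": "pfsense-netflow-new", "monitor_id": ["mon-1"]}}},
    {"_id": "det-2", "_source": {"detector": {"name": "stale-detector", "monitor_id": ["mon-2", "mon-gone"]}}},
]
SAMPLE_MONITORS = [
    {"_id": "mon-1", "_source": {"monitor": {"name": "pfsense-netflow-new - mon-1"}}},
    {"_id": "mon-2", "_source": {"monitor": {"name": "stale-detector - mon-2"}}},
    {"_id": "mon-orphan", "_source": {"monitor": {"name": "leftover monitor"}}},
]


if __name__ == "__main__":
    if len(sys.argv) == 5:
        # Live mode: python this.py https://localhost:9200 root-ca.pem admin.pem admin-key.pem
        base, cacert, cert, key = sys.argv[1:]
        detectors = search(base, DETECTOR_SEARCH, DETECTOR_QUERY, cacert, cert, key)
        monitors = search(base, MONITOR_SEARCH, MONITOR_QUERY, cacert, cert, key)
    else:
        detectors, monitors = SAMPLE_DETECTORS, SAMPLE_MONITORS
    orphans, dangling = correlate(detectors, monitors)
    print("orphaned monitors (still notifying):", orphans)
    print("detectors referencing missing monitors:", dangling)
    for path in delete_paths(orphans):
        print("DELETE", path)
```

Run without arguments, it works on the constructed sample and reports mon-orphan as the monitor to delete and det-2 as the detector whose DELETE will fail until its missing monitor reference is resolved; run with the URL and the three certificate files, it issues the same two searches against the cluster as the admin DN and only prints the DELETE paths rather than executing them.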
