Exception creating detector

When creating any new Security Analytics detector, an exception is thrown. Here are some logs from the server:

```
{"type": "server", "timestamp": "2023-03-27T14:47:19,852Z", "level": "ERROR", "component": "o.o.a.u.AlertingException", "cluster.name": "logs", "node.name": "es-master-1", "message": "Alerting error: java.lang.ClassCastException: class java.lang.String cannot be cast to class java.util.Map (java.lang.String and java.util.Map are in module java.base of loader 'bootstrap')", "cluster.uuid": "o1Ol5SK_SGWmwe0MXaMmtA", "node.id": "74ZN26_6TV2HGWRSuKA84A" }
{"type": "server", "timestamp": "2023-03-27T14:47:19,854Z", "level": "ERROR", "component": "o.o.s.u.SecurityAnalyticsException", "cluster.name": "logs", "node.name": "es-master-1", "message": "Security Analytics error:", "cluster.uuid": "o1Ol5SK_SGWmwe0MXaMmtA", "node.id": "74ZN26_6TV2HGWRSuKA84A", "stacktrace": [
  "org.opensearch.alerting.util.AlertingException: class java.lang.String cannot be cast to class java.util.Map (java.lang.String and java.util.Map are in module java.base of loader 'bootstrap')",
  "at org.opensearch.alerting.util.AlertingException$Companion.wrap(AlertingException.kt:70) ~[?:?]",
  "at org.opensearch.alerting.transport.TransportIndexMonitorAction$IndexMonitorHandler.indexMonitor(TransportIndexMonitorAction.kt:512) ~[?:?]",
  "at org.opensearch.alerting.transport.TransportIndexMonitorAction$IndexMonitorHandler.access$indexMonitor(TransportIndexMonitorAction.kt:239) ~[?:?]",
  "at org.opensearch.alerting.transport.TransportIndexMonitorAction$IndexMonitorHandler$indexMonitor$1.invokeSuspend(TransportIndexMonitorAction.kt) ~[?:?]",
  "at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33) ~[?:?]",
  "at kotlinx.coroutines.DispatchedTask.run(Dispatched.kt:233) ~[?:?]",
  "at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:594) ~[?:?]",
  "at kotlinx.coroutines.scheduling.CoroutineScheduler.access$runSafely(CoroutineScheduler.kt:60) ~[?:?]",
  "at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:742) ~[?:?]",
  "Caused by: java.lang.Exception: java.lang.ClassCastException: class java.lang.String cannot be cast to class java.util.Map (java.lang.String and java.util.Map are in module java.base of loader 'bootstrap')",
  "... 9 more"] }
{"type": "server", "timestamp": "2023-03-27T14:47:19,858Z", "level": "WARN", "component": "r.suppressed", "cluster.name": "logs", "node.name": "es-master-1", "message": "path: /_plugins/_security_analytics/detectors, params: {}", "cluster.uuid": "o1Ol5SK_SGWmwe0MXaMmtA", "node.id": "74ZN26_6TV2HGWRSuKA84A", "stacktrace": [
  "org.opensearch.securityanalytics.util.SecurityAnalyticsException: class java.lang.String cannot be cast to class java.util.Map (java.lang.String and java.util.Map are in module java.base of loader 'bootstrap')",
  "at org.opensearch.securityanalytics.util.SecurityAnalyticsException.wrap(SecurityAnalyticsException.java:51) ~[?:?]",
  "at org.opensearch.securityanalytics.transport.TransportIndexDetectorAction$AsyncIndexDetectorsAction.lambda$finishHim$0(TransportIndexDetectorAction.java:1168) ~[?:?]",
  "at org.opensearch.action.ActionRunnable.lambda$supply$0(ActionRunnable.java:73) [opensearch-2.6.0.jar:2.6.0]",
  "at org.opensearch.action.ActionRunnable$2.doRun(ActionRunnable.java:88) ~[opensearch-2.6.0.jar:2.6.0]",
  "at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:806) [opensearch-2.6.0.jar:2.6.0]",
  "at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52) [opensearch-2.6.0.jar:2.6.0]",
  "at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]",
  "at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]",
  "at java.lang.Thread.run(Thread.java:833) [?:?]",
  "Caused by: java.lang.Exception: org.opensearch.alerting.util.AlertingException: class java.lang.String cannot be cast to class java.util.Map (java.lang.String and java.util.Map are in module java.base of loader 'bootstrap')",
  "... 9 more"] }
```
From another node I found this exception:

```
{"type": "server", "timestamp": "2023-03-27T14:48:18,089Z", "level": "ERROR", "component": "o.o.a.DocumentLevelMonitorRunner", "cluster.name": "logs", "node.name": "es-data-2", "message": "Failed to start Document-level-monitor Apache_access_logs. Error: class java.lang.String cannot be cast to class java.util.Map (java.lang.String and java.util.Map are in module java.base of loader 'bootstrap')", "cluster.uuid": "o1Ol5SK_SGWmwe0MXaMmtA", "node.id": "RRFc1RJcQeG3b9dwZ-cQKw", "stacktrace": [
  "java.lang.ClassCastException: class java.lang.String cannot be cast to class java.util.Map (java.lang.String and java.util.Map are in module java.base of loader 'bootstrap')",
  "at org.opensearch.alerting.util.DocLevelMonitorQueries.traverseMappingsAndUpdate(DocLevelMonitorQueries.kt:172) ~[opensearch-alerting-2.6.0.0.jar:2.6.0.0]",
  "at org.opensearch.alerting.util.DocLevelMonitorQueries.traverseMappingsAndUpdate(DocLevelMonitorQueries.kt:164) ~[opensearch-alerting-2.6.0.0.jar:2.6.0.0]",
  "at org.opensearch.alerting.util.DocLevelMonitorQueries.indexDocLevelQueries(DocLevelMonitorQueries.kt:245) ~[opensearch-alerting-2.6.0.0.jar:2.6.0.0]",
  "at org.opensearch.alerting.util.DocLevelMonitorQueries.indexDocLevelQueries$default(DocLevelMonitorQueries.kt:198) ~[opensearch-alerting-2.6.0.0.jar:2.6.0.0]",
  "at org.opensearch.alerting.DocumentLevelMonitorRunner.runMonitor(DocumentLevelMonitorRunner.kt:116) [opensearch-alerting-2.6.0.0.jar:2.6.0.0]",
  "at org.opensearch.alerting.DocumentLevelMonitorRunner$runMonitor$1.invokeSuspend(DocumentLevelMonitorRunner.kt) [opensearch-alerting-2.6.0.0.jar:2.6.0.0]",
  "at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33) [kotlin-stdlib-1.6.10.jar:1.6.10-release-923(1.6.10)]",
  "at kotlinx.coroutines.DispatchedTask.run(Dispatched.kt:233) [kotlinx-coroutines-core-1.1.1.jar:?]",
  "at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:594) [kotlinx-coroutines-core-1.1.1.jar:?]",
  "at kotlinx.coroutines.scheduling.CoroutineScheduler.access$runSafely(CoroutineScheduler.kt:60) [kotlinx-coroutines-core-1.1.1.jar:?]",
  "at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:742) [kotlinx-coroutines-core-1.1.1.jar:?]"] }
{"type": "server", "timestamp": "2023-03-27T14:48:18,107Z", "level": "ERROR", "component": "o.o.a.u.AlertingException", "cluster.name": "logs", "node.name": "es-data-2", "message": "Alerting error: java.lang.ClassCastException: class java.lang.String cannot be cast to class java.util.Map (java.lang.String and java.util.Map are in module java.base of loader 'bootstrap')", "cluster.uuid": "o1Ol5SK_SGWmwe0MXaMmtA", "node.id": "RRFc1RJcQeG3b9dwZ-cQKw" }
```

Running 2.6.0; this cluster has been upgraded from Elastic to ODFE to OpenSearch over the years.
Any help resolving this would be appreciated!

Can you please execute GET {index}/_mapping on the source index you're trying to create the detector on and paste the results here?

@pdz

The mapping is too large to post here, would this index template be sufficient?

```json
{
  "index_templates": [
    {
      "name": "logstash_template",
      "index_template": {
        "index_patterns": [
          "logstash-*"
        ],
        "template": {
          "settings": {
            "index": {
              "codec": "best_compression",
              "mapping": {
                "total_fields": {
                  "limit": "4000"
                },
                "ignore_malformed": "true"
              },
              "refresh_interval": "30s",
              "number_of_shards": "3",
              "translog": {
                "flush_threshold_size": "1g",
                "sync_interval": "10m",
                "durability": "async"
              },
              "plugins": {
                "index_state_management": {
                  "policy_id": "delete_old"
                }
              },
              "merge": {
                "policy": {
                  "segments_per_tier": "10",
                  "max_merge_at_once": "10",
                  "max_merged_segment": "300mb"
                }
              },
              "sort": {
                "field": [
                  "logger_name",
                  "@timestamp"
                ],
                "order": [
                  "asc",
                  "desc"
                ]
              },
              "number_of_replicas": "1"
            }
          },
          "mappings": {
            "numeric_detection": false,
            "dynamic_templates": [
              {
                "id_fields": {
                  "mapping": {
                    "ignore_above": 256,
                    "type": "keyword"
                  },
                  "match": "*_id"
                }
              },
              {
                "string_fields": {
                  "mapping": {
                    "norms": false,
                    "type": "text"
                  },
                  "match_mapping_type": "string",
                  "match": "*"
                }
              },
              {
                "boolean_fields": {
                  "mapping": {
                    "norms": false,
                    "type": "text"
                  },
                  "match_mapping_type": "boolean",
                  "match": "*"
                }
              },
              {
                "long_fields": {
                  "mapping": {
                    "norms": false,
                    "type": "text"
                  },
                  "match_mapping_type": "long",
                  "match": "*"
                }
              },
              {
                "double_fields": {
                  "mapping": {
                    "norms": false,
                    "type": "text"
                  },
                  "match_mapping_type": "double",
                  "match": "*"
                }
              }
            ],
            "date_detection": false,
            "properties": {
              "reason": {
                "norms": false,
                "type": "text",
                "fields": {
                  "keyword": {
                    "ignore_above": 256,
                    "type": "keyword"
                  }
                }
              },
              "alert.category": {
                "ignore_above": 256,
                "type": "keyword"
              },
              "aide": {
                "dynamic": true,
                "type": "object",
                "properties": {
                  "file": {
                    "type": "keyword"
                  },
                  "package": {
                    "type": "keyword"
                  },
                  "packages_installed": {
                    "type": "keyword"
                  },
                  "status": {
                    "type": "keyword"
                  }
                }
              },
              "data": {
                "ignore_above": 256,
                "type": "keyword"
              },
              "type": {
                "type": "keyword"
              },
              "path": {
                "type": "keyword"
              },
              "host": {
                "type": "keyword"
              },
              "client_ip": {
                "ignore_malformed": true,
                "type": "ip"
              },
              "from": {
                "norms": false,
                "type": "text",
                "fields": {
                  "keyword": {
                    "ignore_above": 256,
                    "type": "keyword"
                  }
                }
              },
              "logger_name": {
                "ignore_above": 256,
                "type": "keyword"
              },
              "persistent": {
                "type": "keyword"
              },
              "cache": {
                "type": "keyword"
              },
              "registrations": {
                "norms": false,
                "type": "text"
              },
              "source_host": {
                "ignore_malformed": true,
                "type": "ip"
              },
              "level": {
                "type": "keyword"
              },
              "minutes": {
                "ignore_malformed": true,
                "type": "long"
              },
              "queued_as": {
                "ignore_above": 256,
                "type": "keyword"
              },
              "count": {
                "ignore_malformed": true,
                "type": "long",
                "fields": {
                  "keyword": {
                    "ignore_above": 256,
                    "type": "keyword"
                  }
                }
              },
              "tags": {
                "type": "keyword"
              },
              "success": {
                "norms": false,
                "type": "text",
                "fields": {
                  "keyword": {
                    "ignore_above": 256,
                    "type": "keyword"
                  }
                }
              },
              "dest_ip": {
                "ignore_malformed": true,
                "type": "ip"
              },
              "domain": {
                "type": "keyword"
              },
              "http_useragent": {
                "type": "keyword"
              },
              "tls_protocol": {
                "type": "keyword"
              },
              "status": {
                "norms": false,
                "type": "text",
                "fields": {
                  "keyword": {
                    "ignore_above": 256,
                    "type": "keyword"
                  }
                }
              },
              "ipaddress": {
                "ignore_malformed": true,
                "type": "ip"
              },
              "process_id": {
                "ignore_malformed": true,
                "type": "long"
              },
              "syslog_pid": {
                "ignore_malformed": true,
                "type": "long"
              },
              "signature": {
                "type": "keyword"
              },
              "upstream_addr": {
                "type": "keyword"
              },
              "user_name": {
                "type": "keyword"
              },
              "_all": {
                "enabled": false
              },
              "forwarded_for": {
                "ignore_malformed": true,
                "type": "ip"
              },
              "src_ip": {
                "ignore_malformed": true,
                "type": "ip"
              },
              "clientuser": {
                "type": "keyword"
              },
              "severity": {
                "type": "keyword"
              },
              "course_id": {
                "type": "keyword"
              },
              "geoip": {
                "dynamic": true,
                "type": "object",
                "properties": {
                  "ip": {
                    "type": "ip",
                    "doc_values": true
                  },
                  "latitude": {
                    "type": "float",
                    "doc_values": true
                  },
                  "location": {
                    "type": "geo_point",
                    "doc_values": true
                  },
                  "longitude": {
                    "type": "float",
                    "doc_values": true
                  }
                }
              },
              "tls_cipher": {
                "type": "keyword"
              },
              "message_id": {
                "ignore_above": 256,
                "type": "keyword"
              },
              "message": {
                "norms": false,
                "type": "text",
                "fields": {
                  "keyword": {
                    "ignore_above": 256,
                    "type": "keyword"
                  }
                }
              },
              "app_proto": {
                "type": "keyword"
              },
              "target": {
                "norms": false,
                "type": "text",
                "fields": {
                  "keyword": {
                    "ignore_above": 256,
                    "type": "keyword"
                  }
                }
              },
              "browser_metrics": {
                "properties": {
                  "patch": {
                    "type": "keyword"
                  },
                  "major": {
                    "type": "keyword"
                  },
                  "minor": {
                    "type": "keyword"
                  },
                  "os": {
                    "type": "keyword"
                  },
                  "build": {
                    "type": "keyword"
                  },
                  "os_minor": {
                    "type": "keyword"
                  },
                  "os_major": {
                    "type": "keyword"
                  },
                  "name": {
                    "type": "keyword"
                  },
                  "os_name": {
                    "type": "keyword"
                  },
                  "device": {
                    "type": "keyword"
                  }
                }
              },
              "@timestamp": {
                "type": "date"
              },
              "alert.signature": {
                "ignore_above": 256,
                "type": "keyword"
              },
              "ufw_type": {
                "type": "keyword"
              },
              "userhostaddress": {
                "ignore_malformed": true,
                "type": "ip",
                "fields": {
                  "text": {
                    "norms": false,
                    "type": "text"
                  },
                  "keyword": {
                    "ignore_above": 256,
                    "type": "keyword"
                  }
                }
              },
              "bytes": {
                "ignore_malformed": true,
                "type": "long"
              },
              "response": {
                "norms": false,
                "type": "text"
              },
              "service": {
                "type": "keyword"
              },
              "remoteaddress": {
                "ignore_malformed": true,
                "type": "ip"
              },
              "dest_geoip": {
                "dynamic": true,
                "type": "object",
                "properties": {
                  "ip": {
                    "type": "ip",
                    "doc_values": true
                  },
                  "latitude": {
                    "type": "float",
                    "doc_values": true
                  },
                  "location": {
                    "type": "geo_point",
                    "doc_values": true
                  },
                  "longitude": {
                    "type": "float",
                    "doc_values": true
                  }
                }
              },
              "http_status": {
                "norms": false,
                "type": "text",
                "fields": {
                  "keyword": {
                    "ignore_above": 256,
                    "type": "keyword"
                  }
                }
              },
              "response_time": {
                "ignore_malformed": true,
                "type": "float"
              },
              "upstream_response_time": {
                "ignore_malformed": true,
                "type": "float"
              },
              "to": {
                "norms": false,
                "type": "text",
                "fields": {
                  "keyword": {
                    "ignore_above": 256,
                    "type": "keyword"
                  }
                }
              },
              "category": {
                "type": "keyword"
              },
              "useractivitytypeid": {
                "ignore_malformed": true,
                "type": "long"
              },
              "objectid": {
                "type": "keyword"
              }
            }
          }
        },
        "composed_of": [
          ".opensearch-sap-alias-mappings-component-logstash-"
        ],
        "priority": 500
      }
    }
  ]
}
```

Thanks for sharing this! Can’t reproduce it locally. Can you please post mappings of concrete index, just in case? You can share them via paste2.org

@pdz You can find it here:

Thanks for looking into this

Thanks for sending mappings!
I think I found a bug in parsing index mappings: if you have a field named "properties", it will consider it the properties of the field instead of an actual field.

If you can, for now, remove or rename this field to something else.

Having "properties" nested inside other object/intermediate fields seems to work fine. For example: "field1.field2.properties"
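The mapping ambiguity described in the reply above, as an added example that is not part of this thread and not code from the Alerting or Security Analytics plugins. In an index mapping the key `properties` means "child fields" only at the top of `mappings` and inside a field definition; one level down, keys are field names, so a field can itself be called `properties`. `naive_leaf_fields` is an assumed shape of the bug (a walk handed the field list that unwraps any node holding a `properties` key): it fails on a top-level field named `properties` with the same String-for-Map cast error as the stack traces and copes with `field1.field2.properties`, matching what the reply observed. `all_fields` is a level-aware walk that gets both right, and `check_mapping_response` runs a pre-flight check over the body of `GET {index}/_mapping` so such fields can be found before creating a detector. The sample mapping is constructed, and all function names are mine.

```python
"""Walk an OpenSearch index mapping without confusing the `properties` keyword
with a field that is itself named `properties`.

Added example for this thread, not code from the Alerting or Security Analytics
plugins. The naive walk is an ASSUMED shape of the bug the reply describes; the
sample mapping is constructed and is not the poster's index.
"""
import copy
from typing import Any, Dict, List, Optional

# Constructed sample shaped like a trimmed `GET logstash-2023.03.27/_mapping`
# response: a top-level keyword field literally named "properties", plus the
# nested "field1.field2.properties" shape the reply says works.
SAMPLE_MAPPING_RESPONSE: Dict[str, Any] = {
    "logstash-2023.03.27": {
        "mappings": {
            "properties": {
                "@timestamp": {"type": "date"},
                "client_ip": {"type": "ip", "ignore_malformed": True},
                "message": {"type": "text",
                            "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
                "properties": {"type": "keyword", "ignore_above": 256},
                "geoip": {"dynamic": True,
                          "properties": {"ip": {"type": "ip"}, "location": {"type": "geo_point"}}},
                "field1": {"properties": {
                    "field2": {"properties": {"properties": {"type": "keyword"}}}}},
            }
        }
    }
}
SAMPLE_MAPPING: Dict[str, Any] = SAMPLE_MAPPING_RESPONSE["logstash-2023.03.27"]["mappings"]


def _as_map(value: Any) -> Dict[str, Any]:
    """Stand-in for the Kotlin `as Map` cast that threw in the stack trace."""
    if not isinstance(value, dict):
        raise TypeError(f"{type(value).__name__} cannot be cast to Map (value: {value!r})")
    return value


def naive_leaf_fields(node: Dict[str, Any], prefix: str = "") -> Dict[str, str]:
    """Assumed bug shape (not the plugin's code). Called with the field list,
    it first applies "a node holding `properties` is internal, unwrap it".
    That rule is right for a field definition but wrong for the field list:
    a *field* named `properties` triggers the unwrap, the walk then reads
    `"type": "keyword"` as a child field, and the cast fails.
    """
    if "properties" in node:
        node = _as_map(node["properties"])
    leaves: Dict[str, str] = {}
    for name, raw in node.items():
        definition = _as_map(raw)  # TypeError here on "type": "keyword"
        path = f"{prefix}.{name}" if prefix else name
        if "type" in definition:
            leaves[path] = definition["type"]
        else:
            leaves.update(naive_leaf_fields(definition, path))
    return leaves


def naive_walk_error(mapping: Dict[str, Any]) -> Optional[str]:
    """Run the naive walk over a `mappings` value; return the cast error, or None."""
    try:
        naive_leaf_fields(_as_map(mapping.get("properties", {})))
    except TypeError as exc:
        return str(exc)
    return None


def all_fields(mapping: Dict[str, Any]) -> Dict[str, str]:
    """Level-aware walk of a `mappings` value: returns {field path: type}.
    `properties` is read as the keyword only at the top of `mappings` and inside
    a definition; keys of a field list are always names, so one spelled
    `properties` is handled like any other. Untyped objects report "object".
    """
    found: Dict[str, str] = {}

    def walk_fields(fields: Dict[str, Any], prefix: str) -> None:
        for name, raw in fields.items():
            definition = _as_map(raw)
            path = f"{prefix}.{name}" if prefix else name
            found[path] = definition.get("type", "object")
            # Multi-fields such as message.keyword are query targets too.
            for sub, sub_raw in _as_map(definition.get("fields", {})).items():
                found[f"{path}.{sub}"] = _as_map(sub_raw).get("type", "object")
            if "properties" in definition:  # child fields of an object/nested field
                walk_fields(_as_map(definition["properties"]), path)

    walk_fields(_as_map(mapping.get("properties", {})), "")
    return found


def fields_named_properties(mapping: Dict[str, Any]) -> List[str]:
    """Pre-flight check: paths of fields literally named `properties`."""
    return sorted(p for p in all_fields(mapping) if p.rsplit(".", 1)[-1] == "properties")


def check_mapping_response(response: Dict[str, Any]) -> Dict[str, List[str]]:
    """Apply the check to the JSON body of `GET {index}/_mapping`, per index."""
    return {idx: fields_named_properties(_as_map(body).get("mappings", {}))
            for idx, body in response.items()}


def rename_top_level_field(mapping: Dict[str, Any], old: str, new: str) -> Dict[str, Any]:
    """The reply's workaround applied to a copy of the mapping: rename a top-level field."""
    renamed = copy.deepcopy(mapping)
    fields = _as_map(renamed.get("properties", {}))
    fields[new] = fields.pop(old)
    return renamed
```

Feed `check_mapping_response` the JSON returned by `GET {index}/_mapping`; an index that lists any path is the one to fix. A field cannot be renamed in place in an existing index, so `rename_top_level_field` only shows the target mapping shape; applying it means reindexing into an index created with that mapping.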
