Event and Alert dashboards are not loading when Sentinel is upgraded to 8.2

  • 7022736
  • 15-Mar-2018
  • 14-May-2018

Environment

Sentinel 8.2 

Situation

Some of the Sentinel dashboards that leverage Kibana (for example the Event and Alert dashboards) do not load after you upgrade to Sentinel 8.2.

Kibana throws the exception "mapper[hits] cannot convert from long to integer".

Resolution

To fix this issue, you must delete the existing Kibana index (.kibana) from Elasticsearch, let Sentinel recreate it on startup, and then restore your saved dashboards and visualizations from a backup copy of the index. Use the following steps:

1) Back up your existing data. Copy the .kibana index to an index with a different name, .kibana-temp, using the following command (the reindex is synchronous; check that the response contains "failures":[] before continuing):

curl -XPOST "http://<elasticsearch-ip>:9200/_reindex" -H 'Content-Type: application/json' -d'
{
  "source": {
    "index": ".kibana"
  },
  "dest": {
    "index": ".kibana-temp"
  }
}'

2) Stop the Sentinel server using the command:

rcsentinel stop

3) Start only the Security Intelligence database (the Elasticsearch instance that holds the .kibana index) so that the index can be deleted while the rest of Sentinel is down, using the following command:

rcsentinel startSIdb

4) Delete the existing .kibana index from Elasticsearch using the following command:

curl -XDELETE "http://<elasticsearch-ip>:9200/.kibana"

5) Delete the configuration details of the existing Kibana index, so that Sentinel writes them again for the new index when it starts:

a) Go to /<sentinel_install_directory>/opt/novell/sentinel/3rdparty/kibana/config.

b) Open kibana.yml.

c) Delete the following entries. The values shown are examples; the values in your file (in particular pid.file and elasticsearch.url) depend on your installation, so remove the entries by key:

pid.file: /test/home/novell/sentinel/kibana.pid
server.host: 127.0.0.1
kibana.defaultAppId: dashboard/Event-Summary-Dashboard
server.port: 5601
server.basePath: /visual-analytics/proxy
elasticsearch.requestTimeout: 3600000
elasticsearch.url: http://<elasticsearch-ip>:9200

6) Start Sentinel using the command:

rcsentinel start

7) To restore your existing data, transfer the documents from the temporary index (.kibana-temp) back into the new .kibana index that Sentinel created on startup, using the following command:

curl -XPOST "http://<elasticsearch-ip>:9200/_reindex" -H 'Content-Type: application/json' -d'
{
  "source": {
    "index": ".kibana-temp"
  },
  "dest": {
    "index": ".kibana"
  }
}'

8) Delete the temporary index using the following command:

curl -XDELETE "http://<elasticsearch-ip>:9200/.kibana-temp"

Sentinel now launches the dashboards successfully.
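The eight steps above as one script, added here as an example; it is not part of this article or of Sentinel. It adds the checks the procedure leaves to the operator: the /_reindex response is inspected for errors and per-document failures, document counts are compared before anything is deleted, the kibana.yml entries are removed by key rather than by value, and the script waits for Sentinel to recreate .kibana before restoring into it. It assumes curl and rcsentinel are on the PATH, Elasticsearch is reachable at ES_URL (default http://127.0.0.1:9200) and kibana.yml is at KIBANA_YML (default under /opt/novell/sentinel, i.e. an installation directory of /); both defaults are assumptions and can be overridden in the environment. JSON is parsed with sed and awk because jq may not be installed on a Sentinel host.

```shell
#!/bin/sh
# Added example, not from the KB article or from Sentinel: scripted .kibana rebuild.
# Assumptions: curl and rcsentinel on PATH, Elasticsearch at ES_URL, kibana.yml at
# KIBANA_YML. Elasticsearch answers in compact single-line JSON, which the sed/awk
# helpers below rely on.
set -eu

ES_URL="${ES_URL:-http://127.0.0.1:9200}"                                         # assumed
KIBANA_YML="${KIBANA_YML:-/opt/novell/sentinel/3rdparty/kibana/config/kibana.yml}" # assumed
SRC_INDEX=".kibana"
TMP_INDEX=".kibana-temp"

# Body for POST /_reindex: copy every document of index $1 into index $2.
reindex_body() {
    printf '{"source":{"index":"%s"},"dest":{"index":"%s"}}' "$1" "$2"
}

# Print the integer value of field $2 in the JSON document $1 (empty if absent).
json_int() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"
}

# Succeed only if a /_reindex response carries no error and an empty failures list.
reindex_ok() {
    case "$1" in
        *'"error"'*)       return 1 ;;
        *'"failures":[]'*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# stdin -> stdout filter for kibana.yml: drop the seven entries the article says to
# remove, matched by key, since pid.file and elasticsearch.url differ per host.
strip_kibana_settings() {
    awk '!/^(pid\.file|server\.host|kibana\.defaultAppId|server\.port|server\.basePath|elasticsearch\.requestTimeout|elasticsearch\.url):/'
}

# Number of documents in index $1 (GET /<index>/_count).
doc_count() { json_int "$(curl -sS "$ES_URL/$1/_count")" count; }

# Block until index $1 exists (HEAD returns 200) or $2 seconds have passed.
wait_for_index() {
    i=0
    until [ "$(curl -sS -o /dev/null -w '%{http_code}' -I "$ES_URL/$1")" = 200 ]; do
        i=$((i + 1))
        [ "$i" -lt "$2" ] || { echo "timeout waiting for index $1" >&2; return 1; }
        sleep 1
    done
}

# Reindex $1 into $2 and fail unless every document of $1 was processed.
reindex_checked() {
    resp=$(curl -sS -XPOST "$ES_URL/_reindex" -H 'Content-Type: application/json' \
                -d "$(reindex_body "$1" "$2")")
    reindex_ok "$resp" || { echo "reindex $1 -> $2 failed: $resp" >&2; return 1; }
    expected=$(doc_count "$1")
    [ "$(json_int "$resp" total)" = "$expected" ] ||
        { echo "reindex $1 -> $2 processed $(json_int "$resp" total) of $expected docs" >&2; return 1; }
}

migrate_kibana_index() {
    reindex_checked "$SRC_INDEX" "$TMP_INDEX"            # 1) back up .kibana
    rcsentinel stop                                      # 2)
    rcsentinel startSIdb                                 # 3)
    curl -sS -XDELETE "$ES_URL/$SRC_INDEX" >/dev/null    # 4) drop the old index
    cp "$KIBANA_YML" "$KIBANA_YML.bak"                   # 5) keep a copy, then strip entries
    strip_kibana_settings < "$KIBANA_YML.bak" > "$KIBANA_YML"
    rcsentinel start                                     # 6)
    wait_for_index "$SRC_INDEX" 300                      #    Sentinel recreates .kibana
    reindex_checked "$TMP_INDEX" "$SRC_INDEX"            # 7) restore saved objects
    curl -sS -XDELETE "$ES_URL/$TMP_INDEX" >/dev/null    # 8) remove the backup
}

# Touch the system only when asked explicitly: "sh migrate.sh run".
if [ "${1:-}" = "run" ]; then
    migrate_kibana_index
fi
```

Without the `run` argument the file only defines the functions, so it can be sourced and the helpers tried against a test instance before running the migration for real. Keep the .kibana-temp index until the dashboards have been opened once after step 7; the script deletes it only after the restoring reindex reported every document processed.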

Cause

This issue occurs because the Elasticsearch and Kibana versions were upgraded in Sentinel 8.2, and the existing .kibana index, created by the earlier Kibana version, has a mapping that is not compatible with the upgraded versions (the conflict on the hits field that the exception reports). Deleting the index and letting Sentinel recreate it gives the index a mapping that matches the new versions, after which the saved objects can be reindexed into it.