diff --git a/docs/experimental-features/host-risk-score.asciidoc b/docs/experimental-features/host-risk-score.asciidoc index 736086437a..3d18f967d1 100644 --- a/docs/experimental-features/host-risk-score.asciidoc +++ b/docs/experimental-features/host-risk-score.asciidoc @@ -70,6 +70,8 @@ To enable host risk score from Console in {kib}, open a browser window and enter NOTE: If there's existing content in Console, scroll to the bottom to find the output loaded. +TIP: If you receive an error message during the installation process, delete the host risk score module manually, then re-enable it. Refer to <> for more information. + [[upgrade-host-risk-score]] [discrete] === Upgrade host risk score @@ -88,7 +90,9 @@ After this is done, you can proceed with upgrading the host risk score feature f * The *Host risk* tab on the Hosts page * The *Host risk* tab on a host's details page -NOTE: After you enable or upgrade host risk score, you might get a message that says, "No host risk score data available to display." To verify that the transform that installs the host risk score module is picking up data, refer to <>. +NOTE: After you enable or upgrade host risk score, you might get a message that says, "No host risk score data available to display." To verify that the transform that installs the host risk score module is picking up data, refer to <>. + +TIP: If you receive an error message during the upgrade process, delete the host risk score module manually, and then re-enable it. Refer to <> for more information. [[analyze-host-risk-score]] [discrete] 
@@ -156,6 +160,71 @@ The histogram shows historical changes in a particular host's risk score(s). To [role="screenshot"] image::images/data-tables.png[] +[[troubleshoot-host-risk-score]] +[discrete] +=== Troubleshooting + +During the installation or upgrade process, you may receive the following error messages: + +* `Saved object already exists` +* `Transform already exists` +* `Ingest pipeline already exists` + +In this case, we recommend that you manually delete the host risk score module, then re-enable it. To manually delete the module: + +. Delete the host risk score saved objects: +.. From the {kib} main menu, go to **Stack Management** -> **Kibana** -> **Saved Objects**. +.. Delete the saved objects that have the `Host Risk Score - ` tag. ++ +[role="screenshot"] +image::images/delete-hrs-saved-objects.png[Delete host risk score saved objects] +.. Delete the `Host Risk Score - ` tag. ++ +[role="screenshot"] +image::images/delete-hrs-tag.png[Delete host risk score tag] +. Stop and delete the host risk score transforms. You can do this using the {kib} UI or the {ref}/stop-transform.html[Stop transform API] and {ref}/delete-transform.html[Delete transform API]. +** To delete the host risk score transforms using the {kib} UI: +.. From the {kib} main menu, go to **Stack Management** -> **Data** -> **Transforms**. +.. Stop the following transforms, then delete them: +*** `ml_hostriskscore_latest_transform_` +*** `ml_hostriskscore_pivot_transform_` +** To delete the host risk score transforms using the API, run the following commands in Console: +.. Stop and delete the latest transform: ++ +[source,console] +---------------------------------- +POST _transform/ml_hostriskscore_latest_transform_/_stop +DELETE _transform/ml_hostriskscore_latest_transform_ +---------------------------------- +.. 
Stop and delete the pivot transform: ++ +[source,console] +---------------------------------- +POST _transform/ml_hostriskscore_pivot_transform_/_stop +DELETE _transform/ml_hostriskscore_pivot_transform_ +---------------------------------- +. Delete the host risk score ingest pipeline. You can do this using the {kib} UI or the {ref}/delete-pipeline-api.html[Delete pipeline API]. +** To delete the host risk score ingest pipeline using the {kib} UI: +.. From the {kib} main menu, go to **Stack Management** -> **Ingest** -> **Ingest Pipelines**. +.. Delete the `ml_hostriskscore_ingest_pipeline_` ingest pipeline. +** To delete the host risk score ingest pipeline using the Delete pipeline API, run the following command in Console: ++ +[source,console] +---------------------------------- +DELETE /_ingest/pipeline/ml_hostriskscore_ingest_pipeline_ +---------------------------------- +. Delete the stored host risk score scripts using the {ref}/delete-stored-script-api.html[Delete stored script API]. In Console, run the following commands: ++ +[source,console] +---------------------------------- +DELETE _scripts/ml_hostriskscore_levels_script_ +DELETE _scripts/ml_hostriskscore_init_script_ +DELETE _scripts/ml_hostriskscore_map_script_ +DELETE _scripts/ml_hostriskscore_reduce_script_ +---------------------------------- + +After manually deleting the host risk score saved objects, transforms, ingest pipeline, and stored scripts, follow the steps to <>. + [[verify-host-risk-score]] === Verify that host risk score data installed successfully (Optional) diff --git a/docs/experimental-features/images/delete-hrs-saved-objects.png b/docs/experimental-features/images/delete-hrs-saved-objects.png new file mode 100644 index 0000000000..c4c05024ad Binary files /dev/null and b/docs/experimental-features/images/delete-hrs-saved-objects.png differ 
diff --git a/docs/experimental-features/images/delete-hrs-tag.png b/docs/experimental-features/images/delete-hrs-tag.png new file mode 100644 index 0000000000..f35ad916d7 Binary files /dev/null and b/docs/experimental-features/images/delete-hrs-tag.png differ diff --git a/docs/experimental-features/images/delete-urs-saved-objects.png b/docs/experimental-features/images/delete-urs-saved-objects.png new file mode 100644 index 0000000000..4e41bb8590 Binary files /dev/null and b/docs/experimental-features/images/delete-urs-saved-objects.png differ diff --git a/docs/experimental-features/images/delete-urs-tag.png b/docs/experimental-features/images/delete-urs-tag.png new file mode 100644 index 0000000000..030e1e357b Binary files /dev/null and b/docs/experimental-features/images/delete-urs-tag.png differ diff --git a/docs/experimental-features/user-risk-score.asciidoc b/docs/experimental-features/user-risk-score.asciidoc index 47e6acafb1..c6627aaa15 100644 --- a/docs/experimental-features/user-risk-score.asciidoc +++ b/docs/experimental-features/user-risk-score.asciidoc @@ -61,7 +61,9 @@ To enable user risk score from Console in {kib}, open a browser window and enter {KibanaURL}/s/{spaceID}/app/dev_tools#/console?load_from={KibanaURL}/s/{spaceID}/internal/risk_score/prebuilt_content/dev_tool/enable_user_risk_score ---------------------------------- -NOTE: If there's existing content in Console, scroll to the bottom to find the output loaded. +NOTE: If there's existing content in Console, scroll to the bottom to find the output loaded. + +TIP: If you receive an error message during the installation process, delete the user risk score module manually, and then re-enable it. Refer to <> for more information. [[upgrade-user-risk-score]] [discrete] 
@@ -81,7 +83,9 @@ After this is done, you can proceed with upgrading the user risk score feature f * The *User risk* tab on the User page * The *User risk* tab on a user's details page -NOTE: After you enable or upgrade user risk score, you might get a message that says, "No user risk score data available to display." To verify that the transform that installs the user risk score module is picking up data, refer to <>. +NOTE: After you enable or upgrade user risk score, you might get a message that says, "No user risk score data available to display." To verify that the transform that installs the user risk score module is picking up data, refer to <>. + +TIP: If you receive an error message during the installation process, delete the user risk score module manually, and then re-enable it. Refer to <> for more information. [[view-user-risk-score]] [discrete] 
@@ -136,6 +140,69 @@ The data tables beneath the histogram display associated rules, users, and MITRE [role="screenshot"] image::images/dashboard.gif[User risk score dashboard] +[[troubleshoot-user-risk-score]] +[discrete] +=== Troubleshooting + +During the installation or upgrade process, you may receive the following error messages: + +* `Saved object already exists` +* `Transform already exists` +* `Ingest pipeline already exists` + +In this case, we recommend that you manually delete the user risk score module, and then re-enable it. To manually delete the module: + +. Delete the user risk score saved objects: +.. From the {kib} main menu, go to **Stack Management** -> **Kibana** -> **Saved Objects**. +.. Delete the saved objects that have the `User Risk Score - ` tag. ++ +[role="screenshot"] +image::images/delete-urs-saved-objects.png[Delete user risk score saved objects] +.. Delete the `User Risk Score - ` tag. ++ +[role="screenshot"] +image::images/delete-urs-tag.png[Delete user risk score tag] +. Stop and delete the user risk score transforms. You can do this using the {kib} UI or the {ref}/stop-transform.html[Stop transform API] and {ref}/delete-transform.html[Delete transform API]. +** To delete the user risk score transforms using the {kib} UI: +.. From the {kib} main menu, go to **Stack Management** -> **Data** -> **Transforms**. +.. Stop the following transforms, then delete them: +*** `ml_userriskscore_latest_transform_` +*** `ml_userriskscore_pivot_transform_` +** To delete the user risk score transforms using the API, run the following commands in Console: +.. Stop and delete the latest transform: ++ +[source,console] +---------------------------------- +POST _transform/ml_userriskscore_latest_transform_/_stop +DELETE _transform/ml_userriskscore_latest_transform_ +---------------------------------- +.. 
Stop and delete the pivot transform: ++ +[source,console] +---------------------------------- +POST _transform/ml_userriskscore_pivot_transform_/_stop +DELETE _transform/ml_userriskscore_pivot_transform_ +---------------------------------- +. Delete the user risk score ingest pipeline. You can do this using the {kib} UI or the {ref}/delete-pipeline-api.html[Delete pipeline API]. +** To delete the user risk score ingest pipeline using the {kib} UI: +.. From the {kib} main menu, go to **Stack Management** -> **Ingest** -> **Ingest Pipelines**. +.. Delete the `ml_userriskscore_ingest_pipeline_` ingest pipeline. +** To delete the user risk score ingest pipeline using the Delete pipeline API, run the following command in Console: ++ +[source,console] +---------------------------------- +DELETE /_ingest/pipeline/ml_userriskscore_ingest_pipeline_ +---------------------------------- +. Delete the stored user risk score scripts using the {ref}/delete-stored-script-api.html[Delete stored script API]. In Console, run the following commands: ++ +[source,console] +---------------------------------- +DELETE _scripts/ml_userriskscore_levels_script_ +DELETE _scripts/ml_userriskscore_map_script_ +DELETE _scripts/ml_userriskscore_reduce_script_ +---------------------------------- + +After manually deleting the user risk score saved objects, transforms, ingest pipeline, and stored scripts, follow the steps to <>. [[verify-user-risk-score]] === Verify that user risk score data installed successfully (Optional)
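Review bot: Wording drifts between the new TIP lines in host-risk-score.asciidoc. The TIP in the hunk at -70,6 +70,8 says "delete the host risk score module manually, then re-enable it", while the TIP in the hunk at -88,7 +90,9 and both TIPs in user-risk-score.asciidoc say "and then re-enable it". Pick one form and use it in all four TIPs and in both Troubleshooting intros. Also, the NOTE line in the hunk at -88,7 +90,9 is removed and re-added with no visible change; if that is whitespace only, drop it from the patch to keep the diff to the real additions.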
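Review bot: In the Troubleshooting section added to host-risk-score.asciidoc (hunk at -156,6 +160,71), each Console block runs `DELETE _transform/...` directly after `POST _transform/.../_stop`, and nothing tells the reader to wait until the transform has actually stopped. A transform must be stopped before it can be deleted, and the stop request returns without waiting by default, so the DELETE can fail when both lines are run together. Suggest adding `?wait_for_completion=true` to the two `_stop` requests, or a sentence asking the reader to confirm the transform is stopped before deleting it. Separately, the transform, pipeline and script names as shown end in a trailing underscore and the tag reads `Host Risk Score - `; if a space ID is meant to follow, as the `{spaceID}` in the enable URL suggests, say so in the step text so readers do not delete or miss the wrong objects.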
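Review bot: The TIP added under "Upgrade user risk score" in user-risk-score.asciidoc (hunk at -81,7 +83,9) says "during the installation process", which looks copied from the enable section; the matching TIP in host-risk-score.asciidoc says "during the upgrade process". Change it to "If you receive an error message during the upgrade process, ..." so the two pages agree and the tip matches the section it sits in.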
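Review bot: The stored-script cleanup in the user Troubleshooting section (hunk at -136,6 +140,69) lists three scripts (`levels`, `map`, `reduce`), while the host section lists four, including `ml_hostriskscore_init_script_`. Please confirm that the user risk score module installs no init script; if it does, add the missing `DELETE _scripts/ml_userriskscore_init_script_` line, otherwise a leftover script could keep the re-enable step failing. The `_stop` followed by an immediate `DELETE _transform/...` in this hunk has the same ordering concern as the host section, and the closing paragraph should be followed by a blank line before `[[verify-user-risk-score]]`, as the host file does.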