Alerts with IPv6 data cannot be seen in the WebUI Alert Views
This document (7016555) is provided subject to the disclaimer at the end of this document.
The alerts are generated correctly and can be seen in MongoDB; however, they do not show up in the Alert Views of the WebUI. This is because Elasticsearch "currently" supports only IPv4 data.
Modify your Elasticsearch index to account for IPv6 data. This can be done by changing the Elasticsearch indexing with the following steps:
1. Delete the existing Elasticsearch index using the following command from the server:
curl -XDELETE 'http://127.0.0.1:9200/alerts.alerts'
2. Stop Sentinel
3. Backup the existing index template file:
cp -a /etc/opt/novell/sentinel/3rdparty/elasticsearch/templates/alerts.alerts.json /home/novell/alerts.alerts.json.bak
4. Edit the template file to change every occurrence of "type":"ip" to "type":"string"
4a. Use the following command to find all instances of "type":"ip" and replace them with "type":"string"
**Ensure that the file is still owned by novell:novell**
5. Delete the following file so that indexes will be rebuilt using the new template on server startup
6. Start Sentinel
Once this is done, you should be able to see alerts with IPv6 data as well as IPv4 Data.
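One way to carry out the substitution in step 4 while keeping the file ownership that the note requires, shown as an added example; it is not the command from the original article, whose step 4a command does not appear on this page. The function names and the sample template fields (`sip`, `dip`, `name`, `sev`) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the vendor's command). Sample data below is constructed.

# Print how many "type":"ip" mappings FILE contains (whitespace tolerant).
count_ip_types() {
    { grep -Eo '"type"[[:space:]]*:[[:space:]]*"ip"' "$1" || true; } | wc -l | tr -d ' '
}

# Rewrite every "type":"ip" in FILE to "type":"string".
# The file is overwritten through redirection, so its inode, owner and
# mode are kept (an in-place editor may recreate the file as the caller).
convert_ip_to_string() {
    tpl=$1
    [ -f "$tpl" ] || { echo "template not found: $tpl" >&2; return 1; }
    before=$(count_ip_types "$tpl")
    if [ "$before" -eq 0 ]; then
        echo "no \"type\":\"ip\" mappings in $tpl"
        return 0
    fi
    tmp=$(mktemp) || return 1
    if sed -E 's/("type"[[:space:]]*:[[:space:]]*)"ip"/\1"string"/g' "$tpl" > "$tmp" &&
       cat "$tmp" > "$tpl"; then
        rm -f "$tmp"
    else
        rm -f "$tmp"; return 1
    fi
    after=$(count_ip_types "$tpl")
    echo "$tpl: converted $before mapping(s), $after left"
    [ "$after" -eq 0 ]
}

# Demo on a constructed template in a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '{"mappings":{"alert":{"properties":{' \
        ' "sip":{"type":"ip"}, "dip":{ "type" : "ip" },' \
        ' "name":{"type":"string"}, "sev":{"type":"integer"}}}}}' > "$dir/alerts.alerts.json"
    convert_ip_to_string "$dir/alerts.alerts.json" && cat "$dir/alerts.alerts.json"
    rm -rf "$dir"
}
demo
```

On the Sentinel server, the function would be pointed at the template file backed up in step 3, after that backup has been taken.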
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7016555
- Creation Date: 02-JUN-15
- Modified Date: 02-JUN-16
- Novell Change Guardian