Level: Critical

Purpose: This alert informs that the MDC tracker cannot write to Elastic Search.

Scenario: The tracker log contains the following: “Failed to write object due to ElasticSearch Status Exception”. Check the reason in exception message.

• “Data too large” - Kibana and/or elastic search service has failed on the esk (elk stack) server
• “failed to parse field” - this indicates an error with agent parsing

Resolution: Check if kibana and elastic search service are running. Usually restarting elastic search, even if it's running, followed by kibana, will fix the issue.

If you get the parse field error you will need to track down the agent causing the issue; this is not as serious as the “Data too large” issue.

Manual Action Steps:

sudo service elasticsearch restart
sudo service kibana restart

Auto Clear: This will auto-clear if the log line “Failed to write object due to ElasticSearch Status Exception” doesn't appear in the tracker logs for more than 30 minutes.