siem - Pratiksha-Marane/duplo-docs GitHub Wiki

Resolving Integrity Monitoring Events Not Visible in SIEM Due to Shard Limit Exceeded

When the shard limit of the SIEM indexer is exceeded because old indices are not being deleted, integrity monitoring events stop appearing in the SIEM and Duplo reports faults. To resolve this issue, follow the steps below:


Steps to Resolve

  1. Connect to the Duplo Master

  2. Go to Services and stop the Compliance Service

  3. Modify Configuration Files

    • Open the Duplo.ComplianceCore.exe.config file.
    • Remove all credentials, including:
      • complianceTenantID
      • wazuhAddress
      • wazuhMaster
    • These values are located in the <appsettings></appsettings> section of the file.
    • Update the wazuh_config file as required.
  4. Deploy the Scribe Template

    • Navigate to Duplo → Automation → Stack Deployment → Deploy the Scribe Template (Org).
    • Fill in the required details and proceed to the next step.
    • Provide the SIEM host IP address.
    • A chart will appear showing what components will be deployed.
    • Select only system_config and submit.
    • This will update only the system settings.
  5. Restart the Compliance Service

    • Go back to Duplo and start the compliance service.
  6. Create and Apply the Lifecycle Policy

    • The lifecycle policy will be created automatically.
    • Add the following to the policy:
      "index_patterns": [
          "wazuh-*"
      ]

    • This policy deletes index data after 90 days.
  7. Apply the Policy to Indices

    • Go to Indices and select the indices.
    • Click Actions and apply the siem policy to all selected indices.
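As an added example (not from this wiki page or the Duplo product), the script below builds the retention policy from steps 6 and 7 and dry-runs it against a constructed index list, so you can see which indices the policy would remove before applying it. The policy layout (states, transitions, ism_template) is assumed from OpenSearch Index State Management; only the index pattern and the 90-day retention come from the page.

```python
import fnmatch
import json
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90            # retention stated on the page
INDEX_PATTERNS = ["wazuh-*"]   # index_patterns stated on the page


def build_siem_policy(patterns=INDEX_PATTERNS, retention_days=RETENTION_DAYS):
    """Return the ISM policy body. The layout is the OpenSearch ISM format
    (assumed); a "hot" state transitions to "delete" once the index is old enough."""
    return {
        "policy": {
            "description": "Delete Wazuh indices after retention to stay under the shard limit",
            "default_state": "hot",
            "states": [
                {"name": "hot", "actions": [],
                 "transitions": [{"state_name": "delete",
                                  "conditions": {"min_index_age": f"{retention_days}d"}}]},
                {"name": "delete", "actions": [{"delete": {}}], "transitions": []},
            ],
            # ism_template auto-attaches the policy to newly created matching indices,
            # so step 7 only has to be done once for the indices that already exist
            "ism_template": [{"index_patterns": list(patterns), "priority": 100}],
        }
    }


def indices_due_for_deletion(indices, now, patterns=INDEX_PATTERNS, retention_days=RETENTION_DAYS):
    """Dry run: indices maps index name -> creation time. Returns the sorted names
    that match a pattern AND are older than the retention window. Indices that do
    not match (e.g. the SIEM's own system indices) are never touched."""
    cutoff = now - timedelta(days=retention_days)
    due = [name for name, created in indices.items()
           if any(fnmatch.fnmatchcase(name, p) for p in patterns) and created < cutoff]
    return sorted(due)


# Constructed sample data (not real indices): name -> creation time
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_INDICES = {
    "wazuh-alerts-4.x-2024.01.15": NOW - timedelta(days=138),  # old, matches -> delete
    "wazuh-alerts-4.x-2024.05.20": NOW - timedelta(days=12),   # recent -> keep
    "wazuh-monitoring-2024.02.01": NOW - timedelta(days=121),  # old, matches -> delete
    ".kibana_1": NOW - timedelta(days=400),                    # old but no match -> keep
}

if __name__ == "__main__":
    print(json.dumps(build_siem_policy(), indent=2))
    print("Would delete:", indices_due_for_deletion(SAMPLE_INDICES, NOW))
```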