-
Notifications
You must be signed in to change notification settings - Fork 8.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Security Solution][Detections] Truncate lastFailureMessage for siem-…
…detection-engine-rule-status documents (#112257) **Ticket:** #109815 ## Summary **Background:** `siem-detection-engine-rule-status` documents stores the `lastFailureMessage` a string which is indexed as `type: "text"` but some failure messages are so large that these documents are up to 26MB. These large documents cause migrations to fail because a batch of 1000 documents easily exceed Elasticsearch's `http.max_content_length` which defaults to 100mb. This PR truncates `lastFailureMessage` and `lastSuccessMessage` in the following cases: 1. When we write new or update existing status SOs: - The lists of errors/warnings are deduped -> truncated to max `20` items -> joined to a string - The resulting strings are truncated to max `10240` characters 2. When we migrate `siem-detection-engine-rule-status` SOs to 7.15.2: - The two message fields are truncated to max `10240` characters ### Checklist Delete any items that are not applicable to this PR. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- Loading branch information
1 parent
aadd651
commit 2322cda
Showing
6 changed files
with
89 additions
and
9 deletions.
There are no files selected for viewing
10 changes: 10 additions & 0 deletions
10
x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/index.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
export * from './rule_execution_log_client'; | ||
export * from './types'; | ||
export * from './utils/normalization'; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
34 changes: 34 additions & 0 deletions
34
...s/security_solution/server/lib/detection_engine/rule_execution_log/utils/normalization.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import { take, toString, truncate, uniq } from 'lodash'; | ||
|
||
// When we write rule execution status updates to `siem-detection-engine-rule-status` saved objects | ||
// or to event log, we write success and failure messages as well. Those messages are built from | ||
// N errors collected during the "big loop" in the Detection Engine, where N can be very large. | ||
// When N is large the resulting message strings are so large that these documents are up to 26MB. | ||
// These large documents may cause migrations to fail because a batch of 1000 documents easily | ||
// exceed Elasticsearch's `http.max_content_length` which defaults to 100mb. | ||
// In order to fix that, we need to truncate those messages to an adequate MAX length. | ||
// https://github.com/elastic/kibana/pull/112257 | ||
|
||
const MAX_MESSAGE_LENGTH = 10240; | ||
const MAX_LIST_LENGTH = 20; | ||
|
||
export const truncateMessage = (value: unknown): string | undefined => { | ||
if (value === undefined) { | ||
return value; | ||
} | ||
|
||
const str = toString(value); | ||
return truncate(str, { length: MAX_MESSAGE_LENGTH }); | ||
}; | ||
|
||
export const truncateMessageList = (list: string[]): string[] => { | ||
const deduplicatedList = uniq(list); | ||
return take(deduplicatedList, MAX_LIST_LENGTH); | ||
}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters