Address comments

elastic · Oct 14, 2021 · 236009c · 236009c
1 parent b2e018d
commit 236009c
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 11 deletions.
diff --git a/...s/security_solution/server/lib/detection_engine/rule_execution_log/utils/normalization.ts b/...s/security_solution/server/lib/detection_engine/rule_execution_log/utils/normalization.ts
@@ -7,10 +7,23 @@
 
 import { take, toString, truncate, uniq } from 'lodash';
 
+// When we write rule execution status updates to `siem-detection-engine-rule-status` saved objects
+// or to event log, we write success and failure messages as well. Those messages are built from
+// N errors collected during the "big loop" in the Detection Engine, where N can be very large.
+// When N is large the resulting message strings are so large that these documents are up to 26MB.
+// These large documents may cause migrations to fail because a batch of 1000 documents easily
+// exceed Elasticsearch's `http.max_content_length` which defaults to 100mb.
+// In order to fix that, we need to truncate those messages to an adequate MAX length.
+// https://github.com/elastic/kibana/pull/112257
+
 const MAX_MESSAGE_LENGTH = 10240;
 const MAX_LIST_LENGTH = 20;
 
-export const truncateMessage = (value: unknown): string => {
+export const truncateMessage = (value: unknown): string | undefined => {
+  if (value === undefined) {
+    return value;
+  }
+
   const str = toString(value);
   return truncate(str, { length: MAX_MESSAGE_LENGTH });
 };

diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/saved_object_mappings.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/saved_object_mappings.ts
@@ -5,12 +5,7 @@
  * 2.0.
  */
 
-import {
-  SavedObjectsType,
-  SavedObjectSanitizedDoc,
-  SavedObjectUnsanitizedDoc,
-} from 'kibana/server';
-
+import { SavedObjectsType, SavedObjectMigrationFn } from 'kibana/server';
 import { truncateMessage } from '../rule_execution_log';
 
 export const ruleStatusSavedObjectType = 'siem-detection-engine-rule-status';
@@ -53,9 +48,7 @@ export const ruleStatusSavedObjectMappings: SavedObjectsType['mappings'] = {
   },
 };
 
-const truncateMessageFields = (
-  doc: SavedObjectUnsanitizedDoc<Record<string, unknown>>
-): SavedObjectSanitizedDoc => {
+const truncateMessageFields: SavedObjectMigrationFn<Record<string, unknown>> = (doc) => {
   const { lastFailureMessage, lastSuccessMessage, ...restAttributes } = doc.attributes;
 
   return {
@@ -75,7 +68,7 @@ export const type: SavedObjectsType = {
   namespaceType: 'single',
   mappings: ruleStatusSavedObjectMappings,
   migrations: {
-    '7.14.2': truncateMessageFields,
+    '7.15.2': truncateMessageFields,
   },
 };