From 236009c84f6191d59035c59a2914565a4bdceee1 Mon Sep 17 00:00:00 2001
From: Georgii Gorbachev
Date: Thu, 14 Oct 2021 07:54:28 +0200
Subject: [PATCH] Address comments

---
 .../rule_execution_log/utils/normalization.ts | 15 ++++++++++++++-
 .../rules/saved_object_mappings.ts | 13 +++----------
 2 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/utils/normalization.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/utils/normalization.ts
index 3f63a86b0fa2e..baaee9446eee3 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/utils/normalization.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/utils/normalization.ts
@@ -7,10 +7,23 @@

 import { take, toString, truncate, uniq } from 'lodash';

+// When we write rule execution status updates to `siem-detection-engine-rule-status` saved objects
+// or to event log, we write success and failure messages as well. Those messages are built from
+// N errors collected during the "big loop" in the Detection Engine, where N can be very large.
+// When N is large the resulting message strings are so large that these documents are up to 26MB.
+// These large documents may cause migrations to fail because a batch of 1000 documents easily
+// exceed Elasticsearch's `http.max_content_length` which defaults to 100mb.
+// In order to fix that, we need to truncate those messages to an adequate MAX length.
+// https://github.com/elastic/kibana/pull/112257
+
 const MAX_MESSAGE_LENGTH = 10240;
 const MAX_LIST_LENGTH = 20;

-export const truncateMessage = (value: unknown): string => {
+export const truncateMessage = (value: unknown): string | undefined => {
+ if (value === undefined) {
+ return value;
+ }
+
 const str = toString(value);
 return truncate(str, { length: MAX_MESSAGE_LENGTH });
 };
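Review bot: The new guard in `truncateMessage` lets `undefined` through but not `null`, and lodash `toString(null)` returns `''`, so a message stored as `null` comes back as an empty string. If the status attributes can hold `null` (not visible in this hunk), the migration in saved_object_mappings.ts, which appears to run this helper over stored fields, would rewrite "no message" as an empty message. Consider `if (value === undefined || value === null) { return value; }` with the return type widened to `string | null | undefined`, after checking that callers accept it. A short TSDoc on the function stating that non-string values are stringified and that `MAX_MESSAGE_LENGTH` bounds characters rather than bytes would also help.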
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/saved_object_mappings.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/saved_object_mappings.ts
index 5307d115a185a..d347fccf6b77b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/saved_object_mappings.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/saved_object_mappings.ts
@@ -5,12 +5,7 @@
 * 2.0.
 */

-import {
- SavedObjectsType,
- SavedObjectSanitizedDoc,
- SavedObjectUnsanitizedDoc,
-} from 'kibana/server';
-
+import { SavedObjectsType, SavedObjectMigrationFn } from 'kibana/server';
 import { truncateMessage } from '../rule_execution_log';

 export const ruleStatusSavedObjectType = 'siem-detection-engine-rule-status';
@@ -53,9 +48,7 @@ export const ruleStatusSavedObjectMappings: SavedObjectsType['mappings'] = {
 },
 };

-const truncateMessageFields = (
- doc: SavedObjectUnsanitizedDoc>
-): SavedObjectSanitizedDoc => {
+const truncateMessageFields: SavedObjectMigrationFn> = (doc) => {
 const { lastFailureMessage, lastSuccessMessage, ...restAttributes } = doc.attributes;

 return {
@@ -75,7 +68,7 @@ export const type: SavedObjectsType = {
 namespaceType: 'single',
 mappings: ruleStatusSavedObjectMappings,
 migrations: {
- '7.14.2': truncateMessageFields,
+ '7.15.2': truncateMessageFields,
 },
 };
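Review bot: `truncateMessageFields` and its `'7.15.2'` registration carry no comment saying why the migration exists; the rationale sits only in normalization.ts. A one-line comment above the function, for example `// Truncates oversized status messages so migration batches stay under http.max_content_length (see #112257)`, would keep the reason next to the migration entry. The function body continues outside the hunk, so this assumes it only rewrites `lastFailureMessage` and `lastSuccessMessage`.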