[RAC] RAC framework calls to ES should wrap their own errors #106315
Comments
timroes
added
the
Team: SecuritySolution
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Looking at the code I can't see a Rule Registry Logger at all. |
|
@gmmorris Rule Registry has its own logger and it's used to log some info and debug messages: If you enable it in the dev config, you will see some logs about installation of ES resources like component templates etc: logging.events:
{
log: ['ruleRegistry', 'error', 'fatal'],
request: ['fatal'],
error: '*',
ops: __no-ops__,
}Just to make sure I got it correctly, is this exactly what you meant by "the registry should have its own context", or something else? |
|
@pmuellr I'd like to clarify the expected behaviour.
What do you mean by the RAC code? I think we have several different citizens:
RuleDataService and RuleDataClient currently write some logs, but they don't wrap any exceptions and don't have (almost) their own
Something like that? } catch (e) {
this.options.logger.error(e);
const reason = e?.message || 'Unknown reason';
throw new Error(`Failure installing ${resources}. ${reason}`);
}If we talk about the rest of the "citizens", does the same approach to exceptions and logging apply? Just to double-check, you're fine with exceptions thrown from whatever executors as long as they can be easily identified as "exceptions from rule registry" or "from security solution rule types" etc, right? And finally, are you concerned only about the code that runs within the Alerting Framework executors, or any code in general that calls ES APIs from "RAC"? For example, we have RBAC and RBAC-related endpoints that call ES outside of the rule types. |
oops, sorry @banderror , I don't know how I missed that!
Yeah, I think that should do it - as long as you catch the errors and log them yourself, they should have the context of the RulesRegistry. |
Yes, throwing the error tells the framework that the rule failed, and that's valuable. |
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Hey everyone, FYI ownership of this ticket and other tickets related to rule_registry (like #101016) now goes to the Detection Alerts area ( |
|
Transferring again to @elastic/response-ops as they now own the rule registry implementation. |
marshallmain
added
Team:ResponseOps
mikecote
added
Feature:Alerting/Alerts-as-Data
From issue #101753, we realized that the RAC framework is making ES calls during the rule executor, which are throwing exceptions, and not caught. Those get bubbled up back to the rule executor, which assumes the error came from the rule executor. In this case, the rule executor was actually RAC, which did some work, called the original rule executor, and then did some more work, before returning control back to the alerting framework.
The problem with this is that it can cause some confusion during diagnosis of errors. It would really be best if the RAC ES calls were "wrapped", to catch exceptions, such that:
This will help us when we see these exceptions to narrow down the place it occurred.
As an example, re: #101753, I believe the exception happened when executing the following code:
kibana/x-pack/plugins/rule_registry/server/rule_data_client/index.ts
Lines 125 to 143 in bc4928f
For that case, instead of just the
throw err, it probably should log a message indicating the problem (debug is fine if it feels like it will be too noisy, but this one seems worthy of a logged message), and then create a new error with the any details found in the originating error, with an error message describing the error occurred while trying to create an alerting index.There weren't too many ES calls that I could see, directly using the
clusterClient; they seemed to be in the following three files:x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_factory.tsx-pack/plugins/rule_registry/server/rule_data_client/index.tsx-pack/plugins/rule_registry/server/rule_data_plugin_service/index.tsThe text was updated successfully, but these errors were encountered: