Reduce round trips to ES during rule creation/update #123753

Open
jportner opened this issue Jan 25, 2022 · 1 comment
Labels
chore Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

Comments

@jportner

I was testing audit logging today and I noticed something that looked peculiar when I created a new alerting rule:

{"event":{"action":"http_request","category":["web"],"outcome":"unknown"},"http":{"request":{"method":"post"}},"url":{"domain":"localhost","path":"/api/alerting/rule","port":5601,"scheme":"https"},"user":{"name":"thom","roles":["superuser"]},"kibana":{"space_id":"default","session_id":"3dHCZRB..."},"@timestamp":"2022-01-25T13:05:34.449-05:00","message":"User is requesting [/api/alerting/rule] endpoint","trace":{"id":"e300e06..."}}
{"event":{"action":"space_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"space","id":"default"}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.454-05:00","message":"User has accessed space [id=default]","trace":{"id":"e300e06..."}}
{"event":{"action":"connector_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"action","id":"5e3b1ae..."}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.948-05:00","message":"User has accessed connector [id=5e3b1ae...]","trace":{"id":"e300e06..."}}
{"event":{"action":"connector_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"action","id":"5e3b1ae..."}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.956-05:00","message":"User has accessed connector [id=5e3b1ae...]","trace":{"id":"e300e06..."}}
{"event":{"action":"rule_create","category":["database"],"type":["creation"],"outcome":"unknown"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"alert","id":"64517c3..."}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.956-05:00","message":"User is creating rule [id=64517c3...]","trace":{"id":"e300e06..."}}

(several fields have been omitted for simplicity)

Before the rule is created, there are two connector_get events written.

I took a cursory look at the rule create function, and it seems like the connector(s) are fetched twice -- once during validateActions and again during extractReferences:

await this.validateActions(ruleType, data.actions);

// Validate intervals, if configured
if (ruleType.minimumScheduleInterval) {
  const intervalInMs = parseDuration(data.schedule.interval);
  const minimumScheduleIntervalInMs = parseDuration(ruleType.minimumScheduleInterval);
  if (intervalInMs < minimumScheduleIntervalInMs) {
    throw Boom.badRequest(
      `Error updating rule: the interval is less than the minimum interval of ${ruleType.minimumScheduleInterval}`
    );
  }
}

// Extract saved object references for this rule
const {
  references,
  params: updatedParams,
  actions,
} = await this.extractReferences(ruleType, data.actions, validatedAlertTypeParams);

The updateAlert function behaves the same way:

await this.validateActions(ruleType, data.actions);

// Validate intervals, if configured
if (ruleType.minimumScheduleInterval) {
  const intervalInMs = parseDuration(data.schedule.interval);
  const minimumScheduleIntervalInMs = parseDuration(ruleType.minimumScheduleInterval);
  if (intervalInMs < minimumScheduleIntervalInMs) {
    throw Boom.badRequest(
      `Error updating rule: the interval is less than the minimum interval of ${ruleType.minimumScheduleInterval}`
    );
  }
}

// Extract saved object references for this rule
const {
  references,
  params: updatedParams,
  actions,
} = await this.extractReferences(ruleType, data.actions, validatedAlertTypeParams);

It seems that validateActions and extractReferences could be condensed into one function that fetches connectors once (and only writes one audit event for it).

@jportner jportner added chore Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) labels Jan 25, 2022
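
A way to spot the pattern described in the issue across a whole audit log: group read events by trace id and saved object, then report any object read more than once in the same request. This is an added example, not Kibana code and not part of the original issue; the function name `findRepeatedReads`, the `_get` suffix convention and the trimmed/constructed sample lines are assumptions.

```javascript
// Added example: flag saved objects that are read more than once within a
// single request trace in a Kibana audit log (one JSON event per line).

// Sample input. The first five lines are trimmed from the events quoted in the
// issue (ids are truncated there as well); the last line is constructed as a
// control: a different trace with a single connector read.
const SAMPLE_AUDIT_LOG = [
  '{"event":{"action":"http_request"},"@timestamp":"2022-01-25T13:05:34.449-05:00","trace":{"id":"e300e06..."}}',
  '{"event":{"action":"space_get"},"kibana":{"saved_object":{"type":"space","id":"default"}},"@timestamp":"2022-01-25T13:05:34.454-05:00","trace":{"id":"e300e06..."}}',
  '{"event":{"action":"connector_get"},"kibana":{"saved_object":{"type":"action","id":"5e3b1ae..."}},"@timestamp":"2022-01-25T13:05:34.948-05:00","trace":{"id":"e300e06..."}}',
  '{"event":{"action":"connector_get"},"kibana":{"saved_object":{"type":"action","id":"5e3b1ae..."}},"@timestamp":"2022-01-25T13:05:34.956-05:00","trace":{"id":"e300e06..."}}',
  '{"event":{"action":"rule_create"},"kibana":{"saved_object":{"type":"alert","id":"64517c3..."}},"@timestamp":"2022-01-25T13:05:34.956-05:00","trace":{"id":"e300e06..."}}',
  '{"event":{"action":"connector_get"},"kibana":{"saved_object":{"type":"action","id":"5e3b1ae..."}},"@timestamp":"2022-01-25T13:07:00.000-05:00","trace":{"id":"constructed-trace-2"}}',
].join('\n');

// Returns one record per (trace, action, saved object) that occurs more than once.
// actionSuffix is an assumption: read events in the sample end in "_get".
function findRepeatedReads(ndjson, actionSuffix = '_get') {
  const groups = new Map();
  for (const line of ndjson.split('\n')) {
    if (!line.trim()) continue;
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      continue; // skip truncated or non-JSON lines instead of aborting the scan
    }
    const action = entry.event?.action;
    const so = entry.kibana?.saved_object;
    const traceId = entry.trace?.id;
    // Events without a trace id or saved object cannot be correlated; skip them.
    if (!action || !action.endsWith(actionSuffix) || !so || !traceId) continue;

    const key = JSON.stringify([traceId, action, so.type, so.id]);
    const group = groups.get(key) ??
      { traceId, action, type: so.type, id: so.id, count: 0, timestamps: [] };
    group.count += 1;
    group.timestamps.push(entry['@timestamp']);
    groups.set(key, group);
  }
  return [...groups.values()].filter((g) => g.count > 1);
}

console.log(findRepeatedReads(SAMPLE_AUDIT_LOG));
```

Grouping on the trace id keeps two separate requests that read the same connector from being reported; only repeats inside one request are returned.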
@elasticmachine

Pinging @elastic/response-ops (Team:ResponseOps)

@kobelb kobelb added the needs-team Issues missing a team label label Jan 31, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022