
[Security Solution] Truncated error messages during rule execution #147918

Open
Tracked by #165878
xcrzx opened this issue Dec 21, 2022 · 4 comments
Labels
bug Fixes for quality problems that affect the customer experience consider-next Feature:Detection Alerts Security Solution Detection Alerts Feature Feature:Rule Monitoring Security Solution Detection Rule Monitoring area impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team:Detection Engine Security Solution Detection Engine Area Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@xcrzx
Contributor

xcrzx commented Dec 21, 2022

Summary

During the search phase of rule execution, thrown error messages are truncated, making it difficult to identify the root cause of the error.

See these SDHs, for example:

  1. https://github.com/elastic/sdh-security-team/issues/508
  2. https://github.com/elastic/sdh-security-team/issues/501
  3. https://github.com/elastic/sdh-security-team/issues/500

All of them have error messages logged without the root cause in both the Kibana logs and the rule execution log:

```text
search_after_bulk_create threw an error ResponseError: search_phase_execution_exception: [siem.queryRule][AWS Config Resource Deletion][rule id 92e3cf40-75bf-11ed-89b7-0bebc4b98e27][rule uuid 7024e2a0-315d-4334-bb1a-552d604f27bc][exec id 456fdc0b-91e6-4261-9815-5a88a27288f7][space default]
```


We need to find a way to extract useful information from Elasticsearch errors and log it with the error. Sometimes it is specified in the reason field, for example:

```json
{
  "message": "status_exception",
  "statusCode": 400,
  "attributes": {
    "type": "status_exception",
    "reason": "error while executing search",
    "caused_by": {
      "type": "search_phase_execution_exception",
      "reason": "Partial shards failure",
      "phase": "query",
      "grouped": true,
      "failed_shards": [
        {
          "shard": 0,
          "index": ".ds-elastic-cloud-logs-8-2022.03.05-000001",
          "node": "FAfhiKFgQRub0foBuI0llg",
          "reason": {
            "type": "illegal_argument_exception",
            "reason": "Field [timestamp] of type [keyword] is not supported for aggregation [date_histogram]"
          }
        }
      ],
      "caused_by": {
        "type": "",
        "reason": ": Field [timestamp] of type [keyword] is not supported for aggregation [date_histogram]",
        "caused_by": {
          "type": "illegal_argument_exception",
          "reason": "Field [timestamp] of type [keyword] is not supported for aggregation [date_histogram]"
        }
      }
    }
  }
}
```
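As an added example of the extraction the issue asks for (not Kibana's own code): a TypeScript helper that walks `attributes.caused_by` and `attributes.failed_shards` down to the leaf reasons, collapses the duplicated ": Field ..." copy with the empty type, and folds the result into the logged message. The type names and the `SAMPLE_ERROR` constant are assumptions built from the error body quoted above.

```typescript
// Added example, not Kibana's code: walk an Elasticsearch ResponseError body and pull out
// the leaf "reason" strings (plus the indices they came from) so the logged message carries
// the root cause instead of only the top-level "status_exception".
interface EsCause { type?: string; reason?: string; caused_by?: EsCause; failed_shards?: Array<{ index?: string; reason?: EsCause }> }
interface EsResponseError { message: string; statusCode?: number; attributes?: EsCause }
interface RootCause { type: string; reason: string; indices: string[] }

function extractRootCauses(err: EsResponseError): RootCause[] {
  const acc = new Map<string, { type: string; indices: Set<string> }>();
  const visit = (cause: EsCause | undefined, index?: string): void => {
    if (!cause) return;
    // Only leaves carry the root cause; intermediate nodes just say "error while executing search".
    const isLeaf = cause.caused_by === undefined && !cause.failed_shards?.length;
    if (isLeaf && cause.reason) {
      // ES sometimes repeats the message prefixed with ": " under an empty type;
      // normalise so that copy collapses onto the real exception.
      const text = cause.reason.replace(/^\s*:\s*/, '').trim();
      if (text) {
        const entry = acc.get(text) ?? { type: 'unknown', indices: new Set<string>() };
        if (cause.type) entry.type = cause.type;
        if (index) entry.indices.add(index);
        acc.set(text, entry);
      }
    }
    for (const shard of cause.failed_shards ?? []) visit(shard.reason, shard.index ?? index);
    visit(cause.caused_by, index);
  };
  visit(err.attributes);
  return Array.from(acc, ([reason, v]) => ({ type: v.type, reason, indices: Array.from(v.indices).sort() }));
}

// One-line summary suitable for the rule execution log; falls back to the bare message.
function formatEsError(err: EsResponseError): string {
  const parts = extractRootCauses(err).map((c) =>
    `${c.type}: ${c.reason}` + (c.indices.length ? ` [indices: ${c.indices.join(', ')}]` : ''));
  return parts.length ? `${err.message}: ${parts.join('; ')}` : err.message;
}

// Constructed sample, trimmed from the error body quoted in this issue (assumption, not captured live).
const MSG = 'Field [timestamp] of type [keyword] is not supported for aggregation [date_histogram]';
const SAMPLE_ERROR: EsResponseError = {
  message: 'status_exception', statusCode: 400,
  attributes: { type: 'status_exception', reason: 'error while executing search', caused_by: {
    type: 'search_phase_execution_exception', reason: 'Partial shards failure',
    failed_shards: [{ index: '.ds-elastic-cloud-logs-8-2022.03.05-000001',
      reason: { type: 'illegal_argument_exception', reason: MSG } }],
    caused_by: { type: '', reason: `: ${MSG}`, caused_by: { type: 'illegal_argument_exception', reason: MSG } },
  } },
};
console.log(formatEsError(SAMPLE_ERROR));
```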
@xcrzx xcrzx added bug Fixes for quality problems that affect the customer experience triage_needed Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team labels Dec 21, 2022
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@xcrzx xcrzx added Feature:Rule Monitoring Security Solution Detection Rule Monitoring area and removed triage_needed labels Dec 21, 2022
@banderror banderror self-assigned this Dec 28, 2022
@banderror
Contributor

All these issues could have been fixed by elastic/elastic-transport-js#52 which was propagated to Kibana in #148521. We need to verify that it fixes the issues mentioned in this ticket.

@banderror
Contributor

@marshallmain and @elastic/security-detections-response-alerts folks, would you be able to help here with verifying that the error cases from the linked SDHs are now resolved? I think this is more related to rule execution logic and how errors are created, rather than the rule execution logging mechanism and features, so I'd rely on your knowledge of the detection engine here.

@banderror banderror added Team:Detection Alerts Security Detection Alerts Area Team impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Feature:Detection Alerts Security Solution Detection Alerts Feature and removed triage_needed labels Mar 21, 2023
@yctercero yctercero added Team:Detection Engine Security Solution Detection Engine Area and removed Team:Detection Alerts Security Detection Alerts Area Team labels May 13, 2023
@yctercero yctercero added this to the DR - Serverless Ungated milestone Mar 21, 2024