-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution][Detections] Extended rule execution logging to Event Log #126063
[Security Solution][Detections] Extended rule execution logging to Event Log #126063
Conversation
2c9905f
to
b618228
Compare
5238efd
to
f7c2b00
Compare
d7ccc0a
to
0a0b14f
Compare
92a7283
to
1278e9a
Compare
13283b8
to
597c07d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for addressing the comments, @banderror 👍
597c07d
to
9c92cb5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is really awesome. Thanks so much for providing the cloud env for testing. Focused on the CTI/platform changes in review which looked like mostly refactor/cleanup.
LGTM 🔥
@banderror The single event log plugin code change looks fine. Tested it out just to see what's being logged and I'm wondering if there is a followup issue to consolidate some of the log messages to take into consideration the fact that they are being written as ES documents now? Understand this is behind a feature flag and it sounds like there are improvements coming. I'm just seeing things like
which will show up as 2 event log docs and would like to make sure there are followup efforts to combine the messages (and make them individually more meaningful?) |
@ymao1 we'll make sure to revisit this before making this feature available for the users. There are no follow-up tickets for this at this point, but I'll write up some before the next planning. I'll make a note to do that so I don't forget. |
9c92cb5
to
767a8c6
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Response ops changes LGTM!
💛 Build succeeded, but was flakyFailed CI StepsTest Failures
Metrics [docs]Module Count
Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: cc @banderror |
**Relates to:** #126063 ## Summary This PR extends rule event log's filter and improves log messages. ## Details We have Rule execution log feature hidden by a feature flag and disabled, it's shown on a rule details page when enabled. <img width="1782" alt="image" src="https://github.com/elastic/kibana/assets/3775283/71565d96-13aa-4275-b870-22118ac90335"> The feature is close to a releasable state but some tasks had to be addressed to make it usable. This PR addresses the following tasks to make rule execution log feature releasable - Adds search bar to search for specific messages <img width="1529" alt="image" src="https://github.com/elastic/kibana/assets/3775283/4bd198de-60e8-4511-a96d-4d68ec53a7f2"> - Adds a date range filter by default set to show logs for last 24 hours <img width="1529" alt="image" src="https://github.com/elastic/kibana/assets/3775283/b9d7e658-a19a-402a-a039-28d225000952"> - Improves error, warning and debug messages - Returns rule metrics in a message as a serialized JSON <img width="1526" alt="image" src="https://github.com/elastic/kibana/assets/3775283/7d9501b9-4a12-4d31-be99-6ce3c04b2b97"> - Adds `execution_id` to the response <img width="1522" alt="image" src="https://github.com/elastic/kibana/assets/3775283/92d1291e-0605-456c-abca-8c6fd329ade2"> ### Tasks to address later - [ ] Further improve logging messages. We have either error, warning or debug messages. In fact info or trace levels aren't used but it can give useful info. - [ ] Add an OpenAPI spec for the rule execution log endpoint
Epics: #124947, #118324
Fixes: #131352
Summary
Console logs written by rule executors can now be "routed" to the Event Log in addition to the console. A new table UI for viewing plain rule execution logs allows the user to look at all status changes, errors, warnings, info and debug messages on the Rule Details page.
This feature is hidden under a feature flag and disabled by default -- it might not be production-ready yet. We will need to work on product and UX/UI design in the subsequent development cycles to make it ready for release. Until then, we can start using it in development: it should make it easier to troubleshoot issues with rule execution. Add this flag to your Kibana config to enable this feature:
If the flag is enabled:
message
, in addition to the existingstatus-change
andexecution-metrics
events.Execution events
. This tab will contain a table with plain execution logs.As for the new Kibana Advanced Settings, by default:
error
. This only affects the newmessage
events.Implementation details
Important change: refactored the folder structure as our first step to domain-driven architecture and splitting the Detection Engine into subdomains.
rule_monitoring
. This subdomain now lives in three folders:security_solution/common/detection_engine/rule_monitoring
security_solution/public/detection_engine/rule_monitoring
security_solution/server/lib/detection_engine/rule_monitoring
Other changes:
IRuleExecutionLogForExecutors
instead of the consoleLogger
.IRuleExecutionLogForExecutors
is passed to rule executors and downstream functions they call.Logger
is not passed anymore.buildRuleMessage
andbuildRuleMessageFactory
are deleted.message
for writing console logs to Event Log.log.level
andevent.severity
.plugins.securitySolution.ruleExecution
.rule.rule_id
) as a correlation id to the logs.ExtMeta
to use interfaces instead of type intersection due to a found bug in TypeScript that affected this type.AggregateRuleExecutionEvent
into theRuleExecutionResult
.RuleExecutionEvent
.Execution events table UI
For context, this is how the existing
Execution logs
table looks like when the flag is off (notice the renaming toExecution results
:This is the new
Execution events
table when the flag is on:Showing only trace and debug events:
Showing only status changes:
Showing only warning and error
message
s:Expanded rows showing details of the corresponding events:
Console logs
Example:
Note that:
plugins.securitySolution.ruleExecution
, which allows to turn on only rule execution logs in the config (could be useful when debugging).[siem.queryRule][Endpoint Security][rule id 825b2fab-8b3e-11ec-a4a0-cf820453283c][rule uuid 9a1a2dae-0b5f-4c3d-8305-a268d404c306][exec id ebb7f713-b216-4c90-a456-6c1a6815a065][space default]
Checklist
x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/rule_execution_log/README.md
For maintainers