[event log] add rule to event log shared object for provider: actions action: execute log event #99225
Labels: Feature:EventLog, Team:ResponseOps (label for the ResponseOps team, formerly the Cases and Alerting teams)
Comments
pmuellr added the Team:ResponseOps and Feature:EventLog labels on May 4, 2021
Pinging @elastic/kibana-alerting-services (Team:Alerting Services)
pmuellr added a commit to pmuellr/kibana that referenced this issue on Jun 20, 2021
pmuellr added a commit that referenced this issue on Jun 22, 2021:
…og doc (#101526)
resolves #99225
Prior to this PR, when an alerting connection action was executed, the event log document generated did not contain a reference to the originating rule. This makes it difficult to diagnose problems with connector errors, since the error is often in the parameters specified in the actions in the alert. In this PR, a reference to the alerting rule is added to the saved_objects field in the event document for these events.
pmuellr added a commit to pmuellr/kibana that referenced this issue on Jun 22, 2021:
…og doc (elastic#101526)
resolves elastic#99225
Prior to this PR, when an alerting connection action was executed, the event log document generated did not contain a reference to the originating rule. This makes it difficult to diagnose problems with connector errors, since the error is often in the parameters specified in the actions in the alert. In this PR, a reference to the alerting rule is added to the saved_objects field in the event document for these events.
pmuellr added a commit that referenced this issue on Jun 22, 2021:
…og doc (#101526) (#102994)
resolves #99225
Prior to this PR, when an alerting connection action was executed, the event log document generated did not contain a reference to the originating rule. This makes it difficult to diagnose problems with connector errors, since the error is often in the parameters specified in the actions in the alert. In this PR, a reference to the alerting rule is added to the saved_objects field in the event document for these events.
Currently, we do not add the rule saved object in the saved object references when we write the provider: actions, action: execute log entry. We do for provider: alerting, action: execute-action, which is logged when actions are queued to be run.
Historically, we weren't passing the rule into the action executor, so we didn't have the rule info to write out. That changed with RBAC, and we now have the rule when executing the action, so we should be able to provide that reference now.
This is fairly important to be able to track an action execution error to not just the connector that failed, but the alert it was run for.
Note: I could swear there was already an issue open for this, but not seeing it. We can close one as a DUP if someone else finds it.
The code where this would go is here:
kibana/x-pack/plugins/actions/server/lib/action_executor.ts
Lines 124 to 136 in 886295f
We'll have to figure out if we want the rel: SAVED_OBJECT_REL_PRIMARY on this - I think we do. This field indicates whether the event log doc will be returned when searching on just the alert SO. For the execute-action log, I believe we only use REL_PRIMARY for the rule, and not connector, because we don't want to expose what alerts are being run if you happen to just have a connector id to search for. Here's where that is done:
kibana/x-pack/plugins/alerting/server/task_runner/create_execution_handler.ts
Lines 175 to 188 in 886295f
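Added example, not code from this issue or from Kibana: it models the two event log documents the issue discusses (provider: alerting / execute-action and provider: actions / execute), shows the pre-fix document with no rule reference next to the post-fix one, and demonstrates why rel: primary matters when you search on a single saved object. The document shape, the field names beyond those named in the issue, the ids (rule-1, slack-1) and the query function are all assumptions made for illustration; the rule reference on the execute document is made primary here because the issue proposes that, not because the page confirms it.

```typescript
// Added example, not Kibana's own code. Field names follow the issue
// (kibana.saved_objects, rel, SAVED_OBJECT_REL_PRIMARY); the document shape
// and the "search on just the saved object" semantics are assumptions.

const SAVED_OBJECT_REL_PRIMARY = 'primary';

interface SavedObjectRef {
  type: string;
  id: string;
  rel?: typeof SAVED_OBJECT_REL_PRIMARY;
}

interface EventLogDoc {
  event: { provider: string; action: string; outcome: 'success' | 'failure' };
  kibana: { saved_objects: SavedObjectRef[] };
  message: string;
}

// provider: alerting, action: execute-action, written when a rule queues an action.
// Only the rule is primary: a search on the connector id must not reveal which
// rules fan out to that connector.
function executeActionDoc(ruleId: string, connectorId: string): EventLogDoc {
  return {
    event: { provider: 'alerting', action: 'execute-action', outcome: 'success' },
    kibana: {
      saved_objects: [
        { rel: SAVED_OBJECT_REL_PRIMARY, type: 'alert', id: ruleId },
        { type: 'action', id: connectorId },
      ],
    },
    message: `rule ${ruleId} queued action ${connectorId}`,
  };
}

// provider: actions, action: execute, written when the connector actually runs.
// `ruleId` is optional on purpose: omitting it reproduces the pre-fix document,
// passing it models the rule reference the issue asks for (assumed primary).
function actionExecuteDoc(
  connectorId: string,
  outcome: 'success' | 'failure',
  ruleId?: string
): EventLogDoc {
  const saved_objects: SavedObjectRef[] = [
    { rel: SAVED_OBJECT_REL_PRIMARY, type: 'action', id: connectorId },
  ];
  if (ruleId !== undefined) {
    saved_objects.push({ rel: SAVED_OBJECT_REL_PRIMARY, type: 'alert', id: ruleId });
  }
  return {
    event: { provider: 'actions', action: 'execute', outcome },
    kibana: { saved_objects },
    message: `action executed: ${connectorId}`,
  };
}

// "Search on just the saved object": a document matches only through a primary
// reference, so the non-primary connector ref in executeActionDoc stays hidden.
function findEventsBySavedObject(docs: EventLogDoc[], type: string, id: string): EventLogDoc[] {
  return docs.filter((doc) =>
    doc.kibana.saved_objects.some(
      (ref) => ref.type === type && ref.id === id && ref.rel === SAVED_OBJECT_REL_PRIMARY
    )
  );
}

// The diagnostic the issue wants: for each failed execution of a connector, name the
// rule it ran for. Pre-fix documents carry no rule reference and show up as 'unknown'.
function rulesBehindConnectorFailures(docs: EventLogDoc[], connectorId: string): string[] {
  return findEventsBySavedObject(docs, 'action', connectorId)
    .filter((doc) => doc.event.provider === 'actions' && doc.event.action === 'execute')
    .filter((doc) => doc.event.outcome === 'failure')
    .map((doc) => doc.kibana.saved_objects.find((ref) => ref.type === 'alert')?.id ?? 'unknown');
}

// Constructed sample: two rules share one connector; one execution fails before the
// fix (no rule ref) and one fails after it (rule ref present).
const sampleDocs: EventLogDoc[] = [
  executeActionDoc('rule-1', 'slack-1'),
  actionExecuteDoc('slack-1', 'failure'),           // pre-fix document
  executeActionDoc('rule-2', 'slack-1'),
  actionExecuteDoc('slack-1', 'failure', 'rule-2'), // post-fix document
];

const failures = rulesBehindConnectorFailures(sampleDocs, 'slack-1');
// ['unknown', 'rule-2']: only the post-fix document can be tied back to its rule.
const seenFromConnector = findEventsBySavedObject(sampleDocs, 'action', 'slack-1')
  .map((doc) => doc.event.action);
// ['execute', 'execute']: execute-action docs are not exposed through the connector id.
const seenFromRule2 = findEventsBySavedObject(sampleDocs, 'alert', 'rule-2')
  .map((doc) => doc.event.action);
// ['execute-action', 'execute']: the rule id reaches both the queueing and the run.
```

The two searches at the end are the point: with the rule reference present, a search on the rule id returns the connector run that failed for it, while a search on the connector id alone still returns nothing about which rules queued it, because that reference is deliberately not primary.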