Lower logging levels in add_session_metadata processor #41409
Merged
Reduce logging levels for some log messages in the add_session_metadata processor. If something goes wrong with enrichment, many of these logs would be called for every process event, resulting in a lot of logging spam. The logs that have been changed to `Debug` are logs that could potentially be called on every enrichment, so they are lowered to below the default log level. The other logs that have been changed to `Warn` or `Info` will only be called once, or are related to a timer, so they will not cause a large amount of logs to be created. There are better ways to detect if enrichment has failed, so changing the log levels shouldn't negatively affect anything. For example, an Elasticsearch query or alert on missing data that only this processor will populate (i.e. `process.entry_leader` fields) will show processes that weren't properly enriched.
Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)
nicholasberlin
approved these changes
Oct 24, 2024
mergify bot
pushed a commit
that referenced
this pull request
Oct 24, 2024
Reduce logging levels for some log messages in the add_session_metadata processor. If something goes wrong with the process cache where all, or most, processes are missed, many of these logs would be called for every process event, resulting in a lot of logging spam. These logs have been changed to Debug, which is below the default log level and will not cause log spam. The logs that have been reduced to Info are in a timer, so they will not cause a lot of spam, but they should be Informational messages. There are better ways to detect if enrichment has failed, so changing the log levels shouldn't negatively affect anything. For example, an Elasticsearch query or alert on missing fields that only this processor will populate will show processes that weren't properly enriched (i.e. process.entry_leader fields). (cherry picked from commit 5941e68)
mjwolf
added a commit
that referenced
this pull request
Oct 24, 2024
Reduce logging levels for some log messages in the add_session_metadata processor. If something goes wrong with the process cache where all, or most, processes are missed, many of these logs would be called for every process event, resulting in a lot of logging spam. These logs have been changed to Debug, which is below the default log level and will not cause log spam. The logs that have been reduced to Info are in a timer, so they will not cause a lot of spam, but they should be Informational messages. There are better ways to detect if enrichment has failed, so changing the log levels shouldn't negatively affect anything. For example, an Elasticsearch query or alert on missing fields that only this processor will populate will show processes that weren't properly enriched (i.e. process.entry_leader fields). (cherry picked from commit 5941e68) Co-authored-by: Michael Wolf <[email protected]>
Labels
Auditbeat
backport-8.x
Automated backport to the 8.x branch with mergify
backport-8.16
Automated backport with mergify
bugfix
Team:Security-Linux Platform
Linux Platform Team in Security Solution
Proposed commit message
Reduce logging levels for some log messages in the add_session_metadata processor.
If something goes wrong with the process cache where all, or most, processes are missed, many of these logs would be called for every process event, resulting in a lot of logging spam. These logs have been changed to `Debug`, which is below the default log level and will not cause log spam.
The logs that have been reduced to `Info` are in a timer, so they will not cause a lot of spam, but they should be Informational messages.
There are better ways to detect if enrichment has failed, so changing the log levels shouldn't negatively affect anything. For example, an Elasticsearch query or alert on missing fields that only this processor will populate will show processes that weren't properly enriched (i.e. `process.entry_leader` fields).
Checklist
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] I have made corresponding change to the default configuration files
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] I have added an entry in `CHANGELOG.next.asciidoc` or `CHANGELOG-developer.next.asciidoc`.
Disruptive User Impact
None
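
The description above proposes detecting failed enrichment by looking for process events that lack `process.entry_leader` fields instead of relying on log lines. The following Go sketch of that check is an added example, not code from this pull request or from Beats; the `process.entry_leader.entity_id` key, grouping by `host.name`, the threshold and the sample events are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample events (NDJSON), not real Auditbeat output.
const sampleEvents = `{"host":{"name":"web-1"},"process":{"pid":101,"entry_leader":{"entity_id":"a1"}}}
{"host":{"name":"web-1"},"process":{"pid":102,"entry_leader":{"entity_id":"a1"}}}
{"host":{"name":"db-1"},"process":{"pid":201}}
{"host":{"name":"db-1"},"process":{"pid":202,"entry_leader":{}}}
{"host":{"name":"db-1"},"process":{"pid":203,"entry_leader":{"entity_id":"b7"}}}`

type event struct {
	Host struct {
		Name string `json:"name"`
	} `json:"host"`
	Process struct {
		EntryLeader struct {
			EntityID string `json:"entity_id"`
		} `json:"entry_leader"`
	} `json:"process"`
}

// UnenrichedHosts returns, for each host whose share of process events without
// process.entry_leader.entity_id is at least minRatio, that share (0..1).
func UnenrichedHosts(ndjson string, minRatio float64) (map[string]float64, error) {
	total, missing := map[string]int{}, map[string]int{}
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var ev event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad event: %w", err)
		}
		total[ev.Host.Name]++
		// An absent or empty entry_leader object both count as not enriched.
		if ev.Process.EntryLeader.EntityID == "" {
			missing[ev.Host.Name]++
		}
	}
	flagged := map[string]float64{}
	for host, n := range total {
		if r := float64(missing[host]) / float64(n); r >= minRatio {
			flagged[host] = r
		}
	}
	return flagged, nil
}

func main() {
	fmt.Println(UnenrichedHosts(sampleEvents, 0.5))
}
```

Alerting on a per-host ratio rather than on each event gives one signal per affected host, which is the property the lowered log levels aim for.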