[Security Solution][Endpoint] Better error handling for ES errors#266524
Conversation
paul-tavares
added
release_note:skip
|
Pinging @elastic/security-defend-workflows (Team:Defend Workflows) |
szwarckonrad
left a comment
szwarckonrad
left a comment
There was a problem hiding this comment.
I’ve left a few comments, but they don’t seem to be in the way. Please decide if they are worth pursuing.
| logger.debug(stringify(error, 20)); | ||
| } else { | ||
| logger.error(error); | ||
| logger.error(stringify(error, 20)); |
There was a problem hiding this comment.
AI generated:
This drops the structured logger path for errors. When an Error is passed to logger.error, Kibana's BaseLogger.createLogRecord builds a LogRecord with error: <Error> alongside message — ECS appenders use that to populate error.type, error.message, error.stack_trace, etc. Stringifying first collapses everything into message, and any consumer indexing on error.* (Filebeat → ES, etc.) silently loses those fields.
Could we keep the Error and put the new debug payload in LogMeta instead?
| */ | ||
| export class EndpointError<MetaType = unknown> extends Error { | ||
| // eslint-disable-next-line @typescript-eslint/no-explicit-any | ||
| public debug: any = undefined; |
There was a problem hiding this comment.
I believe we could go with something like
export interface EndpointErrorDebug {
es_request?: {
method?: string;
path?: string;
querystring?: unknown;
body?: unknown;
};
es_response?: { body?: unknown };
}
export class EndpointError<MetaType = unknown> extends Error {
public debug?: EndpointErrorDebug;
// ...
}There was a problem hiding this comment.
EndpointError is generic and also used by the UI, so I rather keep debug property set at any. Although with this change was triggered by the lack of detail while investigating a recent issue that originated from a ES error, the debug property is really to capture anything else that one might like to include when an error of this type if thrown.
|
|
||
| try { | ||
| // Process known error Types and retrieve additional data not normally output to logs | ||
| if (error instanceof errors.ElasticsearchClientError) { |
There was a problem hiding this comment.
Would it be worth adding a small wrap_errors.test.ts alongside this?
| try { | ||
| // Process known error Types and retrieve additional data not normally output to logs | ||
| if (error instanceof errors.ElasticsearchClientError) { | ||
| const esError = error as { meta?: DiagnosticResult; body?: any }; |
There was a problem hiding this comment.
Instead of typin we could probably go with
if (error instanceof errors.ResponseError) {
const { params } = error.meta.meta.request;
debug = {
es_request: {
method: params.method,
...There was a problem hiding this comment.
That will not work. Here I'm checking that the Error is one emitted by the Elastic search client (the base Error class) and that Error definition does not have a meta thus why I defined the type above. Tehre are a few errors that have the meta, so defining the type here allows us to capture data for all of them - including any new one that might be added in the future.
see node_modules/@elastic/elasticsearch/node_modules/@elastic/transport/lib/errors.d.ts to view the types defined for ES client errors
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]Unknown metric groupsESLint disabled in files
ESLint disabled line counts
Total ESLint disabled count
History
|
|
Starting backport for target branches: 9.4 https://github.com/elastic/kibana/actions/runs/25434301543 |
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
…rs (#266524) (#267961) # Backport This will backport the following commits from `main` to `9.4`: - [[Security Solution][Endpoint] Better error handling for ES errors (#266524)](#266524) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Paul Tavares","email":"56442535+paul-tavares@users.noreply.github.com"},"sourceCommit":{"committedDate":"2026-05-06T12:08:17Z","message":"[Security Solution][Endpoint] Better error handling for ES errors (#266524)\n\n## Summary\n\n- Improve error handling of errors, specifically those thrown by ES/SO\nclients\n- Logic in `wrapErrorIfNeeded()` will now check to see if the error\nbeing wrapped is from ES and if so, it will attempt to generate a better\nerror message as well as capture additional debug data","sha":"0e7f25b99db349ee8388797c7ff5a25f0ba2cd50","branchLabelMapping":{"^v9.5.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Defend Workflows","backport:version","v9.4.0","v9.5.0"],"title":"[Security Solution][Endpoint] Better error handling for ES errors","number":266524,"url":"https://github.com/elastic/kibana/pull/266524","mergeCommit":{"message":"[Security Solution][Endpoint] Better error handling for ES errors (#266524)\n\n## Summary\n\n- Improve error handling of errors, specifically those thrown by ES/SO\nclients\n- Logic in `wrapErrorIfNeeded()` will now check to see if the error\nbeing wrapped is from ES and if so, it will attempt to generate a better\nerror message as well as capture additional debug data","sha":"0e7f25b99db349ee8388797c7ff5a25f0ba2cd50"}},"sourceBranch":"main","suggestedTargetBranches":["9.4"],"targetPullRequestStates":[{"branch":"9.4","label":"v9.4.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.5.0","branchLabelMappingKey":"^v9.5.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/266524","number":266524,"mergeCommit":{"message":"[Security Solution][Endpoint] Better error handling for ES errors (#266524)\n\n## Summary\n\n- Improve error handling of errors, specifically those thrown by ES/SO\nclients\n- Logic in `wrapErrorIfNeeded()` will now check to see if the error\nbeing wrapped is from ES and if so, it will attempt to generate a better\nerror message as well as capture additional debug data","sha":"0e7f25b99db349ee8388797c7ff5a25f0ba2cd50"}}]}] BACKPORT--> Co-authored-by: Paul Tavares <56442535+paul-tavares@users.noreply.github.com>
…astic#266524) ## Summary - Improve error handling of errors, specifically those thrown by ES/SO clients - Logic in `wrapErrorIfNeeded()` will now check to see if the error being wrapped is from ES and if so, it will attempt to generate a better error message as well as capture additional debug data
4 participants
Summary
wrapErrorIfNeeded()will now check to see if the error being wrapped is from ES and if so, it will attempt to generate a better error message as well as capture additional debug data