diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml
index 1598f69b9678e..4aa81f7ec52aa 100644
--- a/oas_docs/output/kibana.serverless.yaml
+++ b/oas_docs/output/kibana.serverless.yaml
@@ -70384,12 +70384,12 @@ paths:
 pattern: '[smdh]$'
 type: string
 maxLogsPerPage:
- default: 40000
+ default: 50000
 maximum: 9007199254740991
 minimum: 1
 type: integer
 maxLogsPerWindow:
- default: 500000
+ default: 100000
 maximum: 9007199254740991
 minimum: 0
 type: integer
diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml
index 3ef3956b17181..d224d83f0d03d 100644
--- a/oas_docs/output/kibana.yaml
+++ b/oas_docs/output/kibana.yaml
@@ -74377,12 +74377,12 @@ paths:
 pattern: '[smdh]$'
 type: string
 maxLogsPerPage:
- default: 40000
+ default: 50000
 maximum: 9007199254740991
 minimum: 1
 type: integer
 maxLogsPerWindow:
- default: 500000
+ default: 100000
 maximum: 9007199254740991
 minimum: 0
 type: integer
diff --git a/x-pack/solutions/security/plugins/entity_store/server/domain/logs_extraction/logs_extraction_client.test.ts b/x-pack/solutions/security/plugins/entity_store/server/domain/logs_extraction/logs_extraction_client.test.ts
index bfc1c0877fbb7..795922b04a1f8 100644
--- a/x-pack/solutions/security/plugins/entity_store/server/domain/logs_extraction/logs_extraction_client.test.ts
+++ b/x-pack/solutions/security/plugins/entity_store/server/domain/logs_extraction/logs_extraction_client.test.ts
@@ -112,6 +112,7 @@ function createMockGlobalStateClient(
 lookbackPeriod: string;
 delay: string;
 maxTimeWindowSize: string;
+ maxLogsPerWindow: number;
 excludedIndexPatterns: string[];
 additionalIndexPatterns: string[];
 }>
@@ -125,6 +126,9 @@ function createMockGlobalStateClient(
 // Default to a very large cap so existing tests run as a single sub-window. The dedicated
 // sub-window cap describe block overrides this to exercise capping behavior.
 maxTimeWindowSize: logExtractionOverrides?.maxTimeWindowSize ?? '999d',
+ // Default to 0 (disabled) so volume-cap logic doesn't interfere with unrelated tests.
+ // The dedicated volume-cap describe block overrides this via setupVolCapTest.
+ maxLogsPerWindow: logExtractionOverrides?.maxLogsPerWindow ?? 0,
 });
 const state = { logsExtraction } as EntityStoreGlobalState;
 return {
@@ -975,9 +979,6 @@ describe('LogsExtractionClient', () => {
 ['2025-01-15T11:00:01.000Z', 'hash2', '2025-01-15T11:00:01.000Z', 'entity2'],
 ],
 };
- // effectiveMaxLogsPerPage = min(40000, maxLogsPerWindow=1) = 1.
- // Probe LIMIT 1 → total_logs = 1 → sliceLogCount = 1.
- // totalLogs = 1 >= maxLogsPerWindow=1 → cap fires.
 setupVolCapTest({ maxLogsPerWindow: 1, maxLogsPerWindowCapBehavior: 'defer' });
 mockExtractSuccessSequence(mainExtractionResponse, 1);
 mockIngestEntities.mockResolvedValue(undefined);
@@ -1014,9 +1015,6 @@ describe('LogsExtractionClient', () => {
 ['2025-01-15T11:00:01.000Z', 'hash2', '2025-01-15T11:00:01.000Z', 'entity2'],
 ],
 };
- // effectiveMaxLogsPerPage = min(40000, maxLogsPerWindow=1) = 1.
- // Probe LIMIT 1 → total_logs = 1 → sliceLogCount = 1.
- // totalLogs = 1 >= maxLogsPerWindow=1 → cap fires.
 setupVolCapTest({ maxLogsPerWindow: 1, maxLogsPerWindowCapBehavior: 'drop' });
 mockExtractSuccessSequence(mainExtractionResponse, 1);
 mockIngestEntities.mockResolvedValue(undefined);
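Review bot: Dropping the three explanatory comments before `setupVolCapTest({ maxLogsPerWindow: 1, maxLogsPerWindowCapBehavior: 'defer' })` leaves the `maxLogsPerWindow: 1` setup and the later `expect(result.logsProcessed).toBe(1)` unexplained; the same applies to the -1014, -1108 and -1142 hunks. The removed lines were tied to the literal 40000, which is presumably why they went, but the reasoning they carried (the window cap clamps the effective page size, so the first probe reaches the cap) is still what the assertions rely on. A literal-free version such as `// maxLogsPerWindow=1 clamps the effective page size to 1, so the probe returns 1 log and the cap fires.` keeps that intent without going stale the next time the per-page default changes. The enclosing test case starts outside the hunk.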
@@ -1108,7 +1106,6 @@ describe('LogsExtractionClient', () => {
 expect(result.success).toBe(true);
 if (!result.success) return;
 expect(result.logsCapApplied).toBe(true);
- // effectiveMaxLogsPerPage = min(40000, maxLogsPerWindow=1) = 1 → sliceLogCount = 1
 expect(result.logsProcessed).toBe(1);
 // defer: lastSearchTimestamp is where the loop stopped, NOT the window end
 expect(result.lastSearchTimestamp).toBe(lastPageTimestamp);
@@ -1142,7 +1139,6 @@ describe('LogsExtractionClient', () => {
 expect(result.success).toBe(true);
 if (!result.success) return;
 expect(result.logsCapApplied).toBe(true);
- // effectiveMaxLogsPerPage = min(40000, maxLogsPerWindow=1) = 1 → sliceLogCount = 1
 expect(result.logsProcessed).toBe(1);
 // drop: lastSearchTimestamp is advanced to the window end
 expect(result.lastSearchTimestamp).toBe(toDateISO);
diff --git a/x-pack/solutions/security/plugins/entity_store/server/domain/saved_objects/global_state/constants.ts b/x-pack/solutions/security/plugins/entity_store/server/domain/saved_objects/global_state/constants.ts
index a9d28f7e1121b..f097a6de17947 100644
--- a/x-pack/solutions/security/plugins/entity_store/server/domain/saved_objects/global_state/constants.ts
+++ b/x-pack/solutions/security/plugins/entity_store/server/domain/saved_objects/global_state/constants.ts
@@ -15,11 +15,11 @@ export const LOG_EXTRACTION_FREQUENCY_DEFAULT = '1m';
 // Max amount of entities to extract in one ESQL query
 export const LOG_EXTRACTION_DOCS_LIMIT_DEFAULT = 10000;
 // Max raw log documents per logs to be processed in a query (inside elastic search)
-export const LOG_EXTRACTION_MAX_LOGS_PER_PAGE_DEFAULT = 40000;
+export const LOG_EXTRACTION_MAX_LOGS_PER_PAGE_DEFAULT = 50_000;
 export const LOG_EXTRACTION_TIMEOUT_DEFAULT = '59s';
 export const LOG_EXTRACTION_MAX_TIME_WINDOW_SIZE_DEFAULT = '15m';
 // Max total raw log documents to process per task run; 0 = no cap
-export const LOG_EXTRACTION_MAX_LOGS_PER_WINDOW_DEFAULT = 500_000;
+export const LOG_EXTRACTION_MAX_LOGS_PER_WINDOW_DEFAULT = 100_000;
 export const LOG_EXTRACTION_CAP_BEHAVIOR_DEFAULT = 'drop' as const;
 export type LogExtractionConfig = z.infer;
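Review bot: The two defaults this hunk rewrites use numeric separators (`50_000`, `100_000`) while the untouched neighbour two lines above stays `10000`, so the block now mixes literal styles; `export const LOG_EXTRACTION_DOCS_LIMIT_DEFAULT = 10_000;` would make it consistent. The comment over `LOG_EXTRACTION_MAX_LOGS_PER_PAGE_DEFAULT` ("per logs to be processed in a query") is also hard to parse, and nothing here records how the two caps relate even though the test comments this commit deletes described the effective page size as the minimum of the per-page default and the per-window cap; a note such as `// Per-page limit; clamped down to the per-window cap when that cap is smaller` would let a reader see why per-window (100_000) is kept above per-page (50_000). Whether that clamp still exists in the client is not visible in this diff, so confirm before wording it as fact.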