
[Endpoint] Use a search query for alert details#66912

Closed
jonathan-buttner wants to merge 1 commit into elastic:master from jonathan-buttner:fix-alerts-data-stream

Conversation

@jonathan-buttner
Contributor

@jonathan-buttner jonathan-buttner commented May 18, 2020

Summary

Retrieving alerts from ES is currently not working because of data streams. To reproduce this issue:

  1. Check out master
  2. Log in to Kibana
  3. Connect a live endpoint
  4. Generate an alert
  5. Attempt to view the alert in the endpoint app

This will not happen when using the resolver data generator because it uses a mapping file which forces the index to not use data streams.

You should see the following in the UI:

Alert UI Failure

image

The issue is that the ingest manager leverages v2 templates and data streams for the data sent by an endpoint. The endpoint binary is configured to send event data and alerts to events-endpoint-1. Instead of creating a normal index in ES, a data stream will be created and the actual index will be something like events-endpoint-1-000001. When the alert details server code tries to retrieve the alert, it uses a hard-coded index value here: https://github.com/elastic/kibana/blob/master/x-pack/plugins/endpoint/common/alert_constants.ts#L19 (events-endpoint-1) and uses the ES Get API for retrieving the alert by its ID.

This fails with the following error:

{
  "msg": "[illegal_argument_exception] The provided expression [events-endpoint-1] matches a data stream, specify the corresponding concrete indices instead.",
  "path": "/events-endpoint-1/_doc/5IPTKHIBMyjTtvMm6Xmj",
  "query": {},
  "statusCode": 400,
  "response": "{\"error\":{\"root_cause\":[{\"type\":\"illegal_argument_exception\",\"reason\":\"The provided expression [events-endpoint-1] matches a data stream, specify the corresponding concrete indices instead.\"}],\"type\":\"illegal_argument_exception\",\"reason\":\"The provided expression [events-endpoint-1] matches a data stream, specify the corresponding concrete indices instead.\"},\"status\":400}"
}

To solve this, instead of using an ES Get, I've changed it to use a Search. A search on a data stream is valid. Another solution would be to encode the index of each alert in the alert list API; that way the alert details handler would have the exact index (e.g. events-endpoint-1-000001) when it does the ES Get. That solution seemed like more intrusive changes, and I'm not sure what the state of transitioning this code to the SIEM app is.

Testing

Connect a live endpoint and trigger an alert. You should be able to see the alert in resolver.

image
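The Get-versus-Search distinction described above, as an added example that is not code from this PR or from Kibana: it builds the `ids` search request that is valid against the data stream name, pulls the single hit (and its concrete backing index) out of the response, and recognises the `illegal_argument_exception` the ES Get returns. Function names, the response types and the sample data are assumptions constructed to mirror the shapes quoted in the PR description.

```typescript
// Added example, not Kibana code. Types approximate the Elasticsearch response shapes.
interface SearchHit { _index: string; _id: string; _source: Record<string, unknown>; }
interface SearchResponse { hits: { total: { value: number }; hits: SearchHit[] }; }
interface EsClientError { statusCode: number; response: string; }

// Data stream name the endpoint writes alerts to (from the PR description).
const ALERT_INDEX = 'events-endpoint-1';

// A search targeting the data stream name is valid, whereas
// GET /events-endpoint-1/_doc/<id> is rejected because the name is not a concrete index.
function buildAlertSearch(alertId: string) {
  return {
    index: ALERT_INDEX,
    size: 1,
    body: { query: { ids: { values: [alertId] } } },
  };
}

// Return the single alert from the search response, keeping the concrete backing
// index (e.g. events-endpoint-1-000001) so a later Get could target it directly.
function extractAlert(resp: SearchResponse): { index: string; id: string; source: Record<string, unknown> } | null {
  if (resp.hits.hits.length === 0) return null;
  const hit = resp.hits.hits[0];
  return { index: hit._index, id: hit._id, source: hit._source };
}

// Detect the "matches a data stream" Get failure so a caller can fall back to a search.
function isDataStreamGetError(err: EsClientError): boolean {
  if (err.statusCode !== 400) return false;
  try {
    const parsed = JSON.parse(err.response);
    const reason: string = parsed?.error?.reason ?? '';
    return parsed?.error?.type === 'illegal_argument_exception' && /matches a data stream/.test(reason);
  } catch (_e) {
    return false;
  }
}

// Constructed sample data mirroring the shapes in the PR description.
const SAMPLE_RESPONSE: SearchResponse = {
  hits: { total: { value: 1 }, hits: [{ _index: 'events-endpoint-1-000001', _id: '5IPTKHIBMyjTtvMm6Xmj', _source: { event: { kind: 'alert' } } }] },
};
const SAMPLE_GET_ERROR: EsClientError = {
  statusCode: 400,
  response: '{"error":{"type":"illegal_argument_exception","reason":"The provided expression [events-endpoint-1] matches a data stream, specify the corresponding concrete indices instead."},"status":400}',
};
```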

@jonathan-buttner jonathan-buttner requested review from a team as code owners May 18, 2020 17:13
@jonathan-buttner jonathan-buttner added Feature:Endpoint Elastic Endpoint feature release_note:skip Skip the PR/issue when compiling release notes v7.9.0 v8.0.0 labels May 18, 2020
@elasticmachine
Contributor

Pinging @elastic/endpoint-app-team (Feature:Endpoint)

@jonathan-buttner jonathan-buttner requested a review from madirey May 18, 2020 17:30
@madirey
Contributor

madirey commented May 18, 2020

We already had a solution for this here: 6d0b12e

Can we not just use that?

@kibanamachine
Contributor

💔 Build Failed

Failed CI Steps


Test Failures

Kibana Pipeline / x-pack-intake-agent / X-Pack Jest Tests.x-pack/plugins/infra/public/containers/logs/log_summary.useLogSummary hook provides an empty list of buckets by default

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has failed 1 times on tracked branches: https://github.com/elastic/kibana/issues/66852



Kibana Pipeline / x-pack-intake-agent / X-Pack Jest Tests.x-pack/plugins/infra/public/containers/logs/log_summary.useLogSummary hook queries for new summary buckets when the source id changes

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has failed 1 times on tracked branches: https://github.com/elastic/kibana/issues/66853



Kibana Pipeline / x-pack-intake-agent / X-Pack Jest Tests.x-pack/plugins/infra/public/containers/logs/log_summary.useLogSummary hook queries for new summary buckets when the filter query changes

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has failed 1 times on tracked branches: https://github.com/elastic/kibana/issues/66854



and 1 more failures, only showing the first 3.

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@jonathan-buttner jonathan-buttner deleted the fix-alerts-data-stream branch November 10, 2020 14:40