[Event Log] add event.outcome to relevant event log documents (#64389)

resolves https://github.com/elastic/kibana/issues/61891

Adds a relatively new ECS field `event.outcome`. Value of `success`, `failure`,
or `unknown`. This is nice, as the only way we have currently of determining an
error for an alert or action execution in the log is the existence of an
`error.message` field.  It is added to the documents for those events.

see: https://www.elastic.co/guide/en/ecs/current/ecs-event.html
Patrick Mueller 2020-04-27 23:11:43 -04:00 committed by GitHub
parent 23665133d7
commit 5457a62fdb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 19 additions and 0 deletions


@ -140,13 +140,18 @@ export class ActionExecutor {
status: 'ok', status: 'ok',
}; };
event.event = event.event || {};
if (result.status === 'ok') { if (result.status === 'ok') {
event.event.outcome = 'success';
event.message = `action executed: ${actionLabel}`; event.message = `action executed: ${actionLabel}`;
} else if (result.status === 'error') { } else if (result.status === 'error') {
event.event.outcome = 'failure';
event.message = `action execution failure: ${actionLabel}`; event.message = `action execution failure: ${actionLabel}`;
event.error = event.error || {}; event.error = event.error || {};
event.error.message = actionErrorToMessage(result); event.error.message = actionErrorToMessage(result);
} else { } else {
event.event.outcome = 'failure';
event.message = `action execution returned unexpected result: ${actionLabel}`; event.message = `action execution returned unexpected result: ${actionLabel}`;
event.error = event.error || {}; event.error = event.error || {};
event.error.message = 'action execution returned unexpected result'; event.error.message = 'action execution returned unexpected result';
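Review bot: The outcome values `'success'` and `'failure'` are bare string literals in all three branches here and again in the TaskRunner hunk below; a shared constant such as `const EVENT_OUTCOME = { success: 'success', failure: 'failure', unknown: 'unknown' } as const;` exported from the event log would keep both call sites aligned with the three values ECS allows and let the compiler catch a misspelling that would otherwise be indexed silently. The `else` branch records a result that is neither `'ok'` nor `'error'` as `'failure'`; if that case means "the result could not be interpreted", ECS's `unknown` value describes it more precisely, and either way a one-line comment such as `// a result that is neither ok nor error is still recorded as a failure` would document the decision. The enclosing method continues past the end of this hunk.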


@ -165,6 +165,7 @@ describe('Task Runner', () => {
Object { Object {
"event": Object { "event": Object {
"action": "execute", "action": "execute",
"outcome": "success",
}, },
"kibana": Object { "kibana": Object {
"saved_objects": Array [ "saved_objects": Array [
@ -226,6 +227,7 @@ describe('Task Runner', () => {
Object { Object {
"event": Object { "event": Object {
"action": "execute", "action": "execute",
"outcome": "success",
}, },
"kibana": Object { "kibana": Object {
"saved_objects": Array [ "saved_objects": Array [
@ -342,6 +344,7 @@ describe('Task Runner', () => {
Object { Object {
"event": Object { "event": Object {
"action": "execute", "action": "execute",
"outcome": "success",
}, },
"kibana": Object { "kibana": Object {
"saved_objects": Array [ "saved_objects": Array [
@ -558,6 +561,7 @@ describe('Task Runner', () => {
}, },
"event": Object { "event": Object {
"action": "execute", "action": "execute",
"outcome": "failure",
}, },
"kibana": Object { "kibana": Object {
"saved_objects": Array [ "saved_objects": Array [


@ -202,12 +202,16 @@ export class TaskRunner {
event.message = `alert execution failure: ${alertLabel}`; event.message = `alert execution failure: ${alertLabel}`;
event.error = event.error || {}; event.error = event.error || {};
event.error.message = err.message; event.error.message = err.message;
event.event = event.event || {};
event.event.outcome = 'failure';
eventLogger.logEvent(event); eventLogger.logEvent(event);
throw err; throw err;
} }
eventLogger.stopTiming(event); eventLogger.stopTiming(event);
event.message = `alert executed: ${alertLabel}`; event.message = `alert executed: ${alertLabel}`;
event.event = event.event || {};
event.event.outcome = 'success';
eventLogger.logEvent(event); eventLogger.logEvent(event);
// Cleanup alert instances that are no longer scheduling actions to avoid over populating the alertInstances object // Cleanup alert instances that are no longer scheduling actions to avoid over populating the alertInstances object
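Review bot: `event.event = event.event || {};` is repeated on both the failure path and the success path of this hunk, immediately before each `event.event.outcome` assignment; initialising the sub-object once where `event` is constructed (above this hunk, not visible here) would remove the duplication and ensure `event.event` exists on any path added later, so a future branch cannot log an event without an outcome. Until then, a short comment on the first occurrence, `// event.event may not exist yet; ensure it before setting outcome`, would explain why the guard precedes each assignment. The enclosing method begins before and continues after this hunk.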


@ -41,6 +41,10 @@
}, },
"end": { "end": {
"type": "date" "type": "date"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
} }
} }
}, },


@ -41,6 +41,7 @@ export const EventSchema = schema.maybe(
start: ecsDate(), start: ecsDate(),
duration: ecsNumber(), duration: ecsNumber(),
end: ecsDate(), end: ecsDate(),
outcome: ecsString(),
}) })
), ),
error: schema.maybe( error: schema.maybe(
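Review bot: `outcome: ecsString()` validates only that the value is a string, while the comment added in the generator hunk below states it must be one of `failure`, `success`, `unknown`; nothing in this schema rejects any other value, so a typo at a call site would pass validation and be indexed into the `keyword` field unnoticed. If this file is produced from the `EcsEventLogProperties` list, as the generator hunk suggests, the constraint belongs in the generator's type mapping rather than in a hand edit here; otherwise `schema.maybe(schema.oneOf([schema.literal('success'), schema.literal('failure'), schema.literal('unknown')]))` would express the documented contract. The mapping hunk above (`"outcome"` as `keyword`) needs no change for this.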


@ -53,6 +53,7 @@ exports.EcsEventLogProperties = [
'event.start', 'event.start',
'event.duration', 'event.duration',
'event.end', 'event.end',
'event.outcome', // optional, but one of failure, success, unknown
'error.message', 'error.message',
'user.name', 'user.name',
'kibana.server_uuid', 'kibana.server_uuid',