[Event Log] add event.outcome to relevant event log documents
resolves elastic#61891

Adds a relatively new ECS field `event.outcome`. Value of `success`, `failure`,
or `unknown`. This is nice, as the only way we have currently of determining an
error for an alert or action execution in the log is the existence of an
`error.message` field.  It is added to the documents for those events.

see: https://www.elastic.co/guide/en/ecs/current/ecs-event.html
pmuellr committed Apr 24, 2020
1 parent a4e740e commit b704942
Showing 5 changed files with 15 additions and 0 deletions.
5 changes: 5 additions & 0 deletions x-pack/plugins/actions/server/lib/action_executor.ts
Expand Up @@ -138,13 +138,18 @@ export class ActionExecutor {
status: 'ok',
};

event.event = event.event || {};

if (result.status === 'ok') {
event.event.outcome = 'success';
event.message = `action executed: ${actionLabel}`;
} else if (result.status === 'error') {
event.event.outcome = 'failure';
event.message = `action execution failure: ${actionLabel}`;
event.error = event.error || {};
event.error.message = actionErrorToMessage(result);
} else {
event.event.outcome = 'failure';
event.message = `action execution returned unexpected result: ${actionLabel}`;
event.error = event.error || {};
event.error.message = 'action execution returned unexpected result';
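Review bot: The three new `event.event.outcome` assignments write bare string literals, while the companion schema change in schemas.ts declares the field as `ecsString()`, so a misspelt or non-ECS value would be indexed without complaint and silently fall out of any `event.outcome: failure` query that an alerting dashboard or detection rule relies on. A small shared constant of the ECS-allowed values, for example `const EventOutcome = { success: 'success', failure: 'failure', unknown: 'unknown' } as const;` exported from the event_log plugin (a constructed name; I have not checked whether one already exists) and used here, in task_runner.ts and as the basis for the comment in scripts/mappings.js, would let the compiler catch that. The final `else` branch records an unexpected result shape as `'failure'` rather than ECS `'unknown'`; a one-line comment such as `// an unrecognised result shape is reported as a failure so outcome filters do not miss it` would make that choice explicit. The enclosing method starts and ends outside this hunk.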
4 changes: 4 additions & 0 deletions x-pack/plugins/alerting/server/task_runner/task_runner.ts
Expand Up @@ -202,12 +202,16 @@ export class TaskRunner {
event.message = `alert execution failure: ${alertLabel}`;
event.error = event.error || {};
event.error.message = err.message;
event.event = event.event || {};
event.event.outcome = 'failure';
eventLogger.logEvent(event);
throw err;
}

eventLogger.stopTiming(event);
event.message = `alert executed: ${alertLabel}`;
event.event = event.event || {};
event.event.outcome = 'success';
eventLogger.logEvent(event);
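Review bot: `event.event = event.event || {};` is repeated on both the failure path (just before `throw err`) and the success path, each immediately followed by the outcome assignment; initialising `event.event` once where the event object is built, which lies outside this hunk, would reduce both sites to a single `event.event.outcome = ...` line and remove the chance that a future exit path logs the event with no outcome at all. If the construction site cannot be changed, a brief comment on the first guard, `// event.event may be absent on this object; ensure it exists before recording the outcome`, would explain the duplication to the next reader. The enclosing method starts and ends outside the hunk.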

// Cleanup alert instances that are no longer scheduling actions to avoid over populating the alertInstances object
4 changes: 4 additions & 0 deletions x-pack/plugins/event_log/generated/mappings.json
Expand Up @@ -41,6 +41,10 @@
},
"end": {
"type": "date"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
1 change: 1 addition & 0 deletions x-pack/plugins/event_log/generated/schemas.ts
Expand Up @@ -41,6 +41,7 @@ export const EventSchema = schema.maybe(
start: ecsDate(),
duration: ecsNumber(),
end: ecsDate(),
outcome: ecsString(),
})
),
error: schema.maybe(
1 change: 1 addition & 0 deletions x-pack/plugins/event_log/scripts/mappings.js
Expand Up @@ -53,6 +53,7 @@ exports.EcsEventLogProperties = [
'event.start',
'event.duration',
'event.end',
'event.outcome', // optional, but one of failure, success, unknown
'error.message',
'user.name',
'kibana.server_uuid',
