Errors related to Elasticsearch engine pagination.(CVE Connector error) #6031
Comments
misohouse
added
needs triage
|
I verified that the "query":"be6b5136-4db9-4ccd-b2fa-cb8031387f27" in that error statement is the UUIDv4 of the CVE Connector I set up. The connector is not in use, so I don't know why the error occurred since it was commented out in portainer. I uncommented it and checked that it works, but I still get the same error. The problem seems to occur when importing data. Also, when I try to delete previously completed tasks in bulk on the [Data - Connectors] page, I get an engine pagination error. (I can delete them individually, but the amount is too large to do it one by one.) And there is no log in CVE connector's container. ============== The current CVE connector container state(1) and opencti container state(2) are shown in the photo below. (2) I don't know why I'm getting errors periodically, even though the cve import operation has already been completed. |
misohouse
changed the title
|
Hi @misohouse, I looked much deeper into it, and you're right, not a circuit breaker issue concerning the error above, and I found the part of the code responsible for this raised error:
This compares what the header received as response for the http request and the max_response_size allowed which is 10mb by default: In order to easily access to the cluster settings, have you installed Kibana ? It's a data visualization and exploration tool from Elastic. An example to add in your docker compose file on the link below: Once you access to your Kibana, you can open the Dev Tools and check your
Could you check the config by your side ? |
|
I installed kibana as you said and saw that there are max_response_size in 2 places. And I changed the max_response_size in 1 of them with the put message below. Below shows the result of that query. The other one is a static value, so I get an error that it can't be changed And in the elasticsearch container log, I could see the log that the max_response_size was changed as shown below. But I'm still getting the same error in opencti container... What am I doing wrong? |
helene-nguyen
removed
the
needs triage
|
Ok, let me check the CVE Connector side too and give you an update as soon as possible. |
|
Hello @misohouse, |
|
Currently, OpenCTI is so laggy that it's almost unusable. Rebooting will make things temporarily better, but over time, the system will get progressively slower and slower until it becomes nearly unusable. Looking at the CPU logs, it seems to be caused by an elasticsearch related crash. My CVE configuration is below. And I send some pictures which may help to fix this situation. 1. CVE Connector status in OpenCTI 2. CPU stuck message in OpenCTI server 3. CVE Connector container logs ` Traceback (most recent call last): The above exception was the direct cause of the following exception: Traceback (most recent call last): The above exception was the direct cause of the following exception: Traceback (most recent call last): During handling of the above exception, another exception occurred: Traceback (most recent call last):
|
|
Ok, not related to the CVE connector as AbuseIPDB connector seems to have the same error but definitively a database error, @SouadHadjiat do you have any idea about this error ? |
|
@helene-nguyen @misohouse This error seem to happen when trying to delete completed works. We try to query up to 500 completed works to be deleted and it looks like the response is too big. I suggest for now to run this query manually on elasticsearch, it should delete all completed works older than 7 days, and see if the error stops : I think we should use directly this query in our code instead of querying the works to be then deleted, we won't have any issue with size limits. |
|
Oh! I ran the query as you said and it deleted thousands of completed tasks and no longer throws the error. Thank you for your detailed answer! :) |
|
@misohouse If our support has helped you and you're no stuck anymore, I'll let you close this issue :) |
|
@nino-filigran I suggest to fix the way we delete completed tasks to avoid having this issue again |
Kedae
added
the
solved
Kedae
added
bug
Previous question: #5999
ERR Fail to execute engine pagination | category=APP errors=[{"attributes":{"genre":"TECHNICAL","http_status":500,"query":{"_source":true,"body":{"query":{"bool":{"must":[{"bool":{"minimum_should_match":2,"should":[{"bool":{"minimum_should_match":3,"should":[{"bool":{"minimum_should_match":1,"should":[{"multi_match":{"fields":["event_source_id.keyword"],"query":"be6b5136-4db9-4ccd-b2fa-cb8031387f27"}}]}},{"bool":{"minimum_should_match":1,"should":[{"multi_match":{"fields":["status.keyword"],"query":"complete"}}]}},{"bool":{"minimum_should_match":1,"should":[{"range":{"completed_time":{"lte":"now-7d/d"}}}]}}]}},{"bool":{"minimum_should_match":1,"should":[{"multi_match":{"fields":["entity_type.keyword","parent_types.keyword"],"query":"Work"}}]}}]}}],"must_not":[]}},"size":500,"sort":[{"standard_id.keyword":"asc"}]},"index":["opencti_history"],"track_total_hits":true}},"message":"Fail to execute engine pagination","name":"DATABASE_ERROR","stack":"DATABASE_ERROR: Fail to execute engine pagination\n at error (/opt/opencti/build/src/config/errors.js:8:10)\n at DatabaseError (/opt/opencti/build/src/config/errors.js:58:48)\n at /opt/opencti/build/src/database/engine.js:2520:15\n at processTicksAndRejections (node:internal/process/task_queues:95:5)\n at elList (/opt/opencti/build/src/database/engine.js:2543:22)\n at deleteCompletedWorks (/opt/opencti/build/src/manager/connectorManager.js:93:3)\n at connectorHandler (/opt/opencti/build/src/manager/connectorManager.js:117:7)\n at /opt/opencti/build/src/manager/connectorManager.js:137:9\n at npt.#runHandlerAndScheduleTimeout (/opt/opencti/build/node_modules/set-interval-async/dist/set-interval-async-timer.cjs:36:13)\n at Timeout._onTimeout (/opt/opencti/build/node_modules/set-interval-async/dist/set-interval-async-timer.cjs:29:13)"},{"message":"The content length (536932588) is bigger than the maximum allowed string (536870888)","name":"RequestAbortedError","stack":"RequestAbortedError: The content length (536932588) is bigger than the maximum allowed string (536870888)\n at aYt.request (/opt/opencti/build/node_modules/@elastic/transport/src/Transport.ts:574:34)\n at processTicksAndRejections (node:internal/process/task_queues:95:5)\n at k$e.SearchApi [as search] (/opt/opencti/build/node_modules/@elastic/elasticsearch/src/api/api/search.ts:89:10)\n at elList (/opt/opencti/build/src/database/engine.js:2543:22)\n at deleteCompletedWorks (/opt/opencti/build/src/manager/connectorManager.js:93:3)\n at connectorHandler (/opt/opencti/build/src/manager/connectorManager.js:117:7)\n at /opt/opencti/build/src/manager/connectorManager.js:137:9\n at npt.#runHandlerAndScheduleTimeout (/opt/opencti/build/node_modules/set-interval-async/dist/set-interval-async-timer.cjs:36:13)\n at Timeout._onTimeout (/opt/opencti/build/node_modules/set-interval-async/dist/set-interval-async-timer.cjs:29:13)"}] manager=CONNECTOR_MANAGER timestamp=2024-02-16T06:34:16.696Z version=5.12.31I read the “Cluster setting” page but it’s hard to understand that since I set up the elasticsearch by docker-compose in portainer.
Would you tell me how to configure the cluster setting of elasticsearch by docker-compose in portainer?
=============
If the error is not for the circuit breaker that @helene-nguyen mentioned in a previous question, would you suggest another solution?
The text was updated successfully, but these errors were encountered: