New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
all: limit request tracer log count to five #8489
Conversation
d3d7d1d
to
80ae524
Compare
🌐 Coverage report
|
/test |
2 similar comments
/test |
/test |
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane) |
80ae524
to
b8aee2a
Compare
So the configuration would now limit to 5 request tracer logs, each 1MB in size per the |
Yes, that's approximately correct. There are a couple of integrations that limit log size to 5MB in their configs here, but all are now limited to 5 files. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
++
Initially, I worried slightly about limiting to 5MB being too limited for certain troubleshooting situations. However, I think it's a sensible starting point and better than inadvertently filling disk if the toggle is turned on and forgotten. 😅
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes to httpjson.yml.hbs look good, but I did notice 2 changelog.yml changes that looked odd.
@@ -56,7 +56,7 @@ | |||
changes: | |||
- description: Update package spec to 2.9.0. | |||
type: enhancement | |||
link: https://github.com/elastic/integrations/pull/1 | |||
link: https://github.com/elastic/integrations/pull/8489 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this right PR number for this change?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, no it is not. I will repair that to what it should have been.
packages/o365/changelog.yml
Outdated
@@ -36,7 +41,7 @@ | |||
changes: | |||
- description: Fix mappings for dynamically mapped fields. | |||
type: enhancement | |||
link: https://github.com/elastic/integrations/pull/1 | |||
link: https://github.com/elastic/integrations/pull/8489 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this the right PR number for this change?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Likewise.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we are setting a default limit for the request tracer maxbackups
. Can we update the documentation to have a mention about the default limit here?
Otherwise change looks good!
Package qualys_vmdr - 0.8.0 containing this change is available at https://epr.elastic.co/search?package=qualys_vmdr |
Package rapid7_insightvm - 1.8.0 containing this change is available at https://epr.elastic.co/search?package=rapid7_insightvm |
Package salesforce - 0.12.0 containing this change is available at https://epr.elastic.co/search?package=salesforce |
Package sentinel_one - 1.19.0 containing this change is available at https://epr.elastic.co/search?package=sentinel_one |
Package slack - 1.17.0 containing this change is available at https://epr.elastic.co/search?package=slack |
Package snyk - 1.19.0 containing this change is available at https://epr.elastic.co/search?package=snyk |
Package sophos_central - 1.13.0 containing this change is available at https://epr.elastic.co/search?package=sophos_central |
Package spring_boot - 1.1.0 containing this change is available at https://epr.elastic.co/search?package=spring_boot |
Package symantec_edr_cloud - 0.3.0 containing this change is available at https://epr.elastic.co/search?package=symantec_edr_cloud |
Package system - 1.49.0 containing this change is available at https://epr.elastic.co/search?package=system |
Package tenable_io - 2.7.0 containing this change is available at https://epr.elastic.co/search?package=tenable_io |
Package tenable_sc - 1.20.0 containing this change is available at https://epr.elastic.co/search?package=tenable_sc |
Package ti_abusech - 1.24.0 containing this change is available at https://epr.elastic.co/search?package=ti_abusech |
Package ti_cif3 - 1.10.0 containing this change is available at https://epr.elastic.co/search?package=ti_cif3 |
Package ti_cybersixgill - 1.25.0 containing this change is available at https://epr.elastic.co/search?package=ti_cybersixgill |
Package ti_maltiverse - 0.8.0 containing this change is available at https://epr.elastic.co/search?package=ti_maltiverse |
Package ti_misp - 1.27.0 containing this change is available at https://epr.elastic.co/search?package=ti_misp |
Package ti_opencti - 0.3.0 containing this change is available at https://epr.elastic.co/search?package=ti_opencti |
Package ti_otx - 1.22.0 containing this change is available at https://epr.elastic.co/search?package=ti_otx |
Package ti_rapid7_threat_command - 1.14.0 containing this change is available at https://epr.elastic.co/search?package=ti_rapid7_threat_command |
Package ti_recordedfuture - 1.20.0 containing this change is available at https://epr.elastic.co/search?package=ti_recordedfuture |
Package ti_threatq - 1.23.0 containing this change is available at https://epr.elastic.co/search?package=ti_threatq |
Package tines - 1.9.0 containing this change is available at https://epr.elastic.co/search?package=tines |
Package trellix_epo_cloud - 1.9.0 containing this change is available at https://epr.elastic.co/search?package=trellix_epo_cloud |
Package trend_micro_vision_one - 1.15.0 containing this change is available at https://epr.elastic.co/search?package=trend_micro_vision_one |
Package windows - 1.43.0 containing this change is available at https://epr.elastic.co/search?package=windows |
Package wiz - 0.4.0 containing this change is available at https://epr.elastic.co/search?package=wiz |
Package zeek - 2.22.0 containing this change is available at https://epr.elastic.co/search?package=zeek |
Package zerofox - 1.22.0 containing this change is available at https://epr.elastic.co/search?package=zerofox |
Package zeronetworks - 1.11.0 containing this change is available at https://epr.elastic.co/search?package=zeronetworks |
Proposed commit message
Currently the request tracer log is configured to retain all logs. This opens the risk of user filesystems being filled with unwanted logs. So limit the number of logs to five (picked as reasonably similar to the number of logs retained by elastic-agent, although the logs are not necessarily comparable in size or temporal domain).
Relevant docs for the change:
Checklist
changelog.yml
file.Author's Checklist
How to test this PR locally
Related issues
Screenshots