[Alerting] write event log entries for alert execution and it's actions

resolves elastic#55636

Writes eventLog events for alert executions, and the actions executed from
that alert execution.

x-pack/plugins/alerting/kibana.json

@@ -5,6 +5,6 @@
   "version": "8.0.0",
   "kibanaVersion": "kibana",
   "configPath": ["xpack", "alerting"],
-  "requiredPlugins": ["licensing", "taskManager", "encryptedSavedObjects", "actions"],
+  "requiredPlugins": ["licensing", "taskManager", "encryptedSavedObjects", "actions", "eventLog"],
   "optionalPlugins": ["usageCollection", "spaces", "security"]
 }

x-pack/plugins/alerting/server/plugin.ts

@@ -56,6 +56,13 @@ import {
 import { Services } from './types';
 import { registerAlertsUsageCollector } from './usage';
 import { initializeAlertingTelemetry, scheduleAlertingTelemetry } from './usage/task';
+import { IEventLogger, IEventLogService } from '../../event_log/server';
+
+const EVENT_LOG_PROVIDER = 'alerting';
+export const EVENT_LOG_ALERTING = {
+  execute: 'execute',
+  executeAction: 'execute-action',
+};
 
 export interface PluginSetupContract {
   registerType: AlertTypeRegistry['register'];
@@ -73,6 +80,7 @@ export interface AlertingPluginsSetup {
   licensing: LicensingPluginSetup;
   spaces?: SpacesPluginSetup;
   usageCollection?: UsageCollectionSetup;
+  eventLog: IEventLogService;
 }
 export interface AlertingPluginsStart {
   actions: ActionsPluginStartContract;
@@ -93,6 +101,7 @@ export class AlertingPlugin {
   private readonly alertsClientFactory: AlertsClientFactory;
   private readonly telemetryLogger: Logger;
   private readonly kibanaIndex: Promise<string>;
+  private eventLogger?: IEventLogger;
 
   constructor(initializerContext: PluginInitializerContext) {
     this.logger = initializerContext.logger.get('plugins', 'alerting');
@@ -133,6 +142,11 @@ export class AlertingPlugin {
       ]),
     });
 
+    plugins.eventLog.registerProviderActions(EVENT_LOG_PROVIDER, Object.values(EVENT_LOG_ALERTING));
+    this.eventLogger = plugins.eventLog.getLogger({
+      event: { provider: EVENT_LOG_PROVIDER },
+    });
+
     const alertTypeRegistry = new AlertTypeRegistry({
       taskManager: plugins.taskManager,
       taskRunnerFactory: this.taskRunnerFactory,
@@ -211,6 +225,7 @@ export class AlertingPlugin {
       actionsPlugin: plugins.actions,
       encryptedSavedObjectsPlugin: plugins.encryptedSavedObjects,
       getBasePath: this.getBasePath,
+      eventLogger: this.eventLogger!,
     });
 
     scheduleAlertingTelemetry(this.telemetryLogger, plugins.taskManager);

x-pack/plugins/alerting/server/task_runner/create_execution_handler.test.ts

@@ -8,6 +8,7 @@ import { AlertType } from '../types';
 import { createExecutionHandler } from './create_execution_handler';
 import { loggingServiceMock } from '../../../../../src/core/server/mocks';
 import { actionsMock } from '../../../actions/server/mocks';
+import { eventLoggerMock } from '../../../event_log/server/event_logger.mock';
 
 const alertType: AlertType = {
   id: 'test',
@@ -31,6 +32,7 @@ const createExecutionHandlerParams = {
   getBasePath: jest.fn().mockReturnValue(undefined),
   alertType,
   logger: loggingServiceMock.create().get(),
+  eventLogger: eventLoggerMock.create(),
   actions: [
     {
       id: '1',

x-pack/plugins/alerting/server/task_runner/create_execution_handler.ts

@@ -9,6 +9,8 @@ import { AlertAction, State, Context, AlertType } from '../types';
 import { Logger } from '../../../../../src/core/server';
 import { transformActionParams } from './transform_action_params';
 import { PluginStartContract as ActionsPluginStartContract } from '../../../../plugins/actions/server';
+import { IEventLogger, IEvent } from '../../../event_log/server';
+import { EVENT_LOG_ALERTING } from '../plugin';
 
 interface CreateExecutionHandlerOptions {
   alertId: string;
@@ -20,6 +22,7 @@ interface CreateExecutionHandlerOptions {
   apiKey: string | null;
   alertType: AlertType;
   logger: Logger;
+  eventLogger: IEventLogger;
 }
 
 interface ExecutionHandlerOptions {
@@ -39,6 +42,7 @@ export function createExecutionHandler({
   spaceId,
   apiKey,
   alertType,
+  eventLogger,
 }: CreateExecutionHandlerOptions) {
   const alertTypeActionGroups = new Set(pluck(alertType.actionGroups, 'id'));
   return async ({ actionGroup, context, state, alertInstanceId }: ExecutionHandlerOptions) => {
@@ -63,19 +67,47 @@ export function createExecutionHandler({
           }),
         };
       });
+
+    const alertLabel = `${alertType.id}:${alertId}: ${alertName}`;
+    const namespace = namespaceFromSpaceId(spaceId);
+
     for (const action of actions) {
-      if (actionsPlugin.isActionTypeEnabled(action.actionTypeId)) {
-        await actionsPlugin.execute({
-          id: action.id,
-          params: action.params,
-          spaceId,
-          apiKey,
-        });
-      } else {
+      if (!actionsPlugin.isActionTypeEnabled(action.actionTypeId)) {
         logger.warn(
           `Alert "${alertId}" skipped scheduling action "${action.id}" because it is disabled`
         );
+        continue;
       }
+
+      // TODO would be nice  to add the action name here, but it's not available
+      const actionLabel = `${action.actionTypeId}:${action.id}`;
+      const event: IEvent = {
+        event: { action: EVENT_LOG_ALERTING.executeAction },
+        kibana: {
+          namespace,
+          saved_objects: [
+            { type: 'alert', id: alertId },
+            { type: 'action', id: action.id },
+          ],
+        },
+      };
+      eventLogger.startTiming(event);
+
+      await actionsPlugin.execute({
+        id: action.id,
+        params: action.params,
+        spaceId,
+        apiKey,
+      });
+
+      eventLogger.stopTiming(event);
+      event.message = `alert: ${alertLabel} executed action: ${actionLabel}`;
+      eventLogger.logEvent(event);
     }
   };
 }
+
+function namespaceFromSpaceId(spaceId: string) {
+  if (spaceId === 'default') return undefined;
+  return spaceId;
+}

x-pack/plugins/alerting/server/task_runner/task_runner.test.ts

@@ -14,6 +14,7 @@ import { encryptedSavedObjectsMock } from '../../../../plugins/encrypted_saved_o
 import { savedObjectsClientMock, loggingServiceMock } from '../../../../../src/core/server/mocks';
 import { PluginStartContract as ActionsPluginStart } from '../../../actions/server';
 import { actionsMock } from '../../../actions/server/mocks';
+import { eventLoggerMock } from '../../../event_log/server/event_logger.mock';
 
 const alertType = {
   id: 'test',
@@ -66,6 +67,7 @@ describe('Task Runner', () => {
     logger: loggingServiceMock.create().get(),
     spaceIdToNamespace: jest.fn().mockReturnValue(undefined),
     getBasePath: jest.fn().mockReturnValue(undefined),
+    eventLogger: eventLoggerMock.create(),
   };
 
   const mockedAlertTypeSavedObject = {

x-pack/plugins/alerting/server/task_runner/task_runner.ts

@@ -24,6 +24,8 @@ import {
 import { promiseResult, map, Resultable, asOk, asErr, resolveErr } from '../lib/result_type';
 import { taskInstanceToAlertTaskInstance } from './alert_task_instance';
 import { AlertInstances } from '../alert_instance/alert_instance';
+import { EVENT_LOG_ALERTING } from '../plugin';
+import { IEvent } from '../../../event_log/server';
 
 const FALLBACK_RETRY_INTERVAL: IntervalSchedule = { interval: '5m' };
 
@@ -124,6 +126,7 @@ export class TaskRunner {
       actions: actionsWithIds,
       spaceId,
       alertType: this.alertType,
+      eventLogger: this.context.eventLogger,
     });
   }
 
@@ -165,6 +168,14 @@ export class TaskRunner {
       rawAlertInstance => new AlertInstance(rawAlertInstance)
     );
 
+    const eventLogger = this.context.eventLogger;
+    const alertLabel = `${this.alertType.id}:${alertId}: ${name}`;
+    const event: IEvent = {
+      event: { action: EVENT_LOG_ALERTING.execute },
+      kibana: { namespace, saved_objects: [{ type: 'alert', id: alertId }] },
+    };
+    eventLogger.startTiming(event);
+
     const updatedAlertTypeState = await this.alertType.executor({
       alertId,
       services: {
@@ -183,6 +194,10 @@ export class TaskRunner {
       updatedBy,
     });
 
+    eventLogger.stopTiming(event);
+    event.message = `alert executed: ${alertLabel}`;
+    eventLogger.logEvent(event);
+
     // Cleanup alert instances that are no longer scheduling actions to avoid over populating the alertInstances object
     const instancesWithScheduledActions = pick<AlertInstances, AlertInstances>(
       alertInstances,

x-pack/plugins/alerting/server/task_runner/task_runner_factory.test.ts

@@ -10,6 +10,7 @@ import { TaskRunnerContext, TaskRunnerFactory } from './task_runner_factory';
 import { encryptedSavedObjectsMock } from '../../../../plugins/encrypted_saved_objects/server/mocks';
 import { savedObjectsClientMock, loggingServiceMock } from '../../../../../src/core/server/mocks';
 import { actionsMock } from '../../../actions/server/mocks';
+import { eventLoggerMock } from '../../../event_log/server/event_logger.mock';
 
 const alertType = {
   id: 'test',
@@ -62,6 +63,7 @@ describe('Task Runner Factory', () => {
     logger: loggingServiceMock.create().get(),
     spaceIdToNamespace: jest.fn().mockReturnValue(undefined),
     getBasePath: jest.fn().mockReturnValue(undefined),
+    eventLogger: eventLoggerMock.create(),
   };
 
   beforeEach(() => {

x-pack/plugins/alerting/server/task_runner/task_runner_factory.ts

@@ -14,11 +14,13 @@ import {
   SpaceIdToNamespaceFunction,
 } from '../types';
 import { TaskRunner } from './task_runner';
+import { IEventLogger } from '../../../event_log/server';
 
 export interface TaskRunnerContext {
   logger: Logger;
   getServices: GetServicesFunction;
   actionsPlugin: ActionsPluginStartContract;
+  eventLogger: IEventLogger;
   encryptedSavedObjectsPlugin: EncryptedSavedObjectsPluginStart;
   spaceIdToNamespace: SpaceIdToNamespaceFunction;
   getBasePath: GetBasePathFunction;