x-pack/filebeat/input: Fix truncation of bodies in request tracing #42327

Open
wants to merge 2 commits into
base: main

Contributor

@chrisberkhout chrisberkhout commented Jan 16, 2025

Proposed commit message

x-pack/filebeat/input: Fix truncation of bodies in request tracing

When logging request traces, truncate the request/response body to 10%
of the maximum log file size.

Previously, bodies were truncated to the maximum file size, less 10kB.
10kB is a reasonable number for the other trace details, but space is
also required for encoding the body data as a JSON string value.

One example JSON body was 15% larger after encoding, but the 10kB
margin is 1% or less of the total limit. A body approaching the size
limit would typically generate a log entry that exceeded the limit.

Truncating large log entries to fit the file size limit means there may
only be one such entry per file. By truncating body data to 10% of the
file limit, we can expect to see entries for several request/response
pairs in each file.

The default maximum file size of 1MB gives a default maximum body size
of 100kB.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

@chrisberkhout chrisberkhout self-assigned this Jan 16, 2025
@chrisberkhout chrisberkhout requested a review from a team as a code owner January 16, 2025 16:51
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jan 16, 2025
@chrisberkhout chrisberkhout added Filebeat Filebeat Team:Security-Service Integrations Security Service Integrations Team and removed needs_team Indicates that the issue/PR needs a Team:* label labels Jan 16, 2025
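
The commit message's reasoning, as an added example (not code from this pull request or from Beats): a body truncated to the old limit overflows the file once JSON-encoded, while one truncated to 10% leaves room for several entries. The function names, the constructed sample body, and the decimal reading of 1MB and 10kB are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// margin is the 10kB the old rule reserved for the other trace details
// (assumed here to mean 10,000 bytes).
const margin = 10_000

// oldBodyLimit is the previous rule: maximum file size less 10kB.
func oldBodyLimit(maxFileSize int) int { return maxFileSize - margin }

// newBodyLimit is the proposed rule: 10% of the maximum file size.
func newBodyLimit(maxFileSize int) int { return maxFileSize / 10 }

// encodedBodySize truncates body to limit bytes and returns how many bytes
// it occupies once written as a JSON string value in a log entry.
func encodedBodySize(body []byte, limit int) int {
	if len(body) > limit {
		body = body[:limit]
	}
	enc, err := json.Marshal(string(body))
	if err != nil {
		panic(err) // marshalling a string does not fail
	}
	return len(enc)
}

// sampleBody builds a constructed JSON response body of at least n bytes.
// Every quote, backslash and newline in it grows when escaped.
func sampleBody(n int) []byte {
	rec := `{"user":"alice","msg":"line one\nline two","ok":true},` + "\n"
	return []byte(strings.Repeat(rec, n/len(rec)+1))
}

func main() {
	const maxFileSize = 1_000_000 // default 1MB, per the commit message
	body := sampleBody(2 * maxFileSize)
	for _, limit := range []int{oldBodyLimit(maxFileSize), newBodyLimit(maxFileSize)} {
		size := encodedBodySize(body, limit)
		fmt.Printf("limit=%d encoded=%d fits=%t entries per file=%d\n",
			limit, size, size <= maxFileSize, maxFileSize/(size+margin))
	}
}
```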
@elasticmachine
Collaborator

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Contributor

mergify bot commented Jan 16, 2025

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @chrisberkhout? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit

Contributor

mergify bot commented Jan 16, 2025

backport-8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

@mergify mergify bot added the backport-8.x Automated backport to the 8.x branch with mergify label Jan 16, 2025
Member

@andrewkroh andrewkroh left a comment

That's an excellent commit message. Thank you.

> The default maximum file size of 1MB gives a default maximum body size
> of 100kB.

I find this behavior a bit surprising. I would have expected that if I needed to capture a full 5 MiB response body that I would need to increase the max size to something a little larger than 5 MiB, but not 10x the size. What do others think? At a minimum, I think we need to mention this behavior in the documentation associated with the tracer settings.

@@ -206,6 +206,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
- The `_id` generation process for S3 events has been updated to incorporate the LastModified field. This enhancement ensures that the `_id` is unique. {pull}42078[42078]
- Fix Netflow Template Sharing configuration handling. {pull}42080[42080]
- Updated websocket retry error code list to allow more scenarios to be retried which could have been missed previously. {pull}42218[42218]
- Fix truncation of bodies in request tracing. {pull}42327[42327]
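
Review bot: the added entry on the last line, "Fix truncation of bodies in request tracing.", does not say what users will observe, and this change lowers how much of each body is kept. Consider wording such as "Fix truncation of bodies in request tracing by limiting bodies to 10% of the maximum log file size." so that anyone relying on full bodies in traces knows to raise the file size limit (the description puts the default at 100kB of body for a 1MB file).
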
Member

I think it would be nice to include a bit of the "how" part, like ... "by limiting bodies to 10% of the maximum file size".

Labels
backport-8.x Automated backport to the 8.x branch with mergify bugfix Filebeat Filebeat Team:Security-Service Integrations Security Service Integrations Team
3 participants