Application Performance Logging No Longer Works As It Did Before v.6.0 #9404

Open
nhuber0724 opened this issue Dec 18, 2024 · 1 comment
Labels: bug (use for describing something not working as expected), needs more info (Intel needed about the use case)

Comments

@nhuber0724

Description

A client has been using the application performance logging to assist in identifying queries that have errors and to help identify when the Elasticsearch shards require attention. An issue that has plagued the client now for a few years is when a single entity in the index has an array field that should be a list of values. What randomly occurs is that the array gets a duplicate of itself and the values. When this happens, anything that touches that item fails to load in the platform.

It is an easy fix when you know the entity that is failing. The client was previously able to quickly determine this from the application performance logging.

Looking at the code in gitlab it looks like a change introduced in 6.1.0 was to not log this information anymore. The change was made in the opencti-graphql/src/graphql/loggerPlugin.js file. At the end of the 6.0 branch the logging data variable looked like this:

    const callMetaData = {
      user: origin,
      type: operationType + (isCallError ? '_ERROR' : ''),
      operation_query: stripIgnoredCharacters(context.request.query),
      inner_relation_creation: innerRelationCount,
      operation: op || 'Unspecified',
      time: elapsed,
      variables,
      size,
    };

As of the 6.1 branch it now looks like this:

    const callMetaData = {
      user: origin,
      type: operationType + (isCallError ? '_ERROR' : ''),
      inner_relation_creation: innerRelationCount,
      operation: context.request.operationName ?? 'Unspecified',
      time: elapsed,
      size,
    };

The operation_query has been removed from the log entries. The value in that field was the primary place to identify what was being queried so a client could run down the bad entry in elastic.

Environment

OpenCTI V.6.4.4

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Use the Application Performance Logging to track logs
  2. There is no longer the detail that existed before v.6.0

Expected Output

A client should be able to review the logs and identify detail about errors related to specific entities in Elastic.

Actual Output

As described above, the client no longer gets this level of detail and as a result, it is very difficult to identify which entity within Elastic is causing the error.

Additional information

Screenshots (optional)
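
The triage workflow described in this issue, as an added example that is not part of the original report or of OpenCTI's code: it scans performance-log lines for `_ERROR` calls and separates entries that still carry `operation_query` and `variables` (the 6.0 shape) from those that only name the operation (the 6.1 shape). It assumes one JSON object per line with the `callMetaData` fields at the top level; the function name, the sample lines and their values are constructed for illustration.

```javascript
// Constructed sample lines, not real OpenCTI output.
// Assumption: one JSON object per line, callMetaData fields at the top level.
const SAMPLE_LOG = [
  '{"user":"analyst","type":"READ","operation":"ReportsLines","time":42,"size":1200}',
  '{"user":"analyst","type":"READ_ERROR","operation":"RootReportQuery",' +
    '"operation_query":"query RootReportQuery($id:String!){report(id:$id){id name}}",' +
    '"variables":{"id":"report--constructed-0001"},"time":310,"size":0}',
  '{"user":"analyst","type":"READ_ERROR","operation":"RootReportQuery","time":295,"size":0}',
  'not json at all',
].join('\n');

// Hypothetical helper: collect failed calls and note how much detail each one carries.
function findErrorCalls(logText) {
  const withDetail = [];    // 6.0-style: query text and variables are present
  const withoutDetail = []; // 6.1-style: only the operation name is present
  let unparsable = 0;
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      unparsable += 1; // keep a count so truncated or foreign lines are not silently lost
      continue;
    }
    // The page shows errors are marked by the '_ERROR' suffix on the type field.
    if (!entry || typeof entry.type !== 'string' || !entry.type.endsWith('_ERROR')) continue;
    const base = {
      user: entry.user,
      operation: entry.operation ?? 'Unspecified',
      time: entry.time,
    };
    if (entry.operation_query !== undefined) {
      withDetail.push({ ...base, query: entry.operation_query, variables: entry.variables ?? {} });
    } else {
      withoutDetail.push(base);
    }
  }
  return { withDetail, withoutDetail, unparsable };
}

console.log(JSON.stringify(findErrorCalls(SAMPLE_LOG), null, 2));
```

With 6.1-style entries the failed call can still be counted and attributed to an operation name, but the query text and variables that pointed at a specific entity are not available to the script.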

@nhuber0724 added the labels bug (use for describing something not working as expected) and needs triage (use to identify issue needing triage from Filigran Product team) on Dec 18, 2024
@nino-filigran added the label needs more info (Intel needed about the use case) and removed the label needs triage (use to identify issue needing triage from Filigran Product team) on Dec 19, 2024
@nino-filigran

Hey @nhuber0724, to clarify, what is the exact issue?

  • fewer details are present in logging since 6.1 ("There is no longer the detail that existed before v.6.0")?
  • array gets duplicated?
