[RAC] RFC: Index naming and hierarchy

[banderror]

Related to:

#93729
#95903
#98353
elastic/elasticsearch#72181

Summary

There's more and more questions and concerns being raised regarding rule monitoring implementation for RAC. I'm working on #98353 which implements "event log" abstraction within rule registry that will be used for writing and reading both alerts and rule execution logs.

This RFC proposes some naming and structure for RAC indices, hierarchy for rule registries, and lists a few open questions and concerns.

Proposal

Index aliases naming convention would be similar to Elastic data stream naming scheme:

{prefix}-{consumer}.{additional.log.name}-{kibana space}

where:

• {prefix} will be .alerts by default. Users will be able to override it in Kibana config and set it to any other value, e.g. .alerts-xyz or .whatever (for compatibility with legacy Kibana multitenancy).
• {consumer} will indicate the rule/alert consumer in terms of Alerting framework (more info). We will probably have security, observability and stack as consumers.
• {additional.log.name} will be used to specify concrete indices for alerts, execution events, metrics and whatnot. We will probably have only alerts and events as concrete logs. It might be good to have short and sweet names without - or . in them (perhaps _ is ok).
• {kibana space} will indicate space id, for example default. In case of space agnostic alerts, the no.space placeholder can be used.

Examples of concrete index names

For clarity, this section contains the concrete index names that are created the Security and Observability solutions.

Security:

.alerts-security.alerts-{kibana space}-000001        // (1) 
.alerts-security.events-{kibana space}-000001        // (2) 

(1) The Alert documents that support human workflow and are updatable.
(2) Rule-specific execution events and metrics created by Security rules to enhance our observability of alerting.

Technically it will be possible to derive child logs from these alerts and events, e.g. .alerts-security.alerts.ml-{kibana space}. Although we don't think that we need this in Security at this point.

Observability:

.alerts-observability.{apm,uptime,metrics,logs}.alerts-{kibana space}-000001   // (1)
.alerts-observability.{apm,uptime,metrics,logs}.events-{kibana space}-000001   // (2)

.alerts-observability.metrics.alerts-no.space-000001   // (3)

(1) The Alert documents that are updatable. Same exact semantics as for Security (1)
(2) Supporting documents (evaluation) for the Alerts + execution logs to be used for the Observability of Alerting
(3) Example of space agnostic alert index. This can be used by the space-agnostic Rule types like the Stack Monitoring might need. The no.space "space" is not a valid Kibana space name, so this pattern can be used as a placeholder.

Diagram

Here's a structural diagram showing some rule execution dependencies in the context of RAC and how the proposed indices fit the whole picture:

diagram source

[banderror]

@spong @dgieselaar @tsg @jasonrhodes @kobelb @XavierM @yctercero @dhurley14

please review 🙂

[dgieselaar]

Thanks @banderror for putting this up! Couple of questions:

• Do we need the version in the index name? I added this, but I copied it from the event log, and I'm not sure whether we actually need it. Can you think of any scenarios?
• I think we're broadly in agreement that it will be .alerts-* by default, with a configuration option to point it to a different index, e.g. to match kibana.index. Do you mind updating the RFC to reflect that?
• What do the index names look like for stack rules?
• Do we need separate indices for alerts/events? I think it makes sense. But it makes some things a little harder, like figuring out the index target. I assume that whoever has access to e.g. security alerts, would have access to other events (rule monitoring, evaluations, state changes) as well. If that is the case, the user would have to be granted permission to .alerts-*-security, and that asterisk is greedy I think, so administrators might accidentally grant broader privileges than intended. Something like .alerts-security*, or .alerts-security-myspace* is perhaps more reasonable. We could also use .alerts-security.alerts-myspace and .alerts-security.events-myspace. Ideally we can stay close to the data stream naming scheme, if we decide to switch to that at some point.

[spong]

With regards to 1. The problem with .kibana- prefix. In async discussions it was determined with a fair degree of confidence that using .alerts-* indices are going to work for our use cases. We will provide a user-configurable kibana.yml override value to override this, similar to kibana.index, which may only be available in 7.x, but will allow legacy multi-tenancy users who have segmented their Kibana entities via kibana.index to continue to do that, so long as they also specify this new configuration option as well. Setting it to, for example, "xyz", will store alerts in .alerts-xyz-*, etc. RBAC implications here would require T-Grid to have a toggle for using the Kibana Security Model (feature privileges and kibana_system user), or ES Index Privileges. Will need to scope this accordingly with the RBAC efforts.

[tsg]

If that is the case, the user would have to be granted permission to .alerts--security, and that asterisk is greedy I think, so administrators might accidentally grant broader privileges than intended. Something like .alerts-security, or .alerts-security-myspace* is perhaps more reasonable. We could also use .alerts-security.alerts-myspace and .alerts-security.events-myspace. Ideally we can stay close to the data stream naming scheme, if we decide to switch to that at some point.

++, I like something like .alerts-security.events-myspace and .alerts-security.alerts-myspace so security shows up before event/alerts. The . is to stay close to the datastream naming model, like @dgieselaar suggested.

It might be good for all registries to have a short and sweet name without - or . in it (perhaps _ is ok).

What do the index names look like for stack rules?

Somehting like .alerts-stack.alerts-default? or .alerts-core.alerts-default?

Do we need the version in the index name? I added this, but I copied it from the event log, and I'm not sure whether we actually need it. Can you think of any scenarios?

I'm not sure on this one, the data streams don't include the version so I'm thinking to start without first. We can add it later if we really need it.

[banderror]

Thank you for comments, this is very helpful 👍

Kibana version in the name

Do we need the version in the index name? I added this, but I copied it from the event log, and I'm not sure whether we actually need it. Can you think of any scenarios?

I'm not sure on this one, the data streams don't include the version so I'm thinking to start without first. We can add it later if we really need it.

I just followed the existing implementations as well, so not sure. Off the top of my head I'd imagine this version number could be helpful for document migrations. On the other hand, migrations could be built on top of a different number specifically used for tracking changes in the schema. For example, migration system for .siem-signals index uses a version of the corresponding index template. When we bump this version in the code, documents get reindexed into a new index with the new template, and the alias is being updated to point to this new index. I'm not very familiar with this implementation, but I think this is the rough idea behind it.

Other than that, I don't have any ideas regarding use cases for Kibana version in the index name. I would support your suggestions and remove it for now 👍

Multiple indices for alerts, rule execution events etc

Do we need separate indices for alerts/events?

I think yes, but I'm also open for any objections. Why I'd say separate indices are a better option:

• Alerts and execution events will likely have very different schemas: subset of standard ECS, custom fields added, and so the resulting ES mappings will be different. At least this is true for Security.
• Execution events for Observability and Security will probably have slightly different schemas as well. They will have something in common and also something specific to the solution. So I think it would be good to define a common alerts schema, a common execution events schema, build a root registry using them, and then extend those schemas in the child solution registries. We need a common schema for the unified app. And specifics to be used within solutions. Having separate schemas seems to be cleaner and easier to maintain.
• Separate types of data in separate indices = more lightweight indices, more efficient queries.
• At this point we don't have any UI where we would combine alerts and execution events in a single list or table.
• Ability to define different ILM policies for alerts and execution events. In Security, I think we need to store alerts for as long as possible. While execution events like status changes, metrics like how much time was spent for indexing etc - this is probably not something that needs to be kept for a long time.

Naming in general

I like the suggested data stream naming scheme! So if I got it right, this is what we're gonna have:

{alerts prefix}-{name of the log}-{kibana space}

{alerts prefix} will be .alerts by default. Users will be able to override it in Kibana config and set it to any other value, e.g. .alerts-xyz or .whatever.

{name of the log} will represent the hierarchy of logs used in rule registries. Name will be a combination of parts, parts will be concatenated with .. The first part will be solution name, the second one - type of the log.

Examples: security.alerts, security.events (or security.execlog?), observability.alerts etc.

My questions regarding this naming:

• Do you think .events is a good name? Looks a bit ambiguous to me, in the sense that "events" in terms of detection engine are the source objects that detection rules are executed against.
• Are you expecting to have child logs in observability, e.g. observability.events.{rule type} or observability.alerts.{service name} or something like that?
• Do you think {kibana space} should be always at the and of the index alias? Could there be arguments for {alerts prefix}-{name of the log}-{kibana space}-{name of the child log}? Just want to make sure we're not missing anything here. This naming convention may impact the implementation of [RAC] Rule monitoring: Event Log for Rule Registry #98353

It might be good for all registries to have a short and sweet name without - or . in it (perhaps _ is ok).

Agree 👍 I will add this check to the implementation.

Stack rules

What do the index names look like for stack rules?

Somehting like .alerts-stack.alerts-default? or .alerts-core.alerts-default?

I'm not really aware of any requirements for stack rules, maybe I've missed that part. To clarify, stack rules are the rules that can be created from the Stack Management UI (/app/management/insightsAndAlerting/triggersActions/rules)? I can see there are many different types of them, maybe these types would require dedicated indices, or maybe not.

.alerts-stack.alerts-{space} or .alerts-core.alerts-{space} sounds good to me. Or .alerts-stack.alerts.{rule type}-{space} or something like that.

Do we have any requirements/plans for stack rules? In terms of RAC, stack rules == rules which will be created directly from the unified alerting app?

[banderror]

Oh yes, and I will of course update the RFC, just want us to agree on most of the details.
Thanks again for asking all these questions and giving suggestions, this is a lot of helpful info for me.

@dgieselaar @spong @tsg

[pmuellr]

Trying to understand the difference between the "alerts" and "execlog" and current event log indices.

I assume "alerts" is intended to hold data regarding the alert being run - for index threshold, that would include the threshold being tested again, the value calculated from the es aggs call to compare to the threshold, etc. And so the "execlog" indices would be like the current event log, which just capture the execution times/duration, status, etc.

Which I think means the event log itself becomes unneeded, eventually.

But I'd like to understand the field differences between the event log and execlog. Because I'm wondering if we can live with the current event log for now, especially given the following:

At this point we don't have any UI where we would combine alerts and execution events in a single list or table.

[pmuellr]

re: kibana version in index name

We did this for the event log, because it solved a problem for us, and we noticed other Kibana apps doing this - something in o11y, but not sure exactly what.

The problem is: "migrating" indices when Kibana is upgraded. Obviously (I hope), we weren't planning on doing ".kibana -style" migrations of the event log, but we were worried about situations where we might want to change index mappings. Would we hit scenarios where we'd want mapping changes that wouldn't work well with the existing data, potentially requiring a re-index (and even that might not be able to "fix" something)?

Adding a version to the name makes this problem go away! We always create a new index template, alias, and initial index when Kibana is updated. And then we end up using .kibana-event-log-* in queries over ALL the different versions.

Obviously, this doesn't handle every case. If the structure between Kibana versions changes "too much", we could be in a position where we wouldn't be able to validly query old data, and similar sorts of problems. But this felt like the best thing to do, back when we wrote this.

If we want to explore not using the version in the index name, then I think we need to have a really good story for what happens when the mappings change when Kibana is updated. Haven't thought too much about this (since it's not a problem for the event log).

[ymao1]

• What do the index names look like for stack rules?

@dgieselaar Is this question driven by the desire to view/manage alerts from stack rules and alerts from within each solution? If so, is it just limited to stack rules? Is there the desire to view/manage alerts from o11y rules inside security and security alerts from o11y? At one point, I saw the suggestion to determine the index to write to based on the consumer of the alert, not the producer. Is that something that is up for consideration?

[tsg]

At one point, I saw the suggestion to determine the index to write to based on the consumer of the alert, not the producer. Is that something that is up for consideration?

@ymao1 ++, I think using the consumer makes more sense. This way create alerts directly in the indices where we need them, and we don't have to query across solutions.

[tsg]

@pmuellr For eventlog, do you store the full version including the patch level (e.g. 7.11.2)? This is what Beats used to do before the new indexing strategy. It does help on upgrades, but it can mean creating a lot of indices in case of frequent upgrades.

The question is if we really need it, or is it enough to trigger an ILM rotation when we do an upgrade that changes the mapping. This might get complicated if we have multiple Kibana instances and they aren't upgraded all at once (is that permitted?).

FWIW, when the index naming strategy was discussed, I pressed on the need of including the version: https://github.com/elastic/observability-dev/issues/283#issuecomment-527372212

My only reason for going first without is that this is what the new indexing strategy also does the same, and it can be added later.