[Security Solution] Kibana OOM and crashing when running indicator match rule #118560
Labels: bug, Team:Detection Alerts, Team:Detections and Resp, Team: SecuritySolution
Describe the bug:
Kibana's memory usage increases significantly when running a particular indicator match rule with ~520k indicator items. The rule is scheduled to run every 30 minutes, and every 30 minutes Kibana's memory usage increases to the limit (4GB in this case) and it crashes. The system returned to normal once the rule was disabled. The logs indicate that the rule executes for ~12 minutes before Kibana crashes, and during that time the rule does not appear to finish executing.
Kibana/Elasticsearch Stack version:
7.15.1
Steps to reproduce:
1. Ensure `captureSpanStackTraces: true` is set in the APM config. This will happen by default in 7.15.1 if you set a `serverUrl` in the APM config.
2. Build a large source index. The archive `x-pack/test/functional/es_archives/filebeat/default` was used, but modified by removing the `_id` from each doc in the archive and creating ~80 copies of the `data.json` file. Using es_archiver on this folder created an index with ~500k docs.
3. Create an indicator match rule with `test-index` as the source index pattern. Activate the rule.
Current behavior:
Kibana crashes due to running out of memory. It appears that the APM agent may be storing the entire response for every Elasticsearch query within a transaction. Since task manager runs tasks within a transaction, every Elasticsearch query response from a rule execution is being stored in memory.
Without APM enabled, the same rule executes without crashing Kibana.
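To make the suspected mechanism concrete, here is an added illustration (not code from Kibana or from the Elastic APM Node agent): a toy tracer that records one span per Elasticsearch query inside a single transaction, the way a rule run executes under task manager. When spans keep the full serialized response, retained memory grows with the number of queries per run times the response size; keeping only a bounded summary per span and capping spans per transaction (the real agent exposes a `transactionMaxSpans` setting for the latter) keeps it flat. The `Transaction` class, `simulateRuleExecution` helper, query counts and payload sizes are all constructed for the demo and do not reflect the agent's actual implementation or the rule's real batch sizes.

```javascript
// Added illustration, not code from Kibana or the Elastic APM Node agent.
// A toy tracer records one span per Elasticsearch query inside a transaction.
// With captureFullResponses on, each span keeps the whole serialized response
// alive until the transaction ends, so retained memory grows with
// (queries per run) x (response size). The bounded mode keeps only a
// fixed-size summary per span and caps how many spans a transaction retains.

function summarize(response, limit) {
  // Keep a short prefix plus a note of how much was dropped.
  if (response.length <= limit) return response;
  return response.slice(0, limit) + `...[truncated ${response.length - limit} bytes]`;
}

class Transaction {
  constructor(name, { captureFullResponses = false, maxSpans = 500, summaryBytes = 256 } = {}) {
    this.name = name;
    this.spans = [];
    this.droppedSpans = 0;
    this.opts = { captureFullResponses, maxSpans, summaryBytes };
  }

  // Record a span for one query; `response` is the serialized ES response.
  recordSpan(queryName, response) {
    if (this.spans.length >= this.opts.maxSpans) {
      this.droppedSpans += 1; // counted, not stored
      return;
    }
    const stored = this.opts.captureFullResponses
      ? response // full payload retained for the transaction's lifetime
      : summarize(response, this.opts.summaryBytes);
    this.spans.push({ name: queryName, response: stored });
  }

  // Bytes held by span payloads (payloads are ASCII here, so length == bytes).
  retainedBytes() {
    return this.spans.reduce((total, span) => total + span.response.length, 0);
  }
}

// Simulate one rule execution: `queries` ES searches, each returning a
// `responseBytes`-sized payload, all inside a single transaction, as task
// manager does for a rule run. The numbers used below are constructed.
function simulateRuleExecution({ queries, responseBytes, ...tracerOpts }) {
  const tx = new Transaction('rule-execution', tracerOpts);
  const payload = 'x'.repeat(responseBytes); // stand-in for a serialized search response
  for (let i = 0; i < queries; i += 1) {
    tx.recordSpan(`search-batch-${i}`, payload);
  }
  return {
    retainedBytes: tx.retainedBytes(),
    spansKept: tx.spans.length,
    droppedSpans: tx.droppedSpans,
  };
}

// Constructed scenario: 200 search batches of 10 KB each within one run.
const unbounded = simulateRuleExecution({
  queries: 200, responseBytes: 10000, captureFullResponses: true, maxSpans: Infinity,
});
const bounded = simulateRuleExecution({
  queries: 200, responseBytes: 10000, captureFullResponses: false, maxSpans: 100, summaryBytes: 256,
});
console.log('full responses retained:', unbounded);
console.log('summaries + span cap:', bounded);
```

The unbounded run retains 200 x 10 KB = 2 MB for a single execution; scale the query count and payload size up to a rule scanning ~520k indicators every 30 minutes and the per-run retention is what gets Kibana to its 4 GB limit. The bounded run retains a few tens of KB regardless of payload size, which is the behavior a tracing agent should default to for database and search clients.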
Expected behavior:
Kibana should not run out of memory, even with APM enabled.