[BUG] process.command_line field mapping is not properly picked up by the dashboard #585

Closed
f-galland opened this issue Dec 10, 2024 · 5 comments · Fixed by #589 or wazuh/wazuh-indexer-plugins#182
Assignees
Labels
level/task Task issue mvp Minimum Viable Product type/bug Bug issue

Comments

@f-galland (Member)

Description

The process.command_line field is of wildcard type with multi-fields.
This seems to throw the dashboard off, showing unknown as the type:

Image

We need to investigate and fix the issue.

@f-galland f-galland self-assigned this Dec 10, 2024
@wazuhci wazuhci moved this to In progress in Release 5.0.0 Dec 10, 2024
@AlexRuiz7 AlexRuiz7 added level/task Task issue type/bug Bug issue mvp Minimum Viable Product labels Dec 10, 2024
@AlexRuiz7 (Member)

ECS process.command_line is defined as a multi-field. We are probably missing the removal of the multi-fields for this field in ecs/generate.sh.

@f-galland (Member, Author)

Removing the fields object from the template doesn't fix the issue. Changing the type to match_only_text doesn't seem to work either:

curl -sku admin:admin -XGET https://192.168.58.254:9200/_template/states-inventory-processes | jq '."states-inventory-processes".mappings.properties.process.properties.command_line'
{
  "type": "match_only_text"
}

Image

@f-galland (Member, Author)

It seems this is not the only field we see this problem with:
Image

$ curl -sku admin:admin -XGET https://192.168.58.254:9200/_template/states-inventory-processes | jq '."states-inventory-processes".mappings.properties.agent.properties.host.properties.os.properties.full'
{
  "ignore_above": 1024,
  "fields": {
    "text": {
      "type": "match_only_text"
    }
  },
  "type": "keyword"
}

$ curl -sku admin:admin -XGET https://192.168.58.254:9200/_template/states-inventory-processes | jq '."states-inventory-processes".mappings.properties.agent.properties.host.properties.os.properties.name'
{
  "ignore_above": 1024,
  "fields": {
    "text": {
      "type": "match_only_text"
    }
  },
  "type": "keyword"
}

@f-galland (Member, Author)

This still happens even after removing the fields field (and recreating indices and index patterns):

(env) fede@tyner:~/src/ecs (main *)
$ curl -sku admin:admin -XGET https://192.168.58.254:9200/_template/states-inventory-processes | jq '."states-inventory-processes".mappings.properties.agent.properties.host.properties.os.properties.full'
{
  "ignore_above": 1024,
  "type": "keyword"
}
(env) fede@tyner:~/src/ecs (main *)
$ curl -sku admin:admin -XGET https://192.168.58.254:9200/_template/states-inventory-processes | jq '."states-inventory-processes".mappings.properties.agent.properties.host.properties.os.properties.name'
{
  "ignore_above": 1024,
  "type": "keyword"
}
(env) fede@tyner:~/src/ecs (main *)
$ curl -sku admin:admin -XGET https://192.168.58.254:9200/_template/states-inventory-processes | jq '."states-inventory-processes".mappings.properties.process.properties.command_line'
{
  "type": "wildcard"
}

Image

@f-galland (Member, Author) commented Dec 11, 2024

It looks like the agent.host* unknown fields in the pattern were due to the fields object not being excluded in the generator for them. This fixed that part of the problem:

$ sed -n 22,30p generate.sh 
  jq 'del(
    .mappings.properties.host.properties.os.properties.full.fields,
    .mappings.properties.host.properties.os.properties.name.fields,
    .mappings.properties.agent.properties.host.properties.os.properties.full.fields,
    .mappings.properties.agent.properties.host.properties.os.properties.name.fields,
    .mappings.properties.vulnerability.properties.description.fields,
    .mappings.properties.process.properties.command_line.fields,
    .mappings.properties.process.properties.name.fields
  )' "$IN_FILE" > "$OUT_FILE"

With process.command_line, the issue seems to also be caused by the wildcard type. Changing to match_only_text doesn't help either (there is a reported issue in OpenSearch).

$ curl -sku admin:admin -XGET https://192.168.58.254:9200/_template/index-template-processes | jq '."index-template-processes".mappings.properties.process.properties.command_line'
{
  "type": "match_only_text"
}

Image

Only switching to keyword helped in my tests:

(env) fede@tyner:~/src/ecs (main *)
$ curl -sku admin:admin -XGET https://192.168.58.254:9200/_template/index-template-processes | jq '."index-template-processes".mappings.properties.process.properties.command_line'
{
  "type": "keyword"
}

Image
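The generate.sh snippet above strips multi-fields by enumerating each path in a jq del(...) call, and the thread ends with only keyword working for process.command_line. As an added example (not code from this issue or from the wazuh repositories), the Python script below generalises that step: it walks every properties tree of an index template, removes each fields object regardless of path, and then reports the leaf types so that a mapping type the dashboard did not pick up (wildcard in this thread) can be spotted before the template is loaded. The sample template is constructed here from the mappings quoted in the comments; it accepts both the name-keyed shape returned by GET _template/<name> and a bare template body with mappings at the top level.

```python
"""Strip ECS multi-fields from an OpenSearch index template and audit leaf types.

Added example, not part of the wazuh generate.sh. Assumes the template is either
{"<name>": {"mappings": {...}}} (as returned by GET _template/<name>) or a bare
body {"mappings": {...}}; both are handled by clean_template().
"""
import copy
import json

# Constructed sample, mirroring the mappings quoted in the issue comments.
SAMPLE_TEMPLATE = {
    "states-inventory-processes": {
        "mappings": {
            "properties": {
                "agent": {"properties": {"host": {"properties": {"os": {"properties": {
                    "full": {"type": "keyword", "ignore_above": 1024,
                             "fields": {"text": {"type": "match_only_text"}}},
                    "name": {"type": "keyword", "ignore_above": 1024,
                             "fields": {"text": {"type": "match_only_text"}}},
                }}}}}},
                "process": {"properties": {
                    "command_line": {"type": "wildcard",
                                     "fields": {"text": {"type": "match_only_text"}}},
                    "pid": {"type": "long"},
                }},
            }
        }
    }
}


def strip_multi_fields(properties, prefix=""):
    """Delete the `fields` object from every field definition under `properties`,
    recursing into object fields. Mutates in place; returns the dotted paths changed."""
    changed = []
    for name, definition in properties.items():
        path = f"{prefix}{name}"
        if "fields" in definition:
            del definition["fields"]
            changed.append(path)
        if "properties" in definition:  # object field: descend into its children
            changed.extend(strip_multi_fields(definition["properties"], path + "."))
    return changed


def leaf_types(properties, prefix=""):
    """Map each dotted leaf path to its mapped type ("object" if no type is given)."""
    out = {}
    for name, definition in properties.items():
        path = f"{prefix}{name}"
        if "properties" in definition:
            out.update(leaf_types(definition["properties"], path + "."))
        else:
            out[path] = definition.get("type", "object")
    return out


def fields_of_type(properties, wanted):
    """Sorted paths whose mapped type is in `wanted`, e.g. {"wildcard"}."""
    return sorted(p for p, t in leaf_types(properties).items() if t in wanted)


def template_bodies(template):
    """Yield the template body dicts (those holding a `mappings` key)."""
    return [template] if "mappings" in template else list(template.values())


def clean_template(template):
    """Return (deep copy with multi-fields removed, list of changed paths)."""
    cleaned = copy.deepcopy(template)
    changed = []
    for body in template_bodies(cleaned):
        changed.extend(strip_multi_fields(body["mappings"]["properties"]))
    return cleaned, changed


if __name__ == "__main__":
    cleaned, changed = clean_template(SAMPLE_TEMPLATE)
    print("multi-fields removed from:", changed)
    for body in template_bodies(cleaned):
        props = body["mappings"]["properties"]
        print("wildcard-typed fields still present:", fields_of_type(props, {"wildcard"}))
    print(json.dumps(cleaned, indent=2))
```

Run it against real output by replacing SAMPLE_TEMPLATE with json.load() of the curl response; the changed-paths list is the equivalent of the jq del(...) argument, and the wildcard listing is the check to run after the template is regenerated.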

Projects
Status: Done
2 participants