Hello, my OpenSearch 2.2 security audit log index patterns are not picking up the timestamp.
On looking at them from curl, they are in this format:
"@timestamp ": "2022-10-12T06:22:41.076+00:00",
"_index": "security-auditlog-2022.10.12",
"_id": "vnzcyoMByBsiMUfwB2u1",
"_score": 1,
"_source": {
  "audit_cluster_name": "opensearch-cluster",
  "audit_node_name": "opensearch-node1",
  "audit_rest_request_method": "POST",
  "audit_category": "FAILED_LOGIN",
  "@timestamp": "2022-10-12T06:22:41.076+00:00",
  "audit_request_effective_user_is_admin": false,
Other indices, which are OK, have this format:
"@timestamp ": "2022-10-12T16:24:00.108Z",
Does the timestamp field for the default security audit logs need to be changed?
pablo, October 17, 2022, 2:01pm
@infodata Could you elaborate more on this issue? What exactly are you trying to achieve?
On Dashboards I only see hits, but no data is visible.
The data is there, as I can see it from a curl query on the CLI.
The timestamp field is in _source, and it doesn't pick it up when creating the index pattern.
pablo, October 18, 2022, 1:30pm
@infodata Do you see the same behaviour with the admin user?
We have AD auth, so admin UI login is not allowed.
pablo, October 18, 2022, 1:41pm
@infodata Could you share the roles assigned to the user that you’ve used in the screenshots?
The curl query uses the admin user ID, as it allows CLI access but not Dashboards login.
UI user roles:
Roles (4) - roles you are currently mapped to by your administrator:
  adminuser
  own_index
  kibana_user
  all_access
Backend roles (2) - backend roles you are currently mapped to by your administrator:
  admin
  kibanauser
Does anyone have this issue with AD enabled?
pablo, October 27, 2022, 12:48pm
@infodata I couldn’t repro your issue with basicauth and ldap. Have you made any changes to advanced settings in OpenSearch Dashboards?
The only change in advanced settings was turning dark mode on; I turned it off and checked, same issue.
This is what the index pattern wizard shows:
"Step 2 of 2: Configure settings
Specify settings for your security-auditlog* index pattern.
The indices which match this index pattern don't contain any time fields."
pablo, October 27, 2022, 6:40pm
@infodata Do you run it as pod/container or service?
pablo, October 27, 2022, 6:58pm
@infodata Could you check if there are any index templates configured?
GET _index_template
Also, please share the result of the below command.
GET security-auditlog-2022.10.12/_mapping
GET _index_template
{
  "index_templates" :
}
GET security-auditlog-2022.10.27/_mapping
{
  "security-auditlog-2022.10.27" : {
    "mappings" : {
      "properties" : { }
    }
  }
}
pablo, October 28, 2022, 11:54am
@infodata Do you see any permissions error when you execute that API?
Either the index has no mappings assigned or your authenticated user has no permission to see it.
That might explain why OpenSearch Dashboards doesn’t see the timestamp field.
Please share your roles.yml and roles_mapping.yml files.
Is it a fresh deployment?
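The check Dashboards performs on the mapping, as an added example that is not part of this thread: it walks a GET _mapping response and lists the date-typed fields an index pattern could use as its time field. It is run against the empty mapping posted above and against a constructed populated mapping (field types and the nested "extra" object are assumed, not taken from a real cluster); an empty result is exactly the "don't contain any time fields" situation, whether the cause is a missing mapping or a user who is not permitted to read it.

```python
import json
from typing import Dict, List

# Mapping types OpenSearch Dashboards accepts as an index pattern time field.
DATE_TYPES = {"date", "date_nanos"}


def find_time_fields(mapping_response: dict) -> Dict[str, List[str]]:
    """Return {index_name: [dotted paths of date-typed fields]} for the body of
    a GET <index>/_mapping response. An index with no mapping, or whose mapping
    the caller is not allowed to see, yields an empty list."""
    result: Dict[str, List[str]] = {}
    for index, body in mapping_response.items():
        props = body.get("mappings", {}).get("properties", {})
        result[index] = sorted(_walk(props, prefix=""))
    return result


def _walk(props: dict, prefix: str) -> List[str]:
    found: List[str] = []
    for name, spec in props.items():
        path = f"{prefix}{name}"
        if spec.get("type") in DATE_TYPES:
            found.append(path)
        # Object fields have no "type" but carry their own "properties".
        if "properties" in spec:
            found.extend(_walk(spec["properties"], prefix=f"{path}."))
    return found


# Response as posted in the thread: the audit-log index has an empty mapping.
EMPTY_MAPPING = json.loads("""{
  "security-auditlog-2022.10.27": {"mappings": {"properties": {}}}
}""")

# Constructed sample of a populated audit-log mapping (types assumed; the
# nested "extra" object only demonstrates that nested date fields are found).
POPULATED_MAPPING = json.loads("""{
  "security-auditlog-2022.10.12": {"mappings": {"properties": {
    "@timestamp": {"type": "date"},
    "audit_category": {"type": "keyword"},
    "audit_request_effective_user_is_admin": {"type": "boolean"},
    "extra": {"properties": {"event_time": {"type": "date"}}}
  }}}
}""")

if __name__ == "__main__":
    for resp in (EMPTY_MAPPING, POPULATED_MAPPING):
        for index, fields in find_time_fields(resp).items():
            print(f"{index}: {', '.join(fields) or 'NO time fields'}")
```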
pablo, October 28, 2022, 3:31pm
@infodata Could you also share opensearch.yml, opensearch_dashboards.yml, whitelist.yml and allowlist.yml?