Security audit logs timestamp format

Security
1

Hello my Opensearch 2.2 version security audit logs index patterns are not picking timestamp

on looking at them from curl
they are in this format
@timestamp”: “2022-10-12T06:22:41.076+00:00”,

“_index”: “security-auditlog-2022.10.12”,
“_id”: “vnzcyoMByBsiMUfwB2u1”,
“_score”: 1,
“_source”: {
“audit_cluster_name”: “opensearch-cluster”,
“audit_node_name”: “opensearch-node1”,
“audit_rest_request_method”: “POST”,
“audit_category”: “FAILED_LOGIN”,

      "@timestamp": "2022-10-12T06:22:41.076+00:00",
      "audit_request_effective_user_is_admin": false,

from other index which are ok have this below format
@timestamp”: “2022-10-12T16:24:00.108Z”,

if timestamp field for default security audit logs needs to be changed

2

@infodata Could you elaborate more on this issue? What exactly are you try to achieve?

3

on dashboards only see hits but no data visible

the data is there as I can see it from curl query from cli

image
image1748×755 47.7 KB

timestamp field is in _source and it doesnt pick it up during create index

image
image1543×757 45.2 KB

4

@infodata Do you see the same behaviour with the admin user?

5

we have ad auth so admin UI login not allowed

6

@infodata Could you share the roles assigned to the user that you’ve used in the screenshots?

7

the curl query is with admin userid as it allows cli but not dashboard login

UI user roles

Roles (4)

Roles you are currently mapped to by your administrator.

adminuser

own_index

kibana_user

all_access

Backend roles (2)

Backend roles you are currently mapped to by your administrator.
admin
kibanauser

8

anyone has this issue with ad enabled

9

@infodata I couldn’t repro your issue with basicauth and ldap. Have you made any changes to advanced settings in OpenSearch Dashboards?

10

the only change in advanced settings was enable dark mode on ,
turned it off and checked same issue

Step 2 of 2: Configure settings

Specify settings for your security-auditlog* index pattern.
The indices which match this index pattern don’t contain any time fields.

11

@infodata Do you run it as pod/container or service?

12

@infodata Could you check if there are any index templates configured?

GET _index_template

Also, please share the result of the below command.

GET security-auditlog-2022.10.12/_mapping
13

GET _index_template

{
“index_templates” :
}

GET security-auditlog-2022.10.27/_mapping
{
“security-auditlog-2022.10.27” : {
“mappings” : {
“properties” : { }
}
}
}

14

@infodata Do you see any permissions error when you execute that API?
Either the index has no mappings assigned or your authenticated user has no permission to see it.

That might explain why OpenSearch Dashboards doesn’t see the timestamp field.

Please share your roles.yml and roles_mapping.yml files.

Is it a fresh deployment?

15

@infodata Could you also share opensearch.yml, opensearch_dashboards.yml, whitelist.yml and allowlist.yml?