Kibanaのgraphを用いてデータ間の依存関係を可視化したいのですが、ノード間のエッジを表示するためには何か設定などが必要でしょうか?jsonファイルをELKスタックに投入して表示しています。現状ではノードのみ表示されている状況です。
ご教示いただけますと幸いです。
投入したデータ
[
{
"event": {
"type": "SYSCALL",
"timestamp": 1364481363.243,
"audit_id": 24287,
"syscall": {
"process_info": {
"pid": 3538,
"ppid": 3500,
"command": "cat",
"executable": "/bin/cat"
}
},
"path_info": {
"name": "/etc/ssh/sshd_config",
"inode": 409248
},
"provenance_info": {
"input_files": [],
"output_files": ["/etc/ssh/sshd_config"]
}
}
},
{
"event": {
"type": "SYSCALL",
"timestamp": 1364481370.123,
"audit_id": 24288,
"syscall": {
"process_info": {
"pid": 3540,
"ppid": 3502,
"command": "vi",
"executable": "/bin/vi"
}
},
"path_info": {
"name": "/etc/passwd",
"inode": 409249
},
"provenance_info": {
"input_files": ["/etc/ssh/sshd_config"],
"output_files": ["/etc/passwd"]
}
}
},
{
"event": {
"type": "SYSCALL",
"timestamp": 1364481385.678,
"audit_id": 24289,
"syscall": {
"process_info": {
"pid": 3542,
"ppid": 3540,
"command": "grep",
"executable": "/bin/grep"
}
},
"path_info": {
"name": "/var/log/auth.log",
"inode": 409250
},
"provenance_info": {
"input_files": ["/etc/passwd"],
"output_files": ["/var/log/auth.log"]
}
}
},
{
"event": {
"type": "SYSCALL",
"timestamp": 1364481395.789,
"audit_id": 24290,
"syscall": {
"process_info": {
"pid": 3544,
"ppid": 3542,
"command": "chmod",
"executable": "/bin/chmod"
}
},
"path_info": {
"name": "/home/user/.bashrc",
"inode": 409251
},
"provenance_info": {
"input_files": ["/var/log/auth.log"],
"output_files": ["/home/user/.bashrc"]
}
}
}
]
マッピング
{
"dtest4" : {
"aliases" : { },
"mappings" : {
"properties" : {
"@timestamp" : {
"type" : "date"
},
"parsed_json" : {
"properties" : {
"event" : {
"properties" : {
"audit_id" : {
"type" : "long"
},
"path_info" : {
"properties" : {
"inode" : {
"type" : "long"
},
"name" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
}
}
},
"provenance_info" : {
"properties" : {
"input_files" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"output_files" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
}
}
},
"syscall" : {
"properties" : {
"process_info" : {
"properties" : {
"command" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"executable" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"pid" : {
"type" : "long"
},
"ppid" : {
"type" : "long"
}
}
}
}
},
"timestamp" : {
"type" : "float"
},
"type" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
}
}
}
}
},
"tags" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
}
}
},
"settings" : {
"index" : {
"creation_date" : "1715132871526",
"number_of_shards" : "1",
"number_of_replicas" : "1",
"uuid" : "9wZN4XQ0Rwmb9mSTlNgNoQ",
"version" : {
"created" : "7060299"
},
"provided_name" : "dtest4"
}
}
}
現在の表示
子プロセス(pid)と親プロセス(ppid)の依存関係を可視化したい。
