OSQuery Integration user.id is [long] but ECS is [keyword]

oloughlinp · May 6, 2023, 7:57am

Hi all,

I am trying to use some of the Windows prebuilt rules that rely on user.id in the eql query, but they are erroring out because my OSQuery manager indexes have user.id set to long, but the ECS standard (and what the windows/system integrations use) is for user.id to be keyword.

verification_exception Root causes: verification_exception: verification_exception: Found 1 problem line 4:33: Cannot use field [user.id] due to ambiguities being mapped as [2] incompatible types: [keyword] in --windows and linux logs-- , [long] in [.ds-logs-osquery_manager-...].

I'm not sure if this is a bug with the OSQuery Manager integration, or an issue with something I did on my end. Has anyone encountered this before?

patrykkopycinski · May 8, 2023, 6:33pm

@oloughlinp which version of the stack and osquery_manager are you using?
is it the initial version or have you migrated it? if so what was the initial version?

oloughlinp · May 10, 2023, 1:33pm

Thanks @patrykkopycinski

Running on Elastic 8.7.0 and OSQuery Manager 1.7.2. We've upgraded two or three times over the last year.

I also found a bug report that hasn't been touched for the same issue: [OSQuery] Non-compliant ECS field mappings causing conflicts: user.id, user.group.id, group.id · Issue #4507 · elastic/integrations · GitHub

system · June 7, 2023, 1:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Osquery exported fields Elastic Security osquery-manager	2	451	February 3, 2022
Elastic Query for alerts Windows Elasticsearch	1	317	February 1, 2022
Syntax error shown in EQL queries for correlation Elastic Security	1	424	March 10, 2022
Long keyword/text fields just for retrieval Elasticsearch	6	1320	February 9, 2017
Querying a LONG field Elasticsearch	5	362	July 6, 2017

OSQuery Integration user.id is [long] but ECS is [keyword]

Related topics