OSQuery Integration user.id is [long] but ECS is [keyword]

Hi all,

I am trying to use some of the Windows prebuilt rules that rely on user.id in the eql query, but they are erroring out because my OSQuery manager indexes have user.id set to long, but the ECS standard (and what the windows/system integrations use) is for user.id to be keyword.

verification_exception Root causes: verification_exception: verification_exception: Found 1 problem line 4:33: Cannot use field [user.id] due to ambiguities being mapped as [2] incompatible types: [keyword] in --windows and linux logs-- , [long] in [.ds-logs-osquery_manager-...].

I'm not sure if this is a bug with the OSQuery Manager integration, or an issue with something I did on my end. Has anyone encountered this before?

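The error quoted above is Elasticsearch refusing to run a query over an index pattern in which one field path has two different mapping types. The script below is an added example (written for this thread, not code from Elastic or from the osquery_manager integration) that walks the JSON shape returned by `GET /<pattern>/_mapping`, reports every field mapped to more than one type across the matched indices, and separately lists fields whose type deviates from the ECS expectation. The index names and all fields other than user.id / group.id are constructed sample data; in practice you would feed it the real `_mapping` response for your `logs-*` pattern.

```python
"""Spot cross-index mapping conflicts and ECS type deviations.

Added example, not part of the original thread. Input is a dict with the
shape of an Elasticsearch GET _mapping response:
    {index_name: {"mappings": {"properties": {...}}}}
"""
from collections import defaultdict
import json

# ECS expected types for the fields discussed in the thread and in
# elastic/integrations issue #4507 (all three are keyword in ECS).
ECS_EXPECTED = {
    "user.id": "keyword",
    "user.group.id": "keyword",
    "group.id": "keyword",
}

# Constructed sample mirroring the post: a Windows/system index maps
# user.id as keyword, an osquery index maps user.id and group.id as long.
# Index names are placeholders, not the real data-stream names.
SAMPLE_MAPPINGS = {
    "windows-sample-index": {
        "mappings": {"properties": {
            "@timestamp": {"type": "date"},
            "user": {"properties": {
                "id": {"type": "keyword"},
                "name": {"type": "keyword"},
            }},
        }}
    },
    "osquery-sample-index": {
        "mappings": {"properties": {
            "@timestamp": {"type": "date"},
            "user": {"properties": {
                "id": {"type": "long"},
                "name": {"type": "keyword"},
            }},
            "group": {"properties": {"id": {"type": "long"}}},
        }}
    },
}


def flatten(properties, prefix=""):
    """Yield (dotted_path, type) for every leaf field under a properties map."""
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:            # object field: recurse into children
            yield from flatten(spec["properties"], path + ".")
        else:
            yield path, spec.get("type", "object")


def find_conflicts(mappings):
    """Return {field_path: {type: [index, ...]}} for fields with more than one type.

    This is the condition EQL/ES|QL reject with the 'ambiguities being
    mapped as [N] incompatible types' verification_exception.
    """
    types_by_field = defaultdict(lambda: defaultdict(list))
    for index, body in mappings.items():
        for path, ftype in flatten(body["mappings"].get("properties", {})):
            types_by_field[path][ftype].append(index)
    return {
        path: {t: sorted(idx) for t, idx in types.items()}
        for path, types in types_by_field.items()
        if len(types) > 1
    }


def conflicting_fields(mappings):
    """Sorted list of field paths that are mapped inconsistently."""
    return sorted(find_conflicts(mappings))


def ecs_deviations(mappings, expected=ECS_EXPECTED):
    """Sorted (index, field, actual_type, ecs_type) for fields that miss ECS.

    A field can deviate from ECS without being a cross-index conflict yet
    (group.id in the sample only exists in the osquery index), so this
    catches the problem before a second integration makes it a query error.
    """
    out = []
    for index, body in mappings.items():
        for path, ftype in flatten(body["mappings"].get("properties", {})):
            if path in expected and ftype != expected[path]:
                out.append((index, path, ftype, expected[path]))
    return sorted(out)


if __name__ == "__main__":
    print(json.dumps(find_conflicts(SAMPLE_MAPPINGS), indent=2))
    for row in ecs_deviations(SAMPLE_MAPPINGS):
        print("ECS deviation: index=%s field=%s mapped=%s expected=%s" % row)
```

Running it on the sample reports user.id as the one field with two types (keyword in the Windows index, long in the osquery index) and lists both user.id and group.id in the osquery index as ECS deviations. Pointing it at the real mapping response for the pattern the rule queries tells you which index, and which field, is behind the verification_exception.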

@oloughlinp which version of the stack and osquery_manager are you using?
Is it the initial version or have you migrated it? If so, what was the initial version?

Thanks @patrykkopycinski

Running on Elastic 8.7.0 and OSQuery Manager 1.7.2. We've upgraded two or three times over the last year.

I also found a bug report that hasn't been touched for the same issue: [OSQuery] Non-compliant ECS field mappings causing conflicts: user.id, user.group.id, group.id · Issue #4507 · elastic/integrations · GitHub
