OSQuery Manager Integration Mapping IP (`host.ip`) as Keyword

BenB196 · September 2, 2021, 11:42pm

Hi All,

I'm using Fleet with the OSQuery Manager integration for 7.14.0, and I noticed that the data stream it created logs-osquery_manager.result-default is mapping the host.ip field as a keyword. This is causing an issue in Kibana as its causing a mapping conflict within the Kibana Index Pattern logs-*, as host.ip is supposed to be mapped as an IP according to ECS.

Example:

GET /.ds-logs-osquery_manager.result-default-2021.08.25-000001/_mapping/field/host.ip

{
  ".ds-logs-osquery_manager.result-default-2021.08.25-000001" : {
    "mappings" : {
      "host.ip" : {
        "full_name" : "host.ip",
        "mapping" : {
          "ip" : {
            "type" : "keyword",
            "ignore_above" : 1024
          }
        }
      }
    }
  }
}

Would anyone know why this is or how to fix it?

This field seems to being created when a result is returned from a query via OSQuery.

Looking at the index pattern logs-osquery_manager.result, it appears that host.ip isn't mapped, and the dynamic setting only allows mapping everything to keywords:

"dynamic_templates": [
  {
    "strings_as_keyword": {
      "mapping": {
        "ignore_above": 1024,
        "type": "keyword"
      },
      "match_mapping_type": "string"
    }
  }
]

ruflin · September 3, 2021, 11:27am

As you pointed out, it is likely missing in the mappings: https://github.com/elastic/integrations/blob/master/packages/osquery_manager/data_stream/result/fields/osquery.yml

@aleksmaus To not have to map all fields, maybe a dynamic mapping that matches *.ip could be used?

aleksmaus · September 3, 2021, 11:50am

Thank you for reporting this issue.
Yes, seems like there are more mappings that need to be defined. We will address that in the next versions of the integration package.

BenB196 · September 3, 2021, 12:02pm

@aleksmaus @ruflin thanks for the information. I've found a few similar issues with some of the other integrations. Is there a better place to report these mapping issues, or should I just open up additional forum topics?

ruflin · September 3, 2021, 12:25pm

If you see mapping issues, best directly open a github issue in https://github.com/elastic/integrations Thanks for reporting these!

BenB196 · September 3, 2021, 12:33pm

Will do, thanks @ruflin

system · October 1, 2021, 2:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.