
Changing default index pattern makes wazuh-dashboard not work correctly in docker single-node #1460

Closed
rafprzybysz opened this issue Jul 19, 2024 · 1 comment

@rafprzybysz
Describe the bug
When changing the default index pattern for wazuh-dashboard and deleting the default "wazuh-alerts-*" pattern, the last 24-hour alerts section in Overview doesn't work correctly: when you click on one of the severities it takes you to the Discover tab with wrong filters.


The url for this request is:
https://ip:5601/app/data-explorer/discover#?_a=(discover:(columns:!(_source),isDirty:!f,sort:!()),metadata:(indexPattern:'custom-alerts-*',view:discover))&_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'custom-alerts-*',key:manager.name,negate:!f,params:(query:wazuhmanager),type:phrase),query:(match_phrase:(manager.name:wazuhmanager))),('$state':(store:globalState),meta:(alias:!n,disabled:!t,index:'wazuh-alerts-*',key:rule.level,negate:!f,params:(gte:0,lte:6),type:range),range:(rule.level:(gte:0,lte:6)))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_q=(filters:!(),query:(language:kuery,query:''))

Manager name is getting correctly queried with the custom index pattern, but rule.level is still referencing wazuh-alerts-*.

In the code I found this function:

```js
// Bundled (transpiled) plugin code as posted in the issue. The second filter
// uses the literal 'wazuh-alerts-*' instead of indexPatternName.
const getCountLastAlerts = async () => {
  try {
    const {
      indexPatternName: indexPatternName,
      cluster: cluster,
      count: count,
    } = await getLast24HoursAlerts(severityLabel[severity].ruleLevelRange);
    setCountLastAlerts(count);
    const core = Object(kibana_services["d"])();
    const v2Enabled = await core.uiSettings.get("discover:v2");
    let discoverLocation = { app: "data-explorer", basePath: "discover" };
    if (!v2Enabled) {
      discoverLocation = { app: "discoverLegacy", basePath: "" };
    }
    const destURL = core.application.getUrlForApp(discoverLocation.app, {
      path: ""
        .concat(
          discoverLocation.basePath,
          "#?_a=(discover:(columns:!(_source),isDirty:!f,sort:!()),metadata:(indexPattern:'"
        )
        // first filter (manager/cluster name): uses the selected index pattern
        .concat(
          indexPatternName,
          "',view:discover))&_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'"
        )
        .concat(indexPatternName, "',key:")
        .concat(cluster.field, ",negate:!f,params:(query:")
        .concat(cluster.name, "),type:phrase),query:(match_phrase:(")
        .concat(cluster.field, ":")
        // second filter (rule.level): index is hard-coded to 'wazuh-alerts-*'
        .concat(
          cluster.name,
          "))),('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'wazuh-alerts-*',key:rule.level,negate:!f,params:(gte:"
        )
        .concat(severityLabel[severity].ruleLevelRange.minRuleLevel, ",lte:")
        .concat(
          severityLabel[severity].ruleLevelRange.maxRuleLevel || "!n",
          "),type:range),range:(rule.level:(gte:"
        )
        .concat(severityLabel[severity].ruleLevelRange.minRuleLevel, ",lte:")
        .concat(
          severityLabel[severity].ruleLevelRange.maxRuleLevel || "!n",
          ")))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_q=(filters:!(),query:(language:kuery,query:''))"
        ),
    });
    // ... the rest of the function is not included in the issue
  } catch (error) {
    // not shown in the issue
  }
};
```

I think this function has "wazuh-alerts-*" hard-coded for rule.level, which is causing this problem.

I use wazuh-docker 4.8 single-node

How to reproduce:

1. Default wazuh-docker single-node deployment
2. Modify wazuh-template.json:
   ```json
   "index_patterns": [
     "custom-alerts-*",
     "wazuh-archives-4.x-*"
   ],
   ```
3. Modify /usr/share/filebeat/module/wazuh/alerts/manifest.yml:
   ```yaml
   module_version: 0.1

   var:
     - name: paths
       default:
         - /var/ossec/logs/alerts/alerts.json
     - name: index_prefix
       default: custom-alerts-

   input: config/alerts.yml

   ingest_pipeline: ingest/pipeline.json
   ```
4. Add these lines to the dashboard wazuh.yml:
   ```yaml
   alerts.sample.prefix: "custom-alerts-"
   pattern: "custom-alerts-*"
   ```
5. Create a new index pattern in the wazuh dashboard:
   - Index pattern name: custom-alerts-*
   - Time field: timestamp
   - Custom index pattern ID: custom-alerts-*
6. Set the new index pattern as default and delete the "wazuh-alerts-*" index pattern

All the edited files are bind mounted from the host to the docker container.
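The following is an added example, not code from the Wazuh dashboard plugin or from the issue author. It rebuilds the Discover deep link shown above with the index pattern threaded through to every filter, and adds a small check that flags a link whose filters point at more than one index pattern (the symptom reported here). The `severityLabel` and `cluster` shapes, the `ruleLevelIndex` parameter (used only to reproduce the hard-coded behaviour side by side with the corrected one) and all sample values are assumptions constructed to match what is visible in the issue's URL.

```javascript
// Added example, not code from the Wazuh dashboard plugin. Builds the Discover
// deep link with one index pattern for every filter and checks the result.

// Severity ranges used by the overview panel (constructed sample; the real
// plugin's table may differ).
const severityLabel = {
  low: { ruleLevelRange: { minRuleLevel: 0, maxRuleLevel: 6 } },
  critical: { ruleLevelRange: { minRuleLevel: 15 } }, // no upper bound
};

// Range filter on rule.level. Rison encodes null as !n, which is what the
// plugin emits when maxRuleLevel is absent.
function ruleLevelFilter(index, range) {
  const lte = range.maxRuleLevel == null ? '!n' : range.maxRuleLevel;
  return (
    `('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'${index}',` +
    `key:rule.level,negate:!f,params:(gte:${range.minRuleLevel},lte:${lte}),type:range),` +
    `range:(rule.level:(gte:${range.minRuleLevel},lte:${lte})))`
  );
}

// Phrase filter on the manager/cluster name field.
function clusterFilter(index, cluster) {
  return (
    `('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'${index}',` +
    `key:${cluster.field},negate:!f,params:(query:${cluster.name}),type:phrase),` +
    `query:(match_phrase:(${cluster.field}:${cluster.name})))`
  );
}

// Build the Discover path. `ruleLevelIndex` is a hypothetical parameter that
// defaults to the selected pattern (corrected behaviour); passing
// 'wazuh-alerts-*' reproduces the link the issue reports.
function buildDiscoverPath(basePath, indexPatternName, cluster, range, ruleLevelIndex = indexPatternName) {
  return (
    `${basePath}#?_a=(discover:(columns:!(_source),isDirty:!f,sort:!()),` +
    `metadata:(indexPattern:'${indexPatternName}',view:discover))` +
    `&_g=(filters:!(${clusterFilter(indexPatternName, cluster)},${ruleLevelFilter(ruleLevelIndex, range)}),` +
    `refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))` +
    `&_q=(filters:!(),query:(language:kuery,query:''))`
  );
}

// Every index pattern the link references: the Discover metadata plus each
// filter's meta.index. A consistent link yields exactly one value.
function referencedIndexPatterns(path) {
  const found = new Set();
  for (const m of path.matchAll(/(?:indexPattern|index):'([^']*)'/g)) found.add(m[1]);
  return [...found].sort();
}

function hasConsistentIndexPattern(path) {
  return referencedIndexPatterns(path).length === 1;
}

// Stand-alone demonstration with the values visible in the issue's URL.
const cluster = { field: 'manager.name', name: 'wazuhmanager' };
const buggy = buildDiscoverPath('discover', 'custom-alerts-*', cluster, severityLabel.low.ruleLevelRange, 'wazuh-alerts-*');
const fixed = buildDiscoverPath('discover', 'custom-alerts-*', cluster, severityLabel.low.ruleLevelRange);
console.log('reported link references:', referencedIndexPatterns(buggy)); // [ 'custom-alerts-*', 'wazuh-alerts-*' ]
console.log('corrected link references:', referencedIndexPatterns(fixed)); // [ 'custom-alerts-*' ]
```

`hasConsistentIndexPattern` doubles as a regression check for the reproduction steps: after switching the dashboard to a custom pattern, a link that still references a second pattern is exactly the case in which the rule.level filter silently matches nothing.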

@rafprzybysz (Author)

Issue fixed here for version 4.8.1
wazuh/wazuh-dashboard-plugins#6777
