[BUG] Mapper not found: [linux]

[paasi6666]

What is the bug?
When defining a new detector and selecting the "System Logs" type, the "Configure field mapping" are empty.

How can one reproduce the bug?
Steps to reproduce the behavior:

1. Go to Security Analytics>Detectors>Create detector
2. Select any index
3. Click on 'System logs':

5. See that 'Configure field mapping' is empty
6. When following the link (mappings/view?indexName=index_*&ruleTopic=linux), following message is displayed:

{"ok":false,"error":"[illegal_argument_exception] Mapper not found: [linux]"}

What is the expected behavior?
Like the other types (Azure logs for example):

Also, when following the link:
{"ok":true,"response":{"properties":{},"unmapped_index_fields":

What is your host/environment?

• OS: Centos7
• Opensearch Version: 2.7.0
• Opensearch-Dashboards Version: 2.7.0

[sbcd90]

will look into it.

[sbcd90]

thanks for creating the issue. created a pr to fix it.

[Aloush-ha]

Hi @sbcd90
I used opensearch as Container by using Image 2.7.0, and it still has the same Problem

"version": {
"distribution": "opensearch",
"number": "2.7.0",
"build_type": "tar",
"build_hash": "b7a6e09e492b1e965d827525f7863b366ef0e304",
"build_date": "2023-04-27T21:43:09.523336706Z",
"build_snapshot": false,
"lucene_version": "9.5.0",
"minimum_wire_compatibility_version": "7.10.0",
"minimum_index_compatibility_version": "7.0.0"
}
can you help me with that
Thank you

[dsek]

this is the same problem as described weeks ago via #320

[Aloush-ha]

Hi @dsek
we are all together having the same problem, but how can we push to solve it.
I saw that your PR is not merged until know

[dsek]

yeah ... i've no idea ... maybe somebody of the security-analytics team may take care of it.

// sarcasm:on
i do really understand that handling this really complicated pull request takes so much time ...
// sarcasm:off

[sbcd90]

hi @paasi6666 , @dsek , @Aloush-ha , i'm extremely sorry if this issue caused any inconveniences to you. This issue will be fixed in 2.8 release of OpenSearch which is scheduled to be released this week.

[dsek]

sounds good! 👍

[Aloush-ha]

thank you @sbcd90

[paasi6666]

Thanks @sbcd90

[getsaurabh02]

Fix is available in 2.8 release

[Aloush-ha]

Hi @sbcd90
I checked the new Version 2.8, and I realized something, maybe you can explain it to us.

As you can see, in System logs there is audit field, and some fields that not compatible with Linux syslog
can you explain to me, which field in Linux syslog can pointed to rsa-web-remote_domain or process-working_directory !?
Which field is the message ?

should I open another Issue for that?

thank you

[paasi6666]

Hi @Aloush-ha

I think you should open a new issue since this one is closed.