[BUG] OSIS Filter Not Honored #5200

Open
Conklin-Spencer-bah opened this issue Nov 18, 2024 · 0 comments
Labels: bug (Something isn't working)

Comments

@Conklin-Spencer-bah

Describe the bug
The AWS Managed Data Prepper (OSIS) does not seem to consistently honor the filtering that I have configured.

To Reproduce
Steps to reproduce the behavior:

  1. Enable Security Lake with cloudtrail and eks audit logs
  2. Create Ingestion for Security Lake -> OpenSearch
  3. Update pipeline to include routes:

```yaml
route:
  - eks-logs: '/metadata/product/name == "amazon_eks"'
  - cloudtrail-logs: '/metadata/product/name == "cloudtrail"'
```

  4. Have the following sink configuration:

```yaml
sink:
    - opensearch:
        # Provide an AWS OpenSearch Service domain endpoint
        hosts: [ <redacted> ]
        routes: [eks-logs]
        aws:
          # Provide a Role ARN with access to the domain. This role should have a trust relationship with osis-pipelines.amazonaws.com
          sts_role_arn: "<redacted>"
          # Provide the region of the domain.
          region: "us-east-1"
          # Enable the 'serverless' flag if the sink is an Amazon OpenSearch Serverless collection
          serverless: false
        index: "ocsf-${/metadata/version}-${/class_uid}-${/class_name}-eks-${/accountid}-%{yyyy.MM.dd}"
    - opensearch:
        # Provide an AWS OpenSearch Service domain endpoint
        hosts: [ <redacted> ]
        routes: [cloudtrail-logs]
        aws:
          # Provide a Role ARN with access to the domain. This role should have a trust relationship with osis-pipelines.amazonaws.com
          sts_role_arn: "<redacted>"
          # Provide the region of the domain.
          region: "us-east-1"
          # Enable the 'serverless' flag if the sink is an Amazon OpenSearch Serverless collection
          serverless: false
        index: "ocsf-${/metadata/version}-${/class_uid}-${/class_name}-cloudtrail-${/accountid}-%{yyyy.MM.dd}"
```

Expected behavior
To create two indexes. One for 'eks' and one for 'cloudtrail'. Instead what happens is that it creates three indexes; one for eks, one for cloudtrail, and then a third that is unlabeled.

The unlabeled index logs contain 'metadata.product.name', and the product name is either 'cloudtrail' or 'amazon_eks'. This should have been routed to the appropriate route but is not.

Screenshots

[Screenshot 2024-11-18 at 2:24:04 PM; image not reproduced]

Environment (please complete the following information):

  • AWS Managed OSIS
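As an added offline check (not Data Prepper's own expression engine, and covering only the `<path> == "<literal>"` form used in this issue), the following evaluates the two route conditions above against constructed OCSF-shaped events and expands the sink's index pattern, so events that match no route, or that would produce an index name with empty segments because a field is missing, can be spotted before the pipeline is deployed. The events, the date suffix value and the `api_activity` class name are constructed for the example.

```python
import re

# Constructed sample events (OCSF-shaped; not taken from the issue).
EVENTS = [
    {"metadata": {"version": "1.1.0", "product": {"name": "amazon_eks"}},
     "class_uid": 6003, "class_name": "api_activity", "accountid": "111111111111"},
    {"metadata": {"version": "1.1.0", "product": {"name": "cloudtrail"}},
     "class_uid": 6003, "class_name": "api_activity", "accountid": "111111111111"},
    # Case mismatch in the product name: satisfies neither route condition.
    {"metadata": {"version": "1.1.0", "product": {"name": "CloudTrail"}},
     "class_uid": 6003, "class_name": "api_activity", "accountid": "111111111111"},
]

# Route conditions exactly as written in the issue (left side is a JSON-pointer path).
ROUTES = {
    "eks-logs": '/metadata/product/name == "amazon_eks"',
    "cloudtrail-logs": '/metadata/product/name == "cloudtrail"',
}
INDEX_PATTERN = "ocsf-${/metadata/version}-${/class_uid}-${/class_name}-eks-${/accountid}-%{yyyy.MM.dd}"

def get_path(event, pointer):
    # Resolve a JSON-pointer-style path such as /metadata/product/name; None if absent.
    node = event
    for part in pointer.strip("/").split("/"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

_COND = re.compile(r'^\s*(/[\w/]+)\s*==\s*"([^"]*)"\s*$')

def matches(event, condition):
    # Only the equality-to-string-literal form from this issue is supported.
    m = _COND.match(condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition}")
    return get_path(event, m.group(1)) == m.group(2)

def route_event(event, routes=ROUTES):
    # Names of every route whose condition the event satisfies (empty list: unrouted).
    return [name for name, cond in routes.items() if matches(event, cond)]

def expand_index(event, pattern, date="2024.11.18"):
    # Expand ${/path} placeholders from the event; a missing field yields an empty segment.
    def repl(m):
        value = get_path(event, m.group(1))
        return "" if value is None else str(value)
    return re.sub(r"\$\{(/[\w/]+)\}", repl, pattern).replace("%{yyyy.MM.dd}", date)
```

Running `route_event` over a sample of real events before deployment shows which records would fall outside every configured route, and `expand_index` shows the exact index name each record would be written to.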