google / timesketch

Collaborative forensic timeline analysis
Apache License 2.0

Create more meaningful opensearch index names #2596

Open arisjr opened 1 year ago

arisjr commented 1 year ago

Is your feature request related to a problem? Please describe. When a user needs to find a problematic opensearch index from a problematic sketch, he needs to struggle to find the right one if there are various sketches and the system is accessed by multiple users.

Describe the solution you'd like Insert the SKETCH-ID as a prefix on the index name. (Example: 2-600a04c642e146e9ae68a5513bf8add7)

Describe alternatives you've considered Insert also the sketch name somehow.

jaegeral commented 1 year ago

Yeah that request makes sense, I am moving it to Q3 where we might have time to look in feature requests

berggren commented 11 months ago

The naming scheme is from back when TS supported an index to be part of multiple sketches. This functionality has since been deprecated.

@arisjr What is your use-case in this case? Do you need to manually go into opensearch and operate on the index?

Would it be sufficient to have a more visible list of indexes (with timeline mapping, i.e. what timelines are using an index)?

arisjr commented 11 months ago

Hello, @berggren.

> @arisjr What is your use-case in this case? Do you need to manually go into opensearch and operate on the index?

I had, in the past, done some manual maintenance on opensearch indexes and felt this difficulty to isolate the right index - the manual intervention is documented on another issue here (https://github.com/google/timesketch/issues/2353). Also, in the past, for one of our analysts, I had to enable opensearch-dashboard on one index made by timesketch. The index identification was important in this case, too.

> Would it be sufficient to have a more visible list of indexes (with timeline mapping, i.e. what timelines are using an index)?

Yes, a timeline to index mapping would be of great help.

In fact, I don't really know how indexes are separated/created on timesketch. Is it sketch or timeline oriented, or is it free to choose (I have seen options for this on timesketch_importer but didn't test them)? Anyway, I couldn't find documentation on the matter at the time.
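Two things in this thread lend themselves to a small worked example: the `<sketch-id>-<uuid>` index-name prefix proposed in the opening post, and the timeline-to-index listing berggren suggests as an alternative. The block below is an added illustration, not Timesketch project code and not its API: it builds and parses a prefixed name, checks it against OpenSearch's documented index-name constraints (lowercase only; no `\ / * ? " < > | , #` or spaces; no leading `-`, `_` or `+`; not `.` or `..`; at most 255 bytes), and produces an index-to-timeline map from a constructed set of sketch records whose keys (`id`, `name`, `timelines`, `index_name`) are assumptions for the demo, not the shape Timesketch returns. The optional sketch-name slug goes beyond the `2-600a…` form in the post to cover the "insert also the sketch name somehow" alternative.

```python
"""Added example (not Timesketch code): prefixed OpenSearch index names and
an index -> timeline listing, as discussed in google/timesketch#2596."""
import re
import uuid
from typing import Dict, List, Optional

# OpenSearch index-name constraints (inherited from Elasticsearch).
INVALID_CHARS = set('\\/*?"<>|,# ')
MAX_NAME_BYTES = 255

# Proposed layout: <sketch-id>[-<sketch-name-slug>]-<32 hex uuid>
PREFIXED_NAME_RE = re.compile(r"^(\d+)(?:-[a-z0-9-]+)?-([0-9a-f]{32})$")


def validate_index_name(name: str) -> List[str]:
    """Return a list of constraint violations; empty means the name is usable."""
    problems = []
    if not name:
        problems.append("must not be empty")
    if name != name.lower():
        problems.append("must be lowercase")
    bad = sorted(INVALID_CHARS & set(name))
    if bad:
        problems.append(f"contains forbidden characters: {bad}")
    if name[:1] in ("-", "_", "+"):
        problems.append("must not start with -, _ or +")
    if name in (".", ".."):
        problems.append("must not be . or ..")
    if len(name.encode("utf-8")) > MAX_NAME_BYTES:
        problems.append(f"exceeds {MAX_NAME_BYTES} bytes")
    return problems


def proposed_index_name(sketch_id: int, index_uuid: str,
                        sketch_name: Optional[str] = None) -> str:
    """Build '<sketch-id>-<uuid hex>' (optionally with a sketch-name slug)
    and refuse to return anything OpenSearch would reject."""
    parts = [str(sketch_id)]
    if sketch_name:
        # Reduce the free-form sketch name to a short, index-safe slug.
        slug = re.sub(r"[^a-z0-9]+", "-", sketch_name.lower()).strip("-")[:40]
        if slug:
            parts.append(slug)
    parts.append(uuid.UUID(index_uuid).hex)  # normalises dashed or bare hex input
    name = "-".join(parts)
    problems = validate_index_name(name)
    if problems:
        raise ValueError(f"{name!r}: {'; '.join(problems)}")
    return name


def parse_index_name(name: str) -> Optional[Dict[str, object]]:
    """Recover sketch id and uuid from a prefixed name; None for legacy bare-uuid names."""
    match = PREFIXED_NAME_RE.match(name)
    if not match:
        return None
    return {"sketch_id": int(match.group(1)), "index_uuid": match.group(2)}


# Constructed sketch records (hypothetical key names, not the Timesketch API).
SKETCHES = [
    {"id": 2, "name": "Ransomware case", "timelines": [
        {"name": "host-a plaso", "index_name": "2-600a04c642e146e9ae68a5513bf8add7"},
        {"name": "host-b evtx", "index_name": "2-7f3c1d9e0b5a4c8f9e2d1a3b4c5d6e7f"},
    ]},
    {"id": 5, "name": "Phishing", "timelines": [
        # Legacy name with no sketch prefix, as created before the proposal.
        {"name": "mail logs", "index_name": "c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6"},
    ]},
]


def timeline_index_map(sketches) -> Dict[str, List[str]]:
    """Map every index name to the 'sketch <id> / <timeline>' entries using it,
    which is the visible index listing berggren proposes."""
    mapping: Dict[str, List[str]] = {}
    for sketch in sketches:
        for timeline in sketch["timelines"]:
            label = f"sketch {sketch['id']} / {timeline['name']}"
            mapping.setdefault(timeline["index_name"], []).append(label)
    return mapping


if __name__ == "__main__":
    print(proposed_index_name(2, "600a04c642e146e9ae68a5513bf8add7", "Ransomware case"))
    for index, users in timeline_index_map(SKETCHES).items():
        owner = parse_index_name(index)
        tag = f"sketch {owner['sketch_id']}" if owner else "legacy (no sketch prefix)"
        print(f"{index}  [{tag}]  <- {', '.join(users)}")
```

The validation step is the part worth keeping regardless of which naming scheme is chosen: a sketch name pasted straight into an index name can easily carry uppercase letters or spaces, which OpenSearch rejects at index creation time.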