exportar CSV desde discover

[Henry Valero]

Saludos:

Cuando intento exportar en CSV desde la opción de Discover del Wazuh, los eventos exportados son solo en aproximadamente 10,000.00 eventos y siendo que en la vista al momento de generarlos son mas de 20K.

Alguna ayuda para poder exportar por completo los eventos de acuerdo a la consulta que se realice en el discover.

atte.:

Henry

[Federico Gustavo Galland]

Henry,

Gracias por avisarnos de su problema. Le voy a responder en Inglés de forma que la comunidad entera se beneficie de nuestro intercambio.

Me avisa si necesita que traduzca alguna parte.

I've tried generating a csv report myself from the Discover view, where in my case, ~31k documents were visible, but the csv ended up with just ~14k lines.

I will conduct some research on this issue, as it is very likely an OpenSearch bug, and get back to you in time.

In the meantime you may want to try grabbing alert data directly off the Wazuh Manager's output at /var/ossec/logs/alerts/alerts.json

These files are rotated daily and they get compressed after a week, but they provide pretty much the same information as the exported csv would.

Anyway, let me circle back to you as soon as get further insight into the actual issue.

Regards,

Fede

[Federico Gustavo Galland]

Henry,

After a brief research session online, I found that this is not yet something that can be configured.

Reference links:

* https://github.com/opendistro-for-elasticsearch/kibana-reports/issues/176

* https://github.com/opensearch-project/dashboards-reporting/issues/60

However, you may want to try the solution proposed in the second link. You would basically run the following command:

sed -i 's/reportDefinitionRequest.report_params.core_params.limit=1e4/reportDefinitionRequest.report_params.core_params.limit=1e5/' /usr/share/wazuh-dashboard/plugins/reportsDashboards/target/public/reportsDashboards.chunk.4.js

in your Wazuh Dashboard host. This should up the export row limit to 100k.

Let me know how it fares.

Regards,

Fede