Documentation & Evidence Gathering - Reporting revamp tier 2 #7906

@Machi3mfl

Description

With the unified reporting system now in place (leveraging OpenSearch Reporting and Notifications plugins), the Wazuh Dashboard still contains legacy report generation code and settings that are no longer required. This creates unnecessary complexity and potential maintenance issues.

This objective aims to remove legacy reporting from the Wazuh Dashboard and fully align the dashboard reporting capabilities with the new system.

This cleanup is required to prevent divergence between legacy and unified reporting mechanisms.
All future work related to reporting must extend the unified system only.


Functional Requirements

1. Remove legacy reporting

Eliminate old report generation logic, UI settings, and configuration options from the Wazuh Dashboard.

We successfully removed much of the implementation based on the old way of generating reports. Previously, we had a lot of logic that performed report generation manually without using the native OpenSearch Dashboards reporting plugin.

Reference: https://github.com/wazuh/wazuh-dashboard-plugins/pull/7899/files

Remove unused API endpoints, helpers, and assets related to the deprecated system.

As mentioned in the previous point, after removing the legacy implementation, most of the old logic ran on the server side, so a large part of the generation logic lived in these endpoints.

Reference: https://github.com/wazuh/wazuh-dashboard-plugins/pull/7899/files

2. Refactor dashboards construction

Ensure all dashboards are based on saved objects compatible with the new reporting mechanism.

We changed how the dashboard and visualization specifications are stored.
Previously we had the definitions in code. We transformed those dashboards that contain visualizations into saved objects, and they are stored in our repository as .ndjson files. These files allow us to import them and generate the saved objects needed to render the dashboards across the different sections of Wazuh Dashboard.

It is important to clarify that all the by-value dashboards that have the reporting functionality, and only those, were modified. Some dashboards, such as the cluster one, have not been modified.

Reference: https://github.com/wazuh/wazuh-dashboard-plugins/pull/7847/files

Update dashboard creation workflows to enforce saved object usage.

Previously, because the dashboards were defined in code, they were created at runtime when rendering the different sections. Now that they are saved objects, we added a mechanism to import all dashboards (.ndjson) at application startup. The new health check verifies that the required saved objects exist to render the dashboards.

3. RBAC enforcement

Ensure the new saved objects used for dashboards are as protected as possible from users via Wazuh Indexer RBAC permissions.

We initially considered restricting the deletion of the dashboards saved objects via RBAC permissions. However, the OpenSearch Saved Objects plugins are restricted to index-level CRUD permissions, because document-level permissions are evaluated in _search operations.

Therefore, if a user has write permissions for saved objects, they can create, modify, and delete dashboards stored in the Indexer. This means there is no practical way to restrict deletions for users with write permissions. We therefore decided that the new health check should maintain the integrity of the dashboards' saved objects. This ensures they exist so the system can function, even though deletion cannot be prevented.

4. Healthcheck integration

Extend Wazuh Dashboard health checks to validate the availability and functionality of the new dashboards system.

The new health check now obtains the list of .ndjson files that contain the specifications for dashboards and visualizations. Using this list, it checks whether each saved object has already been created in the Indexer. If it has not been created, it will attempt to create it. If it already exists, no changes are made, since users may have modified dashboards and we want to allow that customization.

Health check logs

server    log   [14:31:17.319] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [agent-events-count-evolution] title [Events count evolution] - skipping
server    log   [14:31:18.226] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [aws-overview-dashboard-tab] title [AWS overview dashboard] - skipping
server    log   [14:31:18.521] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [azure-overview-dashboard-tab] title [Azure Overview Dashboard] - skipping
server    log   [14:31:18.631] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [azure-pinned-agent-dashboard-tab] title [Azure Agent Pinned dashboard] - skipping
server    log   [14:31:18.666] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [docker-overview-dashboard-tab] title [Docker Overview dashboard] - skipping
server    log   [14:31:18.689] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [docker-pinned-agent-dashboard-tab] title [Docker Agent Pinned dashboard] - skipping
server    log   [14:31:18.707] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [fim-files-dashboard] title [File Integrity Monitoring Files] - skipping
server    log   [14:31:18.741] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [fim-overview-dashboard] title [File Integrity Monitoring Overview] - skipping
server    log   [14:31:18.773] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [fim-pinned-agent-dashboard] title [File Integrity Monitoring Agent Pinned Dashboard] - skipping
server    log   [14:31:19.169] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [gdpr-overview-dashboard] title [GDPR Overview Dashboard] - skipping
server    log   [14:31:19.231] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [gdpr-pinned-agent-dashboard] title [GDPR Agent Pinned Dashboard] - skipping
server    log   [14:31:19.319] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [github-drilldown-action-dashboard-tab] title [GitHub Drilldown Action Dashboard] - skipping
server    log   [14:31:19.380] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [github-drilldown-actor-dashboard-tab] title [GitHub Drilldown Actor Dashboard] - skipping
server    log   [14:31:19.465] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [github-drilldown-organization-dashboard-tab] title [GitHub Drilldown Organization Overview] - skipping
server    log   [14:31:19.535] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [github-drilldown-repository-dashboard] title [GitHub Drilldown Repository Dashboard] - skipping
server    log   [14:31:19.636] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [github-overview-dashboard-tab] title [GitHub overview dashboard] - skipping
server    log   [14:31:19.686] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [github-pinned-agent-dashboard-tab] title [GitHub agent pinned dashboard] - skipping
server    log   [14:31:19.730] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [google-cloud-detector-dashboard-tab] title [Google Cloud Overview Dashboard] - skipping
server    log   [14:31:19.768] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [google-cloud-pinned-agent-dashboard] title [Google Cloud Agent Pinned Dashboard] - skipping
server    log   [14:31:19.812] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [hipaa-overview-dashboard-tab] title [HIPAA Overview Dashboard] - skipping
server    log   [14:31:19.888] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [hipaa-pinned-agent-dashboard-tab] title [HIPAA Pinned Agent Dashboard] - skipping
server    log   [14:31:19.999] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [it-hygiene-overview-dashboard-tab] title [IT Hygiene - Overview] - skipping
server    log   [14:31:20.054] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [it-hygiene-dashboard-kpis] title [IT Hygiene dashboard KPIs] - skipping
server    log   [14:31:20.082] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [it-hygiene-networks-inventories-interfaces-dashboard-tab] title [IT Hygiene - Networks Inventories - Interfaces] - skipping
server    log   [14:31:20.112] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [it-hygiene-networks-inventories-networks-dashboard-tab] title [IT Hygiene Networks Inventories - Networks] - skipping
server    log   [14:31:20.148] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [it-hygiene-networks-inventories-protocols-dashboard-tab] title [IT Hygiene - Networks Inventories - Protocols] - skipping
server    log   [14:31:20.178] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [it-hygiene-networks-inventories-services-dashboard-tab] title [IT Hygiene - Networks Inventories - Services] - skipping
server    log   [14:31:20.210] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [it-hygiene-networks-inventories-traffic-dashboard-tab] title [IT Hygiene - Networks Inventories - Traffic] - skipping
server    log   [14:31:20.250] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [it-hygiene-packages-inventories-browser-extensions-dashboard-tab] title [IT Hygiene - Packages Inventories - Browser Extensions] - skipping
server    log   [14:31:20.265] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [it-hygiene-packages-inventories-hotfixes-dashboard-tab] title [IT Hygiene - Packages Inventories - Hotfixes] - skipping
server    log   [14:31:20.293] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [it-hygiene-packages-inventories-packages-dashboard-tab] title [IT Hygiene - Packages Inventories - Packages] - skipping
server    log   [14:31:20.314] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [it-hygiene-processes-dashboard-tab] title [IT Hygiene - Processes] - skipping
server    log   [14:31:20.332] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [it-hygiene-services-dashboard-tab] title [IT Hygiene - Services] - skipping
server    log   [14:31:20.355] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [it-hygiene-system-inventories-hardware-dashboard-tab] title [IT Hygiene - System Inventories - Hardware] - skipping
server    log   [14:31:20.379] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [it-hygiene-system-inventories-system-dashboard-tab] title [IT Hygiene - System Inventories - System] - skipping
server    log   [14:31:20.413] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [it-hygiene-tables-dashboard-tab] title [IT Hygiene - Tables] - skipping
server    log   [14:31:20.430] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [it-hygiene-user-inventories-groups-dashboard-tab] title [IT Hygiene - User Inventories - Groups] - skipping
server    log   [14:31:20.463] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [it-hygiene-user-inventories-users-dashboard-tab] title [IT Hygiene - User Inventories - Users] - skipping
server    log   [14:31:20.519] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [malware-detection-overview-dashboard-tab] title [Malware detection overview dashboard] - skipping
server    log   [14:31:20.570] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [malware-detection-pinned-agent-dashboard-tab] title [Malware detection pinned agent dashboard] - skipping
server    log   [14:31:20.619] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [mitre-overview-dashboard-tab] title [MITRE overview dashboard] - skipping
server    log   [14:31:20.656] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [mitre-pinned-agent-dashboard-tab] title [MITRE pinned agent dashboard] - skipping
server    log   [14:31:20.708] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [nist-overview-dashboard-tab] title [NIST Overview Dashboard] - skipping
server    log   [14:31:20.791] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [nist-pinned-agent-dashboard-tab] title [NIST Pinned Agent Dashboard] - skipping
server    log   [14:31:20.835] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [office-drilldown-ip-config-panel-tab] title [Office drilldown ip configuration dashboard] - skipping
server    log   [14:31:20.902] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [office-drilldown-operations-config-panel-tab] title [Office drilldown operations config dashboard] - skipping
server    log   [14:31:20.976] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [office-drilldown-rules-config-panel-tab] title [Office drilldown rules config dashboard] - skipping
server    log   [14:31:21.050] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [office-drilldown-user-config-panel-tab] title [Office Drilldown User Config Dashboard] - skipping
server    log   [14:31:21.136] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [office-overview-kpis] title [Office Overview KPIs] - skipping
server    log   [14:31:21.284] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [office-overview-dashboard-tab] title [Office overview dashboard] - skipping
server    log   [14:31:21.499] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [sca-inventory-dashboard] title [Software Composition Analysis Inventory] - skipping
server    log   [14:31:21.656] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [sca-overview-dashboard] title [Security Configuration Assessment] - skipping
server    log   [14:31:21.750] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [threat-hunting-overview-dashboard] title [Threat Hunting - Overview] - skipping
server    log   [14:31:21.822] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [threat-hunting-pinned-agent-dashboard] title [Threat Hunting - Pinned Agent] - skipping
server    log   [14:31:21.892] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [tsc-overview-dashboard-tab] title [TSC overview dashboard] - skipping
server    log   [14:31:21.926] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [tsc-pinned-agent-dashboard-tab] title [TSC pinned agent dashboard] - skipping
server    log   [14:31:21.960] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [vulnerabilities-overview-dashboard-tab] title [Vulnerabilities Overview] - skipping
server    log   [14:31:22.021] [info][healthcheck][saved-objects:dashboards] Dashboard already exists [wz-discover-events-dashboard] title [Wazuh Discover Events Histogram] - skipping
server    log   [14:31:22.022] [info][healthcheck] Checks are ok
server    log   [14:31:22.027] [info][healthcheck] Set scheduled checks each 900000ms

5. Disaster recovery

In case a user deletes the saved objects, the Wazuh Dashboard must be able to regenerate them and fall back into a working state.

To regenerate the saved objects required for the dashboards, we use the health check. It verifies that the necessary saved objects exist and, if they do not, it creates them from the .ndjson files found in the repository.


Non-Functional Requirements

  1. Reports must rely exclusively on the Reporting and Notifications plugins.

We implemented features native to the reporting plugin to generate PDF reports. We don't generate or persist any PDF report in the wazuh-dashboard-plugins repository.

  2. The changes introduced to the healthcheck process must not increase login time.

The new checks added in the health check process run as soon as the service starts up, so the login time is not affected.

  3. The solution must maintain consistency with the existing unified reporting layout and user experience.

To generate PDF reports, we reused the already well-known Generate report button located in the top-right corner of the module's dashboards.

Implementation Restrictions

  1. No new custom reporting mechanisms may be introduced. The unified reporting system must be the only supported approach.

We added a few modifications to the native reporting plugin so it exports native reporting methods. This allows us to implement those PDF report functions in the "Generate report" button located in the main repository.
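
The create-if-missing behaviour described under "4. Healthcheck integration" and "5. Disaster recovery", as an added example that is not the Wazuh Dashboard's own code. `parseNdjson`, `MemoryStore`, `ensureSavedObjects` and the sample NDJSON are hypothetical stand-ins for the real saved-objects client and the repository's .ndjson files.

```javascript
// Added example: the store below is an in-memory stand-in, not the real
// saved-objects client, and SAMPLE_NDJSON is constructed sample data.
const SAMPLE_NDJSON = [
  '{"type":"visualization","id":"fim-events-viz","attributes":{"title":"FIM events"}}',
  '{"type":"dashboard","id":"fim-overview-dashboard","attributes":{"title":"File Integrity Monitoring Overview"}}',
  '',
  '{"exportedCount":2,"missingRefCount":0,"missingReferences":[]}', // export summary, not an object
].join('\n');

// Parse NDJSON into saved objects, skipping blank lines and the summary record.
function parseNdjson(text) {
  const objects = [];
  text.split(/\r?\n/).forEach((line, i) => {
    if (!line.trim()) return;
    let doc;
    try {
      doc = JSON.parse(line);
    } catch (err) {
      throw new Error(`invalid JSON on line ${i + 1}: ${err.message}`);
    }
    if (typeof doc.type === 'string' && typeof doc.id === 'string') objects.push(doc);
  });
  return objects;
}

// Hypothetical store keyed by "type:id".
class MemoryStore {
  constructor() { this.docs = new Map(); }
  has(type, id) { return this.docs.has(`${type}:${id}`); }
  get(type, id) { return this.docs.get(`${type}:${id}`); }
  create(obj) { this.docs.set(`${obj.type}:${obj.id}`, JSON.parse(JSON.stringify(obj))); }
  remove(type, id) { return this.docs.delete(`${type}:${id}`); }
}

// Create what is missing, never overwrite what already exists.
function ensureSavedObjects(store, ndjsonText) {
  const result = { created: [], skipped: [] };
  for (const obj of parseNdjson(ndjsonText)) {
    const ref = `${obj.type}:${obj.id}`;
    if (store.has(obj.type, obj.id)) {
      result.skipped.push(ref); // existing object kept, so user customizations survive
    } else {
      store.create(obj);
      result.created.push(ref); // after the first start, this means the object had been deleted
    }
  }
  return result;
}
```

Because deletion cannot be blocked through RBAC, a non-empty `created` list on any run after the first start is the point at which a deployment could log or alert that a dashboard was removed and restored.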



Status: Done
