opensearch-project · hyanggeun · Feb 3, 2026 · Feb 3, 2026
@@ -79,7 +79,7 @@ public boolean ruleTopicIndexTemplateExists() {
 
     private void getAllRuleIndices(ActionListener<List<String>> listener) {
 
-        logTypeService.getAllLogTypes(ActionListener.wrap(logTypes -> {
+        logTypeService.getAllLogTypesMetadata(ActionListener.wrap(logTypes -> {
             listener.onResponse(
                     logTypes
                         .stream()

@@ -0,0 +1,107 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package org.opensearch.securityanalytics;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ExecutionException;
+
+import org.junit.Before;
+import org.opensearch.action.support.PlainActionFuture;
+import org.opensearch.common.settings.Setting;
+import org.opensearch.plugins.Plugin;
+import org.opensearch.securityanalytics.logtype.BuiltinLogTypeLoader;
+import org.opensearch.securityanalytics.logtype.LogTypeService;
+import org.opensearch.securityanalytics.model.CustomLogType;
+import org.opensearch.securityanalytics.model.LogType;
+import org.opensearch.securityanalytics.settings.SecurityAnalyticsSettings;
+import org.opensearch.test.OpenSearchIntegTestCase;
+import org.opensearch.test.transport.MockTransportService;
+
+public class LogTypeServiceMetadataTests extends OpenSearchIntegTestCase {
+
+    private LogTypeService logTypeService;
+
+    @Override
+    protected Collection<Class<? extends Plugin>> nodePlugins() {
+        return Arrays.asList(TestPlugin.class, MockTransportService.TestPlugin.class);
+    }
+
+    @Before
+    public void setup() {
+        if (logTypeService == null) {
+            BuiltinLogTypeLoader builtinLogTypeLoader = new TestBuiltinLogTypeLoader();
+            logTypeService = new LogTypeService(client(), clusterService(), xContentRegistry(), builtinLogTypeLoader);
+        }
+    }
+
+    public void testGetAllLogTypesMetadataIncludesLogTypesWithAndWithoutMappings()
+            throws ExecutionException, InterruptedException {
+        ensureGreen();
+
+        PlainActionFuture<List<String>> future = new PlainActionFuture<>();
+        logTypeService.getAllLogTypesMetadata(future);
+        List<String> logTypes = future.get();
+
+        assertTrue(logTypes.contains("apache_access"));
+        assertTrue(logTypes.contains("linux"));
+    }
+
+    public void testGetAllLogTypesExcludesLogTypesWithoutMappings()
+            throws ExecutionException, InterruptedException {
+        ensureGreen();
+
+        PlainActionFuture<List<String>> future = new PlainActionFuture<>();
+        logTypeService.getAllLogTypes(future);
+        List<String> logTypes = future.get();
+
+        assertFalse(logTypes.contains("apache_access"));
+        assertTrue(logTypes.contains("linux"));
+    }
+
+    public static class TestPlugin extends Plugin {
+        @Override
+        public List<Setting<?>> getSettings() {
+            return Arrays.asList(SecurityAnalyticsSettings.DEFAULT_MAPPING_SCHEMA);
+        }
+    }
+
+    private static class TestBuiltinLogTypeLoader extends BuiltinLogTypeLoader {
+        private static final String APACHE_ACCESS = "apache_access";
+        private static final String LINUX = "linux";
+
+        @Override
+        public List<LogType> getAllLogTypes() {
+            LogType apacheAccess = new LogType(
+                    null,
+                    APACHE_ACCESS,
+                    "Apache access logs",
+                    true,
+                    List.of(),
+                    List.of()
+            );
+            LogType linux = new LogType(
+                    null,
+                    LINUX,
+                    "Linux logs",
+                    true,
+                    List.of(new LogType.Mapping("raw_field", "ecs_field", "ocsf_field", "ocsf11_field")),
+                    List.of()
+            );
+            return List.of(apacheAccess, linux);
+        }
+
+        @Override
+        protected List<CustomLogType> loadBuiltinLogTypesMetadata() {
+            return List.of(
+                    new CustomLogType(null, null, APACHE_ACCESS, "Apache access logs", "Other", "Sigma", Map.of()),
+                    new CustomLogType(null, null, LINUX, "Linux logs", "Other", "Sigma", Map.of())
+            );
+        }
+    }
+}
+
@@ -0,0 +1,64 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package org.opensearch.securityanalytics.util;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.concurrent.ExecutionException;
+
+import org.mockito.ArgumentCaptor;
+import org.opensearch.action.support.PlainActionFuture;
+import org.opensearch.action.support.clustermanager.AcknowledgedResponse;
+import org.opensearch.action.admin.indices.template.put.PutComposableIndexTemplateAction;
+import org.opensearch.cluster.metadata.ComposableIndexTemplate;
+import org.opensearch.cluster.service.ClusterService;
+import org.opensearch.core.action.ActionListener;
+import org.opensearch.securityanalytics.config.monitors.DetectorMonitorConfig;
+import org.opensearch.securityanalytics.logtype.LogTypeService;
+import org.opensearch.test.OpenSearchTestCase;
+import org.opensearch.transport.client.Client;
+
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.doAnswer;
+import static org.mockito.Mockito.mock;
+
+public class RuleTopicIndicesTests extends OpenSearchTestCase {
+
+    public void testInitRuleTopicIndexTemplateUsesLogTypeMetadata()
+            throws ExecutionException, InterruptedException, IOException {
+        Client client = mock(Client.class);
+        ClusterService clusterService = mock(ClusterService.class);
+        LogTypeService logTypeService = mock(LogTypeService.class);
+        RuleTopicIndices ruleTopicIndices = new RuleTopicIndices(client, clusterService, logTypeService);
+
+        List<String> logTypes = List.of("apache_access", "windows");
+        doAnswer(invocation -> {
+            ActionListener<List<String>> listener = invocation.getArgument(0);
+            listener.onResponse(logTypes);
+            return null;
+        }).when(logTypeService).getAllLogTypesMetadata(any());
+
+        ArgumentCaptor<PutComposableIndexTemplateAction.Request> requestCaptor =
+                ArgumentCaptor.forClass(PutComposableIndexTemplateAction.Request.class);
+        doAnswer(invocation -> {
+            ActionListener<AcknowledgedResponse> listener = invocation.getArgument(2);
+            listener.onResponse(new AcknowledgedResponse(true));
+            return null;
+        }).when(client).execute(eq(PutComposableIndexTemplateAction.INSTANCE), requestCaptor.capture(), any());
+
+        PlainActionFuture<AcknowledgedResponse> future = new PlainActionFuture<>();
+        ruleTopicIndices.initRuleTopicIndexTemplate(future);
+        future.get();
+
+        ComposableIndexTemplate template = requestCaptor.getValue().indexTemplate();
+        List<String> indexPatterns = template.indexPatterns();
+
+        assertEquals(2, indexPatterns.size());
+        assertTrue(indexPatterns.contains(DetectorMonitorConfig.getRuleIndex("apache_access") + "*"));
+        assertTrue(indexPatterns.contains(DetectorMonitorConfig.getRuleIndex("windows") + "*"));
+    }
+}
+