Some corrections
AlexRuiz7 committed Nov 12, 2024
1 parent 6d73c3a commit 3f9b1b8
Showing 14 changed files with 243 additions and 268 deletions.
33 changes: 14 additions & 19 deletions ecs/docs/inventory-hardware.md
@@ -6,19 +6,19 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuec

Based on ECS:

- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).
- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html).
- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).
- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html).

| | Field name | Data type | Description | Example |
| --- | --------------------------- | --------- | ------------------------------------ | ------------------------ |
| | @timestamp | date | Date/time when the event originated. | 2016-05-23T08:05:34.853Z |
| | observer.serial_number | keyword | Observer serial number. | |
| * | host.cpu.name | keyword | Name of the CPU | |
| * | host.cpu.cores | long | Number of CPU cores | |
| * | host.cpu.speed | long | Speed of the CPU in MHz | |
| * | host.memory.total | long | Total RAM in the system | |
| * | host.memory.free | long | Free RAM in the system | |
| * | host.memory.used.percentage | long | RAM usage as a percentage | |
| | Field name | Data type | Description | Example |
| --- | ----------------------------- | --------- | ------------------------------------ | -------------------------- |
| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` |
| | `observer.serial_number` | keyword | Observer serial number. | |
| \* | `host.cpu.name` | keyword | Name of the CPU | |
| \* | `host.cpu.cores` | long | Number of CPU cores | |
| \* | `host.cpu.speed` | long | Speed of the CPU in MHz | |
| \* | `host.memory.total` | long | Total RAM in the system | |
| \* | `host.memory.free` | long | Free RAM in the system | |
| \* | `host.memory.used.percentage` | long | RAM usage as a percentage | |

\* Custom fields

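Review bot: `host.memory.used.percentage` is typed `long`, so any fractional percentage the producer reports would be truncated at index time; if the agent can emit values like `37.5`, this should be `float` (or `scaled_float`), and if it deliberately emits whole numbers the description should say so. Also the descriptions in this table are still inconsistent in punctuation (`Date/time when the event originated.` vs `Name of the CPU`); the networks table in this same commit adds the trailing period to every row, so do the same here.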
@@ -59,18 +59,14 @@ fields:
```json
{
"index_patterns": [
"wazuh-states-inventory-hardware*"
],
"index_patterns": ["wazuh-states-inventory-hardware*"],
"priority": 1,
"template": {
"settings": {
"index": {
"number_of_replicas": "0",
"number_of_shards": "1",
"query.default_field": [
"observer.board_serial"
],
"query.default_field": ["observer.board_serial"],
"refresh_interval": "5s"
}
},
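Review bot: `query.default_field` points at `observer.board_serial`, but the field table for this index documents `observer.serial_number` and no `board_serial` field at all; one of the two is wrong, and if the mapping only defines `serial_number`, unqualified queries against this index will match nothing. Align the setting with the documented field (or add the missing row to the table).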
@@ -143,5 +139,4 @@ fields:
}
}
}

```
19 changes: 7 additions & 12 deletions ecs/docs/inventory-hotfixes.md
@@ -6,12 +6,12 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuec

Based on ECS:

- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html).
- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html).

| | Field name | Data type | Description | Example |
| --- | ------------------- | --------- | --------------------- | ------------------------ |
| | @timestamp | date | Timestamp of the scan | 2016-05-23T08:05:34.853Z |
| * | package.hotfix.name | keyword | Name of the hotfix | |
| | Field name | Data type | Description | Example |
| --- | --------------------- | --------- | --------------------- | -------------------------- |
| | `@timestamp` | date | Timestamp of the scan | `2016-05-23T08:05:34.853Z` |
| \* | `package.hotfix.name` | keyword | Name of the hotfix | |

\* Custom fields

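Review bot: the `@timestamp` description here (`Timestamp of the scan`) differs from the one used for the same field in `inventory-hardware.md` (`Date/time when the event originated.`) and lacks the trailing period the other tables in this commit now use; these docs describe one shared field, so use one wording in all of them.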
@@ -40,18 +40,14 @@ fields:
```json
{
"index_patterns": [
"wazuh-states-inventory-hotfixes*"
],
"index_patterns": ["wazuh-states-inventory-hotfixes*"],
"priority": 1,
"template": {
"settings": {
"index": {
"number_of_replicas": "0",
"number_of_shards": "1",
"query.default_field": [
"package.hotfix.name"
],
"query.default_field": ["package.hotfix.name"],
"refresh_interval": "5s"
}
},
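Review bot: `"number_of_replicas": "0"` leaves the hotfix inventory index with a single copy of each shard, so losing one node makes that state data unavailable until the node returns; that is fine for a single-node example, but the settings block carries no such caveat. Either document that deployments should raise it or default to `1`. Minor: the numeric settings are quoted strings (`"0"`, `"1"`); OpenSearch accepts both, but bare numbers are the conventional form.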
@@ -91,5 +87,4 @@ fields:
}
}
}

```
64 changes: 30 additions & 34 deletions ecs/docs/inventory-networks.md
@@ -6,40 +6,39 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuec

Based on ECS:

- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html).
- [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html).
- [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html).
- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html).
- [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html).
- [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html).

| | Field name | Data type | Description | Example |
| --- | -------------------------------- | --------- | ----------------------------------------------------------------------------- | ------------------------------------ |
| | @timestamp | date | Date/time when the event originated | 2016-05-23T08:05:34.853Z |
| | device.id | keyword | The unique identifier of a device. | 00000000-54b3-e7c7-0000-000046bffd97 |
| | host.ip | ip | Host ip addresses | 192.168.0.100 |
| | host.mac | keyword | Host MAC addresses. | | |
| | host.network.egress.bytes | long | The number of bytes sent on all network interfaces | |
| | host.network.egress.packets | long | The number of packets sent on all network interfaces | |
| | host.network.ingress.bytes | long | The number of bytes received on all network interfaces | |
| | host.network.ingress.packets | long | The number of packets received on all network interfaces | |
| | network.protocol | keyword | Application protocol name | http |
| | network.type | keyword | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc | ipv4 |
| | observer.ingress.interface.alias | keyword | Interface alias | outside |
| | observer.ingress.interface.name | keyword | Interface name | eth0 |
| * | host.network.egress.drops | long | Number of dropped transmitted packets | |
| * | host.network.egress.errors | long | Number of transmission errors | |
| * | host.network.ingress.drops | long | Number of dropped received packets | |
| * | host.network.ingress.errors | long | Number of reception errors | |
| * | interface.mtu | long | Maximum transmission unit size | |
| * | interface.state | keyword | State of the network interface | |
| * | interface.type | keyword | Interface type (eg. "wireless" or "ethernet") | |
| * | network.broadcast | ip | Broadcast address | |
| * | network.dhcp | keyword | DHCP status (enabled, disabled, unknown, BOOTP) | |
| * | network.gateway | ip | Gateway address | |
| * | network.metric | long | Metric of the network protocol | |
| * | network.netmask | ip | Network mask | |
| | Field name | Data type | Description | Example |
| --- | ---------------------------------- | --------- | ------------------------------------------------------------------------------ | -------------------------------------- |
| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` |
| | `device.id` | keyword | The unique identifier of a device. | `00000000-54b3-e7c7-0000-000046bffd97` |
| | `host.ip` | ip | Host IP addresses. Note: this field should contain an array of values. | `["192.168.56.11", "10.54.27.1"]` |
| | `host.mac` | keyword | Host MAC addresses. | |
| | `host.network.egress.bytes` | long | The number of bytes sent on all network interfaces. | |
| | `host.network.egress.packets` | long | The number of packets sent on all network interfaces. | |
| | `host.network.ingress.bytes` | long | The number of bytes received on all network interfaces. | |
| | `host.network.ingress.packets` | long | The number of packets received on all network interfaces. | |
| | `network.protocol` | keyword | Application protocol name. | `http` |
| | `network.type` | keyword | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc. | `ipv4` |
| | `observer.ingress.interface.alias` | keyword | Interface alias. | `outside` |
| | `observer.ingress.interface.name` | keyword | Interface name. | `eth0` |
| \* | `host.network.egress.drops` | long | Number of dropped transmitted packets. | |
| \* | `host.network.egress.errors` | long | Number of transmission errors. | |
| \* | `host.network.ingress.drops` | long | Number of dropped received packets. | |
| \* | `host.network.ingress.errors` | long | Number of reception errors. | |
| \* | `interface.mtu` | long | Maximum transmission unit size. | |
| \* | `interface.state` | keyword | State of the network interface. | |
| \* | `interface.type` | keyword | Interface type (eg. "wireless" or "ethernet"). | |
| \* | `network.broadcast` | ip | Broadcast address. | |
| \* | `network.dhcp` | keyword | DHCP status (enabled, disabled, unknown, BOOTP). | |
| \* | `network.gateway` | ip | Gateway address. | |
| \* | `network.metric` | long | Metric of the network protocol. | |
| \* | `network.netmask` | ip | Network mask. | |

\* Custom fields


### ECS mapping

```yml
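Review bot: the `host.ip` row now states that the field should hold an array and gives an array example, but `host.mac`, which is in the same situation (one host, several interfaces), keeps a row with no such note and no example; apply the same wording there. Minor: `eg.` in the `interface.type` description should be `e.g.`, and the enumerated `network.dhcp` values mix case (`enabled`, `disabled`, `unknown`, `BOOTP`); since `keyword` matching is case-sensitive, state the exact strings the producer emits so queries and detections are written against the right values.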
@@ -104,9 +103,7 @@ fields:
```json
{
"index_patterns": [
"wazuh-states-inventory-networks*"
],
"index_patterns": ["wazuh-states-inventory-networks*"],
"priority": 1,
"template": {
"settings": {
@@ -269,5 +266,4 @@ fields:
}
}
}

```
58 changes: 29 additions & 29 deletions ecs/docs/inventory-packages.md
@@ -6,34 +6,34 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuec

Based on ECS:

- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html).
- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html).

| | Field name | Data type | Description | Example |
| --- | ---------------------- | --------- | ------------------------------------ | ------- |
| | `@timestamp` | date | Timestamp of the scan | |
| | `@timestamp` | date | Timestamp of the scan. | |
| | `agent.id` | keyword | Unique identifier of this agent | |
| | `package.architecture` | keyword | Package architecture. | |
| | `package.description` | keyword | Description of the package. | |
| | `package.installed` | date | Time when package was installed. | |
| | `package.name` | keyword | Package name. | |
| | `package.path` | keyword | Path where the package is installed. | |
| | `package.size` | long | Package size in bytes. | |
| | `package.type` | keyword | Package type | |
| | `package.version` | keyword | Package version | |
| * | `agent.groups` | keyword | Agent's groups | |
| | `package.type` | keyword | Package type. | |
| | `package.version` | keyword | Package version. | |
| \* | `agent.groups` | keyword | List of groups the agent belong to. | |

\* Custom field

<details><summary>Fields not included in ECS</summary>
<p>

| | Field name | ECS field name | Data type | Description |
| --- | ---------- | ----------------- | --------- | -------------------------------------------------------------------------------- |
| ? | priority | | | Priority of the program |
| ? | section | | | Section of the program category the package belongs to in DEB package managers |
| X | vendor | package.reference | keyword | Home page or reference URL of the software in this package, if available. |
| ? | multiarch | | | Multi-architecture compatibility |
| X | source | | | Source of the program - package manager |
| | Field name | ECS field name | Data type | Description |
| --- | ---------- | ----------------- | --------- | ------------------------------------------------------------------------------ |
| ? | priority | | | Priority of the program |
| ? | section | | | Section of the program category the package belongs to in DEB package managers |
| X | vendor | package.reference | keyword | Home page or reference URL of the software in this package, if available. |
| ? | multiarch | | | Multi-architecture compatibility |
| X | source | | | Source of the program - package manager |

</p>
</details>
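Review bot: `List of groups the agent belong to.` should read `belongs to`, and `Unique identifier of this agent` is the one row in this table left without the trailing period added to the others. The footnote reads `\* Custom field` (singular) while the other three docs in this commit say `\* Custom fields`; pick one. The `<details>` table uses `?` and `X` in its first column without saying what they mean; a one-line key above the table would make it self-explanatory.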
@@ -44,23 +44,23 @@ Based on ECS:
---
name: wazuh-states-inventory-packages
fields:
base:
fields:
"@timestamp": {}
agent:
fields:
id: {}
groups: {}
package:
fields:
architecture: ""
description: ""
installed: {}
name: ""
path: ""
size: {}
type: ""
version: ""
base:
fields:
"@timestamp": {}
agent:
fields:
id: {}
groups: {}
package:
fields:
architecture: ""
description: ""
installed: {}
name: ""
path: ""
size: {}
type: ""
version: ""
```
### Index settings
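Review bot: the subset YAML mixes two value forms for leaf fields: `installed: {}`, `size: {}`, `id: {}` and `groups: {}` use an empty mapping, while `architecture: ""`, `name: ""` and the other package strings use an empty string. If the ECS generator treats both as "include this field unchanged", normalize to `{}` so the file reads consistently; if `""` means something different, a comment stating what would help the next reader. The hunk otherwise re-emits every line unchanged, so it reads as a re-indentation only.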

0 comments on commit 3f9b1b8