From 3f9b1b82a0083acb2ca0a4eb3576b704b97020ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81lex=20Ruiz?=
Date: Tue, 12 Nov 2024 17:33:06 +0100
Subject: [PATCH] Some corrections
---
 ecs/docs/inventory-hardware.md | 33 ++--
 ecs/docs/inventory-hotfixes.md | 19 +-
 ecs/docs/inventory-networks.md | 64 ++++----
 ecs/docs/inventory-packages.md | 58 +++----
 ecs/docs/inventory-ports.md | 42 +++--
 ecs/docs/inventory-processes.md | 147 +++++++++--------
 ecs/docs/inventory-system.md | 128 +++++++-------
 .../fields/custom/agent.yml | 2 +-
 .../fields/custom/agent.yml | 3 +-
 .../fields/custom/agent.yml | 3 +-
 .../fields/custom/agent.yml | 3 +-
 .../fields/custom/agent.yml | 3 +-
 .../fields/custom/agent.yml | 3 +-
 .../fields/custom/agent.yml | 3 +-
 14 files changed, 243 insertions(+), 268 deletions(-)
diff --git a/ecs/docs/inventory-hardware.md b/ecs/docs/inventory-hardware.md
index 438b60ae1feb7..75baa484b83d1 100644
--- a/ecs/docs/inventory-hardware.md
+++ b/ecs/docs/inventory-hardware.md
@@ -6,19 +6,19 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuec Based on ECS: -- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). -- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html). +- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). +- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html). -| | Field name | Data type | Description | Example | -| --- | --------------------------- | --------- | ------------------------------------ | ------------------------ | -| | @timestamp | date | Date/time when the event originated. | 2016-05-23T08:05:34.853Z | -| | observer.serial_number | keyword | Observer serial number. | | -| * | host.cpu.name | keyword | Name of the CPU | | -| * | host.cpu.cores | long | Number of CPU cores | | -| * | host.cpu.speed | long | Speed of the CPU in MHz | | -| * | host.memory.total | long | Total RAM in the system | | -| * | host.memory.free | long | Free RAM in the system | | -| * | host.memory.used.percentage | long | RAM usage as a percentage | | +| | Field name | Data type | Description | Example | +| --- | ----------------------------- | --------- | ------------------------------------ | -------------------------- | +| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | +| | `observer.serial_number` | keyword | Observer serial number. | | +| \* | `host.cpu.name` | keyword | Name of the CPU | | +| \* | `host.cpu.cores` | long | Number of CPU cores | | +| \* | `host.cpu.speed` | long | Speed of the CPU in MHz | | +| \* | `host.memory.total` | long | Total RAM in the system | | +| \* | `host.memory.free` | long | Free RAM in the system | | +| \* | `host.memory.used.percentage` | long | RAM usage as a percentage | | \* Custom fields 
@@ -59,18 +59,14 @@ fields: ```json { - "index_patterns": [ - "wazuh-states-inventory-hardware*" - ], + "index_patterns": ["wazuh-states-inventory-hardware*"], "priority": 1, "template": { "settings": { "index": { "number_of_replicas": "0", "number_of_shards": "1", - "query.default_field": [ - "observer.board_serial" - ], + "query.default_field": ["observer.board_serial"], "refresh_interval": "5s" } }, @@ -143,5 +139,4 @@ fields: } } } - ``` diff --git a/ecs/docs/inventory-hotfixes.md b/ecs/docs/inventory-hotfixes.md index 10b3f755c6df5..fadc5377da19c 100644 --- a/ecs/docs/inventory-hotfixes.md +++ b/ecs/docs/inventory-hotfixes.md @@ -6,12 +6,12 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuec Based on ECS: -- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html). +- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html). -| | Field name | Data type | Description | Example | -| --- | ------------------- | --------- | --------------------- | ------------------------ | -| | @timestamp | date | Timestamp of the scan | 2016-05-23T08:05:34.853Z | -| * | package.hotfix.name | keyword | Name of the hotfix | | +| | Field name | Data type | Description | Example | +| --- | --------------------- | --------- | --------------------- | -------------------------- | +| | `@timestamp` | date | Timestamp of the scan | `2016-05-23T08:05:34.853Z` | +| \* | `package.hotfix.name` | keyword | Name of the hotfix | | \* Custom fields @@ -40,18 +40,14 @@ fields: ```json { - "index_patterns": [ - "wazuh-states-inventory-hotfixes*" - ], + "index_patterns": ["wazuh-states-inventory-hotfixes*"], "priority": 1, "template": { "settings": { "index": { "number_of_replicas": "0", "number_of_shards": "1", - "query.default_field": [ - "package.hotfix.name" - ], + "query.default_field": ["package.hotfix.name"], "refresh_interval": "5s" } }, @@ -91,5 +87,4 @@ fields: } } } - ``` 
diff --git a/ecs/docs/inventory-networks.md b/ecs/docs/inventory-networks.md
index 7c24a6bcf56dc..6459cde110aac 100644
--- a/ecs/docs/inventory-networks.md
+++ b/ecs/docs/inventory-networks.md
@@ -6,40 +6,39 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuec Based on ECS: -- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html). -- [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html). -- [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html). +- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html). +- [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html). +- [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html). -| | Field name | Data type | Description | Example | -| --- | -------------------------------- | --------- | ----------------------------------------------------------------------------- | ------------------------------------ | -| | @timestamp | date | Date/time when the event originated | 2016-05-23T08:05:34.853Z | -| | device.id | keyword | The unique identifier of a device. | 00000000-54b3-e7c7-0000-000046bffd97 | -| | host.ip | ip | Host ip addresses | 192.168.0.100 | -| | host.mac | keyword | Host MAC addresses. | | | -| | host.network.egress.bytes | long | The number of bytes sent on all network interfaces | | -| | host.network.egress.packets | long | The number of packets sent on all network interfaces | | -| | host.network.ingress.bytes | long | The number of bytes received on all network interfaces | | -| | host.network.ingress.packets | long | The number of packets received on all network interfaces | | -| | network.protocol | keyword | Application protocol name | http | -| | network.type | keyword | In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc | ipv4 | -| | observer.ingress.interface.alias | keyword | Interface alias | outside | -| | observer.ingress.interface.name | keyword | Interface name | eth0 | -| * | host.network.egress.drops | long | Number of dropped transmitted packets | | -| * | host.network.egress.errors | long | Number of transmission errors | | -| * | host.network.ingress.drops | long | Number of dropped received packets | | -| * | host.network.ingress.errors | long | Number of reception errors | | -| * | interface.mtu | long | Maximum transmission unit size | | -| * | interface.state | keyword | State of the network interface | | -| * | interface.type | keyword | Interface type (eg. "wireless" or "ethernet") | | -| * | network.broadcast | ip | Broadcast address | | -| * | network.dhcp | keyword | DHCP status (enabled, disabled, unknown, BOOTP) | | -| * | network.gateway | ip | Gateway address | | -| * | network.metric | long | Metric of the network protocol | | -| * | network.netmask | ip | Network mask | | +| | Field name | Data type | Description | Example | +| --- | ---------------------------------- | --------- | ------------------------------------------------------------------------------ | -------------------------------------- | +| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | +| | `device.id` | keyword | The unique identifier of a device. | `00000000-54b3-e7c7-0000-000046bffd97` | +| | `host.ip` | ip | Host IP addresses. Note: this field should contain an array of values. | `["192.168.56.11", "10.54.27.1"]` | +| | `host.mac` | keyword | Host MAC addresses. | | +| | `host.network.egress.bytes` | long | The number of bytes sent on all network interfaces. | | +| | `host.network.egress.packets` | long | The number of packets sent on all network interfaces. | | +| | `host.network.ingress.bytes` | long | The number of bytes received on all network interfaces. 
| | +| | `host.network.ingress.packets` | long | The number of packets received on all network interfaces. | | +| | `network.protocol` | keyword | Application protocol name. | `http` | +| | `network.type` | keyword | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc. | `ipv4` | +| | `observer.ingress.interface.alias` | keyword | Interface alias. | `outside` | +| | `observer.ingress.interface.name` | keyword | Interface name. | `eth0` | +| \* | `host.network.egress.drops` | long | Number of dropped transmitted packets. | | +| \* | `host.network.egress.errors` | long | Number of transmission errors. | | +| \* | `host.network.ingress.drops` | long | Number of dropped received packets. | | +| \* | `host.network.ingress.errors` | long | Number of reception errors. | | +| \* | `interface.mtu` | long | Maximum transmission unit size. | | +| \* | `interface.state` | keyword | State of the network interface. | | +| \* | `interface.type` | keyword | Interface type (eg. "wireless" or "ethernet"). | | +| \* | `network.broadcast` | ip | Broadcast address. | | +| \* | `network.dhcp` | keyword | DHCP status (enabled, disabled, unknown, BOOTP). | | +| \* | `network.gateway` | ip | Gateway address. | | +| \* | `network.metric` | long | Metric of the network protocol. | | +| \* | `network.netmask` | ip | Network mask. | | \* Custom fields - ### ECS mapping ```yml @@ -104,9 +103,7 @@ fields: ```json { - "index_patterns": [ - "wazuh-states-inventory-networks*" - ], + "index_patterns": ["wazuh-states-inventory-networks*"], "priority": 1, "template": { "settings": { @@ -269,5 +266,4 @@ fields: } } } - ``` diff --git a/ecs/docs/inventory-packages.md b/ecs/docs/inventory-packages.md index ae912f706096f..8091da88b85fa 100644 --- a/ecs/docs/inventory-packages.md +++ b/ecs/docs/inventory-packages.md 
@@ -6,11 +6,11 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuec Based on ECS: -- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html). +- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html). | | Field name | Data type | Description | Example | | --- | ---------------------- | --------- | ------------------------------------ | ------- | -| | `@timestamp` | date | Timestamp of the scan | | +| | `@timestamp` | date | Timestamp of the scan. | | | | `agent.id` | keyword | Unique identifier of this agent | | | | `package.architecture` | keyword | Package architecture. | | | | `package.description` | keyword | Description of the package. | | @@ -18,22 +18,22 @@ Based on ECS: | | `package.name` | keyword | Package name. | | | | `package.path` | keyword | Path where the package is installed. | | | | `package.size` | long | Package size in bytes. | | -| | `package.type` | keyword | Package type | | -| | `package.version` | keyword | Package version | | -| * | `agent.groups` | keyword | Agent's groups | | +| | `package.type` | keyword | Package type. | | +| | `package.version` | keyword | Package version. | | +| \* | `agent.groups` | keyword | List of groups the agent belong to. | | \* Custom field
Fields not included in ECS

-| | Field name | ECS field name | Data type | Description | -| --- | ---------- | ----------------- | --------- | -------------------------------------------------------------------------------- | -| ? | priority | | | Priority of the program | -| ? | section | | | Section of the program category the package belongs to in DEB package managers | -| X | vendor | package.reference | keyword | Home page or reference URL of the software in this package, if available. | -| ? | multiarch | | | Multi-architecture compatibility | -| X | source | | | Source of the program - package manager | +| | Field name | ECS field name | Data type | Description | +| --- | ---------- | ----------------- | --------- | ------------------------------------------------------------------------------ | +| ? | priority | | | Priority of the program | +| ? | section | | | Section of the program category the package belongs to in DEB package managers | +| X | vendor | package.reference | keyword | Home page or reference URL of the software in this package, if available. | +| ? | multiarch | | | Multi-architecture compatibility | +| X | source | | | Source of the program - package manager |

@@ -44,23 +44,23 @@ Based on ECS:
 ---
 name: wazuh-states-inventory-packages
 fields:
- base:
- fields:
- "@timestamp": {}
- agent:
- fields:
- id: {}
- groups: {}
- package:
- fields:
- architecture: ""
- description: ""
- installed: {}
- name: ""
- path: ""
- size: {}
- type: ""
- version: ""
+ base:
+ fields:
+ "@timestamp": {}
+ agent:
+ fields:
+ id: {}
+ groups: {}
+ package:
+ fields:
+ architecture: ""
+ description: ""
+ installed: {}
+ name: ""
+ path: ""
+ size: {}
+ type: ""
+ version: ""
 ```
 ### Index settings
diff --git a/ecs/docs/inventory-ports.md b/ecs/docs/inventory-ports.md
index 12aa286ce5021..863d2a000ac41 100644
--- a/ecs/docs/inventory-ports.md
+++ b/ecs/docs/inventory-ports.md
@@ -6,29 +6,28 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuec Based on ECS: -- [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html). -- [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html). -- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). +- [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html). +- [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html). +- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). -| | Field name | Data type | Description | Example | -| --- | -------------------------- | --------- | --------------------------------------------- | ------------------------------------ | -| | @timestamp | date | Timestamp of the scan | 2016-05-23T08:05:34.853Z | -| | destination.ip | ip | IP address of the destination | 192.168.0.100 | -| | destination.port | long | Port of the destination | | -| | device.id | keyword | The unique identifier of a device | 00000000-54b3-e7c7-0000-000046bffd97 | -| | file.inode | keyword | Inode representing the file in the filesystem | 256383 | -| | network.protocol | keyword | Application protocol name | http | -| | process.name | keyword | Process name | ssh | -| | process.pid | long | Process ID | 4242 | -| | source.ip | ip | IP address of the source | | -| | source.port | long | Port of the source | | -| * | host.network.egress.queue | long | Transmit queue length | | -| * | host.network.ingress.queue | long | Receive queue length | | -| * | interface.state | keyword | State of the network interface | | +| | Field name | Data type | Description | Example | +| --- | ---------------------------- | --------- | ---------------------------------------------- | -------------------------------------- | +| | `@timestamp` | date | Timestamp of the scan. 
| `2016-05-23T08:05:34.853Z` | +| | `destination.ip` | ip | IP address of the destination. | `["192.168.0.100"]` | +| | `destination.port` | long | Port of the destination. | | +| | `device.id` | keyword | The unique identifier of a device. | `00000000-54b3-e7c7-0000-000046bffd97` | +| | `file.inode` | keyword | Inode representing the file in the filesystem. | `256383` | +| | `network.protocol` | keyword | Application protocol name. | `http` | +| | `process.name` | keyword | Process name. | `ssh` | +| | `process.pid` | long | Process ID. | `4242` | +| | `source.ip` | ip | IP address of the source. | `["192.168.0.100"]` | +| | `source.port` | long | Port of the source. | | +| \* | `host.network.egress.queue` | long | Transmit queue length. | | +| \* | `host.network.ingress.queue` | long | Receive queue length. | | +| \* | `interface.state` | keyword | State of the network interface. | | \* Custom fields - ### ECS mapping ```yml @@ -77,16 +76,13 @@ fields: interface: fields: state: {} - ``` ### Index settings ```json { - "index_patterns": [ - "wazuh-states-inventory-ports*" - ], + "index_patterns": ["wazuh-states-inventory-ports*"], "priority": 1, "template": { "settings": { diff --git a/ecs/docs/inventory-processes.md b/ecs/docs/inventory-processes.md index f0b00ee1123c3..087838f7f9c46 100644 --- a/ecs/docs/inventory-processes.md +++ b/ecs/docs/inventory-processes.md 
@@ -6,27 +6,27 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuec Based on ECS: -- [Process Fields](https://www.elastic.co/guide/en/ecs/current/ecs-process.html). +- [Process Fields](https://www.elastic.co/guide/en/ecs/current/ecs-process.html). -| | Field name | Data type | Description | Examples | Comments | -| --- | ------------------------ | --------- | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------ | ---------------------------------------------------------- | -| | `@timestamp` | date | Date/time when the event originated | 2016-05-23T08:05:34.853Z | | -| | `agent.id` | keyword | Unique identifier of this agent | 8a4f500d | | -| | `process.args` | keyword | Array of process arguments | ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] | | -| | `process.command_line` | wildcard | process.command_line | /usr/bin/ssh -l user 10.0.0.16 | | -| | `process.name` | keyword | Process name | ssh | | -| | `process.parent.pid` | long | Parent process ID | 4242 | | -| | `process.pid` | long | Process ID | 4242 | | -| | `process.real_group.id` | keyword | Unique identifier for the group on the system/platform | | | -| | `process.real_user.id` | keyword | Unique identifier of the user | S-1-5-21-202424912787-2692429404-2351956786-1000 | | -| | `process.saved_group.id` | keyword | Unique identifier for the group on the system/platform | | | -| | `process.saved_user.id` | keyword | Unique identifier of the user | S-1-5-21-202424912787-2692429404-2351956786-1000 | | -| | `process.start` | date | The time the process started | 2016-05-23T08:05:34.853Z | | -| | `process.user.id` | keyword | Unique identifier of the user | S-1-5-21-202424912787-2692429404-2351956786-1000 | | -| ! | `process.thread.id` | long | Thread ID | | `thread.group` is **not part of ECS;** but `thread.id` is. | -| ! 
| `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | | Needs clarification | -| * | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. | | | -| * | agent.groups | keyword | Agent's groups | | | +| | Field name | Data type | Description | Examples | Comments | +| --- | ------------------------ | --------- | ---------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------- | +| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | | +| | `agent.id` | keyword | Unique identifier of this agent. | `8a4f500d` | | +| | `process.args` | keyword | Array of process arguments. | `["/usr/bin/ssh", "-l", "user", "10.0.0.16"]` | | +| | `process.command_line` | wildcard | process.command_line. | `/usr/bin/ssh -l user 10.0.0.16` | | +| | `process.name` | keyword | Process name. | `ssh` | | +| | `process.parent.pid` | long | Parent process ID. | `4242` | | +| | `process.pid` | long | Process ID. | `4242` | | +| | `process.real_group.id` | keyword | Unique identifier for the group on the system/platform. | | | +| | `process.real_user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | | +| | `process.saved_group.id` | keyword | Unique identifier for the group on the system/platform. | | | +| | `process.saved_user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | | +| | `process.start` | date | The time the process started. | `2016-05-23T08:05:34.853Z` | | +| | `process.user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | | +| ! | `process.thread.id` | long | Thread ID. 
| | `thread.group` is **not part of ECS;** but `thread.id` is. | +| ! | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | | Needs clarification | +| \* | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. | | | +| \* | `agent.groups` | keyword | List of groups the agent belong to. | | | \* Custom field @@ -57,75 +57,74 @@ Based on ECS:

- ### ECS mapping ```yml --- name: wazuh-states-inventory-processes fields: - base: + base: + fields: + "@timestamp": {} + agent: + fields: + id: {} + groups: {} + process: + fields: + pid: {} + name: "" + parent: + fields: + pid: {} + command_line: "" + args: "" + user: + fields: + id: "" + real_user: + fields: + id: "" + saved_user: + fields: + id: "" + group: + fields: + id: "" + real_group: fields: - "@timestamp": {} - agent: + id: "" + saved_group: fields: - id: {} - groups: {} - process: + id: "" + start: {} + thread: fields: - pid: {} - name: "" - parent: - fields: - pid: {} - command_line: "" - args: "" - user: - fields: - id: "" - real_user: - fields: - id: "" - saved_user: - fields: - id: "" - group: - fields: - id: "" - real_group: - fields: - id: "" - saved_group: - fields: - id: "" - start: {} - thread: - fields: - id: "" - tty: {} + id: "" + tty: {} ``` ### Index settings ```json { - "index_patterns": ["wazuh-states-inventory-processes*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "process.name", - "process.pid", - "process.command_line" - ] - } - } + "index_patterns": ["wazuh-states-inventory-processes*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "process.name", + "process.pid", + "process.command_line" + ] + } } + } } ``` diff --git a/ecs/docs/inventory-system.md b/ecs/docs/inventory-system.md index 28109f2d99599..1dbc69ff1139e 100644 --- a/ecs/docs/inventory-system.md +++ b/ecs/docs/inventory-system.md 
@@ -6,22 +6,22 @@ The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuec Based on ECS: -- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). -- [Operating System Fields](https://www.elastic.co/guide/en/ecs/current/ecs-os.html). - -| | Field name | Data type | Description | Example | -| --- | ------------------- | --------- | ---------------------------------------------------------- | ------------------------ | -| | `@timestamp` | date | Date/time when the event originated. | 2016-05-23T08:05:34.853Z | -| | `agent.id` | keyword | Unique identifier of this agent. | 8a4f500d | -| | `host.architecture` | keyword | Operating system architecture. | x86_64 | -| | `host.hostname` | keyword | Hostname of the host. | | -| | `host.os.full` | keyword | Operating system name, including the version or code name. | Mac OS Mojave | -| | `host.os.kernel` | keyword | Operating system kernel version as a raw string. | 4.4.0-112-generic | -| | `host.os.name` | keyword | Operating system name, without the version. | Mac OS X | -| | `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). | darwin | -| | `host.os.type` | keyword | [linux, macos, unix, windows, ios, android] | macos | -| | `host.os.version` | keyword | Operating system version as a raw string. | 10.14.1 | -| * | `agent.groups` | keyword | Agent's groups | | +- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). +- [Operating System Fields](https://www.elastic.co/guide/en/ecs/current/ecs-os.html). + +| | Field name | Data type | Description | Example | +| --- | ------------------- | --------- | ---------------------------------------------------------- | -------------------------- | +| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | +| | `agent.id` | keyword | Unique identifier of this agent. | `8a4f500d` | +| | `host.architecture` | keyword | Operating system architecture. 
| `x86_64` | +| | `host.hostname` | keyword | Hostname of the host. | | +| | `host.os.full` | keyword | Operating system name, including the version or code name. | `Mac OS Mojave` | +| | `host.os.kernel` | keyword | Operating system kernel version as a raw string. | `4.4.0-112-generic` | +| | `host.os.name` | keyword | Operating system name, without the version. | `Mac OS X` | +| | `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). | `darwin` | +| | `host.os.type` | keyword | [linux, macos, unix, windows, ios, android] | `macos` | +| | `host.os.version` | keyword | Operating system version as a raw string. | `10.14.1` | +| \* | `agent.groups` | keyword | List of groups the agent belong to. | | \* Custom field @@ -30,22 +30,22 @@ Based on ECS: Removed fields: -- os_display_version -- os_major (can be extracted from os_version) -- os_minor (can be extracted from os_version) -- os_patch (can be extracted from os_version) -- os_release -- reference -- release -- scan_id -- sysname -- version -- checksum +- os_display_version +- os_major (can be extracted from os_version) +- os_minor (can be extracted from os_version) +- os_patch (can be extracted from os_version) +- os_release +- reference +- release +- scan_id +- sysname +- version +- checksum Available fields: -- `os.family` -- `hots.name` +- `os.family` +- `hots.name`

@@ -56,48 +56,48 @@ Available fields: --- name: wazuh-states-inventory-system fields: - base: + base: + fields: + "@timestamp": {} + agent: + fields: + id: {} + groups: {} + host: + fields: + architecture: {} + hostname: {} + name: {} + os: fields: - "@timestamp": {} - agent: - fields: - id: {} - groups: {} - host: - fields: - architecture: {} - hostname: {} - name: {} - os: - fields: - kernel: {} - full: {} - platform: {} - version: {} - type: {} + kernel: {} + full: {} + platform: {} + version: {} + type: {} ``` ### Index settings ```json { - "index_patterns": ["wazuh-states-inventory-system*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "host.name", - "host.os.type", - "host.os.version" - ] - } - } + "index_patterns": ["wazuh-states-inventory-system*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "host.name", + "host.os.type", + "host.os.version" + ] + } } + } } ``` diff --git a/ecs/states-inventory-hardware/fields/custom/agent.yml b/ecs/states-inventory-hardware/fields/custom/agent.yml index 7f23b6a463e49..d1a6751bcc934 100644 --- a/ecs/states-inventory-hardware/fields/custom/agent.yml +++ b/ecs/states-inventory-hardware/fields/custom/agent.yml @@ -8,4 +8,4 @@ type: keyword level: custom description: > - The groups the agent belongs to. + List of groups the agent belong to. diff --git a/ecs/states-inventory-hotfixes/fields/custom/agent.yml b/ecs/states-inventory-hotfixes/fields/custom/agent.yml index 3482123af637a..d1a6751bcc934 100644 --- a/ecs/states-inventory-hotfixes/fields/custom/agent.yml +++ b/ecs/states-inventory-hotfixes/fields/custom/agent.yml 
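Review bot: The new description `List of groups the agent belong to.` now documents `agent.groups` as a multi-valued field, but the definition in `states-inventory-hardware/fields/custom/agent.yml` still declares a bare `type: keyword` with nothing marking it as an array; in upstream ECS field definitions (for example `host.ip`, which this same commit's networks doc describes as "an array of values") a multi-valued field carries `normalize:` with `- array`, which is what the generated docs and mappings key off. I would fix the grammar to `List of groups the agent belongs to.` and, if the generator used in this repo honours it, add `normalize:` / `- array` under the field so the array intent is declared in the schema rather than only in prose. The `>` folded scalar also keeps a trailing newline in the description; `description: >-` avoids that, though I cannot see from here whether the generator strips it anyway. The same replacement line is added to the six sibling `agent.yml` files in this commit, so whatever is decided here should be applied to all of them.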
@@ -3,10 +3,9 @@
 title: Wazuh Agents
 short: Wazuh Inc. custom fields.
 type: group
- group: 2
 fields:
 - name: groups
 type: keyword
 level: custom
 description: >
- The groups the agent belongs to.
+ List of groups the agent belong to.
diff --git a/ecs/states-inventory-networks/fields/custom/agent.yml b/ecs/states-inventory-networks/fields/custom/agent.yml
index 3482123af637a..d1a6751bcc934 100644
--- a/ecs/states-inventory-networks/fields/custom/agent.yml
+++ b/ecs/states-inventory-networks/fields/custom/agent.yml
@@ -3,10 +3,9 @@
 title: Wazuh Agents
 short: Wazuh Inc. custom fields.
 type: group
- group: 2
 fields:
 - name: groups
 type: keyword
 level: custom
 description: >
- The groups the agent belongs to.
+ List of groups the agent belong to.
diff --git a/ecs/states-inventory-packages/fields/custom/agent.yml b/ecs/states-inventory-packages/fields/custom/agent.yml
index 3482123af637a..d1a6751bcc934 100644
--- a/ecs/states-inventory-packages/fields/custom/agent.yml
+++ b/ecs/states-inventory-packages/fields/custom/agent.yml
@@ -3,10 +3,9 @@
 title: Wazuh Agents
 short: Wazuh Inc. custom fields.
 type: group
- group: 2
 fields:
 - name: groups
 type: keyword
 level: custom
 description: >
- The groups the agent belongs to.
+ List of groups the agent belong to.
diff --git a/ecs/states-inventory-ports/fields/custom/agent.yml b/ecs/states-inventory-ports/fields/custom/agent.yml
index 3482123af637a..d1a6751bcc934 100644
--- a/ecs/states-inventory-ports/fields/custom/agent.yml
+++ b/ecs/states-inventory-ports/fields/custom/agent.yml
@@ -3,10 +3,9 @@
 title: Wazuh Agents
 short: Wazuh Inc. custom fields.
 type: group
- group: 2
 fields:
 - name: groups
 type: keyword
 level: custom
 description: >
- The groups the agent belongs to.
+ List of groups the agent belong to.
diff --git a/ecs/states-inventory-processes/fields/custom/agent.yml b/ecs/states-inventory-processes/fields/custom/agent.yml
index 3482123af637a..d1a6751bcc934 100644
--- a/ecs/states-inventory-processes/fields/custom/agent.yml
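Review bot: After this hunk the `agent.groups` custom field exists as seven byte-identical copies (every `index` line in this commit now ends at blob `d1a6751bcc934`), and the same `index` lines show they had already drifted before the change (`7f23b6a463e49` for the hardware copy versus `3482123af637a` for the others), which is how the hardware one came to lack the `group: 2` line the other six are removing here. Rather than hand-editing seven files per wording change, either point each `states-inventory-*` generator run at one shared `custom/agent.yml`, or add a check in the build that the copies are identical so a partial edit fails loudly. If the ECS tooling cannot share field files across schema directories, the minimal fix is a header comment in each copy, e.g. `# Keep in sync with the agent.yml under every ecs/states-inventory-*/fields/custom/ directory.`, so the next editor knows to touch all of them.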
+++ b/ecs/states-inventory-processes/fields/custom/agent.yml
@@ -3,10 +3,9 @@
 title: Wazuh Agents
 short: Wazuh Inc. custom fields.
 type: group
- group: 2
 fields:
 - name: groups
 type: keyword
 level: custom
 description: >
- The groups the agent belongs to.
+ List of groups the agent belong to.
diff --git a/ecs/states-inventory-system/fields/custom/agent.yml b/ecs/states-inventory-system/fields/custom/agent.yml
index 3482123af637a..d1a6751bcc934 100644
--- a/ecs/states-inventory-system/fields/custom/agent.yml
+++ b/ecs/states-inventory-system/fields/custom/agent.yml
@@ -3,10 +3,9 @@
 title: Wazuh Agents
 short: Wazuh Inc. custom fields.
 type: group
- group: 2
 fields:
 - name: groups
 type: keyword
 level: custom
 description: >
- The groups the agent belongs to.
+ List of groups the agent belong to.