Remove host fields at root level from stateful indices definitions (#572

) * Remove host fields at root level from stateful indices definitions * Remove host field from event_generators event data * Update documentation * Add README for ECS docs
wazuh · Dec 2, 2024 · 6f5398d · 6f5398d
1 parent abba78d
commit 6f5398d
Show file tree

Hide file tree

Showing 28 changed files with 168 additions and 378 deletions.
diff --git a/ecs/docs/README.md b/ecs/docs/README.md
@@ -0,0 +1,22 @@
+# Wazuh Common Schema
+
+The Wazuh Common Schema is a derivation of the [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) (ECS) providing a common data schema for the different central components of Wazuh.
+
+- [agent](./agent.md)
+- [alerts](alerts.md)
+- [command](commands.md)
+- [states-fim](states-fim.md)
+- [states-inventory-hardware](states-inventory-hardware.md)
+- [states-inventory-hotfixes](states-inventory-hotfixes.md)
+- [states-inventory-networks](states-inventory-networks.md)
+- [states-inventory-packages](states-inventory-packages.md)
+- [states-inventory-ports](states-inventory-ports.md)
+- [states-inventory-processes](states-inventory-processes.md)
+- [states-inventory-system](states-inventory-system.md)
+- [states-vulnerabilities](states-vulnerabilities.md)
+
+---
+
+### Useful resources
+For more information and additional resources, please refer to the following links:
+- [ECS schemas repository](https://github.com/elastic/ecs/tree/main/schemas)
diff --git a/ecs/docs/inventory-hardware.md b/ecs/docs/inventory-hardware.md
@@ -34,25 +34,17 @@ fields:
       "@timestamp": {}
   agent:
     fields:
-      id: {}
       groups: {}
+      id: {}
+      name: {}
+      type: {}
+      version: {}
+      host:
+        fields: "*"
   observer:
     fields:
       serial_number: {}
-  host:
-    fields:
-      memory:
-        fields:
-          total: {}
-          free: {}
-          used:
-            fields:
-              percentage: {}
-      cpu:
-        fields:
-          name: {}
-          cores: {}
-          speed: {}
+
 ```
 
 ### Index settings
@@ -64,77 +56,12 @@ fields:
   "template": {
     "settings": {
       "index": {
-        "number_of_replicas": "0",
         "number_of_shards": "1",
-        "query.default_field": ["observer.board_serial"],
-        "refresh_interval": "5s"
-      }
-    },
-    "mappings": {
-      "date_detection": false,
-      "dynamic": "strict",
-      "properties": {
-        "@timestamp": {
-          "type": "date"
-        },
-        "agent": {
-          "properties": {
-            "groups": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        },
-        "host": {
-          "properties": {
-            "cpu": {
-              "properties": {
-                "cores": {
-                  "type": "long"
-                },
-                "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "speed": {
-                  "type": "long"
-                }
-              },
-              "type": "object"
-            },
-            "memory": {
-              "properties": {
-                "free": {
-                  "type": "long"
-                },
-                "total": {
-                  "type": "long"
-                },
-                "used": {
-                  "properties": {
-                    "percentage": {
-                      "type": "long"
-                    }
-                  },
-                  "type": "object"
-                }
-              },
-              "type": "object"
-            }
-          }
-        },
-        "observer": {
-          "properties": {
-            "serial_number": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        }
+        "number_of_replicas": "0",
+        "refresh_interval": "5s",
+        "query.default_field": [
+          "observer.board_serial"
+        ]
       }
     }
   }

diff --git a/ecs/docs/inventory-hotfixes.md b/ecs/docs/inventory-hotfixes.md
@@ -27,13 +27,19 @@ fields:
       "@timestamp": {}
   agent:
     fields:
-      id: {}
       groups: {}
+      id: {}
+      name: {}
+      type: {}
+      version: {}
+      host:
+        fields: "*"
   package:
     fields:
       hotfix:
         fields:
           name: {}
+
 ```
 
 ### Index settings
@@ -45,44 +51,12 @@ fields:
   "template": {
     "settings": {
       "index": {
-        "number_of_replicas": "0",
         "number_of_shards": "1",
-        "query.default_field": ["package.hotfix.name"],
-        "refresh_interval": "5s"
-      }
-    },
-    "mappings": {
-      "date_detection": false,
-      "dynamic": "strict",
-      "properties": {
-        "@timestamp": {
-          "type": "date"
-        },
-        "agent": {
-          "properties": {
-            "groups": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        },
-        "package": {
-          "properties": {
-            "hotfix": {
-              "properties": {
-                "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              },
-              "type": "object"
-            }
-          }
-        }
+        "number_of_replicas": "0",
+        "refresh_interval": "5s",
+        "query.default_field": [
+          "package.hotfix.name"
+        ]
       }
     }
   }