
Commit

Clean documentation of Wazuh 5 indices
AlexRuiz7 committed Nov 18, 2024
1 parent 46accca commit f6aa26a
Showing 9 changed files with 355 additions and 427 deletions.
6 changes: 3 additions & 3 deletions ecs/agent/fields/custom/agent.yml
Expand Up @@ -9,17 +9,17 @@
type: keyword
level: custom
description: >
The groups the agent belongs to.
List of groups the agent belong to.
- name: key
type: keyword
level: custom
description: >
The agent's registration key.
The registration key of the agent.
- name: last_login
type: date
level: custom
description: >
The agent's last login.
The last time the agent logged in.
- name: is_connected
type: boolean
level: custom
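Review bot: the rewritten `groups` description introduces a subject-verb agreement error: "List of groups the agent belong to." should read "List of groups the agent belongs to." (the wording being removed, "The groups the agent belongs to.", was correct on this point). The same string is copied into ecs/command/fields/custom/agent.yml in this commit, so both copies need the fix to keep the generated docs consistent.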
2 changes: 1 addition & 1 deletion ecs/command/fields/custom/agent.yml
Expand Up @@ -9,4 +9,4 @@
type: keyword
level: custom
description: >
The groups the agent belongs to.
List of groups the agent belong to.
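Review bot: same agreement slip as in ecs/agent/fields/custom/agent.yml: "the agent belong to" should be "the agent belongs to". Since this file duplicates the agent field definition for the command index, consider sourcing the description from one place (or at least diffing the two files) so the two copies cannot drift again.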
69 changes: 34 additions & 35 deletions ecs/docs/agents.md
Expand Up @@ -6,20 +6,20 @@ The fields are based on https://github.com/wazuh/wazuh/issues/23396#issuecomment

Based on ECS [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html).

| Field | ECS field | Type | Description |
| ----------------- | ---------------------- | ------- | ---------------------------------------------------------------------- |
| uuid | `agent.id` | keyword | Agent's ID |
| name | `agent.name` | keyword | Agent's name |
| groups | \*`agent.groups` | keyword | Agent's groups |
| internal_key | \*`agent.key` | keyword | Agent's registration key |
| type | `agent.type` | keyword | Type of agent |
| version | `agent.version` | keyword | Agent's version |
| connection_status | \*`agent.is_connected` | boolean | Agents' interpreted connection status depending on `agent.last_login` |
| last_keepalive | \*`agent.last_login` | date | Agent's last login |
| ip | `host.ip` | ip | Host IP addresses. Note: this field should contain an array of values. |
| os\_\* | `host.os.full` | keyword | Operating system name, including the version or code name. |
| | Field | Type | Description | Example |
| --- | -------------------- | ------- | ---------------------------------------------------------------------- | ---------------------------------- |
| | `agent.id` | keyword | Unique identifier of this agent. | `8a4f500d` |
| | `agent.name` | keyword | Custom name of the agent. | `foo` |
| \* | `agent.groups` | keyword | List of groups the agent belong to. | `["group1", "group2"]` |
| \* | `agent.key` | keyword | The registration key of the agent. | `BfDbq0PpcLl9iWatJjY1shGvuQ4KXyOR` |
| | `agent.type` | keyword | Type of agent. | `endpoint` |
| | `agent.version` | keyword | Version of the agent. | `6.0.0-rc2` |
| \* | `agent.is_connected` | boolean | Agents' interpreted connection status depending on `agent.last_login`. | |
| \* | `agent.last_login` | date | The last time the agent logged in. | `11/11/2024 00:00:00` |
| | `host.ip` | ip | Host IP addresses. Note: this field should contain an array of values. | `["192.168.56.11", "10.54.27.1"]` |
| | `host.os.full` | keyword | Operating system name, including the version or code name. | `Mac OS Mojave` |

\* Custom field
\* Custom field.

### ECS mapping

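Review bot: a few rows of the new table need attention. The `agent.last_login` example `11/11/2024 00:00:00` is ambiguous (day/month order) and is not in the `strict_date_optional_time` (ISO 8601) format that a `date` field accepts by default, so a reader who pastes it into a document will get a mapping error; use `2024-11-11T00:00:00Z`. The `agent.key` example `BfDbq0PpcLl9iWatJjY1shGvuQ4KXyOR` is a 32-character string that looks like a real registration key; documentation examples for secret fields should be obviously fake (e.g. `<registration_key>`) so nobody copies a real-looking credential into tests or tickets. The `agent.is_connected` row has an empty example cell (`true` / `false` would do), "Agents' interpreted connection status" should be "Agent's interpreted connection status", and the `agent.groups` description repeats the "the agent belong to" grammar error from the YAML files. Finally, the unnamed first column holding the `\*` marker would be clearer with a header such as `Custom`, matching the footnote below the table.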
Expand Down Expand Up @@ -77,34 +77,33 @@ fields:
level: custom
description: >
Agents' interpreted connection status depending on `agent.last_login`.
```
### Index settings
```json
{
"index_patterns": [".agents*"],
"priority": 1,
"template": {
"settings": {
"index": {
"hidden": true,
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "5s",
"query.default_field": [
"agent.id",
"agent.groups",
"agent.name",
"agent.type",
"agent.version",
"agent.name",
"host.os.full",
"host.ip"
]
}
}
"index_patterns": [".agents*"],
"priority": 1,
"template": {
"settings": {
"index": {
"hidden": true,
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "5s",
"query.default_field": [
"agent.id",
"agent.groups",
"agent.name",
"agent.type",
"agent.version",
"agent.name",
"host.os.full",
"host.ip"
]
}
}
}
}
```
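Review bot: `"agent.name"` appears twice in `query.default_field` (both in the removed and in the added lines), so the reindentation kept a pre-existing duplicate; drop the second occurrence. On the positive side, `agent.key` is correctly absent from the default search fields, so a free-text query cannot match on registration keys; please keep it that way if the list is edited again.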
226 changes: 113 additions & 113 deletions ecs/docs/commands.md
Expand Up @@ -10,23 +10,23 @@

This index stores information about the commands executed by the agents. The index appears in 5.0.0 for the first time.

| ECS field | Type | Description |
| -------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| \*`agent.groups` | keyword | Agent's groups |
| \*`command.source` | keyword | Origin of the request. One of [`Users/Services` (via Management API), `Engine` (via Management API), `Content manager` (directly)]. |
| \*`command.user` | keyword | The user that originated the request. This user may represent a Management API or Indexer API user depending on the source. |
| \*`command.target.id` | keyword | Unique identifier of the destination to send the command to. |
| \*`command.target.type` | keyword | The destination type. One of [`group`, `agent`, `server`], |
| \*`command.action.name` | keyword | The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ... |
| \*`command.action.args` | keyword | Array of command arguments, starting with the absolute path to the executable. |
| \*`command.action.version` | keyword | Version of the command's schema. |
| \*`command.timeout` | short | Time window in which the command has to be sent to its target. |
| \*`command.status` | keyword | Status within the Command Manager's context. One of [`pending`, `sent`, `success`, `failure`]. |
| \*`command.result.code` | short | Status code returned by the target. |
| \*`command.result.message` | keyword | Result message returned by the target. |
| \*`command.result.data` | keyword | Result data returned by the target. |
| \*`command.request_id` | keyword | UUID generated by the Command Manager. |
| \*`command.order_id` | keyword | UUID generated by the Command Manager. |
| | Field | Type | Description |
| --- | ------------------------ | ------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| \* | `agent.groups` | keyword | List of groups the agent belong to. |
| \* | `command.source` | keyword | Origin of the request. One of [`Users/Services` (via Management API), `Engine` (via Management API), `Content manager` (directly)]. |
| \* | `command.user` | keyword | The user that originated the request. This user may represent a Management API or Indexer API user depending on the source. |
| \* | `command.target.id` | keyword | Unique identifier of the destination to send the command to. |
| \* | `command.target.type` | keyword | The destination type. One of [`group`, `agent`, `server`], |
| \* | `command.action.name` | keyword | The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ... |
| \* | `command.action.args` | keyword | Array of command arguments, starting with the absolute path to the executable. |
| \* | `command.action.version` | keyword | Version of the command's schema. |
| \* | `command.timeout` | short | Time window in which the command has to be sent to its target. |
| \* | `command.status` | keyword | Status within the Command Manager's context. One of [`pending`, `sent`, `success`, `failure`]. |
| \* | `command.result.code` | short | Status code returned by the target. |
| \* | `command.result.message` | keyword | Result message returned by the target. |
| \* | `command.result.data` | keyword | Result data returned by the target. |
| \* | `command.request_id` | keyword | UUID generated by the Command Manager. |
| \* | `command.order_id` | keyword | UUID generated by the Command Manager. |

\* Custom field.

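Review bot: the `command.target.type` description ends with a comma (`One of [`group`, `agent`, `server`],`) instead of a period, carried over from the old table; the `agent.groups` row repeats the "the agent belong to" grammar error; and `command.timeout` is typed `short` but its description ("Time window in which the command has to be sent to its target.") does not state the unit, so readers cannot tell seconds from milliseconds, which matters for a value capped at 32767. Since `command.action.args` is documented as starting with the absolute path to an executable that the target will run, it would also help to state in the `command.source` row which of the listed origins are authorised to create command documents; `"hidden": true` in the index template only hides the index from wildcard patterns and is not an access control.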
Expand All @@ -36,14 +36,14 @@ This index stores information about the commands executed by the agents. The ind
---
name: command
fields:
base:
fields:
tags: []
agent:
fields:
groups: {}
command:
fields: "*"
base:
fields:
tags: []
agent:
fields:
groups: {}
command:
fields: "*"
```
```yml
Expand All @@ -52,103 +52,103 @@ fields:
title: Wazuh commands
short: Wazuh Inc. custom fields.
description: >
This index stores information about the Wazuh's commands. These commands can be sent to agents or Wazuh servers.
This index stores information about the Wazuh's commands. These commands can be sent to agents or Wazuh servers.
type: group
group: 2
fields:
- name: source
type: keyword
level: custom
description: >
Origin of the request.
- name: user
type: keyword
level: custom
description: >
The user that originated the request.
- name: target.id
type: keyword
level: custom
description: >
Unique identifier of the destination to send the command to.
- name: target.type
type: keyword
level: custom
description: >
The destination type. One of [`group`, `agent`, `server`]
- name: action.name
type: keyword
level: custom
description: >
The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ...
- name: action.args
type: keyword
level: custom
description: >
Array of command arguments, starting with the absolute path to the executable.
- name: action.version
type: keyword
level: custom
description: >
Version of the command's schema.
- name: timeout
type: short
level: custom
description: >
Time window in which the command has to be sent to its target.
- name: status
type: keyword
level: custom
description: >
Status within the Command Manager's context. One of ['pending', 'sent', 'success', 'failure'].
- name: result.code
type: short
level: custom
description: >
Status code returned by the target.
- name: result.message
type: keyword
level: custom
description: >
Result message returned by the target.
- name: result.data
type: keyword
level: custom
description: >
Result data returned by the target.
- name: request_id
type: keyword
level: custom
description: >
UUID generated by the Command Manager.
- name: order_id
type: keyword
level: custom
description: >
UUID generated by the Command Manager.
- name: source
type: keyword
level: custom
description: >
Origin of the request.
- name: user
type: keyword
level: custom
description: >
The user that originated the request.
- name: target.id
type: keyword
level: custom
description: >
Unique identifier of the destination to send the command to.
- name: target.type
type: keyword
level: custom
description: >
The destination type. One of [`group`, `agent`, `server`]
- name: action.name
type: keyword
level: custom
description: >
The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ...
- name: action.args
type: keyword
level: custom
description: >
Array of command arguments, starting with the absolute path to the executable.
- name: action.version
type: keyword
level: custom
description: >
Version of the command's schema.
- name: timeout
type: short
level: custom
description: >
Time window in which the command has to be sent to its target.
- name: status
type: keyword
level: custom
description: >
Status within the Command Manager's context. One of ['pending', 'sent', 'success', 'failure'].
- name: result.code
type: short
level: custom
description: >
Status code returned by the target.
- name: result.message
type: keyword
level: custom
description: >
Result message returned by the target.
- name: result.data
type: keyword
level: custom
description: >
Result data returned by the target.
- name: request_id
type: keyword
level: custom
description: >
UUID generated by the Command Manager.
- name: order_id
type: keyword
level: custom
description: >
UUID generated by the Command Manager.
```
### Index settings
```json
{
"index_patterns": [".commands*"],
"priority": 1,
"template": {
"settings": {
"index": {
"hidden": true,
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "5s",
"query.default_field": [
"command.source",
"command.target.type",
"command.status",
"command.action.name"
]
}
}
"index_patterns": [".commands*"],
"priority": 1,
"template": {
"settings": {
"index": {
"hidden": true,
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "5s",
"query.default_field": [
"command.source",
"command.target.type",
"command.status",
"command.action.name"
]
}
}
}
}
```
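Review bot: in the group description, "information about the Wazuh's commands" should be "information about Wazuh's commands" (or "the Wazuh commands"). The `target.type` description lacks a trailing period, unlike the other entries, and the `status` description quotes its values with single quotes (`['pending', 'sent', ...]`) while the table earlier in this file uses backticks; pick one style. As in the docs table, `timeout` (type `short`) should state its unit in the description. The index-settings JSON below is consistent with the agents template and lists no sensitive field in `query.default_field`, so no changes there.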

0 comments on commit f6aa26a
