From ae2af10d9a625c27ce4a41a4f4d59f471422b149 Mon Sep 17 00:00:00 2001 From: Fede Tux Date: Wed, 11 Sep 2024 17:48:00 -0300 Subject: [PATCH] Adding template mappings and settings for states-inventory-system index --- .../event-generator/event_generator.py | 114 ++++++++++++++++++ .../fields/custom/wazuh-agent.yml | 12 ++ .../fields/mapping-settings.json | 4 + ecs/states-inventory-system/fields/subset.yml | 23 ++++ .../fields/template-settings-legacy.json | 19 +++ .../fields/template-settings.json | 20 +++ 6 files changed, 192 insertions(+) create mode 100644 ecs/states-inventory-system/event-generator/event_generator.py create mode 100644 ecs/states-inventory-system/fields/custom/wazuh-agent.yml create mode 100644 ecs/states-inventory-system/fields/mapping-settings.json create mode 100644 ecs/states-inventory-system/fields/subset.yml create mode 100644 ecs/states-inventory-system/fields/template-settings-legacy.json create mode 100644 ecs/states-inventory-system/fields/template-settings.json
diff --git a/ecs/states-inventory-system/event-generator/event_generator.py b/ecs/states-inventory-system/event-generator/event_generator.py
new file mode 100644
index 0000000000000..f676f0176d444
--- /dev/null
+++ b/ecs/states-inventory-system/event-generator/event_generator.py
@@ -0,0 +1,114 @@
+#!/bin/python3
+
+import datetime
+import random
+import json
+import requests
+import warnings
+import logging
+
+# Constants and Configuration
+LOG_FILE = 'generate_data.log'
+GENERATED_DATA_FILE = 'generatedData.json'
+DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
+
+# Configure logging
+logging.basicConfig(filename=LOG_FILE, level=logging.INFO)
+
+# Suppress warnings
+warnings.filterwarnings("ignore")
+
+
+def generate_random_date():
+ start_date = datetime.datetime.now()
+ end_date = start_date - datetime.timedelta(days=10)
+ random_date = start_date + (end_date - start_date) * random.random()
+ return random_date.strftime(DATE_FORMAT)
+
+
+def generate_random_agent():
+ agent = {
+ 'id': f'agent{random.randint(0, 99)}',
+ 'name': f'Agent{random.randint(0, 99)}',
+ 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']),
+ 'version': f'v{random.randint(0, 9)}-stable',
+ 'is_connected': random.choice([True, False]),
+ 'last_login': generate_random_date(),
+ 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'],
+ 'key': f'key{random.randint(0, 999)}'
+ }
+ return agent
+
+
+def generate_random_host():
+ family = random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL'])
+ version = f'{random.randint(0, 99)}.{random.randint(0, 99)}'
+ host = {
+ 'ip': f'{random.randint(1, 255)}.{random.randint(1, 255)}.{random.randint(1, 255)}.{random.randint(1, 255)}',
+ 'os': {
+ 'full': f'{family} {version}',
+ }
+ }
+ return host
+
+
+def generate_random_data(number):
+ data = []
+ for _ in range(number):
+ event_data = {
+ 'agent': generate_random_agent(),
+ 'host': generate_random_host(),
+ }
+ data.append(event_data)
+ return data
+
+
+def inject_events(ip, port, index, username, password, data):
+ url = f'https://{ip}:{port}/{index}/_doc'
+ session = requests.Session()
+ session.auth = (username, password)
+ session.verify = False
+ headers = {'Content-Type': 'application/json'}
+
+ try:
+ for event_data in data:
+ 
response = session.post(url, json=event_data, headers=headers)
+ if response.status_code != 201:
+ logging.error(f'Error: {response.status_code}')
+ logging.error(response.text)
+ break
+ logging.info('Data injection completed successfully.')
+ except Exception as e:
+ logging.error(f'Error: {str(e)}')
+
+
+def main():
+ try:
+ number = int(input("How many events do you want to generate? "))
+ except ValueError:
+ logging.error("Invalid input. Please enter a valid number.")
+ return
+
+ logging.info(f"Generating {number} events...")
+ data = generate_random_data(number)
+
+ with open(GENERATED_DATA_FILE, 'a') as outfile:
+ for event_data in data:
+ json.dump(event_data, outfile)
+ outfile.write('\n')
+
+ logging.info('Data generation completed.')
+
+ inject = input(
+ "Do you want to inject the generated data into your indexer? (y/n) ").strip().lower()
+ if inject == 'y':
+ ip = input("Enter the IP of your Indexer: ")
+ port = input("Enter the port of your Indexer: ")
+ index = input("Enter the index name: ")
+ username = input("Username: ")
+ password = input("Password: ")
+ inject_events(ip, port, index, username, password, data)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/ecs/states-inventory-system/fields/custom/wazuh-agent.yml b/ecs/states-inventory-system/fields/custom/wazuh-agent.yml
new file mode 100644
index 0000000000000..3482123af637a
--- /dev/null
+++ b/ecs/states-inventory-system/fields/custom/wazuh-agent.yml
@@ -0,0 +1,12 @@
+---
+- name: agent
+ title: Wazuh Agents
+ short: Wazuh Inc. custom fields.
+ type: group
+ group: 2
+ fields:
+ - name: groups
+ type: keyword
+ level: custom
+ description: >
+ The groups the agent belongs to.
diff --git a/ecs/states-inventory-system/fields/mapping-settings.json b/ecs/states-inventory-system/fields/mapping-settings.json
new file mode 100644
index 0000000000000..0ad2b48fcc1be
--- /dev/null
+++ b/ecs/states-inventory-system/fields/mapping-settings.json
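Review bot: The documents built by generate_random_agent and generate_random_host carry fields that subset.yml in this same commit does not declare (agent.name, agent.type, agent.version, agent.is_connected, agent.last_login, agent.key, host.ip) while mapping-settings.json sets `"dynamic": "strict"`, so, assuming the index is created from these templates, inject_events will get a non-201 response on the first document and stop; the generator should emit only the subset fields (agent.id, agent.groups, host.architecture, host.hostname, host.name, host.os.kernel/full/platform/version/type). Inside inject_events the `break` after logging the failed response only leaves the for loop, so the `logging.info('Data injection completed successfully.')` that follows it still runs after a failure; `return` in place of `break` (or a for/else) keeps the log truthful. In main the indexer password is read with `password = input("Password: ")`, which echoes it to the terminal and leaves it in scrollback; `password = getpass.getpass("Password: ")` with `import getpass` avoids that. inject_events also sets `session.verify = False` unconditionally and the module-level `warnings.filterwarnings("ignore")` hides the InsecureRequestWarning that would flag it, so the credentials go to whatever answers at the entered address; accepting an optional CA bundle path and assigning it to `session.verify` keeps the self-signed case usable without disabling verification by default. The `except Exception as e` handler should use `logging.exception('Error injecting events')` rather than `logging.error(f'Error: {str(e)}')` so the traceback is preserved in the log file.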
@@ -0,0 +1,4 @@
+{
+ "dynamic": "strict",
+ "date_detection": false
+}
\ No newline at end of file
diff --git a/ecs/states-inventory-system/fields/subset.yml b/ecs/states-inventory-system/fields/subset.yml
new file mode 100644
index 0000000000000..1186c2a7476ac
--- /dev/null
+++ b/ecs/states-inventory-system/fields/subset.yml
@@ -0,0 +1,23 @@
+---
+name: wazuh-states-inventory-system
+fields:
+ base:
+ fields:
+ tags: []
+ "@timestamp": {}
+ agent:
+ fields:
+ id: {}
+ groups: {}
+ host:
+ fields:
+ architecture: {}
+ hostname: {}
+ name: {}
+ os:
+ fields:
+ kernel: {}
+ full: {}
+ platform: {}
+ version: {}
+ type: {}
diff --git a/ecs/states-inventory-system/fields/template-settings-legacy.json b/ecs/states-inventory-system/fields/template-settings-legacy.json
new file mode 100644
index 0000000000000..04007e4bed32b
--- /dev/null
+++ b/ecs/states-inventory-system/fields/template-settings-legacy.json
@@ -0,0 +1,19 @@
+{
+ "index_patterns": ["wazuh-states-inventory-system*"],
+ "order": 1,
+ "settings": {
+ "index": {
+ "hidden": true,
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "agent.id",
+ "agent.groups",
+ "host.name",
+ "host.os.type",
+ "host.os.version"
+ ]
+ }
+ }
+}
diff --git a/ecs/states-inventory-system/fields/template-settings.json b/ecs/states-inventory-system/fields/template-settings.json
new file mode 100644
index 0000000000000..62249c19e72ea
--- /dev/null
+++ b/ecs/states-inventory-system/fields/template-settings.json
@@ -0,0 +1,20 @@
+{
+ "index_patterns": ["wazuh-states-inventory-system*"],
+ "priority": 1,
+ "template": {
+ "settings": {
+ "index": {
+ "number_of_shards": "1",
+ "number_of_replicas": "0",
+ "refresh_interval": "5s",
+ "query.default_field": [
+ "agent.id",
+ "agent.groups",
+ "host.name",
+ "host.os.type",
+ "host.os.version"
+ ]
+ }
+ }
+ }
+}
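Review bot: template-settings.json leaves out the `"hidden": true` that template-settings-legacy.json sets under settings.index for the same `wazuh-states-inventory-system*` pattern, so an index created through the composable template will be listed while one created through the legacy template will not; if hiding is intended for both, add `"hidden": true,` before `"number_of_shards"` in template-settings.json as well. Both templates limit `query.default_field` to agent.id, agent.groups, host.name, host.os.type and host.os.version even though subset.yml in this commit also declares host.architecture, host.hostname and host.os.kernel, host.os.full and host.os.platform; if leaving those out of free-text search is deliberate, a line in the commit message saying so would spare the next reader the comparison.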