Skip to content

Commit

Permalink
Add index templates definitions for Wazuh 5 (#543)
Browse files Browse the repository at this point in the history
  • Loading branch information
@AlexRuiz7
AlexRuiz7 authored Nov 12, 2024
2 parents c8be472 + 3f9b1b8 commit e773599
Show file tree
Hide file tree
Showing 46 changed files with 2,639 additions and 12 deletions.
6 changes: 3 additions & 3 deletions ecs/agent/fields/custom/wazuh-agent.yml → ecs/agent/fields/custom/agent.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,17 +9,17 @@
type: keyword
level: custom
description: >
The groups the agent belongs to.
List of groups the agent belong to.
- name: key
type: keyword
level: custom
description: >
The agent's registration key.
The registration key of the agent.
- name: last_login
type: date
level: custom
description: >
The agent's last login.
The last time the agent logged in.
- name: is_connected
type: boolean
level: custom
Expand Down
2 changes: 1 addition & 1 deletion ecs/command/fields/custom/agent.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,4 +9,4 @@
type: keyword
level: custom
description: >
The groups the agent belongs to.
List of groups the agent belong to.
109 changes: 109 additions & 0 deletions ecs/docs/agents.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
## `agents` index data model

### Fields summary

The fields are based on https://github.com/wazuh/wazuh/issues/23396#issuecomment-2176402993

Based on ECS [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html).

| | Field | Type | Description | Example |
| --- | -------------------- | ------- | ---------------------------------------------------------------------- | ---------------------------------- |
| | `agent.id` | keyword | Unique identifier of this agent. | `8a4f500d` |
| | `agent.name` | keyword | Custom name of the agent. | `foo` |
| \* | `agent.groups` | keyword | List of groups the agent belong to. | `["group1", "group2"]` |
| \* | `agent.key` | keyword | The registration key of the agent. | `BfDbq0PpcLl9iWatJjY1shGvuQ4KXyOR` |
| | `agent.type` | keyword | Type of agent. | `endpoint` |
| | `agent.version` | keyword | Version of the agent. | `6.0.0-rc2` |
| \* | `agent.is_connected` | boolean | Agents' interpreted connection status depending on `agent.last_login`. | |
| \* | `agent.last_login` | date | The last time the agent logged in. | `11/11/2024 00:00:00` |
| | `host.ip` | ip | Host IP addresses. Note: this field should contain an array of values. | `["192.168.56.11", "10.54.27.1"]` |
| | `host.os.full` | keyword | Operating system name, including the version or code name. | `Mac OS Mojave` |

\* Custom field.

### ECS mapping

```yml
---
name: agent
fields:
base:
fields:
tags: []
agent:
fields:
id: {}
name: {}
type: {}
version: {}
groups: {}
key: {}
last_login: {}
is_connected: {}
host:
fields:
ip: {}
os:
fields:
full: {}
```
```yml
---
---
- name: agent
title: Wazuh Agents
short: Wazuh Inc. custom fields.
type: group
group: 2
fields:
- name: groups
type: keyword
level: custom
description: >
The groups the agent belongs to.
- name: key
type: keyword
level: custom
description: >
The agent's registration key.
- name: last_login
type: date
level: custom
description: >
The agent's last login.
- name: is_connected
type: boolean
level: custom
description: >
Agents' interpreted connection status depending on `agent.last_login`.
```
### Index settings
```json
{
"index_patterns": [".agents*"],
"priority": 1,
"template": {
"settings": {
"index": {
"hidden": true,
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "5s",
"query.default_field": [
"agent.id",
"agent.groups",
"agent.name",
"agent.type",
"agent.version",
"agent.name",
"host.os.full",
"host.ip"
]
}
}
}
}
```
Loading

0 comments on commit e773599

Please sign in to comment.