Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enrich index templates with agents' information #525

Closed
1 task
Tracked by #496
GGP1 opened this issue Nov 6, 2024 · 0 comments · Fixed by #544 or #549
Closed
1 task
Tracked by #496

Enrich index templates with agents' information #525

GGP1 opened this issue Nov 6, 2024 · 0 comments · Fixed by #544 or #549
Assignees
@f-galland
Labels
level/task Task issue mvp Minimum Viable Product type/enhancement Enhancement issue

Comments

@GGP1
Copy link
Member

GGP1 commented Nov 6, 2024
edited by AlexRuiz7
Loading

Description

Currently, indices store the agent.id and agent.groups fields along with the event information to build a relationship between an agent and its events.

However, we want to make more information available to correlate events from different indices. For example, the agent's information of an event would look like this:

{
  "agent": {
      "id": "2887e1cf-9bf2-431a-b066-a46860080f56",
      "name": "agent-name",
      "type": "endpoint",
      "version": "5.0.0",
      "groups": ["group1", "group2"],
      "host": {
          "hostname": "myhost",
          "os": {
              "name": "Amazon Linux 2",
              "platform": "Linux"
          },
          "ip": ["192.168.1.2"],
          "architecture": "x86_64"
      }
  }
}

Aside from that, we also want to do some adjustments to the .agents index data model itself, which are:

  • Rename agent.is_connected field to agent.status, of type keyword. Expected values are: active. disconnected.
{
  "agent": {
      "id": "2887e1cf-9bf2-431a-b066-a46860080f56",
      "key": "BfDbq0PpcLl9iWatJjY1shGvuQ4KXyOR",
      "name": "agent-name",
      "type": "endpoint",
      "version": "5.0.0",
      "groups": ["group1", "group2"],
      "host": {
          "hostname": "myhost",
          "os": {
              "name": "Amazon Linux 2",
              "platform": "Linux"
          },
          "ip": ["192.168.1.2"],
          "architecture": "x86_64"
      },
      "last_login": "11/11/2024 00:00:00",
      "status": "active"
  }
}

Note

Take in consideration the requirements in #539, as all the Host fields must be included in the mappings.

Functional requirements

Implementation restrictions

Plan

  • Rename agent.is_connected field to agent.status, of type keyword. Expected values are: active. disconnected.
@GGP1 GGP1 added level/task Task issue type/enhancement Enhancement issue labels Nov 6, 2024
@AlexRuiz7 AlexRuiz7 changed the title Update event indices agent information Update stateful index templates with agents' information Nov 6, 2024
@GGP1 GGP1 mentioned this issue Nov 6, 2024
Closed
@AlexRuiz7 AlexRuiz7 mentioned this issue Nov 7, 2024
Closed
14 tasks
@AlexRuiz7 AlexRuiz7 added the mvp Minimum Viable Product label Nov 7, 2024
@AlexRuiz7 AlexRuiz7 mentioned this issue Nov 11, 2024
Closed
3 tasks
@AlexRuiz7 AlexRuiz7 changed the title Update stateful index templates with agents' information Update .agents index data model Nov 11, 2024
This was referenced Nov 6, 2024
Open
Open
This was referenced Nov 12, 2024
Closed
Merged
@AlexRuiz7 AlexRuiz7 changed the title Update .agents index data model Enrich index templates with agents' information Nov 12, 2024
@f-galland f-galland mentioned this issue Nov 13, 2024
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@f-galland f-galland

Labels
level/task Task issue mvp Minimum Viable Product type/enhancement Enhancement issue
Projects
Release 5.0.0
Status: Done
Milestone
No milestone
3 participants
@AlexRuiz7 @GGP1 @f-galland