Implement commands index creation #42
| ECS field | Type | Description |
|---|---|---|
| agent.groups\* | keyword | Agent's groups. |
| command.source\* | keyword | Origin of the request. One of [Users/Services (via Management API), Engine (via Management API), Content manager (directly)]. |
| command.user\* | keyword | The user that originated the request. This user may represent a Management API or Indexer API user depending on the source. |
| command.target.id\* | keyword | Unique identifier of the destination to send the command to. |
| command.target.type\* | keyword | The destination type. One of [`group`, `agent`, `server`]. |
| command.action.name\* | keyword | The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ... |
| command.action.args\* | keyword | Array of command arguments, starting with the absolute path to the executable. |
| command.action.version\* | keyword | Version of the command's schema. |
| command.timeout\* | short | Time window in which the command has to be sent to its target. |
| command.status\* | keyword | Status within the Command Manager's context. One of [`pending`, `sent`, `success`, `failure`]. |
| command.result.code\* | short | Status code returned by the target. |
| command.result.message\* | keyword | Result message returned by the target. |
| command.result.data\* | keyword | Result data returned by the target. |
| command.request_id\* | keyword | UUID generated by the Command Manager. |
| command.order_id\* | keyword | UUID generated by the Command Manager. |

\* Custom field.
ECS mapping

```yaml
---
name: command
fields:
  base:
    fields:
      tags: []
  agent:
    fields:
      groups: {}
  command:
    fields: "*"
```
```yaml
---
- name: command
  title: Wazuh commands
  short: Wazuh Inc. custom fields.
  description: >
    This index stores information about Wazuh's commands. These commands can be sent to agents or Wazuh servers.
  type: group
  group: 2
  fields:
    - name: source
      type: keyword
      level: custom
      description: >
        Origin of the request.
    - name: user
      type: keyword
      level: custom
      description: >
        The user that originated the request.
    - name: target.id
      type: keyword
      level: custom
      description: >
        Unique identifier of the destination to send the command to.
    - name: target.type
      type: keyword
      level: custom
      description: >
        The destination type. One of [`group`, `agent`, `server`].
    - name: action.name
      type: keyword
      level: custom
      description: >
        The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ...
    - name: action.args
      type: keyword
      level: custom
      description: >
        Array of command arguments, starting with the absolute path to the executable.
    - name: action.version
      type: keyword
      level: custom
      description: >
        Version of the command's schema.
    - name: timeout
      type: short
      level: custom
      description: >
        Time window in which the command has to be sent to its target.
    - name: status
      type: keyword
      level: custom
      description: >
        Status within the Command Manager's context. One of ['pending', 'sent', 'success', 'failure'].
    - name: result.code
      type: short
      level: custom
      description: >
        Status code returned by the target.
    - name: result.message
      type: keyword
      level: custom
      description: >
        Result message returned by the target.
    - name: result.data
      type: keyword
      level: custom
      description: >
        Result data returned by the target.
    - name: request_id
      type: keyword
      level: custom
      description: >
        UUID generated by the Command Manager.
    - name: order_id
      type: keyword
      level: custom
      description: >
        UUID generated by the Command Manager.
```
Index settings

```json
{
  "index_patterns": [".commands*"],
  "priority": 1,
  "template": {
    "settings": {
      "index": {
        "hidden": true,
        "number_of_shards": "1",
        "number_of_replicas": "0",
        "refresh_interval": "5s",
        "query.default_field": [
          "command.source",
          "command.target.type",
          "command.status",
          "command.action.name"
        ]
      }
    }
  }
}
```
Commands index template

```json
{
  "index_patterns": [
    ".commands*"
  ],
  "mappings": {
    "date_detection": false,
    "dynamic": "strict",
    "properties": {
      "agent": {
        "properties": {
          "groups": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      },
      "command": {
        "properties": {
          "action": {
            "properties": {
              "args": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "name": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "version": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "order_id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "request_id": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "result": {
            "properties": {
              "code": {
                "type": "short"
              },
              "data": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "message": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "source": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "status": {
            "ignore_above": 1024,
            "type": "keyword"
          },
          "target": {
            "properties": {
              "id": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "type": {
                "ignore_above": 1024,
                "type": "keyword"
              }
            }
          },
          "timeout": {
            "type": "short"
          },
          "user": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      }
    }
  },
  "order": 1,
  "settings": {
    "index": {
      "hidden": true,
      "number_of_replicas": "0",
      "number_of_shards": "1",
      "query.default_field": [
        "command.source",
        "command.target.type",
        "command.status",
        "command.action.name"
      ],
      "refresh_interval": "5s"
    }
  }
}
```
Description

Include the latest version of the commands index template in the Command Manager plugin.
The fields of the commands index are described in wazuh/wazuh-indexer#349.
Note: this index must be hidden.
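As an added example (not code from this issue or from the wazuh-indexer-plugins project), the following Python script checks a candidate command document against the template above before it is sent to the indexer. It reproduces what the template enforces: `dynamic: strict` (one unmapped field rejects the whole document), the `short` range of `command.timeout` and `command.result.code`, and the `ignore_above: 1024` limit on keyword fields, which does not reject a value but silently leaves it out of the keyword index. It also enforces the value sets the field table lists for `command.target.type` and `command.status`, which the mapping itself does not. The sample document, the values it uses and the `with_field` helper are constructed for this example; the indexer's default numeric coercion (a string such as `"30"` in a `short` field) is not reproduced, so the check is stricter than the indexer on that point.

```python
"""Pre-index validator for `.commands*` documents (added example, not project code)."""
import copy
from typing import Any

# Field types transcribed from the commands index template above.
KW = {"type": "keyword", "ignore_above": 1024}
SHORT = {"type": "short"}
MAPPING: dict[str, dict[str, Any]] = {
    "agent.groups": KW,
    "command.source": KW,
    "command.user": KW,
    "command.target.id": KW,
    "command.target.type": KW,
    "command.action.name": KW,
    "command.action.args": KW,
    "command.action.version": KW,
    "command.timeout": SHORT,
    "command.status": KW,
    "command.result.code": SHORT,
    "command.result.message": KW,
    "command.result.data": KW,
    "command.request_id": KW,
    "command.order_id": KW,
}

# Value sets from the field table; the mapping alone does not enforce them.
ALLOWED = {
    "command.target.type": {"group", "agent", "server"},
    "command.status": {"pending", "sent", "success", "failure"},
}

SHORT_MIN, SHORT_MAX = -32768, 32767  # range of the OpenSearch `short` type


def flatten(doc: dict, prefix: str = "") -> dict[str, Any]:
    """Map nested objects to dotted field paths; arrays stay as leaf values
    (keyword fields accept arrays, and each element is checked below)."""
    out: dict[str, Any] = {}
    for key, value in doc.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, path + "."))
        else:
            out[path] = value
    return out


def validate(doc: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings): errors are what the strict mapping or the
    field type rejects at index time; warnings are values the index accepts
    but drops from the keyword index because of ignore_above."""
    errors: list[str] = []
    warnings: list[str] = []
    for path, value in flatten(doc).items():
        spec = MAPPING.get(path)
        if spec is None:
            # dynamic: strict means an unknown field fails the whole document
            errors.append(f"{path}: unmapped field (strict mapping)")
            continue
        for v in value if isinstance(value, list) else [value]:
            if spec["type"] == "short":
                # bool is an int subclass in Python, so exclude it explicitly
                if isinstance(v, bool) or not isinstance(v, int):
                    errors.append(f"{path}: expected integer, got {v!r}")
                elif not SHORT_MIN <= v <= SHORT_MAX:
                    errors.append(f"{path}: {v} outside short range")
                continue
            if not isinstance(v, str):
                errors.append(f"{path}: expected string, got {v!r}")
                continue
            if len(v) > spec["ignore_above"]:
                warnings.append(f"{path}: longer than ignore_above, not searchable")
            if path in ALLOWED and v not in ALLOWED[path]:
                errors.append(f"{path}: {v!r} not in {sorted(ALLOWED[path])}")
    return errors, warnings


def with_field(doc: dict, path: str, value: Any) -> dict:
    """Deep-copy doc and set a dotted path, to build variants of a sample."""
    new = copy.deepcopy(doc)
    node = new
    parts = path.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value
    return new


# Constructed sample of a pending command; values are assumptions for the example.
SAMPLE_COMMAND = {
    "agent": {"groups": ["default", "linux"]},
    "command": {
        "source": "Users/Services",
        "user": "wazuh-api",
        "target": {"id": "001", "type": "agent"},
        "action": {"name": "restart", "args": ["/usr/bin/wazuh-control", "restart"], "version": "1"},
        "timeout": 30,
        "status": "pending",
        "request_id": "00000000-0000-4000-8000-000000000001",
        "order_id": "00000000-0000-4000-8000-000000000002",
    },
}
```

Run `validate(with_field(SAMPLE_COMMAND, "command.extra", "x"))` to see the effect of `dynamic: strict`: the producer does not get a silently expanded mapping, it gets the whole document rejected, so the only way to add a field is to change the template. The `ignore_above` warning is the other case worth catching before indexing, because a `command.result.data` value over 1024 characters is stored in `_source` but can no longer be found by a term query.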