Implement commands index creation #42
Assignees
Labels
Comments
AlexRuiz7
changed the title
This was referenced Sep 13, 2024
|
| ECS field | Type | Description |
|---|---|---|
*command.source |
keyword | Origin of the request. One of [Users/Services (via Management API), Engine (via Management API), Content manager (directly)]. |
*command.user |
keyword | The user that originated the request. This user may represent a Management API or Indexer API user depending on the source. |
*command.target |
keyword | Wazuh Server Cluster name to send the command to. |
*command.type |
keyword | The requested action type. One of [agent_group, agent, wazuh_server], |
*command.action.type |
keyword | The actual requested action. One of [Agent groups, Agent, Server cluster]. |
*command.action.args |
keyword | Array of command arguments, starting with the absolute path to the executable. |
*command.action.version |
keyword | Version of the command's schema. |
*command.timeout |
short | Time window in which the command has to be sent to its target. |
*command.status |
keyword | Status within the Command Manager's context. One of [pending, sent, success, failure]. |
*command.result.code |
short | Status code returned by the target. |
*command.result.message |
keyword | Result message returned by the target. |
*command.result.data |
keyword | Result data returned by the target. |
*command.request_id |
short | Unique identifier generated by the Command Manager. Auto-incremental. |
*command.order_id |
short | Unique identifier generated by the Command Manager. Auto-incremental within the same Command Request ID. |
*command.id |
short | Document ID. Generated combining the Order ID and the Command Request ID. This is the document ID, not part of the document. |
* Custom field.
ECS mapping
---
name: command
fields:
base:
fields:
tags: []
command:
fields: "*"---
- name: command
title: Wazuh commands
short: Wazuh Inc. custom fields.
description: >
This index stores information about the Wazuh's commands. These commands can be sent to agents or Wazuh servers.
type: group
group: 2
fields:
- name: source
type: keyword
level: custom
description: >
Origin of the request.
- name: user
type: keyword
level: custom
description: >
The user that originated the request.
- name: target
type: keyword
level: custom
description: >
Wazuh Server Cluster name to send the command to.
- name: type
type: keyword
level: custom
description: >
The requested action type. One of 'agent_group', 'agent', 'wazuh_server'.
- name: action.type
type: keyword
level: custom
description: >
The actual requested action. One of Agent groups, Agent, Server cluster.
- name: action.args
type: keyword
level: custom
description: >
Array of command arguments, starting with the absolute path to the executable.
- name: action.version
type: keyword
level: custom
description: >
Version of the command's schema.
- name: timeout
type: short
level: custom
description: >
Time window in which the command has to be sent to its target.
- name: status
type: keyword
level: custom
description: >
Status within the Command Manager's context. One of 'pending', 'sent', 'success', 'failure'.
- name: result.code
type: short
level: custom
description: >
Status code returned by the target.
- name: result.message
type: keyword
level: custom
description: >
Result message returned by the target.
- name: result.data
type: keyword
level: custom
description: >
Result data returned by the target.
- name: request_id
type: short
level: custom
description: >
Unique identifier generated by the Command Manager. Auto-incremental.
- name: order_id
type: short
level: custom
description: >
Unique identifier generated by the Command Manager. Auto-incremental within the same Command Request ID.
Index settings
{
"index_patterns": [".commands*"],
"priority": 1,
"template": {
"settings": {
"index": {
"hidden": true,
"number_of_shards": "1",
"number_of_replicas": "0",
"refresh_interval": "5s",
"query.default_field": [
"command.source",
"command.target",
"command.status",
"command.type"
]
}
}
}
}
12 tasks
8 tasks
8 tasks
|
commands index template {
"index_patterns": [
".commands*"
],
"mappings": {
"date_detection": false,
"dynamic": "strict",
"properties": {
"command": {
"properties": {
"action": {
"properties": {
"args": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"order_id": {
"type": "short"
},
"request_id": {
"type": "short"
},
"result": {
"properties": {
"code": {
"type": "short"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"source": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"target": {
"ignore_above": 1024,
"type": "keyword"
},
"timeout": {
"type": "short"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"order": 1,
"settings": {
"index": {
"hidden": true,
"number_of_replicas": "0",
"number_of_shards": "1",
"query.default_field": [
"command.source",
"command.target",
"command.status",
"command.type"
],
"refresh_interval": "5s"
}
}
}
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Include the latest version of the commands index template to the Command Manager plugin.
The fields of the command index are described on wazuh/wazuh-indexer#349
Note: this index must be hidden.
The text was updated successfully, but these errors were encountered: