Add wazuh.protocol.location and wazuh.protocol.queue fields to WCS (#613)

* Add wazuh.protocol.location and wazuh.protocol.queue fields

* Update the Wazuh Common Schema

* Update CHANGELOG.md

* Add remaining modules

* Update CHANGELOG.md

Signed-off-by: Álex Ruiz Becerra <alejandro.ruiz.becerra@wazuh.com>

---------

Signed-off-by: Álex Ruiz Becerra <alejandro.ruiz.becerra@wazuh.com>
Co-authored-by: Wazuh Indexer Bot <github_devel_xdrsiem_indexer@wazuh.com>
Co-authored-by: Alex Ruiz <alejandro.ruiz.becerra@wazuh.com>

CHANGELOG.md

@@ -23,6 +23,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Increase max_docvalue_fields_search to 200 [(#594)](https://github.com/wazuh/wazuh-indexer-plugins/pull/594)
 - Add cloud services subcategories [(#595)](https://github.com/wazuh/wazuh-indexer-plugins/pull/595)
 - Add AWS Bedrock integration [(#602)](https://github.com/wazuh/wazuh-indexer-plugins/pull/602)
+- Add wazuh.protocol.location and wazuh.protocol.queue fields to WCS [(#613)](https://github.com/wazuh/wazuh-indexer-plugins/pull/613)
+- Add version to the GH Workflow names [(#570)](https://github.com/wazuh/wazuh-indexer-plugins/pull/570)
+- Add browser-extensions and services inventory indices to documentation [(#574)](https://github.com/wazuh/wazuh-indexer-plugins/pull/574)
+- Add state.modified_at to stateful indexes [(#561)](https://github.com/wazuh/wazuh-indexer-plugins/pull/561)
 
 ### Dependencies
 -
@@ -35,16 +39,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Migrate WCS changes from 4.x [(#488)](https://github.com/wazuh/wazuh-indexer-plugins/pull/488) [(#552)](https://github.com/wazuh/wazuh-indexer-plugins/pull/552) [(#568)](https://github.com/wazuh/wazuh-indexer-plugins/pull/568)
 - Implement checksum fields into stateful ECS mappings [(#519)](https://github.com/wazuh/wazuh-indexer-plugins/pull/519) [(#569)](https://github.com/wazuh/wazuh-indexer-plugins/pull/569)
 - FIM indices rework [(#509)](https://github.com/wazuh/wazuh-indexer-plugins/pull/509)
-- Add state.modified_at to stateful indexes [(#561)](https://github.com/wazuh/wazuh-indexer-plugins/pull/561)
 - Update GitHub Actions versions in main branch [(#572)](https://github.com/wazuh/wazuh-indexer-plugins/pull/572)
-- Add browser-extensions and services inventory indices to documentation [(#574)](https://github.com/wazuh/wazuh-indexer-plugins/pull/574)
 - Update index templates with agent fields [(#578)](https://github.com/wazuh/wazuh-indexer-plugins/pull/578)
 - Rename indices from *-5.x-* to *-v5-* [(#597)](https://github.com/wazuh/wazuh-indexer-plugins/pull/597)
 - Use stricter field limits for the WCS indices [(#589)](https://github.com/wazuh/wazuh-indexer-plugins/pull/589)
 - Bump WCS to ECS v9.1.0 [(#600)](https://github.com/wazuh/wazuh-indexer-plugins/pull/600)
 - Replace genai.* nested fields with keyword array [(#608)](https://github.com/wazuh/wazuh-indexer-plugins/pull/608)
 - Check GitHub actions with dependabot [(#601)](https://github.com/wazuh/wazuh-indexer-plugins/pull/601)
-- Remove ECS object from WCS definitions [(#612)](https://github.com/wazuh/wazuh-indexer-plugins/pull/612)
 
 ### Deprecated
 -
@@ -53,7 +54,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Delete files not needed for `5.0.0` [(#439)](https://github.com/wazuh/wazuh-indexer-plugins/pull/439)
 - Remove extra fields from CSV documentation [(#479)](https://github.com/wazuh/wazuh-indexer-plugins/pull/479)
 - Remove outdated documentation [(#532)](https://github.com/wazuh/wazuh-indexer-plugins/pull/532)
-- Add version to the GH Workflow names [(#570)](https://github.com/wazuh/wazuh-indexer-plugins/pull/570)
+- Remove ECS object from WCS definitions [(#612)](https://github.com/wazuh/wazuh-indexer-plugins/pull/612)
 
 ### Fixed
 - Improve ECS folder structure [(#473)](https://github.com/wazuh/wazuh-indexer-plugins/pull/473)

ecs/stateless-access-management/docs/fields.csv

@@ -1936,5 +1936,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,wazuh,wazuh.cluster.name,keyword,custom,,wazuh-cluster-1,Wazuh cluster name.
 9.1.0,true,wazuh,wazuh.cluster.node,keyword,custom,,wazuh-cluster-node-1,Wazuh cluster node name.
 9.1.0,true,wazuh,wazuh.decoders,keyword,custom,"a, r, r, a, y","[ 'decoder-1', 'decoder-2' ]",Wazuh decoders that matched on this event.
+9.1.0,true,wazuh,wazuh.protocol.location,keyword,custom,,/var/log/auth.log,Source of the log as retrieved by the Wazuh Agent.
+9.1.0,true,wazuh,wazuh.protocol.queue,byte,custom,,1,Ingestion queue for the log.
 9.1.0,true,wazuh,wazuh.rules,keyword,custom,"a, r, r, a, y","[ 'rule-1', 'rule-2' ]",Wazuh rules that matched on this event.
 9.1.0,true,wazuh,wazuh.schema.version,keyword,custom,,1.7.0,Wazuh schema version.

ecs/stateless-applications/docs/fields.csv

@@ -2112,6 +2112,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,wazuh,wazuh.cluster.name,keyword,custom,,wazuh-cluster-1,Wazuh cluster name.
 9.1.0,true,wazuh,wazuh.cluster.node,keyword,custom,,wazuh-cluster-node-1,Wazuh cluster node name.
 9.1.0,true,wazuh,wazuh.decoders,keyword,custom,"a, r, r, a, y","[ 'decoder-1', 'decoder-2' ]",Wazuh decoders that matched on this event.
+9.1.0,true,wazuh,wazuh.protocol.location,keyword,custom,,/var/log/auth.log,Source of the log as retrieved by the Wazuh Agent.
+9.1.0,true,wazuh,wazuh.protocol.queue,byte,custom,,1,Ingestion queue for the log.
 9.1.0,true,wazuh,wazuh.rules,keyword,custom,"a, r, r, a, y","[ 'rule-1', 'rule-2' ]",Wazuh rules that matched on this event.
 9.1.0,true,wazuh,wazuh.schema.version,keyword,custom,,1.7.0,Wazuh schema version.
 9.1.0,true,websphere,websphere.metrics.alarm_manager.cancelled.total,long,custom,,12345,Total number of cancelled alarms in the alarm manager.

ecs/stateless-cloud-services-aws/docs/fields.csv

@@ -2729,5 +2729,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,wazuh,wazuh.cluster.name,keyword,custom,,wazuh-cluster-1,Wazuh cluster name.
 9.1.0,true,wazuh,wazuh.cluster.node,keyword,custom,,wazuh-cluster-node-1,Wazuh cluster node name.
 9.1.0,true,wazuh,wazuh.decoders,keyword,custom,"a, r, r, a, y","[ 'decoder-1', 'decoder-2' ]",Wazuh decoders that matched on this event.
+9.1.0,true,wazuh,wazuh.protocol.location,keyword,custom,,/var/log/auth.log,Source of the log as retrieved by the Wazuh Agent.
+9.1.0,true,wazuh,wazuh.protocol.queue,byte,custom,,1,Ingestion queue for the log.
 9.1.0,true,wazuh,wazuh.rules,keyword,custom,"a, r, r, a, y","[ 'rule-1', 'rule-2' ]",Wazuh rules that matched on this event.
 9.1.0,true,wazuh,wazuh.schema.version,keyword,custom,,1.7.0,Wazuh schema version.

ecs/stateless-cloud-services-azure/docs/fields.csv

@@ -2426,5 +2426,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,wazuh,wazuh.cluster.name,keyword,custom,,wazuh-cluster-1,Wazuh cluster name.
 9.1.0,true,wazuh,wazuh.cluster.node,keyword,custom,,wazuh-cluster-node-1,Wazuh cluster node name.
 9.1.0,true,wazuh,wazuh.decoders,keyword,custom,"a, r, r, a, y","[ 'decoder-1', 'decoder-2' ]",Wazuh decoders that matched on this event.
+9.1.0,true,wazuh,wazuh.protocol.location,keyword,custom,,/var/log/auth.log,Source of the log as retrieved by the Wazuh Agent.
+9.1.0,true,wazuh,wazuh.protocol.queue,byte,custom,,1,Ingestion queue for the log.
 9.1.0,true,wazuh,wazuh.rules,keyword,custom,"a, r, r, a, y","[ 'rule-1', 'rule-2' ]",Wazuh rules that matched on this event.
 9.1.0,true,wazuh,wazuh.schema.version,keyword,custom,,1.7.0,Wazuh schema version.

ecs/stateless-cloud-services-gcp/docs/fields.csv

@@ -2243,5 +2243,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,wazuh,wazuh.cluster.name,keyword,custom,,wazuh-cluster-1,Wazuh cluster name.
 9.1.0,true,wazuh,wazuh.cluster.node,keyword,custom,,wazuh-cluster-node-1,Wazuh cluster node name.
 9.1.0,true,wazuh,wazuh.decoders,keyword,custom,"a, r, r, a, y","[ 'decoder-1', 'decoder-2' ]",Wazuh decoders that matched on this event.
+9.1.0,true,wazuh,wazuh.protocol.location,keyword,custom,,/var/log/auth.log,Source of the log as retrieved by the Wazuh Agent.
+9.1.0,true,wazuh,wazuh.protocol.queue,byte,custom,,1,Ingestion queue for the log.
 9.1.0,true,wazuh,wazuh.rules,keyword,custom,"a, r, r, a, y","[ 'rule-1', 'rule-2' ]",Wazuh rules that matched on this event.
 9.1.0,true,wazuh,wazuh.schema.version,keyword,custom,,1.7.0,Wazuh schema version.

ecs/stateless-cloud-services/docs/fields.csv

@@ -1973,5 +1973,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,wazuh,wazuh.cluster.name,keyword,custom,,wazuh-cluster-1,Wazuh cluster name.
 9.1.0,true,wazuh,wazuh.cluster.node,keyword,custom,,wazuh-cluster-node-1,Wazuh cluster node name.
 9.1.0,true,wazuh,wazuh.decoders,keyword,custom,"a, r, r, a, y","[ 'decoder-1', 'decoder-2' ]",Wazuh decoders that matched on this event.
+9.1.0,true,wazuh,wazuh.protocol.location,keyword,custom,,/var/log/auth.log,Source of the log as retrieved by the Wazuh Agent.
+9.1.0,true,wazuh,wazuh.protocol.queue,byte,custom,,1,Ingestion queue for the log.
 9.1.0,true,wazuh,wazuh.rules,keyword,custom,"a, r, r, a, y","[ 'rule-1', 'rule-2' ]",Wazuh rules that matched on this event.
 9.1.0,true,wazuh,wazuh.schema.version,keyword,custom,,1.7.0,Wazuh schema version.

ecs/stateless-network-activity/docs/fields.csv

@@ -3258,5 +3258,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,wazuh,wazuh.cluster.name,keyword,custom,,wazuh-cluster-1,Wazuh cluster name.
 9.1.0,true,wazuh,wazuh.cluster.node,keyword,custom,,wazuh-cluster-node-1,Wazuh cluster node name.
 9.1.0,true,wazuh,wazuh.decoders,keyword,custom,"a, r, r, a, y","[ 'decoder-1', 'decoder-2' ]",Wazuh decoders that matched on this event.
+9.1.0,true,wazuh,wazuh.protocol.location,keyword,custom,,/var/log/auth.log,Source of the log as retrieved by the Wazuh Agent.
+9.1.0,true,wazuh,wazuh.protocol.queue,byte,custom,,1,Ingestion queue for the log.
 9.1.0,true,wazuh,wazuh.rules,keyword,custom,"a, r, r, a, y","[ 'rule-1', 'rule-2' ]",Wazuh rules that matched on this event.
 9.1.0,true,wazuh,wazuh.schema.version,keyword,custom,,1.7.0,Wazuh schema version.

ecs/stateless-other/docs/fields.csv

@@ -1936,5 +1936,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,wazuh,wazuh.cluster.name,keyword,custom,,wazuh-cluster-1,Wazuh cluster name.
 9.1.0,true,wazuh,wazuh.cluster.node,keyword,custom,,wazuh-cluster-node-1,Wazuh cluster node name.
 9.1.0,true,wazuh,wazuh.decoders,keyword,custom,"a, r, r, a, y","[ 'decoder-1', 'decoder-2' ]",Wazuh decoders that matched on this event.
+9.1.0,true,wazuh,wazuh.protocol.location,keyword,custom,,/var/log/auth.log,Source of the log as retrieved by the Wazuh Agent.
+9.1.0,true,wazuh,wazuh.protocol.queue,byte,custom,,1,Ingestion queue for the log.
 9.1.0,true,wazuh,wazuh.rules,keyword,custom,"a, r, r, a, y","[ 'rule-1', 'rule-2' ]",Wazuh rules that matched on this event.
 9.1.0,true,wazuh,wazuh.schema.version,keyword,custom,,1.7.0,Wazuh schema version.

ecs/stateless-security/docs/fields.csv

@@ -2136,6 +2136,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,wazuh,wazuh.cluster.name,keyword,custom,,wazuh-cluster-1,Wazuh cluster name.
 9.1.0,true,wazuh,wazuh.cluster.node,keyword,custom,,wazuh-cluster-node-1,Wazuh cluster node name.
 9.1.0,true,wazuh,wazuh.decoders,keyword,custom,"a, r, r, a, y","[ 'decoder-1', 'decoder-2' ]",Wazuh decoders that matched on this event.
+9.1.0,true,wazuh,wazuh.protocol.location,keyword,custom,,/var/log/auth.log,Source of the log as retrieved by the Wazuh Agent.
+9.1.0,true,wazuh,wazuh.protocol.queue,byte,custom,,1,Ingestion queue for the log.
 9.1.0,true,wazuh,wazuh.rules,keyword,custom,"a, r, r, a, y","[ 'rule-1', 'rule-2' ]",Wazuh rules that matched on this event.
 9.1.0,true,wazuh,wazuh.schema.version,keyword,custom,,1.7.0,Wazuh schema version.
 9.1.0,true,zeek,zeek.capture_loss_acks,long,custom,,12345,Total number of ACKs seen in the previous measurement interval.

ecs/stateless-system-activity/docs/fields.csv

@@ -2311,6 +2311,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,wazuh,wazuh.cluster.name,keyword,custom,,wazuh-cluster-1,Wazuh cluster name.
 9.1.0,true,wazuh,wazuh.cluster.node,keyword,custom,,wazuh-cluster-node-1,Wazuh cluster node name.
 9.1.0,true,wazuh,wazuh.decoders,keyword,custom,"a, r, r, a, y","[ 'decoder-1', 'decoder-2' ]",Wazuh decoders that matched on this event.
+9.1.0,true,wazuh,wazuh.protocol.location,keyword,custom,,/var/log/auth.log,Source of the log as retrieved by the Wazuh Agent.
+9.1.0,true,wazuh,wazuh.protocol.queue,byte,custom,,1,Ingestion queue for the log.
 9.1.0,true,wazuh,wazuh.rules,keyword,custom,"a, r, r, a, y","[ 'rule-1', 'rule-2' ]",Wazuh rules that matched on this event.
 9.1.0,true,wazuh,wazuh.schema.version,keyword,custom,,1.7.0,Wazuh schema version.
 9.1.0,true,windows,windows.EventData,object,custom,,,Complete Windows event data section with all event-specific fields

ecs/stateless/docs/fields.csv

@@ -1936,5 +1936,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0,true,wazuh,wazuh.cluster.name,keyword,custom,,wazuh-cluster-1,Wazuh cluster name.
 9.1.0,true,wazuh,wazuh.cluster.node,keyword,custom,,wazuh-cluster-node-1,Wazuh cluster node name.
 9.1.0,true,wazuh,wazuh.decoders,keyword,custom,"a, r, r, a, y","[ 'decoder-1', 'decoder-2' ]",Wazuh decoders that matched on this event.
+9.1.0,true,wazuh,wazuh.protocol.location,keyword,custom,,/var/log/auth.log,Source of the log as retrieved by the Wazuh Agent.
+9.1.0,true,wazuh,wazuh.protocol.queue,byte,custom,,1,Ingestion queue for the log.
 9.1.0,true,wazuh,wazuh.rules,keyword,custom,"a, r, r, a, y","[ 'rule-1', 'rule-2' ]",Wazuh rules that matched on this event.
 9.1.0,true,wazuh,wazuh.schema.version,keyword,custom,,1.7.0,Wazuh schema version.

ecs/stateless/fields/custom/wazuh.yml

@@ -30,6 +30,18 @@
       description: >
         Wazuh cluster node name.
       example: "wazuh-cluster-node-1"
+    - name: protocol.location
+      type: keyword
+      level: custom
+      description: >
+        Source of the log as retrieved by the Wazuh Agent.
+      example: "/var/log/auth.log"
+    - name: protocol.queue
+      type: byte
+      level: custom
+      description: >
+        Ingestion queue for the log.
+      example: 1
     - name: schema.version
       type: keyword
       level: custom

plugins/setup/src/main/resources/index-template-access-management.json

@@ -8597,6 +8597,17 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "protocol": {
+            "properties": {
+              "location": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "queue": {
+                "type": "byte"
+              }
+            }
+          },
           "rules": {
             "ignore_above": 1024,
             "type": "keyword"

plugins/setup/src/main/resources/index-template-alerts.json

@@ -8597,6 +8597,17 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "protocol": {
+            "properties": {
+              "location": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "queue": {
+                "type": "byte"
+              }
+            }
+          },
           "rules": {
             "ignore_above": 1024,
             "type": "keyword"

plugins/setup/src/main/resources/index-template-applications.json

@@ -9573,6 +9573,17 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "protocol": {
+            "properties": {
+              "location": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "queue": {
+                "type": "byte"
+              }
+            }
+          },
           "rules": {
             "ignore_above": 1024,
             "type": "keyword"

plugins/setup/src/main/resources/index-template-archives.json

@@ -8597,6 +8597,17 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "protocol": {
+            "properties": {
+              "location": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "queue": {
+                "type": "byte"
+              }
+            }
+          },
           "rules": {
             "ignore_above": 1024,
             "type": "keyword"

plugins/setup/src/main/resources/index-template-cloud-services-aws.json

@@ -12376,6 +12376,17 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "protocol": {
+            "properties": {
+              "location": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "queue": {
+                "type": "byte"
+              }
+            }
+          },
           "rules": {
             "ignore_above": 1024,
             "type": "keyword"

plugins/setup/src/main/resources/index-template-cloud-services-azure.json

@@ -10876,6 +10876,17 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "protocol": {
+            "properties": {
+              "location": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "queue": {
+                "type": "byte"
+              }
+            }
+          },
           "rules": {
             "ignore_above": 1024,
             "type": "keyword"

plugins/setup/src/main/resources/index-template-cloud-services-gcp.json

@@ -10147,6 +10147,17 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "protocol": {
+            "properties": {
+              "location": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "queue": {
+                "type": "byte"
+              }
+            }
+          },
           "rules": {
             "ignore_above": 1024,
             "type": "keyword"

plugins/setup/src/main/resources/index-template-cloud-services.json

@@ -8753,6 +8753,17 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "protocol": {
+            "properties": {
+              "location": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "queue": {
+                "type": "byte"
+              }
+            }
+          },
           "rules": {
             "ignore_above": 1024,
             "type": "keyword"

plugins/setup/src/main/resources/index-template-network-activity.json

@@ -14087,6 +14087,17 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "protocol": {
+            "properties": {
+              "location": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "queue": {
+                "type": "byte"
+              }
+            }
+          },
           "rules": {
             "ignore_above": 1024,
             "type": "keyword"

plugins/setup/src/main/resources/index-template-other.json

@@ -8597,6 +8597,17 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "protocol": {
+            "properties": {
+              "location": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "queue": {
+                "type": "byte"
+              }
+            }
+          },
           "rules": {
             "ignore_above": 1024,
             "type": "keyword"

plugins/setup/src/main/resources/index-template-security.json

@@ -9408,6 +9408,17 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "protocol": {
+            "properties": {
+              "location": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "queue": {
+                "type": "byte"
+              }
+            }
+          },
           "rules": {
             "ignore_above": 1024,
             "type": "keyword"

plugins/setup/src/main/resources/index-template-system-activity.json

@@ -10087,6 +10087,17 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "protocol": {
+            "properties": {
+              "location": {
+                "ignore_above": 1024,
+                "type": "keyword"
+              },
+              "queue": {
+                "type": "byte"
+              }
+            }
+          },
           "rules": {
             "ignore_above": 1024,
             "type": "keyword"