## `commands` index data model

> [!NOTE]
> rev 0.1 - September 18th, 2024: Add initial model.
> rev 0.2 - September 30th, 2024: Change type of `request_id`, `order_id` and `id` to keyword.
> rev 0.3 - October 3rd, 2024: Change descriptions for `command.type`, `command.action.type`, `command.request_id`, `command.order_id`.
> rev 0.4 - October 9th, 2024: Apply changes described in https://github.com/wazuh/wazuh-indexer-plugins/issues/96#issue-2576028654.
> rev 0.5 - December 3rd, 2024: Added `@timestamp` and `delivery_timestamp` date fields.
> rev 0.6 - January 24th, 2025: Rename index to `wazuh-commands`. The index is now visible to users.

### Fields summary

This index stores information about the commands sent to agents and Wazuh servers. The index first appears in Wazuh 5.0.0.

|     | Field                    | Type    | Description                                                                                                                        |
| --- | ------------------------ | ------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| \*  | `agent.groups`           | keyword | List of groups the agent belongs to.                                                                                               |
| \*  | `command.source`         | keyword | Origin of the request. One of [`Users/Services` (via Management API), `Engine` (via Management API), `Content manager` (directly)]. |
| \*  | `command.user`           | keyword | The user that originated the request. This user may represent a Management API or Indexer API user depending on the source.       |
| \*  | `command.target.id`      | keyword | Unique identifier of the destination to send the command to.                                                                       |
| \*  | `command.target.type`    | keyword | The destination type. One of [`group`, `agent`, `server`].                                                                         |
| \*  | `command.action.name`    | keyword | The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ...                                      |
| \*  | `command.action.args`    | object  | Command arguments. The object type allows an ad-hoc structure for the value.                                                       |
| \*  | `command.action.version` | keyword | Version of the command's schema.                                                                                                   |
| \*  | `command.timeout`        | short   | Time window in which the command has to be sent to its target.                                                                     |
| \*  | `command.status`         | keyword | Status within the Command Manager's context. One of [`pending`, `sent`, `success`, `failure`].                                     |
| \*  | `command.result.code`    | short   | Status code returned by the target.                                                                                                |
| \*  | `command.result.message` | keyword | Result message returned by the target.                                                                                             |
| \*  | `command.result.data`    | keyword | Result data returned by the target.                                                                                                |
| \*  | `command.request_id`     | keyword | UUID generated by the Command Manager.                                                                                             |
| \*  | `command.order_id`       | keyword | UUID generated by the Command Manager.                                                                                             |

\* Custom field.

### ECS mapping

```yml
---
name: command
fields:
  base:
    fields:
      tags: []
      "@timestamp": {}
      "delivery_timestamp": {}
  agent:
    fields:
      groups: {}
  command:
    fields: "*"
```

```yml
---
- name: command
  title: Wazuh commands
  short: Wazuh Inc. custom fields.
  description: >
    This index stores information about the Wazuh's commands.
    These commands can be sent to agents or Wazuh servers.
  type: group
  group: 2
  fields:
    - name: source
      type: keyword
      level: custom
      description: >
        Origin of the request.
    - name: user
      type: keyword
      level: custom
      description: >
        The user that originated the request.
    - name: target.id
      type: keyword
      level: custom
      description: >
        Unique identifier of the destination to send the command to.
    - name: target.type
      type: keyword
      level: custom
      description: >
        The destination type. One of [`group`, `agent`, `server`].
    - name: action.name
      type: keyword
      level: custom
      description: >
        The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ...
    - name: action.args
      type: keyword
      level: custom
      description: >
        Array of command arguments, starting with the absolute path to the executable.
    - name: action.version
      type: keyword
      level: custom
      description: >
        Version of the command's schema.
    - name: timeout
      type: short
      level: custom
      description: >
        Time window in which the command has to be sent to its target.
    - name: status
      type: keyword
      level: custom
      description: >
        Status within the Command Manager's context. One of [`pending`, `sent`, `success`, `failure`].
    - name: result.code
      type: short
      level: custom
      description: >
        Status code returned by the target.
    - name: result.message
      type: keyword
      level: custom
      description: >
        Result message returned by the target.
    - name: result.data
      type: keyword
      level: custom
      description: >
        Result data returned by the target.
    - name: request_id
      type: keyword
      level: custom
      description: >
        UUID generated by the Command Manager.
    - name: order_id
      type: keyword
      level: custom
      description: >
        UUID generated by the Command Manager.
```

```yml
- name: base
  title: Wazuh base fields
  root: true
  fields:
    - name: delivery_timestamp
      type: date
      level: custom
      description: >
        The latest date-time for the command to be delivered.
        Calculated as the current timestamp plus the timeout.
```

### Index settings

```json
{
  "index_patterns": ["wazuh-commands*"],
  "priority": 1,
  "template": {
    "settings": {
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
        "refresh_interval": "5s",
        "query.default_field": [
          "command.source",
          "command.target.type",
          "command.status",
          "command.action.name"
        ]
      }
    }
  }
}
```
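The following is an added example, not code from the wazuh-indexer-plugins project, showing how a producer would build a document that conforms to the fields summary above, how `delivery_timestamp` follows from `@timestamp` plus `command.timeout`, and how the `command.status` / `delivery_timestamp` pair is used to find commands that can no longer be delivered. Field names and allowed values are taken from the page; the seconds unit for `command.timeout`, the status transitions `pending -> sent -> success|failure` (plus `pending -> failure` on expiry) and the `is_expired` / `expired_pending_query` helpers are assumptions of this example.

```python
"""Build, validate and expire documents for the ``wazuh-commands`` index.

Added example for this page, not project code. Field names and allowed values
come from the fields summary; the checks, the seconds unit for ``command.timeout``
and the status transitions are this example's own assumptions.
"""
import uuid
from datetime import datetime, timedelta, timezone

SOURCES = {"Users/Services", "Engine", "Content manager"}
TARGET_TYPES = {"group", "agent", "server"}
STATUSES = {"pending", "sent", "success", "failure"}
SHORT_MIN, SHORT_MAX = -32768, 32767          # range of the OpenSearch short type
# Assumed lifecycle: pending -> sent -> success | failure, or pending -> failure on expiry.
TRANSITIONS = {"pending": {"sent", "failure"}, "sent": {"success", "failure"}}


def _parse(ts):
    """Parse an ISO 8601 timestamp into an aware UTC datetime; naive values are rejected."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without timezone: {ts!r}")
    return dt.astimezone(timezone.utc)


def build_command(source, user, target_type, target_id, action_name,
                  action_args, timeout, now_iso, agent_groups=(), action_version="1"):
    """Return a new command document in ``pending`` state.

    ``delivery_timestamp`` is ``@timestamp`` plus ``timeout`` (assumed to be seconds),
    as the base fields definition states. ``request_id`` and ``order_id`` are fresh
    UUIDs generated here in place of the Command Manager.
    """
    if source not in SOURCES:
        raise ValueError(f"unknown command.source: {source!r}")
    if target_type not in TARGET_TYPES:
        raise ValueError(f"unknown command.target.type: {target_type!r}")
    if not isinstance(timeout, int) or not SHORT_MIN <= timeout <= SHORT_MAX:
        raise ValueError("command.timeout must fit in a short")
    if timeout <= 0:
        raise ValueError("command.timeout must be positive")
    now = _parse(now_iso)
    return {
        "@timestamp": now.isoformat(),
        "delivery_timestamp": (now + timedelta(seconds=timeout)).isoformat(),
        "agent": {"groups": list(agent_groups)},
        "command": {
            "source": source,
            "user": user,
            "target": {"type": target_type, "id": target_id},
            "action": {"name": action_name, "args": action_args, "version": action_version},
            "timeout": timeout,
            "status": "pending",
            "request_id": str(uuid.uuid4()),
            "order_id": str(uuid.uuid4()),
        },
    }


def set_status(doc, new_status, result=None):
    """Advance ``command.status``, rejecting moves the assumed lifecycle forbids."""
    cur = doc["command"]["status"]
    if new_status not in STATUSES:
        raise ValueError(f"unknown command.status: {new_status!r}")
    if new_status not in TRANSITIONS.get(cur, set()):
        raise ValueError(f"illegal transition {cur} -> {new_status}")
    doc["command"]["status"] = new_status
    if result is not None:
        # result is {"code": short, "message": str, "data": str} per the fields summary
        doc["command"]["result"] = result
    return doc


def is_expired(doc, now_iso):
    """True when a command still ``pending`` has passed its ``delivery_timestamp``."""
    return (doc["command"]["status"] == "pending"
            and _parse(now_iso) > _parse(doc["delivery_timestamp"]))


def expired_pending_query(now_iso):
    """OpenSearch query body selecting commands that can no longer be delivered."""
    return {"query": {"bool": {"filter": [
        {"term": {"command.status": "pending"}},
        {"range": {"delivery_timestamp": {"lt": _parse(now_iso).isoformat()}}},
    ]}}}
```

A sweeper that runs `expired_pending_query` and moves the hits to `failure` closes the gap between the `short` timeout stored in the document and a command that was never picked up; `is_expired` is the same check applied to a single document already in hand.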