wazuh-indexer-plugins/ecs/docs/inventory-system.md
Álex Ruiz f04d6fcd90
Migrate code and documentation from wazuh-indexer (#265)
* Migrate code and documentation from wazuh-indexer

* Migrate operational--integrations_maintenance_request.md

* Add ECS folder and workflow

* Add ECS workflow badge

* Adapt ECS workflow generator

* Trigger workflow

* Update ECS templates for modified modules: agent alerts command states-fim states-inventory-hardware states-inventory-hotfixes states-inventory-networks states-inventory-packages states-inventory-ports states-inventory-processes states-inventory-system states-vulnerabilities

* Remove unused code

* Update ECS templates for modified modules: agent alerts command states-fim states-inventory-hardware states-inventory-hotfixes states-inventory-networks states-inventory-packages states-inventory-ports states-inventory-processes states-inventory-system states-vulnerabilities

* Clean-up

---------

Co-authored-by: Wazuh Indexer Bot <github_devel_xdrsiem_indexer@wazuh.com>
2025-02-10 18:13:14 +01:00


# wazuh-states-inventory-system index data model

## Fields summary

The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612

Based on ECS:

| Field name | Data type | Description | Example |
|---|---|---|---|
| agent.* | object | All the agent fields. | |
| @timestamp | date | Date/time when the event originated. | 2016-05-23T08:05:34.853Z |
| host.architecture | keyword | Operating system architecture. | x86_64 |
| host.hostname | keyword | Hostname of the host. | |
| host.os.full | keyword | Operating system name, including the version or code name. | Mac OS Mojave |
| host.os.kernel | keyword | Operating system kernel version as a raw string. | 4.4.0-112-generic |
| host.os.name | keyword | Operating system name, without the version. | Mac OS X |
| host.os.platform | keyword | Operating system platform (such as centos, ubuntu, windows). | darwin |
| host.os.type | keyword | One of: linux, macos, unix, windows, ios, android. | macos |
| host.os.version | keyword | Operating system version as a raw string. | 10.14.1 |

* Custom field
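The table above fixes both the dotted field names and their data types, so a document can be checked against it before it is sent to the indexer. The following validator is an added example and not Wazuh code: the schema is transcribed from the table (the concrete `agent.*` subfields come from the ECS mapping further down), the two sample documents are constructed for the example, and the decision to reject unknown fields and the fixed value set for `host.os.type` are assumptions of the example rather than anything this page mandates.

```python
"""Validate a wazuh-states-inventory-system document against the field model.

Added example, not part of the Wazuh project. SCHEMA is transcribed from the
"Fields summary" table; the sample documents are constructed for this example.
"""
from datetime import datetime

# (data type, allowed values or None) per dotted field name.
# The agent.* subfields are the ones listed in the ECS mapping (assumed keyword).
SCHEMA = {
    "@timestamp": ("date", None),
    "agent.id": ("keyword", None),
    "agent.name": ("keyword", None),
    "agent.groups": ("keyword", None),
    "agent.type": ("keyword", None),
    "agent.version": ("keyword", None),
    "host.architecture": ("keyword", None),
    "host.hostname": ("keyword", None),
    "host.name": ("keyword", None),
    "host.os.full": ("keyword", None),
    "host.os.kernel": ("keyword", None),
    "host.os.name": ("keyword", None),
    "host.os.platform": ("keyword", None),
    # Closed value set taken from the table row for host.os.type.
    "host.os.type": ("keyword", {"linux", "macos", "unix", "windows", "ios", "android"}),
    "host.os.version": ("keyword", None),
}


def flatten(doc, prefix=""):
    """Turn a nested JSON-like document into {"a.b.c": value} pairs."""
    out = {}
    for key, value in doc.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, path + "."))
        else:
            out[path] = value
    return out


def _is_date(value):
    """Accept ISO-8601 timestamps, including the trailing 'Z' used in the table."""
    try:
        datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def validate(doc):
    """Return a list of problems; an empty list means the document conforms.

    Unknown fields (for instance the removed os_major/os_minor/os_patch) are
    rejected, keyword fields must be strings or lists of strings, date fields
    must parse, and host.os.type must be one of the listed values.
    """
    problems = []
    for field, value in flatten(doc).items():
        if field not in SCHEMA:
            problems.append(f"unknown field {field}")
            continue
        dtype, allowed = SCHEMA[field]
        if dtype == "date":
            if not _is_date(value):
                problems.append(f"{field}: not an ISO-8601 date: {value!r}")
        elif dtype == "keyword":
            values = value if isinstance(value, list) else [value]
            if not all(isinstance(v, str) for v in values):
                problems.append(f"{field}: keyword must be a string, got {value!r}")
            elif allowed and any(v not in allowed for v in values):
                problems.append(f"{field}: {value!r} not in {sorted(allowed)}")
    return problems


# Constructed sample: a conforming document shaped like the table's examples.
GOOD_DOC = {
    "@timestamp": "2016-05-23T08:05:34.853Z",
    "agent": {"id": "001", "name": "macbook", "groups": ["default", "mac"]},
    "host": {
        "architecture": "x86_64",
        "hostname": "macbook",
        "os": {"full": "Mac OS Mojave", "kernel": "18.2.0", "name": "Mac OS X",
               "platform": "darwin", "type": "macos", "version": "10.14.1"},
    },
}

# Constructed sample: uses a removed field, a bad timestamp, a non-string
# keyword and an os.type value outside the listed set.
BAD_DOC = {
    "@timestamp": "yesterday",
    "agent": {"id": "001"},
    "host": {"os": {"type": "Darwin", "version": 10.14}},
    "os_major": "10",
}

if __name__ == "__main__":
    print("good:", validate(GOOD_DOC))
    print("bad:", validate(BAD_DOC))
```

Running the validator in the agent-to-indexer path (or as a unit test for the event producer) catches schema drift early, such as a producer still emitting `os_major` after the field was dropped from the model.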

## Details

Removed fields:

- os_display_version
- os_major (can be extracted from os_version)
- os_minor (can be extracted from os_version)
- os_patch (can be extracted from os_version)
- os_release
- reference
- release
- scan_id
- sysname
- version
- checksum

Available fields:

- os.family
- host.name

## ECS mapping

```yaml
---
name: wazuh-states-inventory-system
fields:
  base:
    fields:
      tags: []
      "@timestamp": {}
  agent:
    fields:
      groups: {}
      id: {}
      name: {}
      type: {}
      version: {}
      host:
        fields: "*"
  host:
    fields: "*"
```

## Index settings

```json
{
  "index_patterns": ["wazuh-states-inventory-system*"],
  "priority": 1,
  "template": {
    "settings": {
      "index": {
        "number_of_shards": "1",
        "number_of_replicas": "0",
        "refresh_interval": "5s",
        "query.default_field": [
          "agent.id",
          "agent.groups",
          "host.name",
          "host.os.type",
          "host.os.version"
        ]
      }
    }
  }
}
```