Álex Ruiz Becerra b8879394b8
Replace time-series indices with data streams (#652)
* Use v2 index templates

* Replace stateless indices with data streams

Replace legacy index template with v2 index templates

* Clean-up and document code

* Update 5_builderpackage_plugins_onpush.yml

Signed-off-by: Álex Ruiz Becerra <alejandro.ruiz.becerra@wazuh.com>

* Downgrade jackson to 2.18.2 to match OpenSearch's version

* Adapt tests

* Divide testClusters into two separate ones to fix the test and allow the run

* Format files

* Fix index patterns and data streams creation

---------

Signed-off-by: Álex Ruiz Becerra <alejandro.ruiz.becerra@wazuh.com>
Co-authored-by: Jorge Sanchez <jorge.sanchez@wazuh.com>
2025-11-14 11:58:26 +01:00


Wazuh Indexer Initialization plugin

The wazuh-indexer-setup plugin is a module of the Wazuh Indexer responsible for initializing the indices that Wazuh needs to store the data gathered and generated by the other Central Components, such as the agents and the server (engine).

The Wazuh Indexer Setup Plugin is responsible for:

  • Creating the index templates that define the mappings and settings for the indices.
  • Creating the initial indices. We distinguish between stateful and stream indices: stream indices hold immutable time-series data and are rolled over periodically, whereas stateful indices hold dynamic data that changes over time and lives in a single index.
  • Creating stream indices as data streams, each governed by an ISM rollover policy.
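The bullets above describe three objects that have to exist, in a specific order, for one stream index: an ISM rollover policy, a composable (v2) index template marked as a data stream template, and the data stream itself. The Python below is an added example, not code from the wazuh-indexer-setup plugin: it builds the request bodies for those three OpenSearch APIs (PUT _plugins/_ism/policies, PUT _index_template, PUT _data_stream) and runs the checks a practitioner would want before sending them. The policy id, template name, rollover thresholds, the minimal mapping and the `.ds-<stream>-NNNNNN` backing-index pattern are assumptions made for illustration.

```python
"""Request bodies that bootstrap one Wazuh-style data stream with rollover.

Added example, not code from the wazuh-indexer-setup plugin. It assumes the
OpenSearch composable index template API (PUT _index_template), the Index
State Management policy API (PUT _plugins/_ism/policies) and the data stream
API (PUT _data_stream). Names, thresholds and mappings are illustrative.
"""
import fnmatch
import json

# Constructed mapping; the real Wazuh templates carry the full Wazuh Common Schema.
ALERT_MAPPINGS = {
    "properties": {
        "@timestamp": {"type": "date"},  # data streams require a date @timestamp
        "rule": {"properties": {"level": {"type": "integer"}}},
        "agent": {"properties": {"id": {"type": "keyword"}}},
    }
}


def build_rollover_policy(policy_id, index_patterns, max_age="7d", max_size="50gb"):
    """ISM policy with one state whose rollover action fires once the write
    index is older than max_age or larger than max_size. ism_template makes
    ISM attach the policy automatically to new indices matching the patterns."""
    return {
        "policy": {
            "description": "Rollover policy " + policy_id,
            "default_state": "active",
            "states": [{
                "name": "active",
                "actions": [{"rollover": {"min_index_age": max_age, "min_size": max_size}}],
                "transitions": [],
            }],
            "ism_template": [{"index_patterns": index_patterns, "priority": 100}],
        }
    }


def build_index_template(index_patterns, mappings, priority=1, data_stream=True):
    """Composable (v2) index template. The data_stream key turns every index
    the template produces into a backing index of a data stream; a stateful
    index uses the same template shape without that key."""
    body = {
        "index_patterns": index_patterns,
        "priority": priority,
        "template": {
            "settings": {"index.number_of_shards": 1, "index.number_of_replicas": 0},
            "mappings": mappings,
        },
    }
    if data_stream:
        body["data_stream"] = {}
    return body


def covered_by(index_name, patterns):
    """True if index_name matches any wildcard pattern (glob semantics, as
    OpenSearch applies to index_patterns)."""
    return any(fnmatch.fnmatchcase(index_name, p) for p in patterns)


def bootstrap_plan(stream, mappings):
    """Ordered (method, path, body) requests. The policy goes first so that
    ism_template already exists when the first backing index is created; the
    template goes before the data stream, because PUT _data_stream is rejected
    unless a data stream template matches the name."""
    policy_id = stream + "-rollover-policy"
    # Assumption: backing indices are named .ds-<stream>-NNNNNN. Listing both the
    # stream name and the backing-index form keeps the policy matching whichever
    # of the two names the ISM template matcher compares against.
    policy_patterns = [stream + "*", ".ds-" + stream + "-*"]
    return [
        ("PUT", "_plugins/_ism/policies/" + policy_id,
         build_rollover_policy(policy_id, policy_patterns)),
        ("PUT", "_index_template/" + stream + "-template",
         build_index_template([stream + "*"], mappings)),
        ("PUT", "_data_stream/" + stream, None),
    ]


def check_plan(plan, stream):
    """Sanity checks to run before sending the plan to the indexer."""
    policy_body, template_body = plan[0][2], plan[1][2]
    tmpl_patterns = template_body["index_patterns"]
    ism_patterns = policy_body["policy"]["ism_template"][0]["index_patterns"]
    props = template_body["template"]["mappings"]["properties"]
    return {
        "template_matches_stream": covered_by(stream, tmpl_patterns),
        "template_is_data_stream": "data_stream" in template_body,
        "timestamp_mapped": props.get("@timestamp", {}).get("type") == "date",
        "policy_matches_backing": covered_by(".ds-" + stream + "-000001", ism_patterns),
        "policy_before_template": (plan[0][1].startswith("_plugins/_ism/")
                                   and plan[1][1].startswith("_index_template/")),
    }


if __name__ == "__main__":
    plan = bootstrap_plan("wazuh-alerts-v5", ALERT_MAPPINGS)
    for method, path, body in plan:
        print(method, path)
        if body is not None:
            print(json.dumps(body, indent=2))
    print(check_plan(plan, "wazuh-alerts-v5"))
```

Each tuple in the plan maps directly onto a curl call against the indexer (for example `curl -X PUT https://localhost:9200/<path> -H 'Content-Type: application/json' -d '<body>'`), so the same script can be used to regenerate the bodies when a mapping or rollover threshold changes and to re-run the coverage checks before touching a live cluster.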

Indices

The following tables list the indices created by this plugin.

Stream indices

| Index | Description |
|---|---|
| wazuh-alerts-v5 | Stores alerts generated by the Wazuh Server. An alert is created each time an event matches a rule whose severity level reaches a configurable threshold. |
| wazuh-archives-v5 | Stores all events (archive data) received by the Wazuh Server, whether or not they match a rule. |
| wazuh-events-v5-<category> | Stores events received by the Wazuh Server, categorized by their origin or type. Refer to the Wazuh Common Schema for more information. |

Stateful indices

| Index | Description |
|---|---|
| wazuh-states-sca | Security Configuration Assessment (SCA) scan results. |
| wazuh-states-fim-files | File Integrity Monitoring: information about monitored files. |
| wazuh-states-fim-registry-keys | File Integrity Monitoring: information about the Windows registry (keys). |
| wazuh-states-fim-registry-values | File Integrity Monitoring: information about the Windows registry (values). |
| wazuh-states-inventory-browser-extensions | Stores browser extensions/add-ons detected on the endpoint (Chromium-based browsers such as Chrome, Edge, Brave and Opera; Firefox; and Safari). |
| wazuh-states-inventory-groups | Stores the groups that exist on the endpoint. |
| wazuh-states-inventory-hardware | Basic information about the hardware components of the endpoint. |
| wazuh-states-inventory-hotfixes | Contains information about the updates installed on Windows endpoints. The vulnerability detector module uses it to determine which vulnerabilities have been patched on Windows endpoints. |
| wazuh-states-inventory-interfaces | Stores the state (up or down) of the network interfaces on a monitored endpoint, together with their packet transfer counters. |
| wazuh-states-inventory-monitoring | Stores the connection status history of Wazuh agents (active, disconnected, pending, or never connected). The Wazuh Dashboard uses this index to display agent status and historical trends. |
| wazuh-states-inventory-networks | Stores the IPv4 and IPv6 addresses associated with each network interface, as referenced in the wazuh-states-inventory-interfaces index. |
| wazuh-states-inventory-packages | Stores information about the software currently installed on the endpoint. |
| wazuh-states-inventory-ports | Basic information about open network ports on the endpoint. |
| wazuh-states-inventory-processes | Stores the running processes detected on the endpoint. |
| wazuh-states-inventory-protocols | Stores routing configuration details for each network interface, as referenced in the wazuh-states-inventory-interfaces index. |
| wazuh-states-inventory-services | Stores system services detected on the endpoint (Windows Services, Linux systemd units, and macOS launchd daemons/agents). |
| wazuh-states-inventory-system | Operating system information, hostname and architecture. |
| wazuh-states-inventory-users | Stores the users that exist on the endpoint. |
| wazuh-states-vulnerabilities | Active vulnerabilities on the endpoint and their details. |
| wazuh-statistics | Stores statistics about Wazuh Server usage and performance, such as the number of events decoded, bytes received, and TCP sessions. |

Install

The wazuh-indexer-setup plugin is part of the official Wazuh Indexer packages and is installed by default. To install the plugin manually, follow the steps below.

Note: You need to use the wazuh-indexer or root user to run these commands.

/usr/share/wazuh-indexer/bin/opensearch-plugin install file://[absolute-path-to-the-plugin-zip]

Once installed, restart the Wazuh Indexer service.

Uninstall

Note: You need to use the wazuh-indexer or root user to run these commands.

To list the installed plugins, run: /usr/share/wazuh-indexer/bin/opensearch-plugin list

To remove a plugin, use its name as a parameter with the remove command: /usr/share/wazuh-indexer/bin/opensearch-plugin remove <plugin-name>

/usr/share/wazuh-indexer/bin/opensearch-plugin remove wazuh-indexer-setup