Change/570 remove ecs host field (#575)

* Fix indexes definitions * More fixes * Update event generators
wazuh · Dec 2, 2024 · a5b41a5 · a5b41a5
1 parent 979d7ad
commit a5b41a5
Show file tree

Hide file tree

Showing 25 changed files with 448 additions and 592 deletions.
diff --git a/ecs/docs/README.md b/ecs/docs/README.md
@@ -0,0 +1,22 @@
+# Wazuh Common Schema
+
+The Wazuh Common Schema is a derivation of the [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) (ECS) providing a common data schema for the different central components of Wazuh.
+
+- [agent](./agent.md)
+- [alerts](alerts.md)
+- [command](commands.md)
+- [states-fim](states-fim.md)
+- [states-inventory-hardware](states-inventory-hardware.md)
+- [states-inventory-hotfixes](states-inventory-hotfixes.md)
+- [states-inventory-networks](states-inventory-networks.md)
+- [states-inventory-packages](states-inventory-packages.md)
+- [states-inventory-ports](states-inventory-ports.md)
+- [states-inventory-processes](states-inventory-processes.md)
+- [states-inventory-system](states-inventory-system.md)
+- [states-vulnerabilities](states-vulnerabilities.md)
+
+---
+
+### Useful resources
+For more information and additional resources, please refer to the following links:
+- [ECS schemas repository](https://github.com/elastic/ecs/tree/main/schemas)
diff --git a/ecs/docs/inventory-hardware.md b/ecs/docs/inventory-hardware.md
@@ -11,6 +11,7 @@ Based on ECS:
 
 |     | Field name                    | Data type | Description                          | Example                    |
 | --- | ----------------------------- | --------- | ------------------------------------ | -------------------------- |
+|     | `agent.*`                     | object    | All the agent fields.                | `                          |
 |     | `@timestamp`                  | date      | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` |
 |     | `observer.serial_number`      | keyword   | Observer serial number.              |                            |
 | \*  | `host.cpu.name`               | keyword   | Name of the CPU                      |                            |
@@ -34,8 +35,13 @@ fields:
       "@timestamp": {}
   agent:
     fields:
-      id: {}
       groups: {}
+      id: {}
+      name: {}
+      type: {}
+      version: {}
+      host:
+        fields: "*"
   observer:
     fields:
       serial_number: {}
@@ -64,77 +70,10 @@ fields:
   "template": {
     "settings": {
       "index": {
-        "number_of_replicas": "0",
         "number_of_shards": "1",
-        "query.default_field": ["observer.board_serial"],
-        "refresh_interval": "5s"
-      }
-    },
-    "mappings": {
-      "date_detection": false,
-      "dynamic": "strict",
-      "properties": {
-        "@timestamp": {
-          "type": "date"
-        },
-        "agent": {
-          "properties": {
-            "groups": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        },
-        "host": {
-          "properties": {
-            "cpu": {
-              "properties": {
-                "cores": {
-                  "type": "long"
-                },
-                "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                },
-                "speed": {
-                  "type": "long"
-                }
-              },
-              "type": "object"
-            },
-            "memory": {
-              "properties": {
-                "free": {
-                  "type": "long"
-                },
-                "total": {
-                  "type": "long"
-                },
-                "used": {
-                  "properties": {
-                    "percentage": {
-                      "type": "long"
-                    }
-                  },
-                  "type": "object"
-                }
-              },
-              "type": "object"
-            }
-          }
-        },
-        "observer": {
-          "properties": {
-            "serial_number": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        }
+        "number_of_replicas": "0",
+        "refresh_interval": "5s",
+        "query.default_field": ["observer.board_serial"]
       }
     }
   }

diff --git a/ecs/docs/inventory-hotfixes.md b/ecs/docs/inventory-hotfixes.md
@@ -10,6 +10,7 @@ Based on ECS:
 
 |     | Field name            | Data type | Description           | Example                    |
 | --- | --------------------- | --------- | --------------------- | -------------------------- |
+|     | `agent.*`             | object    | All the agent fields. | `                          |
 |     | `@timestamp`          | date      | Timestamp of the scan | `2016-05-23T08:05:34.853Z` |
 | \*  | `package.hotfix.name` | keyword   | Name of the hotfix    |                            |
 
@@ -27,8 +28,13 @@ fields:
       "@timestamp": {}
   agent:
     fields:
-      id: {}
       groups: {}
+      id: {}
+      name: {}
+      type: {}
+      version: {}
+      host:
+        fields: "*"
   package:
     fields:
       hotfix:
@@ -40,49 +46,19 @@ fields:
 
 ```json
 {
-  "index_patterns": ["wazuh-states-inventory-hotfixes*"],
+  "index_patterns": [
+    "wazuh-states-inventory-hotfixes*"
+  ],
   "priority": 1,
   "template": {
     "settings": {
       "index": {
-        "number_of_replicas": "0",
         "number_of_shards": "1",
-        "query.default_field": ["package.hotfix.name"],
-        "refresh_interval": "5s"
-      }
-    },
-    "mappings": {
-      "date_detection": false,
-      "dynamic": "strict",
-      "properties": {
-        "@timestamp": {
-          "type": "date"
-        },
-        "agent": {
-          "properties": {
-            "groups": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            },
-            "id": {
-              "ignore_above": 1024,
-              "type": "keyword"
-            }
-          }
-        },
-        "package": {
-          "properties": {
-            "hotfix": {
-              "properties": {
-                "name": {
-                  "ignore_above": 1024,
-                  "type": "keyword"
-                }
-              },
-              "type": "object"
-            }
-          }
-        }
+        "number_of_replicas": "0",
+        "refresh_interval": "5s",
+        "query.default_field": [
+          "package.hotfix.name"
+        ]
       }
     }
   }