
Make command.action.args type object instead of keyword type value #630

Merged
merged 4 commits into from
Jan 10, 2025

Conversation

f-galland
Member

Description

This PR changes command.action.args in the .commands index template from keyword to object to accommodate various data types, including arrays.

Related Issues

Resolves #618

Check List

  • Functionality includes testing.
  • API changes companion pull request created, if applicable.
  • Public documentation issue/PR created, if applicable.

@f-galland
Member Author

Generating the mapping:

(env) fede@tyner:~/src/ecs ((ce2e1da5...))
$ ./generate.sh v8.11.0 ~/src/wazuh-indexer command
Loading schemas from git ref v8.11.0
Running generator. ECS version 8.11.0
Loading user defined schemas: ['/home/fede/src/wazuh-indexer/ecs/command/fields/custom/']
Replacing "constant_keyword" type with "keyword"
Replacing "wildcard" type with "keyword"
Replacing "match_only_text" type with "keyword"
Replacing "flattened" type with "flat_object"
Replacing "scaled_float" type with "float"
Removing scaling_factor lines
Deleting the "tags" field from the index template
Removing multi-fields from the index template
Mappings saved to /home/fede/src/wazuh-indexer/ecs/command/mappings/v8.11.0

command.action.args is of the right type:

(env) fede@tyner:~/src/wazuh-indexer/ecs/command/mappings/v8.11.0/generated/elasticsearch/legacy (master)
$ jq .mappings.properties.command.properties.action.properties.args template.json 
{
  "type": "object"
}

Template push is acknowledged:

(env) fede@tyner:~/src/wazuh-indexer/ecs/command/mappings/v8.11.0/generated/elasticsearch/legacy (master)
$ curl -sku admin:admin -XPUT https://192.168.60.30:9200/_template/index-template-commands -H "Content-Type: application/json" -d $(jq . template.json -c)
{"acknowledged":true}

Writing different types of data works as intended:

(env) fede@tyner:~/src/wazuh-indexer/ecs/command/mappings/v8.11.0/generated/elasticsearch/legacy (master)
$ curl -sku admin:admin -XPUT https://192.168.60.30:9200/_template/index-template-commands -H "Content-Type: application/json" -d $(jq . template.json -c)
curl -sku admin:admin -XPOST https://192.168.60.30:9200/.commands/_doc -H "Content-Type: application/json" -d '{"command": {"action": {"args": "test"}}}'
(env) fede@tyner:~/src/wazuh-indexer/ecs/command/mappings/v8.11.0/generated/elasticsearch/legacy (master)
$ curl -sku admin:admin -XPOST https://192.168.60.30:9200/.commands/_doc -H "Content-Type: application/json" -d '{"command": {"action": {"args": ["one","two","three"]}}}'
{"_index":".commands","_id":"z8lFRpQB3d5DUA5N-Eiv","_version":1,"result":"created","_shards":{"total":1,"successful":1,"failed":0},"_seq_no":228853,"_primary_term":15}
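The same check the jq command above performs (resolve command.action.args through the template's nested properties and confirm its declared type), done in Python over a constructed template excerpt. This is an added example, not code from the PR or the wazuh-indexer tooling; the template body and the function names are assumptions.

```python
import json

# Constructed excerpt of a legacy index template in the shape this PR edits
# (not the project's real template.json): only the nesting the check needs.
TEMPLATE_JSON = """
{"index_patterns": [".commands"],
 "mappings": {"properties": {
   "command": {"properties": {
     "action": {"properties": {"name": {"type": "keyword"},
                               "args": {"type": "object"}}},
     "status": {"type": "keyword"}}}}}}
"""

def load_mappings(template_text):
    """Parse a template body and return its 'mappings' block."""
    return json.loads(template_text)["mappings"]

def field_type(mappings, dotted_path):
    """Resolve a dotted path through nested 'properties' blocks, like the
    jq lookup in the PR; return the declared type or None if unmapped."""
    node = mappings
    for part in dotted_path.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    # A node with only 'properties' and no 'type' is an implicit object.
    return node.get("type", "object" if "properties" in node else None)

def flatten_fields(mappings, prefix=""):
    """Return {dotted.path: type} for every explicitly typed field."""
    out = {}
    for name, spec in mappings.get("properties", {}).items():
        path = prefix + name
        if "type" in spec:
            out[path] = spec["type"]
        if "properties" in spec:
            out.update(flatten_fields(spec, path + "."))
    return out

def check_template(template_text, expected):
    """Return a list of 'path: expected X, found Y' mismatches."""
    mappings = load_mappings(template_text)
    return [f"{p}: expected {t}, found {field_type(mappings, p)}"
            for p, t in expected.items() if field_type(mappings, p) != t]

if __name__ == "__main__":
    print(check_template(TEMPLATE_JSON, {"command.action.args": "object"}))
```

Pointing check_template at the generated template.json with the expected types from the index model gives a quick regression check that a regenerated mapping did not fall back to keyword.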

@f-galland f-galland marked this pull request as ready for review January 8, 2025 14:27
@f-galland f-galland requested a review from a team as a code owner January 8, 2025 14:27
Member

@AlexRuiz7 AlexRuiz7 left a comment


There are some things missing in order to consider the issue ready to review. Refer to the Plan described in the issue.

  • Update index model and documentation.
  • Update index template on the setup plugin and tooling.
  • Update Management API commands (orders) schema.
  • Update Agent commands (orders) schema.

@AlexRuiz7 AlexRuiz7 merged commit 8ef4b39 into master Jan 10, 2025
5 checks passed
@AlexRuiz7 AlexRuiz7 deleted the enhancement/618-make-action.args-object branch January 10, 2025 16:10
f-galland added a commit that referenced this pull request Feb 20, 2025
…lue (#630)

* Make command.action.args an object instead of a keyword value

* Update description and dynamic setting

* Updating event_generator.py

* Update command.action.args description

---------

Co-authored-by: Álex Ruiz <[email protected]>
Successfully merging this pull request may close these issues.

Improve interoperability of commands by changing action.args to object