From e2eb3ab79fde04b46627689cfc6703945339cf8b Mon Sep 17 00:00:00 2001 From: QU3B1M Date: Thu, 23 Jan 2025 11:55:48 -0300 Subject: [PATCH 1/3] Make agents and commands indexes visible Rename commands and agents indexes templates to wazuh-agents and wazuh-commands accordingly Update ECS documents Update .commands and .agents references --- ecs/agent/event-generator/event_generator.py | 2 +- ecs/agent/fields/template-settings-legacy.json | 5 ++--- ecs/agent/fields/template-settings.json | 5 ++--- ecs/command/event-generator/event_generator.py | 2 +- ecs/command/fields/template-settings-legacy.json | 5 ++--- ecs/command/fields/template-settings.json | 5 ++--- ecs/docs/agents.md | 3 +-- ecs/docs/commands.md | 5 ++--- test-tools/scripts/07_validate_command_manager.sh | 6 +++--- 9 files changed, 16 insertions(+), 22 deletions(-) diff --git a/ecs/agent/event-generator/event_generator.py b/ecs/agent/event-generator/event_generator.py index 81f53bf393c5f..32743e2665c79 100644 --- a/ecs/agent/event-generator/event_generator.py +++ b/ecs/agent/event-generator/event_generator.py @@ -12,7 +12,7 @@ GENERATED_DATA_FILE = 'generatedData.json' DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" # Default values -INDEX_NAME = ".agents" +INDEX_NAME = "wazuh-agents" USERNAME = "admin" PASSWORD = "admin" IP = "127.0.0.1" diff --git a/ecs/agent/fields/template-settings-legacy.json b/ecs/agent/fields/template-settings-legacy.json index 157c89196df07..9f32141d95b23 100644 --- a/ecs/agent/fields/template-settings-legacy.json +++ b/ecs/agent/fields/template-settings-legacy.json @@ -1,11 +1,10 @@ { "index_patterns": [ - ".agents*" + "wazuh-agents*" ], "order": 1, "settings": { "index": { - "hidden": true, "number_of_shards": "1", "number_of_replicas": "0", "refresh_interval": "5s", @@ -20,4 +19,4 @@ ] } } -} \ No newline at end of file +} diff --git a/ecs/agent/fields/template-settings.json b/ecs/agent/fields/template-settings.json index 30c94f204d38c..610687b43595d 100644 
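Review bot: Dropping `"hidden": true` together with the `.agents*` → `wazuh-agents*` rename in this template changes which security-plugin roles match the agent inventory, and nothing in the series adjusts a role or permission to go with it. A role that already grants index permissions on a `wazuh-*` pattern (a common way to scope dashboard users) will now cover this index implicitly, including write actions if the pattern carries them, whereas the dot prefix kept it out of such wildcards before. `index.hidden` itself only affects wildcard expansion and `_cat` listings and was never an access control, so the rename is the part that matters for authorization and presumably the visibility is meant to be read-only for ordinary users. Strict JSON cannot carry that note, so state in `ecs/docs/agents.md` next to the template example which roles are expected to read `wazuh-agents*` and that write access stays restricted.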
--- a/ecs/agent/fields/template-settings.json +++ b/ecs/agent/fields/template-settings.json @@ -1,12 +1,11 @@ { "index_patterns": [ - ".agents*" + "wazuh-agents*" ], "priority": 1, "template": { "settings": { "index": { - "hidden": true, "number_of_shards": "1", "number_of_replicas": "0", "refresh_interval": "5s", @@ -22,4 +21,4 @@ } } } -} \ No newline at end of file +} diff --git a/ecs/command/event-generator/event_generator.py b/ecs/command/event-generator/event_generator.py index 10a850886adf0..316f888e5745b 100644 --- a/ecs/command/event-generator/event_generator.py +++ b/ecs/command/event-generator/event_generator.py @@ -13,7 +13,7 @@ GENERATED_DATA_FILE = 'generatedData.json' DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" # Default values -INDEX_NAME = ".commands" +INDEX_NAME = "wazuh-commands" USERNAME = "admin" PASSWORD = "admin" IP = "127.0.0.1" diff --git a/ecs/command/fields/template-settings-legacy.json b/ecs/command/fields/template-settings-legacy.json index 75ef7b40f81f8..dc1d938585d9f 100644 --- a/ecs/command/fields/template-settings-legacy.json +++ b/ecs/command/fields/template-settings-legacy.json @@ -1,11 +1,10 @@ { "index_patterns": [ - ".commands*" + "wazuh-commands*" ], "order": 1, "settings": { "index": { - "hidden": true, "number_of_shards": "1", "number_of_replicas": "0", "refresh_interval": "5s", @@ -17,4 +16,4 @@ ] } } -} \ No newline at end of file +} diff --git a/ecs/command/fields/template-settings.json b/ecs/command/fields/template-settings.json index 70b65197303ad..b773aee50d87c 100644 --- a/ecs/command/fields/template-settings.json +++ b/ecs/command/fields/template-settings.json @@ -1,12 +1,11 @@ { "index_patterns": [ - ".commands*" + "wazuh-commands*" ], "priority": 1, "template": { "settings": { "index": { - "hidden": true, "number_of_shards": "1", "number_of_replicas": "0", "refresh_interval": "5s", @@ -19,4 +18,4 @@ } } } -} \ No newline at end of file +} 
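Review bot: The `wazuh-commands*` template loses `"hidden": true` here, and for this index that is a write-authorization question the series does not answer: whatever can index documents into `wazuh-commands*` can queue actions for agents (the ECS fields documented in `ecs/docs/commands.md` — `command.action.type`, `request_id`, `order_id` — describe exactly that), and after the rename any role that grants write on a `wazuh-*` pattern now reaches it. The hunk itself is consistent with the agent template, but the PR should list the roles expected to read `wazuh-commands*` and confirm that only the identity used by the command manager (outside this diff) may write or delete in it, with dashboard roles limited to read. The JSON template has no comment syntax for that, so extend the rev 0.6 line in `ecs/docs/commands.md`, e.g. `> The index is now visible to users; write access must remain restricted to the command manager through security-plugin roles.`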
diff --git a/ecs/docs/agents.md b/ecs/docs/agents.md index a0d48de7f6d16..135c081fbb00a 100644 --- a/ecs/docs/agents.md +++ b/ecs/docs/agents.md @@ -83,12 +83,11 @@ fields: ```json { - "index_patterns": [".agents*"], + "index_patterns": ["wazuh-agents*"], "priority": 1, "template": { "settings": { "index": { - "hidden": true, "number_of_shards": "1", "number_of_replicas": "0", "refresh_interval": "5s", diff --git a/ecs/docs/commands.md b/ecs/docs/commands.md index 40539a224b2b8..53929a1dc4316 100644 --- a/ecs/docs/commands.md +++ b/ecs/docs/commands.md @@ -5,7 +5,7 @@ > rev 0.2 - September 30th, 2024: Change type of `request_id`, `order_id` and `id` to keyword. > rev 0.3 - October 3rd, 2024: Change descriptions for `command.type`, `command.action.type`, `command.request_id`, `command.order_id`. > rev 0.4 - October 9th, 2024: Apply changes described in https://github.com/wazuh/wazuh-indexer-plugins/issues/96#issue-2576028654. -> rev 0.5 - December 3rd, 2024: Added `@timestamp` and `delivery_timestamp` date fields. +> rev 0.5 - December 3rd, 2024: Added `@timestamp` and `delivery_timestamp` date fields. ### Fields summary @@ -146,12 +146,11 @@ fields: ```json { - "index_patterns": [".commands*"], + "index_patterns": ["wazuh-commands*"], "priority": 1, "template": { "settings": { "index": { - "hidden": true, "number_of_shards": "1", "number_of_replicas": "0", "refresh_interval": "5s", diff --git a/test-tools/scripts/07_validate_command_manager.sh b/test-tools/scripts/07_validate_command_manager.sh index e96209bd4c8f6..6c92131078b25 100644 --- a/test-tools/scripts/07_validate_command_manager.sh +++ b/test-tools/scripts/07_validate_command_manager.sh @@ -48,7 +48,7 @@ while [[ "$#" -gt 0 ]]; do shift done -COMMANDS_INDEX=".commands" +COMMANDS_INDEX="wazuh-commands" SRC="Engine" USR="TestUser" TRG_ID="TestTarget" 
@@ -81,7 +81,7 @@ curl -s -k -u "$USERNAME:$PASSWORD" -X POST "https://$CLUSTER_IP:9200/_forcemerg
 sleep 2 # Fetch the indices
-echo "Validating .commands index is created..."
+echo "Validating commands index is created..."
 INDICES_RESPONSE=$(curl -s -k -u "$USERNAME:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/indices/.*?v")
 # shellcheck disable=SC2181
 if [ $? -ne 0 ]; then
@@ -98,7 +98,7 @@ fi
 sleep 5
 echo "Validate the command is created"
 # Validate the command was created
-SEARCH_RESPONSE=$(curl -s -k -u "$USERNAME:$PASSWORD" "https://$CLUSTER_IP:9200/.commands/_search")
+SEARCH_RESPONSE=$(curl -s -k -u "$USERNAME:$PASSWORD" "https://$CLUSTER_IP:9200/$COMMANDS_INDEX/_search")
 # Check if the request was successful
 # shellcheck disable=SC2181
 if [ $? -ne 0 ]; then
From e0acece3b6ee1031f67876542a8146c7a7c73ed2 Mon Sep 17 00:00:00 2001
From: QU3B1M
Date: Thu, 23 Jan 2025 13:23:52 -0300
Subject: [PATCH 2/3] Fix command ECS definitions not being applied
---
 ecs/command/fields/template-settings-legacy.json | 4 +---
 ecs/scripts/generate-pr-to-plugins.sh | 2 +-
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/ecs/command/fields/template-settings-legacy.json b/ecs/command/fields/template-settings-legacy.json
index dc1d938585d9f..1223dfb62db58 100644
--- a/ecs/command/fields/template-settings-legacy.json
+++ b/ecs/command/fields/template-settings-legacy.json
@@ -1,7 +1,5 @@
 {
- "index_patterns": [
- "wazuh-commands*"
- ],
+ "index_patterns": ["wazuh-commands*"],
 "order": 1,
 "settings": {
 "index": {
diff --git a/ecs/scripts/generate-pr-to-plugins.sh b/ecs/scripts/generate-pr-to-plugins.sh
index 42c73bf91f286..6a178618536e7 100644
--- a/ecs/scripts/generate-pr-to-plugins.sh
+++ b/ecs/scripts/generate-pr-to-plugins.sh
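Review bot: The `$? -ne 0` test after the new `curl ... /$COMMANDS_INDEX/_search` line only sees curl's own exit status; with `-s` and no `--fail`, a 403 from the security plugin or a 404 for a missing index returns 0 and the script continues as if the search had succeeded. Now that the index is no longer dot-prefixed, an authorization outcome is exactly what this validator should catch, so make HTTP errors fatal on the new line: `SEARCH_RESPONSE=$(curl -s -f -k -u "$USERNAME:$PASSWORD" "https://$CLUSTER_IP:9200/$COMMANDS_INDEX/_search")`. Whether the hit count is checked afterwards is outside the hunk. `-k` disables TLS verification and is presumably accepted for a throwaway test cluster; `--cacert` would be preferable where the cluster CA is available.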
@@ -68,7 +68,7 @@ detect_modified_modules() { module_to_file=( [agent]="index-template-agent.json" [alerts]="index-template-alerts.json" - [commands]="index-template-commands.json" + [command]="index-template-commands.json" [states-fim]="index-template-fim.json" [states-inventory-hardware]="index-template-hardware.json" [states-inventory-hotfixes]="index-template-hotfixes.json" From 50665677b68b538e760f6ae2d1b248c86ccb42cf Mon Sep 17 00:00:00 2001 From: Alex Ruiz Date: Fri, 24 Jan 2025 12:23:42 +0100 Subject: [PATCH 3/3] Add revision note after changes on the commands index --- ecs/docs/commands.md | 1 + test-tools/scripts/07_validate_command_manager.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ecs/docs/commands.md b/ecs/docs/commands.md index 53929a1dc4316..5cd6d34eed49a 100644 --- a/ecs/docs/commands.md +++ b/ecs/docs/commands.md @@ -6,6 +6,7 @@ > rev 0.3 - October 3rd, 2024: Change descriptions for `command.type`, `command.action.type`, `command.request_id`, `command.order_id`. > rev 0.4 - October 9th, 2024: Apply changes described in https://github.com/wazuh/wazuh-indexer-plugins/issues/96#issue-2576028654. > rev 0.5 - December 3rd, 2024: Added `@timestamp` and `delivery_timestamp` date fields. +> rev 0.6 - January 24th, 2025: Rename index to `wazuh-commands`. The index is now visible to users. ### Fields summary diff --git a/test-tools/scripts/07_validate_command_manager.sh b/test-tools/scripts/07_validate_command_manager.sh index 6c92131078b25..53fb764a67818 100644 --- a/test-tools/scripts/07_validate_command_manager.sh +++ b/test-tools/scripts/07_validate_command_manager.sh 
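Review bot: The renamed key `[command]` only works because it now equals the directory name under `ecs/`, and nothing in the hunk documents that contract — the old `[commands]` key did not error, it silently left the module undetected, which is what the commit subject describes. A comment above the array would prevent a repeat, e.g. `# Keys must match the ecs/<module> directory name exactly; a mismatch makes the module undetectable instead of failing.` `detect_modified_modules()` starts before the hunk, so how the keys are matched against the changed paths is presumably a lookup on the path component and is not visible here.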
@@ -81,7 +81,7 @@ curl -s -k -u "$USERNAME:$PASSWORD" -X POST "https://$CLUSTER_IP:9200/_forcemerg
 sleep 2 # Fetch the indices
-echo "Validating commands index is created..."
+echo "Validating $COMMANDS_INDEX index is created..."
 INDICES_RESPONSE=$(curl -s -k -u "$USERNAME:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/indices/.*?v")
 # shellcheck disable=SC2181
 if [ $? -ne 0 ]; then
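Review bot: The listing on the line after the changed echo still queries `_cat/indices/.*?v`, which only matches dot-prefixed indices, so the renamed `wazuh-commands` index can never appear in `INDICES_RESPONSE` and the message `Validating $COMMANDS_INDEX index is created...` announces a check that cannot succeed for it; whether the response is grepped for the name afterwards is outside the hunk, but either way the validation is no longer meaningful. Query the index directly and let HTTP errors fail the existing `$? -ne 0` test: `INDICES_RESPONSE=$(curl -s -f -k -u "$USERNAME:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/indices/$COMMANDS_INDEX?v")`. With `-f`, a 404 (index absent) or a 403 (the role does not cover the now non-hidden index) returns non-zero instead of 0 with an error body.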