From 73552c11239b83d62bf0f09fd6141e9ec521fcdf Mon Sep 17 00:00:00 2001
From: f-galland
Date: Thu, 12 Sep 2024 18:01:14 -0300
Subject: [PATCH 1/4] Add index template to plugin
---
 .../main/resources/index-template-fim.json | 134 ++++++++++++++++++
 1 file changed, 134 insertions(+)
 create mode 100644 plugins/wazuh-indexer-setup/src/main/resources/index-template-fim.json
diff --git a/plugins/wazuh-indexer-setup/src/main/resources/index-template-fim.json b/plugins/wazuh-indexer-setup/src/main/resources/index-template-fim.json
new file mode 100644
index 0000000..3912ed1
--- /dev/null
+++ b/plugins/wazuh-indexer-setup/src/main/resources/index-template-fim.json
@@ -0,0 +1,134 @@
+{
+ "index_patterns": [
+ "wazuh-states-fim*"
+ ],
+ "mappings": {
+ "date_detection": false,
+ "dynamic": "strict",
+ "properties": {
+ "agent": {
+ "properties": {
+ "groups": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "file": {
+ "properties": {
+ "attributes": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "gid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "hash": {
+ "properties": {
+ "md5": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha1": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha256": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "inode": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mode": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mtime": {
+ "type": "date"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "owner": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "path": {
+ "fields": {
+ "text": {
+ "type": "text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "size": {
+ "type": "long"
+ },
+ "target_path": {
+ "fields": {
+ "text": {
+ "type": "text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "uid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "registry": {
+ "properties": {
+ "key": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "order": 1,
+ "settings": {
+ "index": {
+ "hidden": true,
+ "number_of_replicas": "0",
+ "number_of_shards": "1",
+ "query.default_field": [
+ "agent.id",
+ "agent.groups",
+ "file.name",
+ "file.path",
+ "file.target_path",
+ "file.group",
+ "file.uid",
+ "file.gid"
+ ],
+ "refresh_interval": "5s"
+ }
+ }
+}
From 67b66c3ef7fb2704f35cff8952025ea6aeb5b434 Mon Sep 17 00:00:00 2001
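Review bot: `file.path` and `file.target_path` are keyword fields with `"ignore_above": 1024`, so any path longer than 1024 characters is silently left out of the keyword index and will not match term filters or the `query.default_field` search on `file.path`; Linux allows paths up to 4096 bytes and Windows considerably longer, and an unusually long path is exactly where an attacker might park a file, so I would raise the limit on both path fields, e.g. `"ignore_above": 4096`, and keep 1024 for the remaining keywords. `"dynamic": "strict"` is the right choice for a state index, since documents carrying unexpected fields are rejected instead of quietly growing the mapping. Separately, `"number_of_replicas": "0"` means the FIM baseline lives on a single shard copy; that is a reasonable single-node default but worth stating in the plugin docs, since losing that node loses the baseline.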
From: f-galland
Date: Thu, 12 Sep 2024 18:02:48 -0300
Subject: [PATCH 2/4] Create index template on plugin load
---
 .../src/main/java/org/wazuh/setup/index/WazuhIndices.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/plugins/wazuh-indexer-setup/src/main/java/org/wazuh/setup/index/WazuhIndices.java b/plugins/wazuh-indexer-setup/src/main/java/org/wazuh/setup/index/WazuhIndices.java
index ec83b80..a6dd927 100644
--- a/plugins/wazuh-indexer-setup/src/main/java/org/wazuh/setup/index/WazuhIndices.java
+++ b/plugins/wazuh-indexer-setup/src/main/java/org/wazuh/setup/index/WazuhIndices.java
@@ -51,6 +51,7 @@ public WazuhIndices(Client client, ClusterService clusterService) {
 // Create Index Templates - Indices map
 this.indexTemplates.put("index-template-agent", ".agents");
 this.indexTemplates.put("index-template-alerts", "wazuh-alerts-5.x-0001");
+ this.indexTemplates.put("index-template-fim", "wazuh-states-fim");
 }
 /**
From ff813ac3882aaa3af854807557894fbf1a3e8016 Mon Sep 17 00:00:00 2001
From: f-galland
Date: Thu, 12 Sep 2024 18:04:19 -0300
Subject: [PATCH 3/4] Remove hidden flag
---
 .../src/main/resources/index-template-fim.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/plugins/wazuh-indexer-setup/src/main/resources/index-template-fim.json b/plugins/wazuh-indexer-setup/src/main/resources/index-template-fim.json
index 3912ed1..1f75814 100644
--- a/plugins/wazuh-indexer-setup/src/main/resources/index-template-fim.json
+++ b/plugins/wazuh-indexer-setup/src/main/resources/index-template-fim.json
@@ -115,7 +115,6 @@
 "order": 1,
 "settings": {
 "index": {
- "hidden": true,
 "number_of_replicas": "0",
 "number_of_shards": "1",
 "query.default_field": [
From 257f56ae404043f457888a2a3425bc7992523e0a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81lex=20Ruiz?=
Date: Fri, 13 Sep 2024 13:05:49 +0200
Subject: [PATCH 4/4] Update states-fim index template
---
 .../src/main/resources/index-template-fim.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
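Review bot: The new `indexTemplates.put("index-template-fim", "wazuh-states-fim")` entry relies on two conventions that nothing in the hunk states: the key apparently has to match the resource file name `index-template-fim.json`, and the value has to be an index name that the template's `index_patterns` (`wazuh-states-fim*`) actually covers, otherwise the template is registered but never applied. I would extend the existing comment above the map to `// key: template resource name (index-template-<name>.json); value: the index created from it, which must match that template's index_patterns`. I am inferring the key-to-resource coupling from the names alone; confirm it against the loading code. The `WazuhIndices` constructor begins before this hunk.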
diff --git a/plugins/wazuh-indexer-setup/src/main/resources/index-template-fim.json b/plugins/wazuh-indexer-setup/src/main/resources/index-template-fim.json
index 1f75814..7400513 100644
--- a/plugins/wazuh-indexer-setup/src/main/resources/index-template-fim.json
+++ b/plugins/wazuh-indexer-setup/src/main/resources/index-template-fim.json
@@ -70,7 +70,7 @@
 "path": {
 "fields": {
 "text": {
- "type": "text"
+ "type": "match_only_text"
 }
 },
 "ignore_above": 1024,
@@ -82,7 +82,7 @@
 "target_path": {
 "fields": {
 "text": {
- "type": "text"
+ "type": "match_only_text"
 }
 },
 "ignore_above": 1024,
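Review bot: `match_only_text` is a comparatively recent field type (introduced in OpenSearch 2.12, as far as I recall), so a cluster older than that will reject this template, and because the template is registered at plugin load that failure would break the whole FIM index setup rather than one query; the minimum supported indexer version should be stated in the plugin docs or enforced by the build. The trade-off also deserves a line in the docs: `match_only_text` keeps no positions or norms, so scoring is constant and span or interval queries on `file.path.text` are not available, which is fine for filtering on paths but should be a deliberate choice. If I read the earlier hunk right, `query.default_field` still lists the keyword `file.path` and `file.target_path` rather than the `.text` subfields, so free-text searches will not use the analyzed field unless that list is updated too.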