wazuh / wazuh-agent

The Wazuh agent for endpoints.
https://wazuh.com
GNU Affero General Public License v3.0

Update queue and stateless event models #267

Closed cborla closed 1 week ago

cborla commented 3 weeks ago
Related issue
#253

Description

The development of the following PR consists of 4 points.

  1. Adapt the queue so that it supports 2 columns for all tables; the fields to be added are moduleType and metadata.

  2. Adapt the logcollector module so that, when assembling the message to insert in the queue, it respects the following format.

{
    "agent":
    {
        "groups":
        [],
        "host":
        {
            "architecture": "x86_64",
            "hostname": "chb-VBox",
            "ip": "10.0.2.5",
            "os":
            {
                "name": "Ubuntu",
                "platform": "Linux"
            }
        },
        "id": "ee9009ba-f2db-4ac4-a74f-77f52c2d421a",
        "type": "Endpoint",
        "version": "5.0.0"
    }
}
{
    "module": "logcollector",
    "type": "file"
}
{
    "event":
    {
        "ingested": "",
        "module": "logcollector",
        "original": "hello wazuh!",
        "provider": "syslog"
    },
    "log":
    {
        "file":
        {
            "path": "/tmp/test.log"
        }
    },
    "tags":
    [
        "mvp"
    ]
}
  3. Modify the output data structure of the queue to comply with a JSON-streaming-like format.
  4. All indicated fields must comply with the ECS format.

Tests

TomasTurina commented 1 week ago

Changes related to dataType will be addressed in another PR. cc @cborla
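The three-document layout the PR description specifies (agent header, module metadata, event) concatenated as a JSON stream, shown as an added example in Python; this is illustration code, not code from the wazuh-agent repository, and the builder/validator functions, the sample agent values and the required-field list are assumptions made for the example. It shows why the streaming layout needs a parser that consumes one document at a time (`json.JSONDecoder.raw_decode`), and that `json.dumps` escaping keeps a log line containing `{`, `"` or newlines from breaking the framing.

```python
"""Build and parse logcollector queue messages in the three-document JSON
streaming layout described in the PR (agent header, module metadata, event).
Added illustration; not code from the wazuh-agent repository."""
import json
from typing import Any, List

# Constructed sample agent identity; values are made up for this example.
SAMPLE_AGENT = {
    "groups": [],
    "host": {
        "architecture": "x86_64",
        "hostname": "chb-VBox",
        "ip": "10.0.2.5",
        "os": {"name": "Ubuntu", "platform": "Linux"},
    },
    "id": "ee9009ba-f2db-4ac4-a74f-77f52c2d421a",
    "type": "Endpoint",
    "version": "5.0.0",
}

# Dotted ECS paths every logcollector "file" event is expected to carry
# (assumed set, taken from the fields shown in the PR description).
REQUIRED_EVENT_PATHS = (
    "event.ingested", "event.module", "event.original", "event.provider",
    "log.file.path", "tags",
)


def build_queue_message(agent: dict, module: str, module_type: str,
                        line: str, path: str, provider: str,
                        tags: List[str], ingested: str = "") -> str:
    """Return the three concatenated JSON documents for one collected line."""
    agent_doc = {"agent": agent}
    module_doc = {"module": module, "type": module_type}
    event_doc = {
        "event": {"ingested": ingested, "module": module,
                  "original": line, "provider": provider},
        "log": {"file": {"path": path}},
        "tags": list(tags),
    }
    # json.dumps escapes quotes and newlines inside `line`, so a log line that
    # contains '{' or '\n' cannot inject a fourth document into the stream.
    return "".join(json.dumps(doc, separators=(",", ":")) + "\n"
                   for doc in (agent_doc, module_doc, event_doc))


def parse_json_stream(text: str) -> List[Any]:
    """Split concatenated or newline-separated JSON documents into objects."""
    decoder = json.JSONDecoder()
    docs, pos = [], 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return docs
        obj, pos = decoder.raw_decode(text, pos)  # raises on malformed input
        docs.append(obj)


def _get_path(obj: Any, dotted: str) -> Any:
    """Resolve a dotted path like 'log.file.path'; None if any step is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def validate_message(text: str) -> List[str]:
    """Return a list of problems; an empty list means the message fits the layout."""
    try:
        docs = parse_json_stream(text)
    except json.JSONDecodeError as exc:
        return [f"malformed JSON stream: {exc.msg} at offset {exc.pos}"]
    if len(docs) != 3:
        return [f"expected 3 documents (agent, module, event), got {len(docs)}"]
    if not all(isinstance(d, dict) for d in docs):
        return ["every document in the stream must be a JSON object"]
    agent_doc, module_doc, event_doc = docs
    problems = []
    for key in ("id", "type", "version", "host"):
        if _get_path(agent_doc, f"agent.{key}") is None:
            problems.append(f"agent header missing agent.{key}")
    for key in ("module", "type"):
        if not isinstance(module_doc.get(key), str):
            problems.append(f"module metadata missing string field {key}")
    for dotted in REQUIRED_EVENT_PATHS:
        if _get_path(event_doc, dotted) is None:
            problems.append(f"event missing ECS field {dotted}")
    if not isinstance(_get_path(event_doc, "event.original"), str):
        problems.append("event.original must be a string")
    if _get_path(event_doc, "event.module") != module_doc.get("module"):
        problems.append("event.module does not match module metadata")
    return problems


if __name__ == "__main__":
    msg = build_queue_message(SAMPLE_AGENT, "logcollector", "file",
                              "hello wazuh!", "/tmp/test.log", "syslog", ["mvp"])
    print(msg, end="")
    print("problems:", validate_message(msg))
```

Running the block prints the three documents one per line followed by `problems: []`. The validator deliberately checks the document count and the object type before looking at fields, so a truncated or reordered stream is reported as a framing error rather than as a pile of missing-field messages.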