Network Inventory Fields Do Not Fully Adhere to ECS #370

Closed
Tracked by #241
vikman90 opened this issue Nov 29, 2024 · 2 comments
Labels: level/task (Task issue), module/inventory (Inventory module), type/bug (Bug issue)

Comments

vikman90 (Member)

Parent Issue: #241

Description

The network inventory messages in the Wazuh Agent include fields that are not compliant with the Elastic Common Schema (ECS). Specifically, there is an interface field in the inventory data that is not aligned with the ECS proposal (#294):

Example of the current network inventory message:

```json
{
  "@timestamp": "2024/11/29 12:44:16",
  "host": {
    "ip": ["172.28.54.98"],
    "mac": "00:15:5d:b2:93:68",
    "network": {
      "egress": {
        "bytes": 3863215,
        "drops": 0,
        "errors": 0,
        "packets": 18423
      },
      "ingress": {
        "bytes": 10916732,
        "drops": 0,
        "errors": 0,
        "packets": 24630
      }
    }
  },
  "interface": {
    "mtu": 1500,
    "state": "up",
    "type": "ethernet"
  },
  "network": {
    "broadcast": ["172.28.63.255"],
    "dhcp": "unknown",
    "gateway": ["172.28.48.1"],
    "metric": "0",
    "netmask": ["255.255.240.0"],
    "protocol": "",
    "type": "ipv4"
  },
  "observer": {
    "ingress": {
      "interface": {
        "alias": "",
        "name": "eth0"
      }
    }
  }
}
```

  • The interface field contains information such as mtu, state, and type, which may either need to be mapped to existing ECS fields or moved to a different structure.
  • This raises the question of whether the ECS indexer lacks fields for such data, or whether these fields are being incorrectly placed in the Agent's message structure.

Expected Behavior

  • Ensure that all fields in network inventory messages are compliant with ECS.
  • If ECS does not currently support certain fields (e.g., interface.mtu, interface.state), propose updates to the ECS schema or provide an alternate mapping.
@vikman90 vikman90 added level/task Task issue type/bug Bug issue module/inventory Inventory module mvp Minimum Viable Product refinement labels Nov 29, 2024
@wazuhci wazuhci moved this to Backlog in Release 5.0.0 Nov 29, 2024
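The issue asks which fields in the message above fall outside ECS. That question can be answered mechanically by flattening the message into dotted leaf paths and diffing them against an ECS field allowlist. The script below is an added example, not code from the Wazuh agent or indexer. The `ECS_FIELDS` set is an assumption: it is the subset of ECS 8.x `host`, `interface`, `network` and `observer` leaf fields relevant to this message as I read the ECS reference, not the Wazuh indexer template; the sample message is the one quoted in the issue. It also checks the `@timestamp` value, since ECS types that field as a date and Elasticsearch's default date format is ISO 8601, which a slash-separated value does not match unless the index mapping declares a custom format.

```python
from datetime import datetime

# Constructed sample: the network inventory message quoted in the issue, as a dict.
SAMPLE_MESSAGE = {
    "@timestamp": "2024/11/29 12:44:16",
    "host": {
        "ip": ["172.28.54.98"],
        "mac": "00:15:5d:b2:93:68",
        "network": {
            "egress": {"bytes": 3863215, "drops": 0, "errors": 0, "packets": 18423},
            "ingress": {"bytes": 10916732, "drops": 0, "errors": 0, "packets": 24630},
        },
    },
    "interface": {"mtu": 1500, "state": "up", "type": "ethernet"},
    "network": {
        "broadcast": ["172.28.63.255"],
        "dhcp": "unknown",
        "gateway": ["172.28.48.1"],
        "metric": "0",
        "netmask": ["255.255.240.0"],
        "protocol": "",
        "type": "ipv4",
    },
    "observer": {"ingress": {"interface": {"alias": "", "name": "eth0"}}},
}

# Assumed allowlist: ECS 8.x leaf fields from the host, interface, network and observer
# field sets that matter for this message, per my reading of the ECS reference. It is
# not the Wazuh indexer template and is not exhaustive; rebuild it from the template
# actually deployed before treating a "non-ECS" result as final.
ECS_FIELDS = {
    "@timestamp",
    "host.ip", "host.mac", "host.name",
    "host.network.egress.bytes", "host.network.egress.packets",
    "host.network.ingress.bytes", "host.network.ingress.packets",
    "interface.alias", "interface.id", "interface.name",
    "network.application", "network.bytes", "network.community_id",
    "network.direction", "network.forwarded_ip", "network.iana_number",
    "network.name", "network.packets", "network.protocol", "network.transport",
    "network.type",
    "observer.ingress.interface.alias", "observer.ingress.interface.id",
    "observer.ingress.interface.name",
    "observer.egress.interface.alias", "observer.egress.interface.id",
    "observer.egress.interface.name",
}


def flatten(obj, prefix=""):
    """Yield dotted leaf paths of a nested JSON object.

    Arrays are treated as leaves because ECS fields may be multi-valued
    (host.ip is a list in the sample) and the array itself is the field.
    """
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            yield from flatten(value, path)
    else:
        yield prefix


def non_ecs_fields(message, allowlist=ECS_FIELDS):
    """Return the sorted list of leaf paths in message that are not in the allowlist."""
    return sorted(path for path in flatten(message) if path not in allowlist)


def timestamp_is_iso8601(value):
    """True if value parses as ISO 8601 (the default Elasticsearch date format)."""
    try:
        # str.replace keeps this working on Python < 3.11, where a trailing Z is rejected.
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for path in non_ecs_fields(SAMPLE_MESSAGE):
        print(f"non-ECS field: {path}")
    if not timestamp_is_iso8601(SAMPLE_MESSAGE["@timestamp"]):
        print(f"@timestamp is not ISO 8601: {SAMPLE_MESSAGE['@timestamp']!r}")
```

Running it against the sample flags the three `interface.*` keys the issue names, but also `network.broadcast`, `network.dhcp`, `network.gateway`, `network.metric`, `network.netmask` and the `drops`/`errors` counters under `host.network.*`, which do not exist in ECS either; whether those are acceptable depends on what the Wazuh indexer template adds on top of ECS, which is the point cborla makes below. The same check can be dropped into a CI job over the agent's sample payloads so a non-ECS field fails the build instead of surfacing as a mapping error in the indexer.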
cborla (Member) commented Nov 29, 2024

According to the indexer documentation we followed to complete the issue #294, the interface object is part of the network table.

@cborla cborla self-assigned this Nov 29, 2024
@wazuhci wazuhci moved this from Backlog to Blocked in Release 5.0.0 Nov 29, 2024
davidjiglesias (Member):
The fix on indexer side should be enough.

@davidjiglesias davidjiglesias closed this as not planned Dec 2, 2024
@davidjiglesias davidjiglesias removed the mvp Minimum Viable Product refinement label Dec 2, 2024
Development

No branches or pull requests

3 participants