Enhance FIM and Inventory indices settings (#939)

Co-authored-by: Álex Ruiz Becerra <[email protected]>

Author: abbonno

ecs/states-fim-files/docs/fields.csv

@@ -13,7 +13,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,file,file.mtime,date,extended,,,Last time the file content was modified.
 8.11.0,true,file,file.owner,keyword,extended,,alice,File owner's username.
 8.11.0,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
-8.11.0,true,file,file.path.text,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
 8.11.0,true,file,file.size,long,extended,,16384,File size in bytes.
 8.11.0,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.

ecs/states-fim-files/fields/template-settings-legacy.json

@@ -5,6 +5,7 @@
     "index": {
       "number_of_shards": "1",
       "number_of_replicas": "0",
+      "auto_expand_replicas": "0-1",
       "refresh_interval": "5s",
       "query.default_field": [
         "agent.host.architecture",

ecs/states-fim-files/fields/template-settings.json

@@ -6,6 +6,7 @@
       "index": {
         "number_of_shards": "1",
         "number_of_replicas": "0",
+        "auto_expand_replicas": "0-1",
         "refresh_interval": "5s",
         "query.default_field": [
           "agent.host.architecture",

ecs/states-fim-registries/fields/template-settings-legacy.json

@@ -5,6 +5,7 @@
     "index": {
       "number_of_shards": "1",
       "number_of_replicas": "0",
+      "auto_expand_replicas": "0-1",
       "refresh_interval": "5s",
       "query.default_field": [
         "agent.host.architecture",

ecs/states-fim-registries/fields/template-settings.json

@@ -6,6 +6,7 @@
       "index": {
         "number_of_shards": "1",
         "number_of_replicas": "0",
+        "auto_expand_replicas": "0-1",
         "refresh_interval": "5s",
         "query.default_field": [
           "agent.host.architecture",

ecs/states-inventory-hardware/fields/template-settings-legacy.json

@@ -5,9 +5,19 @@
     "index": {
       "number_of_shards": "1",
       "number_of_replicas": "0",
+      "auto_expand_replicas": "0-1",
       "refresh_interval": "5s",
       "query.default_field": [
-        "host.serial_number"
+        "agent.host.architecture",
+        "agent.host.ip",
+        "agent.id",
+        "agent.name",
+        "agent.version",
+        "agent.host.ip",
+        "host.serial_number",
+        "wazuh.cluster.name",
+        "wazuh.cluster.node",
+        "wazuh.schema.version"
       ]
     }
   }

ecs/states-inventory-hardware/fields/template-settings.json

@@ -8,11 +8,21 @@
       "index": {
         "number_of_shards": "1",
         "number_of_replicas": "0",
+        "auto_expand_replicas": "0-1",
         "refresh_interval": "5s",
         "query.default_field": [
-          "host.serial_number"
+          "agent.host.architecture",
+          "agent.host.ip",
+          "agent.id",
+          "agent.name",
+          "agent.version",
+          "agent.host.ip",
+          "host.serial_number",
+          "wazuh.cluster.name",
+          "wazuh.cluster.node",
+          "wazuh.schema.version"
         ]
       }
     }
   }
-}
+}

ecs/states-inventory-hotfixes/fields/template-settings-legacy.json

@@ -5,9 +5,18 @@
     "index": {
       "number_of_shards": "1",
       "number_of_replicas": "0",
+      "auto_expand_replicas": "0-1",
       "refresh_interval": "5s",
       "query.default_field": [
-        "package.hotfix.name"
+        "agent.host.architecture",
+        "agent.host.ip",
+        "agent.id",
+        "agent.name",
+        "agent.version",
+        "package.hotfix.name",
+        "wazuh.cluster.name",
+        "wazuh.cluster.node",
+        "wazuh.schema.version"
       ]
     }
   }

ecs/states-inventory-hotfixes/fields/template-settings.json

@@ -8,11 +8,20 @@
       "index": {
         "number_of_shards": "1",
         "number_of_replicas": "0",
+        "auto_expand_replicas": "0-1",
         "refresh_interval": "5s",
         "query.default_field": [
-          "package.hotfix.name"
+        "agent.host.architecture",
+        "agent.host.ip",
+        "agent.id",
+        "agent.name",
+        "agent.version",
+        "package.hotfix.name",
+        "wazuh.cluster.name",
+        "wazuh.cluster.node",
+        "wazuh.schema.version"
         ]
       }
     }
   }
-}
+}

ecs/states-inventory-interfaces/docs/fields.csv

@@ -13,6 +13,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.11.0,true,host,host.network.ingress.drops,long,custom,,,Number of dropped received packets.
 8.11.0,true,host,host.network.ingress.errors,long,custom,,,Number of reception errors.
 8.11.0,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces.
+8.11.0,true,interface,interface.alias,keyword,extended,,outside,Interface alias
+8.11.0,true,interface,interface.mtu,long,custom,,,Maximum transmission unit size.
+8.11.0,true,interface,interface.name,keyword,extended,,eth0,Interface name
+8.11.0,true,interface,interface.state,keyword,custom,,,State of the network interface.
+8.11.0,true,interface,interface.type,keyword,custom,,,Interface type.
 8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,,Wazuh cluster name.
 8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,,Wazuh cluster node name.
 8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,,Wazuh schema version.