Comms API - Stateful endpoint with ECS compliant models #27079

Closed
3 tasks done
fdalmaup opened this issue Nov 27, 2024 · 1 comment · Fixed by #27127

fdalmaup commented Nov 27, 2024

Description

As part of the 5.0 MVP refinement, we need to make adjustments to the POST /events/stateful endpoint, specifically to the expected fields in the request body. In wazuh/wazuh-indexer#270, the Indexer team has defined the index data model (template) for the following stateful indices that can already be checked in the ecs/docs folder:

Taking into account the streaming protocol we have established for the stateful events in #26709 (comment), which has the following structure:

{
# Agent Metadata
}
{
# Module information
}
{
# Event
}
{
# Module information
}
{
# Event
}

Note

For the "operation": "delete" type we do not expect an Event.

The requirement is to only validate the information related to the Agent Metadata and the Module information since it is required for the query to the indexer and pass the Event without validating its fields.

Tasks

  • Make the necessary modifications to the StatefulEvent model.
  • Check that every module is mapped to its corresponding index name.
  • Test against a deployed indexer that the received bulk is correctly sent and indexed.
wazuhci moved this to Triage in Release 5.0.0 Nov 27, 2024
wazuhci moved this from Triage to Backlog in Release 5.0.0 Nov 28, 2024
GGP1 self-assigned this Dec 2, 2024
wazuhci moved this from Backlog to In progress in Release 5.0.0 Dec 2, 2024
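
The stream layout and validation rule described in the issue above, as an added example (not code from the Wazuh repository): only the Agent Metadata and Module information are checked, the Event is forwarded untouched, and a delete has no Event. The newline-delimited framing, the field names other than "operation", and the module and index names are assumptions made for illustration.

```python
import json

# Hypothetical field and index names; the issue names only "operation": "delete".
AGENT_FIELDS = ("agent",)
MODULE_FIELDS = ("module", "id", "operation")
MODULE_INDEX = {"fim": "example-states-fim", "inventory": "example-states-inventory"}

# Constructed sample body: one JSON object per line (assumed framing).
SAMPLE = "\n".join([
    '{"agent": {"id": "001"}}',
    '{"module": "fim", "id": "doc-1", "operation": "create"}',
    '{"anything": ["is", "accepted"]}',
    '{"module": "inventory", "id": "doc-2", "operation": "delete"}',
])


def _load(line, required, what):
    """Parse one line and check only that the required keys are present."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError as exc:
        raise ValueError(f"{what}: invalid JSON") from exc
    if not isinstance(obj, dict):
        raise ValueError(f"{what}: expected an object")
    missing = [k for k in required if k not in obj]
    if missing:
        raise ValueError(f"{what}: missing {missing}")
    return obj


def parse_stateful_stream(body):
    """Return (agent_metadata, [(index, module_info, raw_event_or_None), ...])."""
    lines = [ln for ln in body.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty body")
    agent = _load(lines[0], AGENT_FIELDS, "agent metadata")
    ops, i = [], 1
    while i < len(lines):
        info = _load(lines[i], MODULE_FIELDS, "module information")
        i += 1
        module = info["module"]
        index = MODULE_INDEX.get(module) if isinstance(module, str) else None
        if index is None:
            raise ValueError(f"unmapped module {module!r}")
        if info["operation"] == "delete":
            ops.append((index, info, None))  # a delete carries no Event
            continue
        if i >= len(lines):
            raise ValueError("module information without its Event")
        ops.append((index, info, lines[i]))  # Event forwarded as-is, never parsed
        i += 1
    return agent, ops
```

Because the Event line is never parsed, a non-delete entry whose Event is missing mid-stream would consume the next Module information line as its Event; only a truncated final entry is detectable at this layer.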

GGP1 commented Dec 2, 2024

Update

Fixed various bugs in the batcher when sending and receiving multiple events and removed the events classes, moving the validation layer to the indexer.

wazuhci moved this from In progress to Pending review in Release 5.0.0 Dec 2, 2024
wazuhci moved this from Pending review to In review in Release 5.0.0 Dec 4, 2024
wazuhci moved this from In review to In final review in Release 5.0.0 Dec 4, 2024
wazuhci moved this from In final review to Done in Release 5.0.0 Dec 4, 2024