forked from opensearch-project/OpenSearch
-
Notifications
You must be signed in to change notification settings - Fork 25
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add bash tool to copy the generated ECS templates to the plugins repo
Update GHA to use the new tool Signed-off-by: --unset <--unset> Update ecs README with new tool usage Signed-off-by: --unset <--unset> Update ECS generator script name Signed-off-by: --unset <--unset> Remove unused index upload option Fix issue with exit codes on branch checking Signed-off-by: --unset <--unset>
- Loading branch information
Showing
5 changed files
with
234 additions
and
226 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -16,140 +16,20 @@ jobs: | |
| with: | ||
| fetch-depth: 2 | ||
|
|
||
| - name: Extract branch name | ||
| shell: bash | ||
| run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT | ||
| id: branch-name | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Set up Docker Compose | ||
| run: sudo apt-get install docker-compose | ||
|
|
||
| - name: Extract ECS Modules and Run ECS Generator | ||
| id: run-ecs-generator | ||
| run: | | ||
| # Fetch base branch | ||
| git fetch origin +refs/heads/master:refs/remotes/origin/master | ||
| # Extract the ECS module names from the modified files | ||
| modified_files=$(git diff --name-only origin/master) | ||
| updated_modules=() | ||
| for file in $modified_files; do | ||
| if [[ $file == ecs/* ]]; then | ||
| ecs_module=$(echo $file | cut -d'/' -f2) | ||
| if [[ ! " ${updated_modules[*]} " =~ " ${ecs_module} " ]]; then | ||
| updated_modules+=("$ecs_module") | ||
| fi | ||
| fi | ||
| done | ||
| # Filter out modules that do not have corresponding JSON files | ||
| declare -A module_to_file=( | ||
| [agent]="index-template-agent.json" | ||
| [alerts]="index-template-alerts.json" | ||
| [commands]="index-template-commands.json" | ||
| [hardware]="index-template-hardware.json" | ||
| [hotfixes]="index-template-hotfixes.json" | ||
| [fim]="index-template-fim.json" | ||
| [networks]="index-template-networks.json" | ||
| [packages]="index-template-packages.json" | ||
| [ports]="index-template-ports.json" | ||
| [processes]="index-template-processes.json" | ||
| [scheduled-commands]="index-template-scheduled-commands.json" | ||
| [system]="index-template-system.json" | ||
| [vulnerabilities]="index-template-vulnerabilities.json" | ||
| ) | ||
| relevant_modules=() | ||
| for ecs_module in "${updated_modules[@]}"; do | ||
| if [[ -n "${module_to_file[$ecs_module]}" ]]; then | ||
| relevant_modules+=("$ecs_module") | ||
| fi | ||
| done | ||
| if [[ ${#relevant_modules[@]} -gt 0 ]]; then | ||
| export REPO_PATH=$(pwd) | ||
| for ecs_module in "${relevant_modules[@]}"; do | ||
| # Run the ECS generator script for each relevant module | ||
| bash ecs/generator/mapping-generator.sh run "$ecs_module" | ||
| echo "Processed ECS module: $ecs_module" | ||
| done | ||
| echo "relevant_modules=${relevant_modules[*]}" >> $GITHUB_ENV | ||
| else | ||
| echo "No relevant modifications detected in ecs/ directory." | ||
| exit 0 | ||
| fi | ||
| - name: Tear down ECS Generator | ||
| if: always() | ||
| run: bash ecs/generator/mapping-generator.sh down | ||
|
|
||
| - name: Upload artifact | ||
| if: always() | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: ecs-template | ||
| path: ecs/**/mappings/v8.11.0/generated/elasticsearch/legacy/template.json | ||
|
|
||
| - name: Checkout target repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| repository: wazuh/wazuh-indexer-plugins | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
| path: wazuh-indexer-plugins | ||
|
|
||
| - name: Copy generated files to target repository | ||
| run: | | ||
| # Map ECS modules to target JSON filenames | ||
| declare -A module_to_file=( | ||
| [agent]="index-template-agent.json" | ||
| [alerts]="index-template-alerts.json" | ||
| [commands]="index-template-commands.json" | ||
| [hardware]="index-template-hardware.json" | ||
| [hotfixes]="index-template-hotfixes.json" | ||
| [fim]="index-template-fim.json" | ||
| [networks]="index-template-networks.json" | ||
| [packages]="index-template-packages.json" | ||
| [ports]="index-template-ports.json" | ||
| [processes]="index-template-processes.json" | ||
| [scheduled-commands]="index-template-scheduled-commands.json" | ||
| [system]="index-template-system.json" | ||
| [vulnerabilities]="index-template-vulnerabilities.json" | ||
| ) | ||
| for ecs_module in ${relevant_modules[@]}; do | ||
| target_file=${module_to_file[$ecs_module]} | ||
| if [[ -z "$target_file" ]]; then | ||
| echo "No corresponding file for module $ecs_module" | ||
| continue | ||
| fi | ||
| mkdir -p wazuh-indexer-plugins/plugins/setup/src/main/resources/ | ||
| cp ecs/$ecs_module/mappings/v8.11.0/generated/elasticsearch/legacy/template.json wazuh-indexer-plugins/plugins/setup/src/main/resources/$target_file | ||
| done | ||
| - name: Commit and push changes | ||
| - name: Generate PR to wazuh-indxer-plugins | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }} | ||
| run: | | ||
| cd wazuh-indexer-plugins | ||
| git config --global user.email "[email protected]" | ||
| git config --global user.name "GitHub Actions" | ||
| branch_name="update-ecs-templates" | ||
| # Check if branch exists | ||
| if git ls-remote --heads origin $branch_name | grep $branch_name; then | ||
| git checkout $branch_name | ||
| else | ||
| git checkout -b $branch_name | ||
| fi | ||
| git add . | ||
| git commit -m "Update ECS templates for modified modules: $relevant_modules" | ||
| git push origin $branch_name | ||
| - name: Create Pull Request | ||
| uses: peter-evans/create-pull-request@v4 | ||
| with: | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
| commit-message: "Update ECS templates for modified modules: $relevant_modules" | ||
| branch: update-ecs-templates | ||
| title: "Update ECS templates for modified modules: $relevant_modules" | ||
| body: "This PR updates the ECS templates for the following modules: $relevant_modules." | ||
| base: master | ||
| bash ecs/scripts/generate-pr-to-plugins.sh \ | ||
| -b ${{ steps.branch-name.outputs.branch }} | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,9 +4,8 @@ This script generates the ECS mappings for the Wazuh indices. | |
|
|
||
| ### Requirements | ||
|
|
||
| - ECS repository clone. The script is meant to be launched from the root level of that repository. | ||
| - `Python` 3.6 or higher + `venv` module | ||
| - `jq` | ||
| - [Docker Desktop](https://docs.docker.com/desktop/setup/install/linux/) | ||
| > Other option is to install the [docker-compose plugin](https://docs.docker.com/compose/install/#scenario-two-install-the-docker-compose-plugin). | ||
| ### Folder structure | ||
|
|
||
|
|
@@ -15,67 +14,21 @@ files to generate the mappings. These are the inputs for the ECS generator. | |
|
|
||
| ### Usage | ||
|
|
||
| 1. Get a copy of the ECS repository at the same level as the `wazuh-indexer` repo: | ||
|
|
||
| ```console | ||
| git clone [email protected]:elastic/ecs.git | ||
| ``` | ||
|
|
||
| 2. Install the dependencies: | ||
|
|
||
| ```console | ||
| cd ecs | ||
| python3 -m venv env | ||
| source env/bin/activate | ||
| pip install -r scripts/requirements.txt | ||
| ``` | ||
|
|
||
| 2. Copy the `generate.sh` script to the root level of the ECS repository. | ||
|
|
||
| ```console | ||
| cp generate.sh ../../ecs | ||
| cd ../../ecs | ||
| bash generate.sh | ||
| ``` | ||
|
|
||
| Expected output: | ||
| ``` | ||
| Usage: generate.sh <ECS_VERSION> <INDEXER_SRC> <MODULE> [--upload <URL>] | ||
| * ECS_VERSION: ECS version to generate mappings for | ||
| * INDEXER_SRC: Path to the wazuh-indexer repository | ||
| * MODULE: Module to generate mappings for | ||
| * --upload <URL>: Upload generated index template to the OpenSearch cluster. Defaults to https://localhost:9200 | ||
| Example: generate.sh v8.11.0 ~/wazuh-indexer states-vulnerabilities --upload https://indexer:9200 | ||
| ``` | ||
|
|
||
| 3. Use the `generate.sh` script to generate the mappings for a module. The script takes 3 arguments, | ||
| plus 2 optional arguments to upload the mappings to the `wazuh-indexer`. Both, composable and legacy mappings | ||
| are generated. For example, to generate the mappings for the `states-vulnerabilities` module using the | ||
| ECS version `v8.11.0` and assuming that path of this repository is `~/wazuh/wazuh-indexer`: | ||
|
|
||
| 1. Execute the mapping-generator tool | ||
| ```bash | ||
| ./generate.sh v8.11.0 ~/wazuh/wazuh-indexer states-vulnerabilities | ||
| ``` | ||
|
|
||
| The tool will output the folder where they have been generated. | ||
|
|
||
| ```console | ||
| Loading schemas from git ref v8.11.0 | ||
| Running generator. ECS version 8.11.0 | ||
| Mappings saved to ~/wazuh/wazuh-indexer/ecs/states-vulnerabilities/mappings/v8.11.0 | ||
| bash ecs/generator/mapping-generator.sh run <MODULE_NAME> | ||
| ``` | ||
|
|
||
| 4. When you are done. Exit the virtual environment. | ||
|
|
||
| ```console | ||
| deactivate | ||
| 2. (Optional) Run the tool's cleanup | ||
| > The tool stops the container automatically, but it is recommended to run the down command if the tool is not going to be used anymore. | ||
| ```bash | ||
| bash ecs/generator/mapping-generator.sh down | ||
| ``` | ||
| ### Output | ||
| A new `mappings` folder will be created inside the module folder, containing all the generated files. | ||
| The files are versioned using the ECS version, so different versions of the same module can be generated. | ||
| For our use case, the most important files are under `mappings/<ECS_VERSION>/generated/elasticsearch/legacy/`: | ||
| For our use case, the most important files are under `mappings/v8.11.0/generated/elasticsearch/legacy/`: | ||
| - `template.json`: Elasticsearch compatible index template for the module | ||
| - `opensearch-template.json`: OpenSearch compatible index template for the module | ||
|
|
@@ -137,31 +90,3 @@ The script uses log file. Check it out for debugging or additional information. | |
| - [ECS repository](https://github.com/elastic/ecs) | ||
| - [ECS usage](https://github.com/elastic/ecs/blob/main/USAGE.md) | ||
| - [ECS field reference](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) | ||
|
|
||
| ### All-in-one script | ||
|
|
||
| ```bash | ||
| #!/bin/bash | ||
|
|
||
| indices=( | ||
| agent | ||
| alerts | ||
| command | ||
| states-fim | ||
| states-inventory-hardware | ||
| states-inventory-hotfixes | ||
| states-inventory-networks | ||
| states-inventory-packages | ||
| states-inventory-ports | ||
| states-inventory-processes | ||
| states-inventory-system | ||
| states-vulnerabilities | ||
| ) | ||
|
|
||
| ECS="v8.11.0" | ||
| WI_REPO_PATH=~/wazuh/wazuh-indexer | ||
|
|
||
| for index in "${indices[@]}"; do | ||
| bash generate.sh $ECS $WI_REPO_PATH "$index" | ||
| done | ||
| ``` | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.