Update metadata fields in Logcollector events to match specification #530

Open
vikman90 opened this issue Jan 22, 2025 · 2 comments · May be fixed by #533
Labels
level/task Task issue module/logcollector mvp Minimum Viable Product refinement type/change Change performed in a resource or Wazuh Cloud environment

Comments

@vikman90
Member

vikman90 commented Jan 22, 2025

Description

Currently, Logcollector events sent by the Wazuh Agent have the following structure:

{ 
  "module": "logcollector",
  "type": "file"
}
{ 
  "event": {
    "created": "2025-01-17T22:05:02.319Z",
    "module": "logcollector",
    "original": "2025-01-17T19:05:01.978041-03:00 chb-VBox CRON[13715]: pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0)",
    "provider": "syslog"
  },
  "log": {
    "file": {
      "path": "/var/log/auth.log"
    }
  },
  "tags": ["mvp"]
}

As specified by the Engine team, the event.module field should correspond to the specific collector (a submodule of Logcollector) rather than being statically set to "logcollector". For instance:

  • module = "logcollector"
  • event.module = "syslog"
  • event.provider = path to the file

Tasks

  1. Discuss with Management:
    Align on the most appropriate format for event.module based on specifications and use cases.
  2. Coordinate with the Server Team:
    Ensure the proposed format aligns with Engine requirements and is supported on the Server side.
  3. Implement Changes:
    Modify the Wazuh Agent Logcollector to correctly populate the event.module field with the collector name.
  4. E2E Testing:
    Perform end-to-end tests to verify that the changes fulfill the specification and do not break existing functionality.
@vikman90 vikman90 added type/change Change performed in a resource or Wazuh Cloud environment level/task Task issue module/logcollector labels Jan 22, 2025
@wazuhci wazuhci moved this to Blocked in XDR+SIEM/Release 5.0.0 Jan 22, 2025
@vikman90
Member Author

vikman90 commented Jan 22, 2025

Proposal

  • Replace type with collector in both Inventory and Logcollector modules, for both Stateful and Stateless messages.
  • Apply the allowed values for the collector field (in Logcollector):
    • windows-eventlog instead of windows.
    • macos-uls instead of macos.
  • Remove event.module from messages of modules.
  • Use either event.provider or log.file.path to refer to the log source.
  • Remove tags from Logcollector messages.

Examples

Stateful Inventory

{ 
  "module": "inventory",
  "collector": "network | hardware | process | package",
  "operation": "add",
  "id": "2acaee4887da22ef89988caa0ac7c25d3986ae8b"
}
{ ... }

Stateless Inventory

{ 
  "module": "inventory",
  "collector": "network | hardware | process | package"
}

Stateless Logcollector

{ 
  "module": "logcollector",
  "collector": "windows-eventlog | file | journald | macos-uls"
}
{ 
  "event": {
    "created": "2025-01-17T22:05:02.319Z",
    "provider": "Application",
    "original": "2025-01-17T19:05:01.978041-03:00 chb-VBox CRON[13715]: pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0)"
  },
  "log": {
    "file": {
      "path": "/var/log/auth.log"
    }
  }
}

@cborla cborla self-assigned this Jan 22, 2025
@vikman90 vikman90 added the mvp Minimum Viable Product refinement label Jan 22, 2025
@wazuhci wazuhci moved this from Blocked to In progress in XDR+SIEM/Release 5.0.0 Jan 22, 2025
@cborla
Member

cborla commented Jan 22, 2025

Evidence of events collected.

The following events were obtained using the mock server.

Logcollector stateless events

File event

{
    "collector": "file",
    "module": "logcollector"
}
{
    "event":
    {
        "created": "2025-01-22T21:45:01.916Z",
        "original": "2025-01-22T18:45:01.555243-03:00 chb-VBox CRON[23505]: pam_unix(cron:session): session closed for user root"
    },
    "log":
    {
        "file":
        {
            "path": "/var/log/auth.log"
        }
    }
}

Journald event

{
    "collector": "journald",
    "module": "logcollector"
}
{
    "event":
    {
        "created": "2025-01-22T21:54:06.056Z",
        "original": "Starting NetworkManager-dispatcher.service - Network Manager Script Dispatcher Service...",
        "provider": "init.scope"
    }
}

Inventory stateless events

Processes event

{"collector":"processes","module":"inventory"}
{"event":{"action":"process-updated","category":["process"],"changed_fields":["process.start"],"created":"2025-01-22T21:42:28.012Z","reason":"Process systemd (PID: systemd) was updated","type":["change"]},"process":{"args":"splash","command_line":"/sbin/init","group":{"id":"root"},"name":"systemd","parent":{"pid":0},"pid":"1","previous":{"start":1737462341},"real_group":{"id":"root"},"real_user":{"id":"root"},"saved_group":{"id":"root"},"saved_user":{"id":"root"},"start":1737556137,"thread":{"id":1},"tty":{"char_device":{"major":0}},"user":{"id":"root"}}}

Hardware event

{"collector":"hardware","module":"inventory"}
{"event":{"action":"hardware-updated","category":["host"],"changed_fields":["host.memory.free","host.memory.used.percentage"],"created":"2025-01-22T21:42:28.012Z","reason":"Hardware changed","type":["change"]},"host":{"cpu":{"cores":4,"name":"AMD Ryzen 7 3500U with Radeon Vega Mobile Gfx","speed":2097},"memory":{"free":7605896,"previous":{"free":7671308},"total":9706920,"used":{"percentage":22,"previous":{"percentage":21}}}},"observer":{"serial_number":"0"}}

Inventory stateful events

Networks event

{"collector":"networks","id":"2026039b88b91e4e2e66408f624c0b9318983271","module":"inventory","operation":"update"}
{"@timestamp":"2025-01-22T21:42:28.012Z","host":{"ip":["192.168.56.102"],"mac":"08:00:27:70:ef:90","network":{"egress":{"bytes":1005162,"drops":0,"errors":0,"packets":15705},"ingress":{"bytes":1159956,"drops":0,"errors":0,"packets":16269}}},"interface":{"mtu":1500,"state":"up","type":"ethernet"},"network":{"broadcast":["192.168.56.255"],"dhcp":null,"gateway":[],"metric":"101","netmask":["255.255.255.0"],"protocol":null,"type":"ipv4"},"observer":{"ingress":{"interface":{"alias":"","name":"enp0s8"}}}}

Ports event

{"collector":"ports","id":"664c1e64427c4c987f34c1f859c7f885775d2a3d","module":"inventory","operation":"create"}
{"@timestamp":"2025-01-22T21:42:28.012Z","destination":{"ip":["::"],"port":0},"file":{"inode":15534},"host":{"network":{"egress":{"queue":0},"ingress":{"queue":0}}},"interface":{"state":"listening"},"network":{"protocol":"tcp6"},"process":{"name":"smbd","pid":1995},"source":{"ip":["::"],"port":139}}
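An added checker, not part of this issue or of the wazuh-agent code, that parses the header/body message pairs shown in the proposal and the evidence above and reports where a Logcollector message deviates from the proposed format (no type, an allowed collector, no event.module, no tags, and a log source in event.provider or log.file.path). The two sample messages are constructed from the issue description and the file event in the evidence, with the original lines shortened.

```python
import json

# Collector names the proposal allows in the Logcollector metadata header.
ALLOWED_COLLECTORS = {"windows-eventlog", "file", "journald", "macos-uls"}

# Constructed samples: the current message from the issue description (OLD)
# and the proposed file event from the evidence comment (NEW).
OLD_MESSAGE = """
{"module": "logcollector", "type": "file"}
{"event": {"created": "2025-01-17T22:05:02.319Z", "module": "logcollector",
           "original": "CRON[13715]: session opened for user root", "provider": "syslog"},
 "log": {"file": {"path": "/var/log/auth.log"}}, "tags": ["mvp"]}
"""
NEW_MESSAGE = """
{"collector": "file", "module": "logcollector"}
{"event": {"created": "2025-01-22T21:45:01.916Z",
           "original": "CRON[23505]: session closed for user root"},
 "log": {"file": {"path": "/var/log/auth.log"}}}
"""


def parse_pairs(text):
    """Split concatenated JSON objects (pretty-printed or one per line)
    into (metadata header, event body) pairs."""
    decoder, objs = json.JSONDecoder(), []
    rest = text.lstrip()
    while rest:
        obj, end = decoder.raw_decode(rest)   # parse one object, get its end offset
        objs.append(obj)
        rest = rest[end:].lstrip()
    if len(objs) % 2:
        raise ValueError("metadata header without an event body")
    return list(zip(objs[0::2], objs[1::2]))


def check_logcollector(header, body):
    """Return the list of proposal violations for one Logcollector pair."""
    problems = []
    if header.get("module") != "logcollector":
        problems.append("header.module must be 'logcollector'")
    if "type" in header:
        problems.append("header.type is replaced by header.collector")
    if header.get("collector") not in ALLOWED_COLLECTORS:
        problems.append(f"unknown collector {header.get('collector')!r}")
    event = body.get("event", {})
    if "module" in event:
        problems.append("event.module must be removed")
    if "tags" in body:
        problems.append("tags must be removed")
    if "provider" not in event and "path" not in body.get("log", {}).get("file", {}):
        problems.append("log source missing: need event.provider or log.file.path")
    return problems
```

Running check_logcollector over the pre-change message lists four violations, while the evidence file event passes cleanly.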

@cborla cborla linked a pull request Jan 22, 2025 that will close this issue
@wazuhci wazuhci moved this from In progress to Pending review in XDR+SIEM/Release 5.0.0 Jan 22, 2025
@wazuhci wazuhci moved this from Pending review to Blocked in XDR+SIEM/Release 5.0.0 Jan 23, 2025