Runtime fields


max a
Sep 12, 2022, 3:56:59 AM
to Wazuh mailing list
Hello,
Does Wazuh support runtime fields?
I can't seem to add them in the index.
Thanks in advance!

[Attachment: error_runtime.PNG]

elw...@wazuh.com
Sep 12, 2022, 6:32:38 AM
to Wazuh mailing list
Hello Alberola,

Wazuh does not support runtime fields. Can you please let me know what you are trying to achieve, so I can suggest possible alternatives?

Regards,
Wali

max a
Sep 12, 2022, 7:51:34 AM
to Wazuh mailing list
Thanks for your answer.
I'm trying to replace my PRTG on my server. So far, I've:
- created a custom script running on wazuh-agent via the command wodle
- decoded the output of this command as JSON
- created custom fields in the wazuh-alerts index
- made TSVB visualizations with CPU, memory, disk-usage, interface load, etc. metrics

Example (output returned by the script running on the agent):
..
..
healthcheck.process_check.sql.mysql.monitored: yes
healthcheck.process_check.sql.mysql.state: running
..
..


Now I'm trying to make a general dashboard where the state of some services (mysql, sshd, etc.) is shown (either running or stopped), grouped by agent group. For this, I need the last value of the alert from my script and to check whether the process is currently monitored and running. In order to get the last values, I found a work-around with a Vega-Lite visualization, which isn't pretty.

{
  "$schema": "https://vega.github.io/schema/vega-lite/v4.json",
  "title": "Event counts from all indexes",
  "data": {
    "url": {
      "%context%": true,
      "index": "wazuh-alerts-4.x-2022.09.12",
      "body": {
        "size": 0,
        "_source": [
          "data.healthcheck.process_check.sql.mariadb.state",
          "data.healthcheck.process_check.sql.mariadb.monitored"
        ],
        "aggs": {
          "time_field": {
            "terms": {
              "field": "@timestamp",
              "size": 1,
              "order": {"_key": "desc"}
            },
            "aggs": {
              "current_state": {
                "terms": {
                  "field": "data.healthcheck.process_check.sql.mariadb.state",
                  "size": 1
                }
              },
              "ismonitored": {
                "terms": {
                  "field": "data.healthcheck.process_check.sql.mariadb.monitored",
                  "size": 1
                }
              }
            }
          }
        }
      }
    },
    "format": {"property": "aggregations.time_field.buckets"}
  },
  "vconcat": [
    {
      "encoding": {
        "text": {"field": "current_state.buckets[0].key", "type": "nominal"}
      },
      "mark": {
        "type": "text",
        "fill": "red",
        "fontSize": 100,
        "fillOpacity": 1,
        "x": 10,
        "y": 10
      }
    },
    {
      "encoding": {
        "text": {"field": "ismonitored.buckets[0].key", "type": "nominal"}
      },
      "mark": {
        "type": "text",
        "fill": "red",
        "fontSize": 100,
        "fillOpacity": 1,
        "x": 10,
        "y": 50
      }
    }
  ],
  "config": {"view": {"stroke": "transparent"}}
}


I need to process the aggregation values with a script:
(example, written as a scripted field would read the document's doc values)

// "monitored" and "state" come from the custom alert fields of the healthcheck script
if (doc['data.healthcheck.process_check.sql.mariadb.monitored'].value == "yes")
{
   if (doc['data.healthcheck.process_check.sql.mariadb.state'].value != "running")
   {
      return "problem";
   }
   return "ok";
}
else
{
   return "not monitored";
}

elw...@wazuh.com
Sep 15, 2022, 6:40:26 AM
to Wazuh mailing list
Hello Alberola,

Apologies for the late response.

I believe that scripted fields can help process the aggregation you need. Following are some use cases I replied to where you can see the use of them:

https://groups.google.com/g/wazuh/c/a8QQlyxN6oI/m/7ATcVT-GAQAJ?utm_medium=email&utm_source=footer

https://groups.google.com/g/wazuh/c/KFZgDtS7_yg/m/tZ1VupjrBAAJ

I hope this helps.

Regards,
Wali
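Added example, written for this thread and not part of the original posts, Wazuh, or the linked answers: it serves both the "last value per agent" problem of the Vega-Lite work-around above and the "problem / not monitored" decision in the pseudo-script. Instead of one terms bucket on the newest @timestamp across all agents (which picks a single timestamp rather than each agent's latest alert), the query below nests a terms bucket per agent.group, a terms bucket per agent.name, and a top_hits of size 1 sorted newest-first; a small function then applies the classification to each bucket. Field names follow the wazuh-alerts documents shown in the thread; the 15-minute staleness window, the bucket sizes, and the sample response are assumptions made for the example.

```python
"""Added example for the thread above (not Wazuh code and not the poster's).
Builds the aggregation that returns each agent's newest healthcheck alert,
grouped by agent group, and classifies it like the thread's pseudo-script.
Field names follow the thread; the window and sample response are assumed."""

from typing import Any

SERVICE = "data.healthcheck.process_check.sql.mariadb"   # service checked in the thread
MONITORED = f"{SERVICE}.monitored"
STATE = f"{SERVICE}.state"


def latest_state_query(window: str = "now-15m") -> dict:
    """Request body for _search on wazuh-alerts-4.x-*: size 0 (no raw hits),
    one bucket per agent.group, one bucket per agent.name inside it, and a
    top_hits of size 1 sorted newest-first, i.e. only that agent's last alert.
    The exists filter keeps only alerts produced by the healthcheck script;
    the @timestamp range (assumed window) drops stale agents from the board."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"exists": {"field": MONITORED}},
            {"range": {"@timestamp": {"gte": window}}},
        ]}},
        "aggs": {"by_group": {
            "terms": {"field": "agent.group", "size": 100},        # assumed bucket size
            "aggs": {"by_agent": {
                "terms": {"field": "agent.name", "size": 1000},    # assumed bucket size
                "aggs": {"latest": {"top_hits": {
                    "size": 1,
                    "sort": [{"@timestamp": {"order": "desc"}}],
                    "_source": ["@timestamp", "agent.name", MONITORED, STATE],
                }}},
            }},
        }},
    }


def get_path(doc: dict, dotted: str) -> Any:
    """Walk a nested _source dict by a dotted field name; None if a hop is missing."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def classify(monitored: Any, state: Any) -> str:
    """The decision from the thread's pseudo-script, with an explicit 'ok' branch."""
    if monitored != "yes":
        return "not monitored"
    return "ok" if state == "running" else "problem"


def summarize(response: dict) -> dict:
    """{agent_group: {agent_name: status}} from the aggregation response.
    Every terms bucket has at least one document, so top_hits always has a hit;
    an agent that stopped reporting inside the window is simply absent."""
    out: dict = {}
    for grp in response["aggregations"]["by_group"]["buckets"]:
        statuses = out.setdefault(grp["key"], {})
        for agent in grp["by_agent"]["buckets"]:
            src = agent["latest"]["hits"]["hits"][0]["_source"]
            statuses[agent["key"]] = classify(get_path(src, MONITORED), get_path(src, STATE))
    return out


def _alert(name: str, group: str, monitored: str, state: str, ts: str) -> dict:
    """Constructed alert document in the nested shape _source comes back in."""
    return {"@timestamp": ts,
            "agent": {"name": name, "group": [group]},
            "data": {"healthcheck": {"process_check": {"sql": {"mariadb": {
                "monitored": monitored, "state": state}}}}}}


def _bucket(group: str, alerts: list) -> dict:
    """Constructed by_group bucket holding one by_agent bucket per alert."""
    return {"key": group, "doc_count": len(alerts), "by_agent": {"buckets": [
        {"key": a["agent"]["name"], "doc_count": 1,
         "latest": {"hits": {"hits": [{"_source": a}]}}} for a in alerts]}}


# Constructed response, shaped like what latest_state_query() returns.
SAMPLE_RESPONSE = {"aggregations": {"by_group": {"buckets": [
    _bucket("db-servers", [
        _alert("db01", "db-servers", "yes", "running", "2022-09-12T07:50:00.000Z"),
        _alert("db02", "db-servers", "yes", "stopped", "2022-09-12T07:50:03.000Z"),
    ]),
    _bucket("web-servers", [
        _alert("web01", "web-servers", "no", "stopped", "2022-09-12T07:49:58.000Z"),
    ]),
]}}}


if __name__ == "__main__":
    import json
    print(json.dumps(latest_state_query(), indent=1))
    for group, agents in summarize(SAMPLE_RESPONSE).items():
        for agent, status in agents.items():
            print(f"{group:12} {agent:8} {status}")
```

The same request body can be pasted into a Vega-Lite `data.url.body` with `"format": {"property": "aggregations.by_group.buckets"}` and the nested bucket path flattened as in the work-around above. Note that the `data.*` fields must be mapped as keyword for the terms aggregation and the `==` comparisons to work; and because an agent that stops sending alerts just disappears from the buckets, compare the agent list against the expected members of each group if "silent agent" must also show as a problem.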