Inventory Category - Disks and Devices #806

@cborla

Description

This epic tracks the design and implementation of a unified inventory model for Disks & Devices within the Wazuh architecture. The objective is to define a structured data contract that aggregates hardware-related information from multiple sources—including disk drives, memory modules, USB peripherals, and PCI devices—into a normalized schema. This contract will be respected throughout the data lifecycle: from collection at the Agent level to synchronization through Wazuh-DB and final indexing and visualization in the Dashboard.

Functional Requirements

  • Propose and agree on the data model (fields and structure) for:
    • Disk drives (physical and logical)
    • Memory devices (RAM modules)
    • PCI hardware
    • USB-connected peripherals
  • Ensure compatibility with ECS and define any required wazuh.* extensions.
  • Consolidate all disk-and-devices related inventory into a single index in the Indexer (e.g. wazuh-inventory-disk-and-devices).

Non-Functional Requirements

  • Maintain a lightweight and efficient inventory representation.
  • Normalize collector-specific fields for consistent indexing and querying.
  • Support global queries and API access with high performance across platforms.

Plan

Indexer

  • Define document structure for each device record:
    • Consolidate all disk-and-devices types into a common index.
    • Tag each entry with a device_type field (disk, usb, pci, memory, etc.).
  • Use a flat structure aligned with ECS where possible.

Agent

  • DBSync
    • Model the disk-and-devices inventory with a single table that receives records from all supported sources:
      • usb_devices
      • pci_devices
      • disk_info
      • memory_devices
    • Emit structured events using syscollector and extended_sources.

Issues:

Server

  • Wazuh-DB
    • Use Rsync protocol to synchronize disks_devices_inventory data.
    • Maintain schema compatibility with the agent table structure.

Dashboard

  • Define how the data will be visualized:
    • Group by device_type, vendor, or serial number.
    • Show host-level or organization-wide disk-and-devices views.
    • Provide filtering by platform, interface, or connection type.

Deliverables

  • Define and document the ECS/WCS field set for disks & devices.
  • Specify the preferred model for the Indexer (flat structure).
  • Propose a unified table schema for dbsync.
  • Define Wazuh-DB schema and Rsync synchronization format.
  • Align syscollector output with the unified schema.
  • Validate output and behavior on Tier 1 platforms (Linux, Windows, macOS).

Acceptance Criteria

  • A formal schema defines the normalized structure for disk, memory, USB, and PCI devices.
  • Agent emits disk-and-devices inventory events in the agreed format via syscollector.
  • Wazuh-DB stores and syncs the disk-and-devices data using Rsync.
  • Indexer receives structured, searchable inventory events under a single index.
  • Dashboard can render and filter disk-and-devices data based on type, interface, or platform.
