From 28f5dcd43b352ed32e3b17c0c11a97b1ce3413c6 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 22 Mar 2023 19:57:46 +0000 Subject: [PATCH] Add managed generic Elastic Agent log component templates --- .../logs-elastic_agent.apm_server@custom.json | 12 + ...logs-elastic_agent.apm_server@package.json | 505 +++++++++++++++++ .../logs-elastic_agent.auditbeat@custom.json | 12 + .../logs-elastic_agent.auditbeat@package.json | 505 +++++++++++++++++ .../logs-elastic_agent.cloudbeat@custom.json | 12 + .../logs-elastic_agent.cloudbeat@package.json | 510 ++++++++++++++++++ ...lastic_agent.endpoint_security@custom.json | 12 + ...astic_agent.endpoint_security@package.json | 505 +++++++++++++++++ .../logs-elastic_agent.filebeat@custom.json | 12 + .../logs-elastic_agent.filebeat@package.json | 505 +++++++++++++++++ ...ogs-elastic_agent.fleet_server@custom.json | 12 + ...gs-elastic_agent.fleet_server@package.json | 505 +++++++++++++++++ .../logs-elastic_agent.heartbeat@custom.json | 12 + .../logs-elastic_agent.heartbeat@package.json | 505 +++++++++++++++++ .../logs-elastic_agent.metricbeat@custom.json | 12 + ...logs-elastic_agent.metricbeat@package.json | 505 +++++++++++++++++ ...logs-elastic_agent.osquerybeat@custom.json | 12 + ...ogs-elastic_agent.osquerybeat@package.json | 505 +++++++++++++++++ .../logs-elastic_agent.packetbeat@custom.json | 12 + ...logs-elastic_agent.packetbeat@package.json | 498 +++++++++++++++++ .../component/logs-elastic_agent@custom.json | 12 + .../component/logs-elastic_agent@package.json | 505 +++++++++++++++++ .../component/so-data-streams-mappings.json | 67 +++ .../so-fleet_agent_id_verification-1.json | 67 +++ .../component/so-fleet_globals-1.json | 66 +++ .../templates/component/so-logs-mappings.json | 21 + .../templates/component/so-logs-settings.json | 22 + 27 files changed, 5928 insertions(+) create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@package.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@package.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@package.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@package.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@package.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@package.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@package.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@package.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@package.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@package.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent@package.json create mode 100644 salt/elasticsearch/templates/component/so-data-streams-mappings.json create mode 100644 salt/elasticsearch/templates/component/so-fleet_agent_id_verification-1.json create mode 100644 salt/elasticsearch/templates/component/so-fleet_globals-1.json create mode 100644 salt/elasticsearch/templates/component/so-logs-mappings.json create mode 100644 salt/elasticsearch/templates/component/so-logs-settings.json diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@package.json new file mode 100644 index 000000000..9fd8c928f --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@package.json @@ -0,0 +1,505 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@package.json new file mode 100644 index 000000000..9fd8c928f --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@package.json @@ -0,0 +1,505 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@package.json new file mode 100644 index 000000000..c4874ed3c --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@package.json @@ -0,0 +1,510 @@ +{ + "template": { + "settings": { +"analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@package.json new file mode 100644 index 000000000..36978b0d8 --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@package.json @@ -0,0 +1,505 @@ +{ + "template": { + "settings": { +"analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@package.json new file mode 100644 index 000000000..36978b0d8 --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@package.json @@ -0,0 +1,505 @@ +{ + "template": { + "settings": { +"analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@package.json new file mode 100644 index 000000000..36978b0d8 --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@package.json @@ -0,0 +1,505 @@ +{ + "template": { + "settings": { +"analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@package.json new file mode 100644 index 000000000..f353ac542 --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@package.json @@ -0,0 +1,505 @@ +{ + "template": { + "settings": { +"analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "message": { + "type": "text" + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@package.json new file mode 100644 index 000000000..36978b0d8 --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@package.json @@ -0,0 +1,505 @@ +{ + "template": { + "settings": { +"analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@package.json new file mode 100644 index 000000000..36978b0d8 --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@package.json @@ -0,0 +1,505 @@ +{ + "template": { + "settings": { +"analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@package.json new file mode 100644 index 000000000..9e593d3f8 --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@package.json @@ -0,0 +1,498 @@ +{ + "template": { + "settings": { +"analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent@package.json new file mode 100644 index 000000000..7df3309b1 --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent@package.json @@ -0,0 +1,505 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/so-data-streams-mappings.json b/salt/elasticsearch/templates/component/so-data-streams-mappings.json new file mode 100644 index 000000000..b4373799b --- /dev/null +++ b/salt/elasticsearch/templates/component/so-data-streams-mappings.json @@ -0,0 +1,67 @@ +{ + "template": { + "mappings": { + "dynamic_templates": [ + { + "match_ip": { + "mapping": { + "type": "ip" + }, + "match_mapping_type": "string", + "match": "ip" + } + }, + { + "match_message": { + "mapping": { + "type": "match_only_text" + }, + "match_mapping_type": "string", + "match": "message" + } + }, + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "date_detection": false, + "properties": { + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "type": "object" + } + } + } + }, + "version": 2, + "_meta": { + "managed": true, + "description": "general mapping conventions for data streams" + } + } diff --git a/salt/elasticsearch/templates/component/so-fleet_agent_id_verification-1.json b/salt/elasticsearch/templates/component/so-fleet_agent_id_verification-1.json new file mode 100644 index 000000000..e2548d539 --- /dev/null +++ b/salt/elasticsearch/templates/component/so-fleet_agent_id_verification-1.json @@ -0,0 +1,67 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "final_pipeline": ".fleet_final_pipeline-1" + } + }, + "mappings": { + "properties": { + "event": { + "properties": { + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", + "type": "date" + } + } + } + } + } + }, + "_meta": { + "managed_by": "fleet", + "managed": true + } + } diff --git a/salt/elasticsearch/templates/component/so-fleet_globals-1.json b/salt/elasticsearch/templates/component/so-fleet_globals-1.json new file mode 100644 index 000000000..e1529ba82 --- /dev/null +++ b/salt/elasticsearch/templates/component/so-fleet_globals-1.json @@ -0,0 +1,66 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, + "mappings": { + "_meta": { + "managed_by": "security_onion", + "managed": true + }, + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "date_detection": false + } + }, + "_meta": { + "managed_by": "security_onion", + "managed": true + } + } diff --git a/salt/elasticsearch/templates/component/so-logs-mappings.json b/salt/elasticsearch/templates/component/so-logs-mappings.json new file mode 100644 index 000000000..09b0db6b2 --- /dev/null +++ b/salt/elasticsearch/templates/component/so-logs-mappings.json @@ -0,0 +1,21 @@ + { + "template": { + "mappings": { + "properties": { + "data_stream": { + "properties": { + "type": { + "type": "constant_keyword", + "value": "logs" + } + } + } + } + } + }, + "version": 2, + "_meta": { + "managed": true, + "description": "default mappings for the logs index template installed by x-pack" + } + } diff --git a/salt/elasticsearch/templates/component/so-logs-settings.json b/salt/elasticsearch/templates/component/so-logs-settings.json new file mode 100644 index 000000000..dc739c83c --- /dev/null +++ b/salt/elasticsearch/templates/component/so-logs-settings.json @@ -0,0 +1,22 @@ +{ + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "query": { + "default_field": [ + "message" + ] + } + } + } + }, + "version": 2, + "_meta": { + "managed": true, + "description": "default settings for the logs index template installed by x-pack" + } + }