From ffae22beefe5984c97b1b8ee242e13e3148126fb Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Fri, 4 Mar 2022 13:04:11 +0000
Subject: [PATCH 1/2] Add DTC syslog mappings for .keyword and add refs to defaults.yml

---
 salt/elasticsearch/defaults.yaml | 7 ++
 .../component/so/dtc-syslog-mappings.json | 73 +++++++++++++++++++
 2 files changed, 80 insertions(+)
 create mode 100644 salt/elasticsearch/templates/component/so/dtc-syslog-mappings.json

diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index faa2caeca..55299013c 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -845,6 +845,8 @@ elasticsearch:
 - source-mappings
 - dtc-source-mappings
 - pb-override-source-mappings
+ - syslog-mappings
+ - dtc-syslog-mappings
 - threat-mappings
 - tls-mappings
 - tracing-mappings
@@ -1342,6 +1344,8 @@ elasticsearch:
 - source-mappings
 - dtc-source-mappings
 - pb-override-source-mappings
+ - syslog-mappings
+ - dtc-syslog-mappings
 - threat-mappings
 - tls-mappings
 - tracing-mappings
@@ -3900,6 +3904,7 @@ elasticsearch:
 - dtc-source-mappings
 - pb-override-source-mappings
 - syslog-mappings
+ - dtc-syslog-mappings
 - threat-mappings
 - tls-mappings
 - tracing-mappings
@@ -4064,6 +4069,8 @@ elasticsearch:
 - source-mappings
 - dtc-source-mappings
 - pb-override-source-mappings
+ - syslog-mappings
+ - dtc-syslog-mappings
 - threat-mappings
 - tls-mappings
 - tracing-mappings
diff --git a/salt/elasticsearch/templates/component/so/dtc-syslog-mappings.json b/salt/elasticsearch/templates/component/so/dtc-syslog-mappings.json
new file mode 100644
index 000000000..332538e0d
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/dtc-syslog-mappings.json
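Review bot: The relative order of `syslog-mappings` and `dtc-syslog-mappings` is load-bearing in each of these four lists, and nothing in the hunks records that. If these lists feed the index templates' `composed_of` (inferred from the component names; the owning key sits outside every hunk), Elasticsearch merges components in list order with later entries winning, so the dtc override only takes effect because it is listed after `syslog-mappings` — the @@ -3900 hunk, where `syslog-mappings` already existed, depends on the same ordering. A one-line comment on the first `dtc-syslog-mappings` entry would keep a future reorder from silently dropping the `.keyword` sub-fields: `# dtc-* components must follow the component they override; later entries win on merge`. The enclosing mapping starts outside each hunk.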
@@ -0,0 +1,73 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-syslog.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
+ "mappings": {
+ "properties": {
+ "syslog": {
+ "properties": {
+ "facility": {
+ "type": "long",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "priority": {
+ "type": "long",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
+

From 254cf53c2febe667ef846a381a1e4fc4756524a3 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Fri, 4 Mar 2022 10:36:37 -0500
Subject: [PATCH 2/2] Increase clause count to 3500

---
 salt/elasticsearch/defaults.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 55299013c..8c8600719 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -55,7 +55,7 @@ elasticsearch:
 indices:
 query:
 bool:
- max_clause_count: 3000
+ max_clause_count: 3500
 id_field_data:
 enabled: false
 logger:
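Review bot: The whole `settings.analysis` block (the `es_security_analyzer` analyzer, `whitespace_no_way` char filter, `path_hierarchy_pattern_filter` and `path_tokenizer`) has nothing to do with the two `syslog.*` fields this component exists to override and looks carried over from a template skeleton. Redefining the same analyzer names in every component template means whichever component is merged last defines them, so any future drift between copies would silently change how fields are analysed — and therefore what detection rules relying on the lowercase/keyword behaviour match — for every index template that includes this one. I would trim the file to `_meta` plus the `mappings` block and leave the analysis settings to the one component that owns them. JSON has no comments, so record the intent in `_meta`, e.g. `"description": "Adds .keyword multi-fields to syslog.facility and syslog.priority; must be listed after syslog-mappings"`, and note that the `documentation` link describes ECS `log.syslog.*` while the fields mapped here are top-level `syslog.facility`/`syslog.priority`.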
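Review bot: The new `max_clause_count: 3500` carries no record of why 3000 stopped being enough, and this setting doubles as the cluster's guard against oversized boolean queries from any principal with search access, so every raise should be deliberate and traceable. A YAML comment on the line would help the next person who hits the limit, e.g. `# Raised from 3000 (ES default 1024) for large SOC queries; also bounds per-query cost, do not raise blindly`. Depending on the Elasticsearch version in use (not visible here), `indices.query.bool.max_clause_count` may be deprecated in favour of a dynamically computed limit, which is worth confirming before relying on this value. The surrounding `elasticsearch:` mapping starts outside the hunk.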