From 378d37d74ebb0530fd070eddde2a196c01fab6e5 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Tue, 14 Oct 2025 12:44:51 -0500
Subject: [PATCH] add event.module to elasticsearch server logs

---
 salt/elasticsearch/defaults.yaml              | 64 +++++++++++++++++++
 salt/elasticsearch/files/ingest/global@custom |  1 +
 salt/elasticsearch/soc_elasticsearch.yaml     |  1 +
 salt/manager/tools/sbin/soup                  |  2 +
 4 files changed, 68 insertions(+)

diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 23eee8df0..592f47a2b 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -1991,6 +1991,70 @@ elasticsearch:
               set_priority:
                 priority: 50
             min_age: 30d
+    so-logs-elasticsearch_x_server:
+      index_sorting: false
+      index_template:
+        composed_of:
+        - logs-elasticsearch.server@package
+        - logs-elasticsearch.server@custom
+        - so-fleet_integrations.ip_mappings-1
+        - so-fleet_globals-1
+        - so-fleet_agent_id_verification-1
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
+        ignore_missing_component_templates:
+        - logs-elasticsearch.server@custom
+        index_patterns:
+        - logs-elasticsearch.server-*
+        priority: 501
+        template:
+          mappings:
+            _meta:
+              managed: true
+              managed_by: security_onion
+              package:
+                name: elastic_agent
+          settings:
+            index:
+              lifecycle:
+                name: so-logs-elasticsearch.server-logs
+              mapping:
+                total_fields:
+                  limit: 5000
+              number_of_replicas: 0
+              sort:
+                field: '@timestamp'
+                order: desc
+      policy:
+        _meta:
+          managed: true
+          managed_by: security_onion
+          package:
+            name: elastic_agent
+        phases:
+          cold:
+            actions:
+              set_priority:
+                priority: 0
+            min_age: 60d
+          delete:
+            actions:
+              delete: {}
+            min_age: 365d
+          hot:
+            actions:
+              rollover:
+                max_age: 30d
+                max_primary_shard_size: 50gb
+              set_priority:
+                priority: 100
+            min_age: 0ms
+          warm:
+            actions:
+              set_priority:
+                priority: 50
+            min_age: 30d
     so-logs-endpoint_x_actions:
       index_sorting: false
       index_template:
diff --git a/salt/elasticsearch/files/ingest/global@custom b/salt/elasticsearch/files/ingest/global@custom
index c92c15612..8e48eb0b9 100644
--- a/salt/elasticsearch/files/ingest/global@custom
+++ b/salt/elasticsearch/files/ingest/global@custom
@@ -23,6 +23,7 @@
     { "set":        { "if": "ctx.event?.module == 'fim'", "override": true, "field": "event.module", "value": "file_integrity" } },
     { "rename":       { "if": "ctx.winlog?.provider_name == 'Microsoft-Windows-Windows Defender'", "ignore_missing": true, "field": "winlog.event_data.Threat Name", "target_field": "winlog.event_data.threat_name" } },
     { "set":        { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } },
+    { "set":        { "if": "ctx.event?.dataset != null && ctx.event?.dataset == 'elasticsearch.server'", "field": "event.module", "value":"elasticsearch" }},
     {"append":      {"field":"related.ip","value":["{{source.ip}}","{{destination.ip}}"],"allow_duplicates":false,"if":"ctx?.event?.dataset == 'endpoint.events.network' && ctx?.source?.ip != null","ignore_failure":true}},
     {"foreach":     {"field":"host.ip","processor":{"append":{"field":"related.ip","value":"{{_ingest._value}}","allow_duplicates":false}},"if":"ctx?.event?.module == 'endpoint' && ctx?.host?.ip != null","ignore_missing":true, "description":"Extract IPs from Elastic Agent events (host.ip) and adds them to related.ip"}},
     { "remove":     { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp", "datastream_dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index c268cc493..097a53296 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -392,6 +392,7 @@ elasticsearch:
     so-logs-elastic_agent_x_metricbeat: *indexSettings
     so-logs-elastic_agent_x_osquerybeat: *indexSettings
     so-logs-elastic_agent_x_packetbeat: *indexSettings
+    so-logs-elasticsearch_x_server: *indexSettings
     so-metrics-endpoint_x_metadata: *indexSettings
     so-metrics-endpoint_x_metrics: *indexSettings
     so-metrics-endpoint_x_policy: *indexSettings
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 8c607963f..952645c61 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -627,6 +627,8 @@ post_to_2.4.190() {
             update_default_logstash_output
         fi
     fi
+    # Apply new elasticsearch.server index template
+    rollover_index "logs-elasticsearch.server-default"
 
   POSTVERSION=2.4.190
 }