From 3b6344e7f0163a4e27c71a7bd27eab1edbd61299 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 20 Feb 2025 12:42:30 -0600 Subject: [PATCH] add back settings previously defined when overwritting logs-elastic_agent@package and logs-endpoint.diagnostics.collection@package --- salt/elasticsearch/defaults.yaml | 66 ++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 82a75bf6b..673739952 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1146,15 +1146,65 @@ elasticsearch: name: elastic_agent settings: index: + codec: best_compression lifecycle: name: so-logs-elastic_agent-logs mapping: total_fields: limit: 5000 + ignore_malformed: true number_of_replicas: 0 sort: field: '@timestamp' order: desc + query: + default_field: + - cloud.account.id + - cloud.availability_zone + - cloud.instance.id + - cloud.instance.name + - cloud.machine.type + - cloud.provider + - cloud.region + - cloud.project.id + - cloud.image.id + - container.id + - container.image.name + - container.name + - host.architecture + - host.hostname + - host.id + - host.mac + - host.name + - host.os.family + - host.os.kernel + - host.os.name + - host.os.platform + - host.os.version + - host.os.build + - host.os.codename + - host.type + - ecs.version + - agent.build.original + - agent.ephemeral_id + - agent.id + - agent.name + - agent.type + - agent.version + - log.level + - message + - elastic_agent.id + - elastic_agent.process + - elastic_agent.version + - component.id + - component.type + - component.binary + - component.state + - component.old_state + - unit.id + - unit.type + - unit.state + - unit.old_state policy: _meta: managed: true 
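Review bot: `ignore_malformed: true` (which from its position after `total_fields` appears to be `index.mapping.ignore_malformed`) makes Elasticsearch accept a document whose field value does not match its mapped type by silently dropping that value, so for agent logs that feed detections this is a visibility gap with no ingest-side error. A comment should state that and name the mitigation, e.g. `# ignore_malformed: document is still indexed, the bad value is dropped and the field name lands in _ignored -- monitor _ignored on this data stream`. The `codec` and the long `default_field` list look like the stock values of the upstream Elastic package template restored by hand; a comment recording which package version they were copied from would help when that package is next upgraded and the list drifts. The `elastic_agent` template this hunk belongs to starts before the hunk and its `policy:` section continues after it.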
@@ -1988,15 +2038,31 @@ elasticsearch: template: settings: index: + codec: best_compression lifecycle: name: so-logs-endpoint.diagnostic.collection-logs mapping: total_fields: limit: 5000 + ignore_malformed: true number_of_replicas: 0 sort: field: '@timestamp' order: desc + query: + default_field: + - ecs.version + - event.action + - event.category + - event.code + - event.dataset + - event.hash + - event.id + - event.kind + - event.module + - event.outcome + - event.provider + - event.type policy: _meta: managed: true
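Review bot: Field-less queries (a bare term in KQL or `query_string`) against this data stream will match only on `ecs.version` and the eleven `event.*` fields listed under `query.default_field`, never on `message`, `host.*` or `process.*`, which differs from the elastic_agent template in the same commit that lists `message` and `host.*`. If that mirrors the upstream `endpoint.diagnostic.collection` package defaults it is fine but deserves a comment, e.g. `# default_field mirrors the upstream package template; field-less searches only hit these event.* fields`. Note also that the context line names the stream `endpoint.diagnostic.collection` while the commit subject says `diagnostics.collection`; the component template name must match the real data-stream name or none of these settings take effect, and that name is outside the hunk so it cannot be confirmed here. The enclosing template definition starts before this hunk and continues past it.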