From 3c50072690be00918e17e6d887a33609ca11a3ad Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 7 Sep 2022 18:51:57 +0000 Subject: [PATCH] Add Elastic Agent component templates --- .../logs-elastic_agent.apm_server@custom.json | 12 + ...logs-elastic_agent.apm_server@package.json | 681 +++++++++++++++++ .../logs-elastic_agent.auditbeat@custom.json | 12 + .../logs-elastic_agent.auditbeat@package.json | 681 +++++++++++++++++ .../logs-elastic_agent.cloudbeat@custom.json | 12 + .../logs-elastic_agent.cloudbeat@package.json | 692 ++++++++++++++++++ ...lastic_agent.endpoint_security@custom.json | 12 + ...astic_agent.endpoint_security@package.json | 681 +++++++++++++++++ .../logs-elastic_agent.filebeat@custom.json | 12 + .../logs-elastic_agent.filebeat@package.json | 681 +++++++++++++++++ ...ogs-elastic_agent.fleet_server@custom.json | 12 + ...gs-elastic_agent.fleet_server@package.json | 681 +++++++++++++++++ .../logs-elastic_agent.heartbeat@custom.json | 12 + .../logs-elastic_agent.heartbeat@package.json | 681 +++++++++++++++++ .../logs-elastic_agent.metricbeat@custom.json | 12 + ...logs-elastic_agent.metricbeat@package.json | 681 +++++++++++++++++ ...logs-elastic_agent.osquerybeat@custom.json | 12 + ...ogs-elastic_agent.osquerybeat@package.json | 681 +++++++++++++++++ .../logs-elastic_agent.packetbeat@custom.json | 12 + ...logs-elastic_agent.packetbeat@package.json | 674 +++++++++++++++++ .../logs-elastic_agent@custom.json | 12 + .../logs-elastic_agent@package.json | 681 +++++++++++++++++ 22 files changed, 7627 insertions(+) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json new file mode 100644 index 000000000..bcd76b848 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json @@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json new file mode 100644 index 000000000..bcd76b848 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json @@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json new file mode 100644 index 000000000..85ba08239 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json @@ -0,0 +1,692 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json new file mode 100644 index 000000000..bcd76b848 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json @@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json new file mode 100644 index 000000000..bcd76b848 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json @@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json new file mode 100644 index 000000000..bcd76b848 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json @@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json new file mode 100644 index 000000000..22fef0fb5 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json @@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "message": { + "type": "text" + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json new file mode 100644 index 000000000..bcd76b848 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json @@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json new file mode 100644 index 000000000..bcd76b848 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json @@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json new file mode 100644 index 000000000..591717165 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json @@ -0,0 +1,674 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json new file mode 100644 index 000000000..bcd76b848 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json @@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +}