diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index c1594b954..dabfd285c 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md @@ -1,18 +1,18 @@ -### 2.4.4-20230728 ISO image built on 2023/07/28 +### 2.4.20-20231006 ISO image released on 2023/10/06 ### Download and Verify -2.4.4-20230728 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.4-20230728.iso - -MD5: F63E76245F3E745B5BDE9E6E647A7CB6 -SHA1: 6CE4E4A3399CD282D4F8592FB19D510388AB3EEA -SHA256: BF8FEB91B1D94B67C3D4A79D209B068F4A46FEC7C15EEF65B0FCE9851D7E6C9F +2.4.20-20231006 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231006.iso + +MD5: 269F00308C53976BF0EAE788D1DB29DB +SHA1: 3F7C2324AE1271112F3B752BA4724AF36688FC27 +SHA256: 542B8B3F4F75AD24DC78007F8FE0857E00DC4CC9F4870154DCB8D5D0C4144B65 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.4-20230728.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231006.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.4-20230728.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231006.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.4-20230728.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231006.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.4-20230728.iso.sig securityonion-2.4.4-20230728.iso +gpg --verify securityonion-2.4.20-20231006.iso.sig securityonion-2.4.20-20231006.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Tue 11 Jul 2023 06:23:37 PM EDT using RSA key ID FE507013 +gpg: Signature made Tue 03 Oct 2023 11:40:51 AM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/README.md b/README.md index aa3aa6ddf..19a560419 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -## Security Onion 2.4 Release Candidate 2 (RC2) +## Security Onion 2.4 -Security Onion 2.4 Release Candidate 2 (RC2) is here! +Security Onion 2.4 is here! ## Screenshots diff --git a/pillar/top.sls b/pillar/top.sls index 4893c44f9..53ec8a330 100644 --- a/pillar/top.sls +++ b/pillar/top.sls 
@@ -4,14 +4,9 @@ base: - global.adv_global - docker.soc_docker - docker.adv_docker - - firewall.soc_firewall - - firewall.adv_firewall - influxdb.token - logrotate.soc_logrotate - logrotate.adv_logrotate - - nginx.soc_nginx - - nginx.adv_nginx - - node_data.ips - ntp.soc_ntp - ntp.adv_ntp - patch.needs_restarting @@ -22,6 +17,13 @@ base: - telegraf.soc_telegraf - telegraf.adv_telegraf + '* and not *_desktop': + - firewall.soc_firewall + - firewall.adv_firewall + - nginx.soc_nginx + - nginx.adv_nginx + - node_data.ips + '*_manager or *_managersearch': - match: compound {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index a3c5c75ab..4e3e57f9c 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -188,6 +188,9 @@ 'docker_clean' ], 'so-desktop': [ + 'ssl', + 'docker_clean', + 'telegraf' ], }, grain='role') %} diff --git a/salt/common/packages.sls b/salt/common/packages.sls index 0fc067245..c5d2729fd 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -17,10 +17,10 @@ commonpkgs: - netcat-openbsd - sqlite3 - libssl-dev + - procps - python3-dateutil - python3-docker - python3-packaging - - python3-watchdog - python3-lxml - git - rsync @@ -46,10 +46,16 @@ python-rich: {% endif %} {% if GLOBALS.os_family == 'RedHat' %} + +remove_mariadb: + pkg.removed: + - name: mariadb-devel + commonpkgs: pkg.installed: - skip_suggestions: True - pkgs: + - python3-dnf-plugin-versionlock - curl - device-mapper-persistent-data - fuse 
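Review bot: The new `'* and not *_desktop':` target in pillar/top.sls has no `- match: compound` entry, unlike the `'*_manager or *_managersearch':` target directly below it, so Salt evaluates the key as a plain glob and the firewall, nginx and node_data.ips pillars would be assigned to no minion. Add `- match: compound` as the first item under the new target, exactly as the neighbouring block does. The enclosing `base:` mapping starts before this hunk.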
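Review bot: `remove_mariadb` only removes `mariadb-devel`, but the list deleted in this file's next hunk (`@@ -62`) installed `MariaDB-devel` (capitalised) when `GLOBALS.os == 'CentOS Stream'`, so on those hosts the old package is left behind and the `pkg.removed` state is a no-op. Either list both names under `- pkgs:` or keep the CentOS Stream switch for the removal. The matching drop of `MariaDB-Server-GPG-KEY` from `gpg_rpm_import` in so-common is consistent, but presumably a leftover MariaDB repo file would then fail key checks on the next package run, so confirm the repo file is cleaned up as well.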
@@ -62,25 +68,19 @@ commonpkgs: - httpd-tools - jq - lvm2 - {% if GLOBALS.os == 'CentOS Stream' %} - - MariaDB-devel - {% else %} - - mariadb-devel - {% endif %} - net-tools - nmap-ncat - - openssl - - python3-dnf-plugin-versionlock + - procps-ng - python3-docker - python3-m2crypto - python3-packaging - python3-pyyaml - python3-rich - - python3-watchdog - rsync - sqlite - tcpdump - unzip - wget - yum-utils + {% endif %} diff --git a/salt/common/soup_scripts.sls b/salt/common/soup_scripts.sls index 8dff85ddb..041649200 100644 --- a/salt/common/soup_scripts.sls +++ b/salt/common/soup_scripts.sls @@ -19,4 +19,5 @@ soup_manager_scripts: - source: salt://manager/tools/sbin - include_pat: - so-firewall - - soup \ No newline at end of file + - so-repo-sync + - soup diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 53c8664d2..f754b34ef 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
@@ -5,7 +5,16 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -ELASTIC_AGENT_TARBALL_VERSION="8.7.1" +# Elastic agent is not managed by salt. Because of this we must store this base information in a +# script that accompanies the soup system. Since so-common is one of those special soup files, +# and since this same logic is required during installation, it's included in this file. +ELASTIC_AGENT_TARBALL_VERSION="8.8.2" +ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" +ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" +ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" +ELASTIC_AGENT_MD5="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" +ELASTIC_AGENT_EXPANSION_DIR=/nsm/elastic-fleet/artifacts/beats/elastic-agent + DEFAULT_SALT_DIR=/opt/so/saltstack/default DOC_BASE_URL="https://docs.securityonion.net/en/2.4" @@ -145,13 +154,11 @@ check_salt_minion_status() { return $status } - - copy_new_files() { # Copy new files over to the salt dir cd $UPDATE_DIR - rsync -a salt $DEFAULT_SALT_DIR/ - rsync -a pillar $DEFAULT_SALT_DIR/ + rsync -a salt $DEFAULT_SALT_DIR/ --delete + rsync -a pillar $DEFAULT_SALT_DIR/ --delete chown -R socore:socore $DEFAULT_SALT_DIR/ chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh cd /tmp 
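Review bot: The new comment block explains why the Elastic Agent constants live in so-common but not what the `.md5` next to the tarball guarantees: it is served from the same `repo.securityonion.net` path as the archive, so a matching digest proves the download arrived intact, not that it was published by Security Onion (that assurance comes from TLS to the repo host, not from the checksum). Suggest a trailing line such as `# The .md5 is fetched from the same location as the tarball; it detects a corrupt or truncated download, not a substituted one.` so nobody later treats `verify_md5_checksum` as a signature check. `ELASTIC_AGENT_EXPANSION_DIR=/nsm/...` is also the only new assignment without quotes; quoting it keeps the group uniform.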
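Review bot: Adding `--delete` to both rsync calls makes the unchecked `cd $UPDATE_DIR` two lines above them dangerous: if that directory is missing the `cd` fails, the function carries on in whatever directory the caller was in, and rsync now deletes everything under `$DEFAULT_SALT_DIR/salt` and `/pillar` that is absent from that unrelated tree. Change it to `cd "$UPDATE_DIR" || return 1` and quote `$DEFAULT_SALT_DIR` in the rsync destinations while there. `--delete` will also discard files an operator placed directly under the default tree; if that is intended, a one-line comment saying so would stop a future maintainer from reverting it.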
@@ -161,6 +168,34 @@ disable_fastestmirror() { sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf } +download_and_verify() { + source_url=$1 + source_md5_url=$2 + dest_file=$3 + md5_file=$4 + expand_dir=$5 + + if [[ -n "$expand_dir" ]]; then + mkdir -p "$expand_dir" + fi + + if ! verify_md5_checksum "$dest_file" "$md5_file"; then + retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L '$source_url' --output '$dest_file'" "" "" + retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L '$source_md5_url' --output '$md5_file'" "" "" + + if verify_md5_checksum "$dest_file" "$md5_file"; then + echo "Source file and checksum are good." + else + echo "Unable to download and verify the source file and checksum." + return 1 + fi + fi + + if [[ -n "$expand_dir" ]]; then + tar -xf "$dest_file" -C "$expand_dir" + fi +} + elastic_license() { read -r -d '' message <<- EOM @@ -205,13 +240,13 @@ gpg_rpm_import() { else local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys" fi - RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub' 'MariaDB-Server-GPG-KEY') + RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub') for RPMKEY in "${RPMKEYS[@]}"; do rpm --import $RPMKEYSLOC/$RPMKEY echo "Imported $RPMKEY" done elif [[ $is_rpm ]]; then - info "Importing the security onion GPG key" + echo "Importing the security onion GPG key" rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub fi } 
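Review bot: `download_and_verify` assigns its five parameters to global names (`source_url`, `dest_file`, `expand_dir`, ...) rather than `local` ones, so every call clobbers shell state in whichever script sources so-common, and `verify_md5_checksum` later in this file only works because it happens to read the leaked `$dest_file`. Declare them with `local source_url=$1` and so on. The tarball is also re-extracted into `$expand_dir` on every call, even when the existing file passed the first checksum test; if that is meant as a repair step, say so in a comment, otherwise move the `tar` into the branch that actually downloaded a new file.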
@@ -225,12 +260,15 @@ init_monitor() { if [[ $MONITORNIC == "bond0" ]]; then BIFACES=$(lookup_bond_interfaces) + for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload generic-receive-offload generic-segmentation-offload tcp-segmentation-offload; do + ethtool -K "$MONITORNIC" "$i" off; + done else BIFACES=$MONITORNIC fi for DEVICE_IFACE in $BIFACES; do - for i in rx tx sg tso ufo gso gro lro; do + for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload generic-receive-offload generic-segmentation-offload tcp-segmentation-offload; do ethtool -K "$DEVICE_IFACE" "$i" off; done ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on @@ -406,6 +444,10 @@ set_os() { OS=centos OSVER=9 is_centos=true + elif grep -q "Oracle Linux Server release 9" /etc/system-release; then + OS=oel + OSVER=9 + is_oracle=true fi cron_service_name="crond" else @@ -467,6 +509,11 @@ has_uppercase() { || return 1 } +update_elastic_agent() { + echo "Checking if Elastic Agent update is necessary..." + download_and_verify "$ELASTIC_AGENT_URL" "$ELASTIC_AGENT_MD5_URL" "$ELASTIC_AGENT_FILE" "$ELASTIC_AGENT_MD5" "$ELASTIC_AGENT_EXPANSION_DIR" +} + valid_cidr() { # Verify there is a backslash in the string echo "$1" | grep -qP "^[^/]+/[^/]+$" || return 1 @@ -620,6 +667,23 @@ valid_username() { echo "$user" | grep -qP '^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)$' && return 0 || return 1 } +verify_md5_checksum() { + data_file=$1 + md5_file=${2:-${data_file}.md5} + + if [[ ! -f "$dest_file" || ! -f "$md5_file" ]]; then + return 2 + fi + + SOURCEHASH=$(md5sum "$data_file" | awk '{ print $1 }') + HASH=$(cat "$md5_file") + + if [[ "$HASH" == "$SOURCEHASH" ]]; then + return 0 + fi + return 1 +} + wait_for_web_response() { url=$1 expected=$2 diff --git a/salt/common/tools/sbin/so-log-check b/salt/common/tools/sbin/so-log-check new file mode 100755 index 000000000..c2d16fd86 --- /dev/null +++ b/salt/common/tools/sbin/so-log-check 
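Review bot: The offload list is now written out twice in `init_monitor`, once for the bond device and once per member interface, and the two copies must be kept in sync by hand. Define it once above the `if`, e.g. `offloads="rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload generic-receive-offload generic-segmentation-offload tcp-segmentation-offload"`, and use `for i in $offloads; do` in both loops. I believe ethtool treats `gro`, `gso` and `tso` as short aliases of `generic-receive-offload`, `generic-segmentation-offload` and `tcp-segmentation-offload`, so several of the new entries repeat work already done (harmless, but each failing `ethtool -K` prints an extra error) — worth confirming before keeping both forms. The rest of `init_monitor` lies outside the hunk.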
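Review bot: The existence check in `verify_md5_checksum` tests `$dest_file`, a variable the function never receives; its first parameter is `data_file`, so called on its own (or from any caller that does not leak `dest_file`) the guard tests an empty name and returns 2 for a file that exists. Change it to `if [[ ! -f "$data_file" || ! -f "$md5_file" ]]; then` and make the variables `local`. The bare `cat` of the `.md5` also assumes the file holds nothing but the digest; if it were ever published in `md5sum` output form (`digest  filename`) the comparison would always fail, whereas `awk '{ print $1 }'`, as already used for `SOURCEHASH`, accepts both layouts.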
@@ -0,0 +1,233 @@ +#!/bin/bash +# +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common + +RECENT_LOG_LINES=200 +EXCLUDE_STARTUP_ERRORS=N +EXCLUDE_FALSE_POSITIVE_ERRORS=N +EXCLUDE_KNOWN_ERRORS=N + +while [[ $# -gt 0 ]]; do + case $1 in + --exclude-connection-errors) + EXCLUDE_STARTUP_ERRORS=Y + ;; + --exclude-false-positives) + EXCLUDE_FALSE_POSITIVE_ERRORS=Y + ;; + --exclude-known-errors) + EXCLUDE_KNOWN_ERRORS=Y + ;; + --unknown) + EXCLUDE_STARTUP_ERRORS=Y + EXCLUDE_FALSE_POSITIVE_ERRORS=Y + EXCLUDE_KNOWN_ERRORS=Y + ;; + --recent-log-lines) + shift + RECENT_LOG_LINES=$1 + ;; + *) + echo "Usage: $0 [options]" + echo "" + echo "where options are:" + echo " --recent-log-lines N looks at the most recent N log lines per file or container; defaults to 200" + echo " --exclude-connection-errors exclude errors caused by a recent server or container restart" + echo " --exclude-false-positives exclude logs that are known false positives" + echo " --exclude-known-errors exclude errors that are known and non-critical issues" + echo " --unknown exclude everything mentioned above; only show unknown errors" + echo "" + echo "A non-zero return value indicates errors were found" + exit 1 + ;; + esac + shift +done + +echo "Security Onion Log Check - $(date)" +echo "-------------------------------------------" +echo "" +echo "- RECENT_LOG_LINES: $RECENT_LOG_LINES" +echo "- EXCLUDE_STARTUP_ERRORS: $EXCLUDE_STARTUP_ERRORS" +echo "- EXCLUDE_FALSE_POSITIVE_ERRORS: $EXCLUDE_FALSE_POSITIVE_ERRORS" +echo "- EXCLUDE_KNOWN_ERRORS: $EXCLUDE_KNOWN_ERRORS" +echo "" + +function status() { + header "$1" +} + +function exclude_container() { + name=$1 + + exclude_id=$(docker ps | grep "$name" | awk '{print $1}') + if [[ 
-n "$exclude_id" ]]; then + CONTAINER_IDS=$(echo $CONTAINER_IDS | sed -e "s/$exclude_id//g") + return $? + fi + return $? +} + +function exclude_log() { + name=$1 + + cat /tmp/log_check_files | grep -v $name > /tmp/log_check_files.new + mv /tmp/log_check_files.new /tmp/log_check_files +} + +function check_for_errors() { + if cat /tmp/log_check | grep -i error | grep -vEi "$EXCLUDED_ERRORS"; then + RESULT=1 + fi +} + +EXCLUDED_ERRORS="__LOG_CHECK_PLACEHOLDER_EXCLUSION__" + +if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|database is locked" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|econnreset" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unreachable" # server not yet ready (logstash waiting on elastic) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|shutdown process" # server not yet ready (logstash waiting on elastic) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|contain valid certificates" # server not yet ready (logstash waiting on elastic) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failedaction" # server not yet ready (logstash waiting on elastic) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|no route to host" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|not running" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unavailable" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|request.py" # server not yet ready (python stack output) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|httperror" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|servfail" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|connect" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing shards" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to send metrics" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|broken pipe" # server not yet ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|status: 502" # server not yet ready (nginx waiting on upstream) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout 
exceeded" # server not yet ready (telegraf waiting on elasticsearch) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|influxsize kbytes" # server not yet ready (telegraf waiting on influx) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|expected field at" # server not yet ready (telegraf waiting on health data) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|cached the public key" # server not yet ready (salt minion waiting on key acceptance) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|no ingest nodes" # server not yet ready (logstash waiting on elastic) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to poll" # server not yet ready (sensoroni waiting on soc) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|minions returned with non" # server not yet ready (salt waiting on minions) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|so_long_term" # server not yet ready (influxdb not yet setup) +fi + +if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|elastalert_status_error" # false positive + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|elastalert_error" # false positive + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error: '0'" # false positive + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|errors_index" # false positive + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|noerror" # false positive + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|outofmemoryerror" # false positive (elastic command line) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding component template" # false positive (elastic security) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding index template" # false positive (elastic security) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fs_errors" # false positive (suricata stats) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error-template" # false positive (elastic templates) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|deprecated" # false positive (playbook) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|windows" # false positive (playbook) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|could cause errors" # false positive (playbook) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|_error.yml" # false positive (playbook) + 
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|id.orig_h" # false positive (zeek test data) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|emerging-all.rules" # false positive (error in rulename) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|invalid query input" # false positive (Invalid user input in hunt query) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|example" # false positive (example test data) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|status 200" # false positive (request successful, contained error string in content) +fi + +if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|eof" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|raise" # redis/python generic stack line, rely on other lines for actual error + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fail\\(error\\)" # redis/python generic stack line, rely on other lines for actual error + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|urlerror" # idstools connection timeout + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeouterror" # idstools connection timeout + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|forbidden" # playbook + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|_ml" # Elastic ML errors + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context canceled" # elastic agent during shutdown + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|exited with code 128" # soctopus errors during forced restart by highstate + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|geoip databases update" # airgap can't update GeoIP DB + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|filenotfounderror" # bug in 2.4.10 filecheck salt state caused duplicate cronjobs + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|salt-minion-check" # bug in early 2.4 place Jinja script in non-jinja salt dir causing cron output errors + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|generating elastalert config" # playbook expected error + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|activerecord" # playbook expected error + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|monitoring.metrics" # known issue with elastic agent casting the field incorrectly if an integer value shows up before a float + 
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|repodownload.conf" # known issue with reposync on pre-2.4.20 + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing versions record" # stenographer corrupt index + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|soc.field." # known ingest type collisions issue with earlier versions of SO + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|iteration" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|communication packets" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|use of closed" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|bookkeeper" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|noindices" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to start transient scope" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|so-user.lock exists" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|systemd-run" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|retcode: 1" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|telemetry-task" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|redisqueue" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fleet_detail_query" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|num errors=0" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisioning/alerting" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisioning/notifiers" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisoning/plugins" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|active-responses.log" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|scanentropy" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|integration policy" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|blob unknown" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|token required" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|zeekcaptureloss" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unable to create detection" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error installing new prebuilt rules" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|parent.error" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|req.LocalMeta.host.ip" # known issue in GH + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|sendmail" # zeek + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|stats.log" + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context deadline exceeded" +fi + +RESULT=0 + +# Check Security Onion container stdout/stderr logs +CONTAINER_IDS=$(docker ps 
-q) +exclude_container so-kibana # kibana error logs are too verbose with large varieties of errors most of which are temporary +exclude_container so-idstools # ignore due to known issues and noisy logging +exclude_container so-playbook # ignore due to several playbook known issues + +for container_id in $CONTAINER_IDS; do + container_name=$(docker ps --format json | jq ". | select(.ID==\"$container_id\")|.Names") + status "Checking container $container_name" + docker logs -n $RECENT_LOG_LINES $container_id > /tmp/log_check 2>&1 + check_for_errors +done + +# Check Security Onion related log files +find /opt/so/log/ /nsm -name \*.log > /tmp/log_check_files +if [[ -f /var/log/cron ]]; then + echo "/var/log/cron" >> /tmp/log_check_files +fi +exclude_log "kibana.log" # kibana error logs are too verbose with large varieties of errors most of which are temporary +exclude_log "spool" # disregard zeek analyze logs as this is data specific +exclude_log "import" # disregard imported test data the contains error strings +exclude_log "update.log" # ignore playbook updates due to several known issues +exclude_log "playbook.log" # ignore due to several playbook known issues + +for log_file in $(cat /tmp/log_check_files); do + status "Checking log file $log_file" + tail -n $RECENT_LOG_LINES $log_file > /tmp/log_check + check_for_errors +done + +# Cleanup temp files +rm -f /tmp/log_check_files +rm -f /tmp/log_check + +if [[ $RESULT -eq 0 ]]; then + echo -e "\nResult: No errors found" +else + echo -e "\nResult: One or more errors found" +fi + +exit $RESULT \ No newline at end of file diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status index 4a12d71b4..f4abd8aa3 100755 --- a/salt/common/tools/sbin/so-status +++ b/salt/common/tools/sbin/so-status 
@@ -103,7 +103,7 @@ def output(options, console, code, data): def check_container_status(options, console): code = 0 cli = "docker" - proc = subprocess.run([cli, 'ps', '--format', '{{json .}}'], stdout=subprocess.PIPE, encoding="utf-8") + proc = subprocess.run([cli, 'ps', '--format', 'json'], stdout=subprocess.PIPE, encoding="utf-8") if proc.returncode != 0: fail("Container system error; unable to obtain container process statuses") diff --git a/salt/common/tools/sbin/so-test b/salt/common/tools/sbin/so-test index 8d6bcf4e1..01b4da637 100755 --- a/salt/common/tools/sbin/so-test +++ b/salt/common/tools/sbin/so-test @@ -5,4 +5,14 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +. /usr/sbin/so-common + +set -e + +# Playback live sample data onto monitor interface so-tcpreplay /opt/samples/* 2> /dev/null + +# Ingest sample pfsense log entry +if is_sensor_node; then + echo "<134>$(date '+%b %d %H:%M:%S') filterlog[31624]: 84,,,1567509287,igb0.244,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.1.1,10.10.10.10,56320,443,0,S,3333585167,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol" | nc -uv -w1 127.0.0.1 514 > /dev/null 2>&1 +fi diff --git a/salt/common/tools/sbin_jinja/so-desktop-install b/salt/common/tools/sbin_jinja/so-desktop-install index 448421f8e..6275bb3b6 100755 --- a/salt/common/tools/sbin_jinja/so-desktop-install +++ b/salt/common/tools/sbin_jinja/so-desktop-install 
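Review bot: `docker ps --format json` depends on the CLI accepting the bare `json` keyword, which I believe only newer Docker CLI releases (23 and later, worth confirming) recognise; older ones treat it as a literal template and print the word `json` once per container, whereas the replaced `'{{json .}}'` template works everywhere. Unless the minimum Docker version is pinned elsewhere, this is a silent regression on older hosts, where `check_container_status` would then fail parsing rather than report container state. If the change is meant to match so-log-check, a comment such as `# requires a Docker CLI that supports --format json` at the call site would record the dependency. `check_container_status` continues outside the hunk.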
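Review bot: `set -e` is introduced immediately before `so-tcpreplay /opt/samples/* 2> /dev/null`, so any non-zero exit from the replay, whose diagnostics are deliberately discarded, now aborts the script silently before the pfSense sample is ever sent, and a failing `nc` would likewise end the run without a message. If a replay failure should stop the test, say so before exiting, e.g. `so-tcpreplay /opt/samples/* 2> /dev/null || { echo "so-tcpreplay failed"; exit 1; }`, and drop `set -e`; otherwise place `set -e` after the replay. `is_sensor_node` is assumed to come from the newly sourced so-common, which is outside this diff.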
@@ -5,15 +5,15 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +source /usr/sbin/so-common +doc_desktop_url="$DOC_BASE_URL/desktop.html" -{# we only want the script to install the desktop if it is Rocky -#} -{% if grains.os == 'Rocky' -%} +{# we only want the script to install the desktop if it is OEL -#} +{% if grains.os == 'OEL' -%} {# if this is a manager -#} {% if grains.master == grains.id.split('_')|first -%} -source /usr/sbin/so-common -doc_desktop_url="$DOC_BASE_URL/desktop.html" -pillar_file="/opt/so/saltstack/local/pillar/minions/{{grains.id}}.sls" +pillar_file="/opt/so/saltstack/local/pillar/minions/adv_{{grains.id}}.sls" if [ -f "$pillar_file" ]; then if ! grep -q "^desktop:$" "$pillar_file"; then @@ -65,7 +65,7 @@ if [ -f "$pillar_file" ]; then fi else # desktop is already added echo "The desktop pillar already exists in $pillar_file." - echo "To enable/disable the gui, set 'desktop:gui:enabled' to true or false in $pillar_file." + echo "To enable/disable the gui, set 'desktop:gui:enabled' to true or false in $pillar_file. Alternatively, this can be set in the SOC UI under advanced." echo "Additional documentation can be found at $doc_desktop_url." fi else # if the pillar file doesn't exist 
@@ -75,17 +75,22 @@ fi {#- if this is not a manager #} {% else -%} -echo "Since this is not a manager, the pillar values to enable Security Onion Desktop must be set manually. Please view the documentation at $doc_desktop_url." +echo "Since this is not a manager, the pillar values to enable Security Onion Desktop must be set manually. This can be enabled in the SOC UI under advanced by adding the following:" +echo "desktop:" +echo " gui:" +echo " enabled: true" +echo "" +echo "Please view the documentation at $doc_desktop_url." {#- endif if this is a manager #} {% endif -%} -{#- if not Rocky #} +{#- if not OEL #} {%- else %} -echo "The Security Onion Desktop can only be installed on Rocky Linux. Please view the documentation at $doc_desktop_url." +echo "The Security Onion Desktop can only be installed on Oracle Linux. Please view the documentation at $doc_desktop_url." -{#- endif grains.os == Rocky #} +{#- endif grains.os == OEL #} {% endif -%} exit 0 diff --git a/salt/common/tools/sbin_jinja/so-import-evtx b/salt/common/tools/sbin_jinja/so-import-evtx index fec7223b8..d12f34593 100755 --- a/salt/common/tools/sbin_jinja/so-import-evtx +++ b/salt/common/tools/sbin_jinja/so-import-evtx @@ -27,6 +27,8 @@ Imports one or more evtx files into Security Onion. The evtx files will be analy Options: --json Outputs summary in JSON format. Implies --quiet. --quiet Silences progress information to stdout. + --shift Adds a time shift. Accepts a single argument that is intended to be the date of the last record, and shifts the dates of the previous records accordingly. + Ex. sudo so-import-evtx --shift "2023-08-01 01:01:01" example.evtx EOF } @@ -44,6 +46,10 @@ while [[ $# -gt 0 ]]; do --quiet) quiet=1 ;; + --shift) + SHIFTDATE=$1 + shift + ;; -*) echo "Encountered unexpected parameter: $param" usage 
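Review bot: `--shift` stores its argument in `SHIFTDATE` without checking that it is a date, yet the value is passed straight into the container as `SHIFTTS` and, per the later hunks, to `date -d`, so a typo only surfaces as an obscure failure deep inside the import. Validate it where it is parsed: `date -d "$SHIFTDATE" >/dev/null 2>&1 || { echo "Invalid --shift date: $SHIFTDATE"; usage; exit 1; }`. The option loop that assigns `param` begins before this hunk, so this assumes `$1` is already the value following `--shift`, as the sibling options suggest.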
@@ -68,12 +74,14 @@ function status { function evtx2es() { EVTX=$1 HASH=$2 + SHIFTDATE=$3 docker run --rm \ + -e "SHIFTTS=$SHIFTDATE" \ -v "$EVTX:/tmp/data.evtx" \ -v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \ - -v "/nsm/import/evtx-end_newest:/tmp/newest" \ - -v "/nsm/import/evtx-start_oldest:/tmp/oldest" \ + -v "/nsm/import/$HASH/evtx-end_newest:/tmp/newest" \ + -v "/nsm/import/$HASH/evtx-start_oldest:/tmp/oldest" \ --entrypoint "/evtx_calc_timestamps.sh" \ {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} >> $LOG_FILE 2>&1 } @@ -103,17 +111,13 @@ INVALID_EVTXS_COUNT=0 VALID_EVTXS_COUNT=0 SKIPPED_EVTXS_COUNT=0 -touch /nsm/import/evtx-start_oldest -touch /nsm/import/evtx-end_newest - -echo $START_OLDEST > /nsm/import/evtx-start_oldest -echo $END_NEWEST > /nsm/import/evtx-end_newest - # paths must be quoted in case they include spaces for EVTX in $INPUT_FILES; do EVTX=$(/usr/bin/realpath "$EVTX") status "Processing Import: ${EVTX}" - + if ! [ -z "$SHIFTDATE" ]; then + status "- timeshifting logs to end date of $SHIFTDATE" + fi # generate a unique hash to assist with dedupe checks HASH=$(md5sum "${EVTX}" | awk '{ print $1 }') HASH_DIR=/nsm/import/${HASH} @@ -131,12 +135,19 @@ for EVTX in $INPUT_FILES; do status "- this EVTX has already been imported; skipping" SKIPPED_EVTXS_COUNT=$((SKIPPED_EVTXS_COUNT + 1)) else + # create EVTX directory EVTX_DIR=$HASH_DIR/evtx mkdir -p $EVTX_DIR + # create import timestamp files + for i in evtx-start_oldest evtx-end_newest; do + if ! [ -f "$i" ]; then + touch /nsm/import/$HASH/$i + fi + done # import evtx and write them to import ingest pipeline status "- importing logs to Elasticsearch..." - evtx2es "${EVTX}" $HASH + evtx2es "${EVTX}" $HASH "$SHIFTDATE" if [[ $? -ne 0 ]]; then INVALID_EVTXS_COUNT=$((INVALID_EVTXS_COUNT + 1)) status "- WARNING: This evtx file may not have fully imported successfully" 
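Review bot: The new `for i in evtx-start_oldest evtx-end_newest` loop tests `[ -f "$i" ]` against the bare name, i.e. relative to the current working directory, not against the `/nsm/import/$HASH/$i` it then touches, so the guard never reflects the file it is meant to protect. Because `touch` creates a missing file and is harmless on an existing one, the loop can simply become `touch /nsm/import/$HASH/evtx-start_oldest /nsm/import/$HASH/evtx-end_newest`, or keep the `if` and test the full path. Note also that the old code seeded these files with `$START_OLDEST`/`$END_NEWEST` while the new ones start empty, and `date -d ""` later yields the current time; presumably the container fills them before they are read, but that is worth confirming. The `for EVTX in $INPUT_FILES` loop starts before this hunk.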
@@ -144,28 +155,37 @@ for EVTX in $INPUT_FILES; do VALID_EVTXS_COUNT=$((VALID_EVTXS_COUNT + 1)) fi - # compare $START to $START_OLDEST - START=$(cat /nsm/import/evtx-start_oldest) - START_COMPARE=$(date -d $START +%s) - START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s) - if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then - START_OLDEST=$START - fi - - # compare $ENDNEXT to $END_NEWEST - END=$(cat /nsm/import/evtx-end_newest) - ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"` - ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s) - END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s) - if [ $ENDNEXT_COMPARE -gt $END_NEWEST_COMPARE ]; then - END_NEWEST=$ENDNEXT - fi - cp -f "${EVTX}" "${EVTX_DIR}"/data.evtx chmod 644 "${EVTX_DIR}"/data.evtx fi # end of valid evtx + # determine start and end and make sure they aren't reversed + START=$(cat /nsm/import/$HASH/evtx-start_oldest) + END=$(cat /nsm/import/$HASH/evtx-end_newest) + START_EPOCH=`date -d "$START" +"%s"` + END_EPOCH=`date -d "$END" +"%s"` + if [ "$START_EPOCH" -gt "$END_EPOCH" ]; then + TEMP=$START + START=$END + END=$TEMP + fi + + # compare $START to $START_OLDEST + START_COMPARE=$(date -d $START +%s) + START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s) + if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then + START_OLDEST=$START + fi + + # compare $ENDNEXT to $END_NEWEST + ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"` + ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s) + END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s) + if [ $ENDNEXT_COMPARE -gt $END_NEWEST_COMPARE ]; then + END_NEWEST=$ENDNEXT + fi + status done # end of for-loop processing evtx files @@ -222,4 +242,4 @@ if [[ $json -eq 1 ]]; then }''' fi -exit $RESULT \ No newline at end of file +exit $RESULT diff --git a/salt/common/tools/sbin_jinja/so-raid-status b/salt/common/tools/sbin_jinja/so-raid-status index c5ac5fac6..0249f4ccd 100755 --- a/salt/common/tools/sbin_jinja/so-raid-status +++ b/salt/common/tools/sbin_jinja/so-raid-status 
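Review bot: The comparison block now placed after `fi # end of valid evtx` quotes `"$START"`/`"$END"` when computing `START_EPOCH`/`END_EPOCH` but passes the same values unquoted to `date -d $START +%s` and `date -d $ENDNEXT +%s` a few lines later; if the per-hash files hold a timestamp with a space (as the `--shift "2023-08-01 01:01:01"` example in the usage text does), the unquoted calls split the value and `date` sees only the first word. Quote consistently: `START_COMPARE=$(date -d "$START" +%s)` and `START_OLDEST_COMPARE=$(date -d "$START_OLDEST" +%s)`, and likewise for the two `END` lines. The block also now runs for evtx files skipped as already imported, which the old code did not do; a comment stating that re-using the stored range is intentional would help the next reader.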
@@ -1,7 +1,7 @@ #!/bin/bash # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. @@ -9,25 +9,26 @@ . /usr/sbin/so-common -appliance_check() { - {%- if salt['grains.get']('sosmodel', '') %} - APPLIANCE=1 - {%- if grains['sosmodel'] in ['SO2AMI01', 'SO2GCI01', 'SO2AZI01'] %} - exit 0 - {%- endif %} - DUDEYOUGOTADELL=$(dmidecode |grep Dell) - if [[ -n $DUDEYOUGOTADELL ]]; then - APPTYPE=dell - else - APPTYPE=sm - fi - mkdir -p /opt/so/log/raid - - {%- else %} - echo "This is not an appliance" - exit 0 - {%- endif %} -} +{%- if salt['grains.get']('sosmodel', '') %} +{%- set model = salt['grains.get']('sosmodel') %} +model={{ model }} +# Don't need cloud images to use this +if [[ $model =~ ^(SO2AMI01|SO2AZI01|SO2GCI01)$ ]]; then + exit 0 +fi +{%- else %} +echo "This is not an appliance" +exit 0 +{%- endif %} +if [[ $model =~ ^(SOS10K|SOS500|SOS1000|SOS1000F|SOS4000|SOSSN7200|SOSSNNV|SOSMN)$ ]]; then + is_bossraid=true +fi +if [[ $model =~ ^(SOSSNNV|SOSMN)$ ]]; then + is_swraid=true +fi +if [[ $model =~ ^(SOS10K|SOS500|SOS1000|SOS1000F|SOS4000|SOSSN7200)$ ]]; then + is_hwraid=true +fi check_nsm_raid() { PERCCLI=$(/opt/raidtools/perccli/perccli64 /c0/v0 show|grep RAID|grep Optl) 
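Review bot: The removed `appliance_check` was the only place that ran `mkdir -p /opt/so/log/raid`, and nothing in the new top-level code recreates the directory, yet the script still ends with `echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log` in the next hunk; on an appliance where that directory does not yet exist the final write now fails and no status is recorded. Add `mkdir -p /opt/so/log/raid` after the model checks or just before the echo. `model={{ model }}` also embeds the grain value unquoted; `model="{{ model }}"` costs nothing and keeps the rendered line valid if a grain ever contains a space.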
@@ -49,61 +50,44 @@ check_nsm_raid() { check_boss_raid() { MVCLI=$(/usr/local/bin/mvcli info -o vd |grep status |grep functional) - if [[ -n $DUDEYOUGOTADELL ]]; then - if [[ -n $MVCLI ]]; then - BOSSRAID=0 - else - BOSSRAID=1 - fi + if [[ -n $MVCLI ]]; then + BOSSRAID=0 + else + BOSSRAID=1 fi } check_software_raid() { - if [[ -n $DUDEYOUGOTADELL ]]; then - SWRC=$(grep "_" /proc/mdstat) - - if [[ -n $SWRC ]]; then - # RAID is failed in some way - SWRAID=1 - else - SWRAID=0 - fi + SWRC=$(grep "_" /proc/mdstat) + if [[ -n $SWRC ]]; then + # RAID is failed in some way + SWRAID=1 + else + SWRAID=0 fi } -# This script checks raid status if you use SO appliances +# Set everything to 0 +SWRAID=0 +BOSSRAID=0 +HWRAID=0 -# See if this is an appliance - -appliance_check -check_nsm_raid -check_boss_raid -{%- if salt['grains.get']('sosmodel', '') %} -{%- if grains['sosmodel'] in ['SOSMN', 'SOSSNNV'] %} -check_software_raid -{%- endif %} -{%- endif %} - -if [[ -n $SWRAID ]]; then - if [[ $SWRAID == '0' && $BOSSRAID == '0' ]]; then - RAIDSTATUS=0 - else - RAIDSTATUS=1 - fi -elif [[ -n $DUDEYOUGOTADELL ]]; then - if [[ $BOSSRAID == '0' && $HWRAID == '0' ]]; then - RAIDSTATUS=0 - else - RAIDSTATUS=1 - fi -elif [[ "$APPTYPE" == 'sm' ]]; then - if [[ -n "$HWRAID" ]]; then - RAIDSTATUS=0 - else - RAIDSTATUS=1 - fi +if [[ $is_hwraid ]]; then + check_nsm_raid +fi +if [[ $is_bossraid ]]; then + check_boss_raid +fi +if [[ $is_swraid ]]; then + check_software_raid fi -echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log +sum=$(($SWRAID + $BOSSRAID + $HWRAID)) +if [[ $sum == "0" ]]; then + RAIDSTATUS=0 +else + RAIDSTATUS=1 +fi +echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log \ No newline at end of file diff --git a/salt/common/tools/sbin/so-salt-minion-check b/salt/common/tools/sbin_jinja/so-salt-minion-check similarity index 100% rename from salt/common/tools/sbin/so-salt-minion-check rename to salt/common/tools/sbin_jinja/so-salt-minion-check 
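Review bot: The final `echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log` now runs with nothing creating its directory: the `appliance_check` function removed in the previous hunk did `mkdir -p /opt/so/log/raid`, and the new code has no replacement, so on a host where the directory does not yet exist the redirect fails and no status is written. Adding `mkdir -p /opt/so/log/raid` immediately before the `echo` restores the old behaviour. The `check_nsm_raid` body that sets `HWRAID` starts outside this hunk, so I could not confirm it reports failure as `HWRAID=1` the way the two visible checks do, which the new `sum` logic relies on.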
diff --git a/salt/desktop/files/00-background b/salt/desktop/files/00-background new file mode 100644 index 000000000..6f76c6408 --- /dev/null +++ b/salt/desktop/files/00-background @@ -0,0 +1,8 @@ +# Specify the dconf path +[org/gnome/desktop/background] + +# Specify the path to the desktop background image file +picture-uri='file:///usr/local/share/backgrounds/so-wallpaper.jpg' + +# Specify one of the rendering options for the background image: +picture-options='zoom' diff --git a/salt/desktop/files/session.jinja b/salt/desktop/files/session.jinja new file mode 100644 index 000000000..823e62f2d --- /dev/null +++ b/salt/desktop/files/session.jinja @@ -0,0 +1,7 @@ +# This file is managed by Salt in the desktop.xwindows state +# It will not be overwritten if it already exists + +[User] +Session=gnome-classic +Icon=/home/{{USERNAME}}/.face +SystemAccount=false diff --git a/salt/desktop/packages.sls b/salt/desktop/packages.sls index 401be0cd6..3817f2e80 100644 --- a/salt/desktop/packages.sls +++ b/salt/desktop/packages.sls @@ -1,8 +1,5 @@ -{% from 'vars/globals.map.jinja' import GLOBALS %} - {# we only want this state to run it is CentOS #} -{% if GLOBALS.os == 'OEL' %} - +{% if grains.os == 'OEL' %} desktop_packages: pkg.installed: @@ -181,6 +178,7 @@ desktop_packages: - gstreamer1-plugins-good-gtk - gstreamer1-plugins-ugly-free - gtk-update-icon-cache + - gtk2 - gtk3 - gtk4 - gtkmm30 @@ -295,6 +293,7 @@ desktop_packages: - mesa-vulkan-drivers - microcode_ctl - mobile-broadband-provider-info + - mono-devel - mpfr - mpg123-libs - mtdev @@ -347,6 +346,7 @@ desktop_packages: - snappy - sound-theme-freedesktop - soundtouch + - securityonion-networkminer - speech-dispatcher - speech-dispatcher-espeak-ng - speex diff --git a/salt/desktop/remove_gui.sls b/salt/desktop/remove_gui.sls index 53d927cbe..d8de07a9a 100644 --- a/salt/desktop/remove_gui.sls +++ b/salt/desktop/remove_gui.sls 
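Review bot: The kept comment `{# we only want this state to run it is CentOS #}` in packages.sls now sits directly above `{% if grains.os == 'OEL' %}`, so it names the wrong distribution and is also missing a word; the same comment is carried unchanged into remove_gui.sls and xwindows.sls in the next hunks, while trusted-ca.sls in this very commit updates its message to Oracle Linux. Suggest `{# we only want this state to run if the OS is Oracle Linux (OEL) #}` in all three files. Replacing `GLOBALS.os` with `grains.os` also drops the shared abstraction; if other states still key off `GLOBALS.os`, a short comment on why the raw grain is read here would help the next reader.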
@@ -1,7 +1,5 @@ -{% from 'vars/globals.map.jinja' import GLOBALS %} - {# we only want this state to run it is CentOS #} -{% if GLOBALS.os == 'OEL' %} +{% if grains.os == 'OEL' %} remove_graphical_target: file.symlink: diff --git a/salt/desktop/trusted-ca.sls b/salt/desktop/trusted-ca.sls index b9bde5ae5..87fc70ef9 100644 --- a/salt/desktop/trusted-ca.sls +++ b/salt/desktop/trusted-ca.sls @@ -31,6 +31,6 @@ update_ca_certs: desktop_trusted-ca_os_fail: test.fail_without_changes: - - comment: 'SO Desktop can only be installed on CentOS' + - comment: 'SO Desktop can only be installed on Oracle Linux' {% endif %} diff --git a/salt/desktop/xwindows.sls b/salt/desktop/xwindows.sls index ea0c7df4f..85da0590c 100644 --- a/salt/desktop/xwindows.sls +++ b/salt/desktop/xwindows.sls @@ -1,7 +1,5 @@ -{% from 'vars/globals.map.jinja' import GLOBALS %} - {# we only want this state to run it is CentOS #} -{% if GLOBALS.os == 'OEL' %} +{% if grains.os == 'OEL' %} include: - desktop.packages 
@@ -14,6 +12,41 @@ graphical_target: - require: - desktop_packages +{# set users to use gnome-classic #} +{% for username in salt['file.find'](path='/home/',mindepth=1,maxdepth=1,type='d') %} +{% set username = username.split('/')[2] %} +{% if username != 'zeek' %} +{% if not salt['file.file_exists']('/var/lib/AccountsService/users/' ~ username) %} + +{{username}}_session: + file.managed: + - name: /var/lib/AccountsService/users/{{username}} + - source: salt://desktop/files/session.jinja + - template: jinja + - defaults: + USERNAME: {{username}} + +{% endif %} +{% endif %} +{% endfor %} + +desktop_wallpaper: + file.managed: + - name: /usr/local/share/backgrounds/so-wallpaper.jpg + - source: salt://desktop/files/so-wallpaper.jpg + - makedirs: True + +set_wallpaper: + file.managed: + - name: /etc/dconf/db/local.d/00-background + - source: salt://desktop/files/00-background + +run_dconf_update: + cmd.run: + - name: 'dconf update' + - onchanges: + - file: set_wallpaper + {% else %} desktop_xwindows_os_fail: diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index e39feaf06..a5d6c5d6d 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -178,6 +178,9 @@ docker: extra_env: [] 'so-elastic-agent': final_octet: 46 + port_bindings: + - 0.0.0.0:514:514/tcp + - 0.0.0.0:514:514/udp custom_bind_mounts: [] extra_hosts: [] extra_env: [] diff --git a/salt/docker/soc_docker.yaml b/salt/docker/soc_docker.yaml index 82f59e4dc..d227a3e85 100644 --- a/salt/docker/soc_docker.yaml +++ b/salt/docker/soc_docker.yaml @@ -8,7 +8,7 @@ docker: helpLink: docker.html advanced: True containers: - so-curator: &dockerOptions + so-dockerregistry: &dockerOptions final_octet: description: Last octet of the container IP address. helpLink: docker.html @@ -20,6 +20,7 @@ docker: helpLink: docker.html advanced: True multiline: True + forcedType: "[]string" custom_bind_mounts: description: List of custom local volume bindings. advanced: True 
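Review bot: The new `port_bindings` for `so-elastic-agent` publish 514/tcp and 514/udp on `0.0.0.0`, and because this is `defaults.yaml` the listener is exposed on every interface of every node that runs the agent container, not only the node intended to receive syslog. If the firewall state already restricts 514 to the expected sources, a comment saying so belongs next to these lines; otherwise consider an empty default with the binding supplied per node via pillar, or binding to the management address. The matching `udp`/`tcp` inputs added to elastic-agent.yml.jinja later in this commit also listen on `0.0.0.0:514`.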
@@ -38,12 +39,8 @@ docker: helpLink: docker.html multiline: True forcedType: "[]string" - so-dockerregistry: *dockerOptions - so-elastalert: *dockerOptions - so-elastic-fleet-package-registry: *dockerOptions so-elastic-fleet: *dockerOptions so-elasticsearch: *dockerOptions - so-idh: *dockerOptions so-idstools: *dockerOptions so-influxdb: *dockerOptions so-kibana: *dockerOptions @@ -53,11 +50,21 @@ docker: so-nginx: *dockerOptions so-playbook: *dockerOptions so-redis: *dockerOptions + so-sensoroni: *dockerOptions so-soc: *dockerOptions so-soctopus: *dockerOptions so-strelka-backend: *dockerOptions - so-strelka-coordinator: *dockerOptions so-strelka-filestream: *dockerOptions so-strelka-frontend: *dockerOptions - so-strelka-gatekeeper: *dockerOptions so-strelka-manager: *dockerOptions + so-strelka-gatekeeper: *dockerOptions + so-strelka-coordinator: *dockerOptions + so-elastalert: *dockerOptions + so-curator: *dockerOptions + so-elastic-fleet-package-registry: *dockerOptions + so-idh: *dockerOptions + so-elastic-agent: *dockerOptions + so-telegraf: *dockerOptions + so-steno: *dockerOptions + so-suricata: *dockerOptions + so-zeek: *dockerOptions diff --git a/salt/docker_clean/init.sls b/salt/docker_clean/init.sls index c11af4f56..ee60f5591 100644 --- a/salt/docker_clean/init.sls +++ b/salt/docker_clean/init.sls @@ -9,6 +9,7 @@ prune_images: cmd.run: - name: so-docker-prune + - order: last {% else %} diff --git a/salt/elasticagent/config.sls b/salt/elasticagent/config.sls index 8b24f3b22..b54186fab 100644 --- a/salt/elasticagent/config.sls +++ b/salt/elasticagent/config.sls @@ -28,6 +28,13 @@ elasticagentconfdir: - group: 939 - makedirs: True +elasticagentlogdir: + file.directory: + - name: /opt/so/log/elasticagent + - user: 949 + - group: 939 + - makedirs: True + elasticagent_sbin_jinja: file.recurse: - name: /usr/sbin diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls index 4c00920ac..7d0f401e9 100644 --- a/salt/elasticagent/enabled.sls 
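Review bot: The container list in soc_docker.yaml was alphabetical up to `so-strelka-manager`; the entries appended after it (`so-strelka-gatekeeper`, `so-strelka-coordinator`, `so-elastalert`, `so-curator`, through `so-zeek`) break that order without a functional reason, since only the `&dockerOptions` anchor has to precede its aliases. Keeping the list sorted after the anchor makes the next addition easier to review and diff. If the order is deliberate (for example mirroring the SOC UI), a one-line comment above the list would save the question.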
+++ b/salt/elasticagent/enabled.sls @@ -31,22 +31,31 @@ so-elastic-agent: - {{ XTRAHOST }} {% endfor %} {% endif %} + - port_bindings: + {% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %} + - {{ BINDING }} + {% endfor %} - binds: - /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro + - /opt/so/log/elasticagent:/usr/share/elastic-agent/logs - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro - /nsm:/nsm:ro + - /opt/so/log:/opt/so/log:ro {% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %} - {{ BIND }} {% endfor %} - {% endif %} + {% endif %} - environment: - FLEET_CA=/etc/pki/tls/certs/intca.crt + - LOGS_PATH=logs {% if DOCKER.containers['so-elastic-agent'].extra_env %} {% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} + - require: + - file: create-elastic-agent-config - watch: - file: create-elastic-agent-config diff --git a/salt/elasticagent/files/elastic-agent.yml.jinja b/salt/elasticagent/files/elastic-agent.yml.jinja index 2d32a3b17..7d0b93344 100644 --- a/salt/elasticagent/files/elastic-agent.yml.jinja +++ b/salt/elasticagent/files/elastic-agent.yml.jinja @@ -3,7 +3,7 @@ {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} id: aea1ba80-1065-11ee-a369-97538913b6a9 -revision: 2 +revision: 1 outputs: default: type: elasticsearch 
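Review bot: The new `- /opt/so/log:/opt/so/log:ro` bind gives the agent container read access to the entire host log tree, while the inputs added to elastic-agent.yml.jinja in this commit only read `/opt/so/log/redis`, `/opt/so/log/soc` and `/opt/so/log/sensoroni`; mounting those three directories instead keeps logs of unrelated services out of the container. It also overlaps the read-write `/opt/so/log/elasticagent:/usr/share/elastic-agent/logs` mount, which is harmless but worth a comment so nobody removes one thinking it shadows the other. The added `- require: - file: create-elastic-agent-config` is redundant with the existing `watch` on the same state, since Salt's `watch` already implies `require`.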
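Review bot: `revision: 2` becomes `revision: 1` at the top of elastic-agent.yml.jinja while the inputs below move from `revision: 1` to `revision: 2`, so the policy number goes backwards as its contents change. If the top-level value is not consumed by the standalone agent this is cosmetic, but a lower revision on a newer policy reads like a merge mistake; a short comment beside it (`# policy revision reset for the reworked input set`) would remove the doubt if it is intentional.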
@@ -22,56 +22,369 @@ agent: metrics: false features: {} inputs: - - id: logfile-logs-80ffa884-2cfc-459a-964a-34df25714d85 - name: suricata-logs - revision: 1 + - id: logfile-logs-fefef78c-422f-4cfa-8abf-4cd1b9428f62 + name: import-evtx-logs + revision: 2 type: logfile use_output: default meta: package: name: log - version: + version: data_stream: namespace: so - package_policy_id: 80ffa884-2cfc-459a-964a-34df25714d85 + package_policy_id: fefef78c-422f-4cfa-8abf-4cd1b9428f62 streams: - - id: logfile-log.log-80ffa884-2cfc-459a-964a-34df25714d85 + - id: logfile-log.log-fefef78c-422f-4cfa-8abf-4cd1b9428f62 + data_stream: + dataset: import + paths: + - /nsm/import/*/evtx/*.json + processors: + - dissect: + field: log.file.path + tokenizer: '/nsm/import/%{import.id}/evtx/%{import.file}' + target_prefix: '' + - decode_json_fields: + fields: + - message + target: '' + - drop_fields: + ignore_missing: true + fields: + - host + - add_fields: + fields: + dataset: system.security + type: logs + namespace: default + target: data_stream + - add_fields: + fields: + dataset: system.security + module: system + imported: true + target: event + - then: + - add_fields: + fields: + dataset: windows.sysmon_operational + target: data_stream + - add_fields: + fields: + dataset: windows.sysmon_operational + module: windows + imported: true + target: event + if: + equals: + winlog.channel: Microsoft-Windows-Sysmon/Operational + - then: + - add_fields: + fields: + dataset: system.application + target: data_stream + - add_fields: + fields: + dataset: system.application + target: event + if: + equals: + winlog.channel: Application + - then: + - add_fields: + fields: + dataset: system.system + target: data_stream + - add_fields: + fields: + dataset: system.system + target: event + if: + equals: + winlog.channel: System + - then: + - add_fields: + fields: + dataset: windows.powershell_operational + target: data_stream + - add_fields: + fields: + dataset: windows.powershell_operational + module: 
windows + target: event + if: + equals: + winlog.channel: Microsoft-Windows-PowerShell/Operational + tags: + - import + - id: logfile-redis-fc98c947-7d17-4861-a318-7ad075f6d1b0 + name: redis-logs + revision: 2 + type: logfile + use_output: default + meta: + package: + name: redis + version: + data_stream: + namespace: default + package_policy_id: fc98c947-7d17-4861-a318-7ad075f6d1b0 + streams: + - id: logfile-redis.log-fc98c947-7d17-4861-a318-7ad075f6d1b0 + data_stream: + dataset: redis.log + type: logs + exclude_files: + - .gz$ + paths: + - /opt/so/log/redis/redis.log + tags: + - redis-log + exclude_lines: + - '^\s+[\-`(''.|_]' + - id: logfile-logs-3b56803d-5ade-4c93-b25e-9b37182f66b8 + name: import-suricata-logs + revision: 2 + type: logfile + use_output: default + meta: + package: + name: log + version: + data_stream: + namespace: so + package_policy_id: 3b56803d-5ade-4c93-b25e-9b37182f66b8 + streams: + - id: logfile-log.log-3b56803d-5ade-4c93-b25e-9b37182f66b8 + data_stream: + dataset: import + pipeline: suricata.common + paths: + - /nsm/import/*/suricata/eve*.json + processors: + - add_fields: + fields: + module: suricata + imported: true + category: network + target: event + - dissect: + field: log.file.path + tokenizer: '/nsm/import/%{import.id}/suricata/%{import.file}' + target_prefix: '' + - id: logfile-logs-c327e1a3-1ebe-449c-a8eb-f6f35032e69d + name: soc-server-logs + revision: 2 + type: logfile + use_output: default + meta: + package: + name: log + version: + data_stream: + namespace: so + package_policy_id: c327e1a3-1ebe-449c-a8eb-f6f35032e69d + streams: + - id: logfile-log.log-c327e1a3-1ebe-449c-a8eb-f6f35032e69d + data_stream: + dataset: soc + pipeline: common + paths: + - /opt/so/log/soc/sensoroni-server.log + processors: + - decode_json_fields: + add_error_key: true + process_array: true + max_depth: 2 + fields: + - message + target: soc + - add_fields: + fields: + module: soc + dataset_temp: server + category: host + target: event + - rename: + 
ignore_missing: true + fields: + - from: soc.fields.sourceIp + to: source.ip + - from: soc.fields.status + to: http.response.status_code + - from: soc.fields.method + to: http.request.method + - from: soc.fields.path + to: url.path + - from: soc.message + to: event.action + - from: soc.level + to: log.level + tags: + - so-soc + - id: logfile-logs-906e0d4c-9ec3-4c6a-bef6-e347ec9fd073 + name: soc-sensoroni-logs + revision: 2 + type: logfile + use_output: default + meta: + package: + name: log + version: + data_stream: + namespace: so + package_policy_id: 906e0d4c-9ec3-4c6a-bef6-e347ec9fd073 + streams: + - id: logfile-log.log-906e0d4c-9ec3-4c6a-bef6-e347ec9fd073 + data_stream: + dataset: soc + pipeline: common + paths: + - /opt/so/log/sensoroni/sensoroni.log + processors: + - decode_json_fields: + add_error_key: true + process_array: true + max_depth: 2 + fields: + - message + target: sensoroni + - add_fields: + fields: + module: soc + dataset_temp: sensoroni + category: host + target: event + - rename: + ignore_missing: true + fields: + - from: sensoroni.fields.sourceIp + to: source.ip + - from: sensoroni.fields.status + to: http.response.status_code + - from: sensoroni.fields.method + to: http.request.method + - from: sensoroni.fields.path + to: url.path + - from: sensoroni.message + to: event.action + - from: sensoroni.level + to: log.level + - id: logfile-logs-df0d7f2c-221f-433b-b18b-d1cf83250515 + name: soc-salt-relay-logs + revision: 2 + type: logfile + use_output: default + meta: + package: + name: log + version: + data_stream: + namespace: so + package_policy_id: df0d7f2c-221f-433b-b18b-d1cf83250515 + streams: + - id: logfile-log.log-df0d7f2c-221f-433b-b18b-d1cf83250515 + data_stream: + dataset: soc + pipeline: common + paths: + - /opt/so/log/soc/salt-relay.log + processors: + - dissect: + field: message + tokenizer: '%{soc.ts} | %{event.action}' + target_prefix: '' + - add_fields: + fields: + module: soc + dataset_temp: salt_relay + category: host + target: 
event + tags: + - so-soc + - id: logfile-logs-74bd2366-fe52-493c-bddc-843a017fc4d0 + name: soc-auth-sync-logs + revision: 2 + type: logfile + use_output: default + meta: + package: + name: log + version: + data_stream: + namespace: so + package_policy_id: 74bd2366-fe52-493c-bddc-843a017fc4d0 + streams: + - id: logfile-log.log-74bd2366-fe52-493c-bddc-843a017fc4d0 + data_stream: + dataset: soc + pipeline: common + paths: + - /opt/so/log/soc/sync.log + processors: + - dissect: + field: message + tokenizer: '%{event.action}' + target_prefix: '' + - add_fields: + fields: + module: soc + dataset_temp: auth_sync + category: host + target: event + tags: + - so-soc + - id: logfile-logs-d151d9bf-ff2a-4529-9520-c99244bc0253 + name: suricata-logs + revision: 2 + type: logfile + use_output: default + meta: + package: + name: log + version: + data_stream: + namespace: so + package_policy_id: d151d9bf-ff2a-4529-9520-c99244bc0253 + streams: + - id: logfile-log.log-d151d9bf-ff2a-4529-9520-c99244bc0253 data_stream: dataset: suricata + pipeline: suricata.common paths: - /nsm/suricata/eve*.json processors: - add_fields: - target: event fields: - category: network module: suricata - pipeline: suricata.common - - id: logfile-logs-90103ac4-f6bd-4a4a-b596-952c332390fc + category: network + target: event + - id: logfile-logs-31f94d05-ae75-40ee-b9c5-0e0356eff327 name: strelka-logs - revision: 1 + revision: 2 type: logfile use_output: default meta: package: name: log - version: + version: data_stream: namespace: so - package_policy_id: 90103ac4-f6bd-4a4a-b596-952c332390fc + package_policy_id: 31f94d05-ae75-40ee-b9c5-0e0356eff327 streams: - - id: logfile-log.log-90103ac4-f6bd-4a4a-b596-952c332390fc + - id: logfile-log.log-31f94d05-ae75-40ee-b9c5-0e0356eff327 data_stream: dataset: strelka + pipeline: strelka.file paths: - /nsm/strelka/log/strelka.log processors: - add_fields: - target: event fields: - category: file module: strelka - pipeline: strelka.file + category: file + target: event - 
id: logfile-logs-6197fe84-9b58-4d9b-8464-3d517f28808d name: zeek-logs revision: 1 @@ -117,3 +430,54 @@ inputs: exclude_files: - >- broker|capture_loss|cluster|ecat_arp_info|known_hosts|known_services|loaded_scripts|ntp|ocsp|packet_filter|reporter|stats|stderr|stdout.log$ + - id: udp-udp-35051de0-46a5-11ee-8d5d-9f98c8182f60 + name: syslog-udp-514 + revision: 3 + type: udp + use_output: default + meta: + package: + name: udp + version: 1.10.0 + data_stream: + namespace: so + package_policy_id: 35051de0-46a5-11ee-8d5d-9f98c8182f60 + streams: + - id: udp-udp.generic-35051de0-46a5-11ee-8d5d-9f98c8182f60 + data_stream: + dataset: syslog + pipeline: syslog + host: '0.0.0.0:514' + max_message_size: 10KiB + processors: + - add_fields: + fields: + module: syslog + target: event + tags: + - syslog + - id: tcp-tcp-33d37bb0-46a5-11ee-8d5d-9f98c8182f60 + name: syslog-tcp-514 + revision: 3 + type: tcp + use_output: default + meta: + package: + name: tcp + version: 1.10.0 + data_stream: + namespace: so + package_policy_id: 33d37bb0-46a5-11ee-8d5d-9f98c8182f60 + streams: + - id: tcp-tcp.generic-33d37bb0-46a5-11ee-8d5d-9f98c8182f60 + data_stream: + dataset: syslog + pipeline: syslog + host: '0.0.0.0:514' + processors: + - add_fields: + fields: + module: syslog + target: event + tags: + - syslog diff --git a/salt/elasticfleet/config.sls b/salt/elasticfleet/config.sls index 902b5eb4c..d2e357c91 100644 --- a/salt/elasticfleet/config.sls +++ b/salt/elasticfleet/config.sls @@ -37,6 +37,8 @@ elasticfleet_sbin_jinja: - group: 939 - file_mode: 755 - template: jinja + - exclude_pat: + - so-elastic-fleet-package-upgrade # exclude this because we need to watch it for changes eaconfdir: file.directory: 
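Review bot: The `import-evtx-logs` input in this hunk maps `winlog.channel` to a dataset but, unlike the import-evtx-logs.json integration rewritten later in this commit, sets no `@metadata.pipeline` and does not reset `data_stream.dataset` to `import` after the per-channel `add_fields`; if both definitions describe the same import flow they now diverge and the standalone configuration will route events differently from the Fleet-managed one. Either align the two or add a comment to each stating which deployment mode it serves. Several `meta.package.version:` values are left empty in this hunk; if that is intentional a one-line comment would stop it being reported as a rendering bug.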
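Review bot: The new `syslog-tcp-514` stream has no `max_message_size` (nor a `timeout`), whereas its UDP twin caps messages at `10KiB`; an unauthenticated TCP peer can therefore hold a connection open and push lines up to the input's much larger built-in default, so add `max_message_size: 10KiB` (or whatever value the UDP side settles on) to the TCP stream for parity. Both streams bind `host: '0.0.0.0:514'`, matching the container `port_bindings` added in docker/defaults.yaml, so the exposure point raised there applies to these inputs as well.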
@@ -59,6 +61,14 @@ eastatedir: - group: 939 - makedirs: True +eapackageupgrade: + file.managed: + - name: /usr/sbin/so-elastic-fleet-package-upgrade + - source: salt://elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade + - user: 947 + - group: 939 + - template: jinja + {% if GLOBALS.role != "so-fleet" %} eaintegrationsdir: file.directory: @@ -88,6 +98,7 @@ ea-integrations-load: - onchanges: - file: eaintegration - file: eadynamicintegration + - file: eapackageupgrade {% endif %} {% else %} diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml index 46d496955..a4862623d 100644 --- a/salt/elasticfleet/defaults.yaml +++ b/salt/elasticfleet/defaults.yaml @@ -2,7 +2,7 @@ elasticfleet: enabled: False config: server: - custom_fqdn: '' + custom_fqdn: [] enable_auto_configuration: True endpoints_enrollment: '' es_token: '' @@ -13,7 +13,10 @@ elasticfleet: - broker - capture_loss - cluster + - conn-summary + - console - ecat_arp_info + - known_certs - known_hosts - known_services - loaded_scripts @@ -25,11 +28,53 @@ elasticfleet: - stderr - stdout packages: + - apache + - auditd - aws - azure + - barracuda + - cisco_asa - cloudflare + - crowdstrike + - darktrace + - elasticsearch - endpoint + - f5_bigip + - fleet_server - fim + - fortinet + - fortinet_fortigate + - gcp - github - google_workspace + - http_endpoint + - httpjson + - juniper + - juniper_srx + - kafka_log + - lastpass + - log + - m365_defender + - microsoft_defender_endpoint + - microsoft_dhcp + - netflow + - o365 + - okta + - osquery_manager + - panw + - pfsense + - redis + - sentinel_one + - sonicwall_firewall + - symantec_endpoint + - system + - tcp + - ti_abusech + - ti_misp + - ti_otx + - ti_recordedfuture + - udp + - windows + - zscaler_zia + - zscaler_zpa - 1password diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index 025a87e14..320b6d6b6 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls 
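Review bot: `eapackageupgrade` installs `/usr/sbin/so-elastic-fleet-package-upgrade` with `file.managed` but no `- mode`, while the `elasticfleet_sbin_jinja` recurse it was just excluded from applies `file_mode: 755`; a freshly created file therefore gets umask-default permissions and is not executable, so add `- mode: 755` to the state. The state is already wired into `ea-integrations-load` through `onchanges`, so the mode is the only gap I see. The `exclude_pat` comment in the previous hunk explains the why; a matching one-liner here, `# managed separately so ea-integrations-load can watch it`, would tie the two together.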
@@ -15,12 +15,14 @@ include: - elasticfleet.config - elasticfleet.sostatus + - ssl # If enabled, automatically update Fleet Logstash Outputs {% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval', 'so-fleet'] %} so-elastic-fleet-auto-configure-logstash-outputs: cmd.run: - name: /usr/sbin/so-elastic-fleet-outputs-update + - retry: True {% endif %} # If enabled, automatically update Fleet Server URLs & ES Connection @@ -28,6 +30,7 @@ so-elastic-fleet-auto-configure-logstash-outputs: so-elastic-fleet-auto-configure-server-urls: cmd.run: - name: /usr/sbin/so-elastic-fleet-urls-update + - retry: True {% endif %} # Automatically update Fleet Server Elasticsearch URLs @@ -35,6 +38,7 @@ so-elastic-fleet-auto-configure-server-urls: so-elastic-fleet-auto-configure-elasticsearch-urls: cmd.run: - name: /usr/sbin/so-elastic-fleet-es-url-update + - retry: True {% endif %} {% if SERVICETOKEN != '' %} @@ -61,11 +65,9 @@ so-elastic-fleet: - {{ BINDING }} {% endfor %} - binds: - - /etc/pki:/etc/pki:ro - {% if GLOBALS.os_family == 'Debian' %} - - /etc/ssl:/etc/ssl:ro - {% endif %} - #- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw + - /etc/pki/elasticfleet-server.crt:/etc/pki/elasticfleet-server.crt:ro + - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro + - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} 
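Review bot: `- retry: True` is added to three `cmd.run` states in this file (`so-elastic-fleet-auto-configure-logstash-outputs`, `…-server-urls`, `…-elasticsearch-urls`, plus `so-elastic-agent-grid-upgrade` in the next hunk) with no `attempts`, `interval` or `until`, so each falls back to Salt's defaults; for scripts that talk to the Fleet API during startup the default attempt count may still be too few to outlast Kibana coming up. The explicit form, e.g. `- retry: {attempts: 5, interval: 30}`, together with a comment stating what transient failure it is meant to absorb, makes the behaviour reviewable. The narrowed binds in the fourth hunk (`elasticfleet-server.crt`, `.key` and `intca.crt` instead of all of `/etc/pki`) reduce what the container can read and need no change.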
@@ -80,25 +82,28 @@ so-elastic-fleet: - FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }} - FLEET_SERVER_CERT=/etc/pki/elasticfleet-server.crt - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet-server.key - {% if GLOBALS.os_family == 'Debian' %} - - FLEET_CA=/etc/ssl/certs/intca.crt - - FLEET_SERVER_ELASTICSEARCH_CA=/etc/ssl/certs/intca.crt - {% else %} - - FLEET_CA=/etc/pki/tls/certs/intca.crt + - FLEET_CA=/etc/pki/tls/certs/intca.crt - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt - {% endif %} - LOGS_PATH=logs {% if DOCKER.containers['so-elastic-fleet'].extra_env %} {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} + - watch: + - x509: etc_elasticfleet_key + - x509: etc_elasticfleet_crt {% endif %} {% if GLOBALS.role != "so-fleet" %} so-elastic-fleet-integrations: cmd.run: - name: /usr/sbin/so-elastic-fleet-integration-policy-load + +so-elastic-agent-grid-upgrade: + cmd.run: + - name: /usr/sbin/so-elastic-agent-grid-upgrade + - retry: True {% endif %} delete_so-elastic-fleet_so-status.disabled: diff --git a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json index 4c22f0446..0979f98b6 100644 --- a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json +++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json @@ -13,7 +13,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ diff --git a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json index 2cec88bf2..32bff857b 100644 --- a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json 
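Review bot: `so-elastic-agent-grid-upgrade` is an unconditional `cmd.run`, so the script executes on every highstate of every non-fleet node; the sibling `so-elastic-fleet-integrations` has the same shape, but an upgrade pushed across the grid is a heavier action than a policy load, and the script is not in this diff so I cannot tell whether it is idempotent. Gating it with `unless` on a version check, or `onchanges` of whatever pillar carries the target agent version, would make the intent explicit, as would a comment stating what the script compares and that it is safe to re-run. The new `watch` on the `x509` cert and key states means a rotated fleet-server certificate now restarts the container, which the old configuration did not do.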
+++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json @@ -14,7 +14,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ diff --git a/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json b/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json index 7d7f5bb35..8ab4f748e 100644 --- a/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json +++ b/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json @@ -5,17 +5,16 @@ "package": { "name": "endpoint", "title": "Elastic Defend", - "version": "" + "version": "8.8.0" }, "enabled": true, "policy_id": "endpoints-initial", - "vars": {}, "inputs": [{ - "type": "endpoint", + "type": "ENDPOINT_INTEGRATION_CONFIG", "enabled": true, "streams": [], "config": { - "integration_config": { + "_config": { "value": { "type": "endpoint", "endpointConfig": { @@ -25,4 +24,4 @@ } } }] -} \ No newline at end of file +} diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json index 32055112a..29cc1a879 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json @@ -11,7 +11,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json index d9f8daeb9..4887a1a01 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json 
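Review bot: The Elastic Defend policy JSON now pins `"version": "8.8.0"` while every other integration file in this commit leaves `version` empty and a `so-elastic-fleet-package-upgrade` script is introduced at the same time; a hard-coded package version has to be bumped by hand after each endpoint package upgrade, or the policy load may be rejected or create a policy against a stale package. Since JSON carries no comments, record the coupling in the loader script or template the value from the installed package. The switch to `"type": "ENDPOINT_INTEGRATION_CONFIG"` with `"_config"` is the Fleet API's policy-creation shape, so that part looks right.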
@@ -12,7 +12,7 @@ "logs-logfile": { "enabled": true, "streams": { - "log.log": { + "log.logs": { "enabled": true, "vars": { "paths": [ 
@@ -20,8 +20,8 @@ ], "data_stream.dataset": "import", "custom": "", - "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n namespace: default\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows", - "tags": [ + "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: 
\"@metadata\"\n fields:\n pipeline: logs-system.security-1.34.0\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-1.24.0\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-1.34.0\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-1.34.0\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-1.24.0\n- add_fields:\n target: data_stream\n fields:\n dataset: import", + "tags": [ "import" ] } diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json index f17ee33d1..3b8cffcc1 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json 
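Review bot: The rewritten `processors` string hard-codes ingest pipeline names with versions (`logs-system.security-1.34.0`, `logs-windows.sysmon_operational-1.24.0`, `logs-system.application-1.34.0`, `logs-system.system-1.34.0`, `logs-windows.powershell_operational-1.24.0`) via `@metadata.pipeline`; once the `system` or `windows` packages are upgraded by the new so-elastic-fleet-package-upgrade script these names go stale and imported events will miss or fail pipeline processing. Consider deriving the pipeline names from the installed package versions at load time, or at least note the coupling in the loader so the bump is not forgotten. The trailing `add_fields` also sets `data_stream.dataset: import` after the per-channel `add_fields` have set it to e.g. `system.security`, so every event ends with dataset `import`; if routing is meant to happen through `@metadata.pipeline` rather than the dataset, a comment in the loader saying so would prevent it being read as a bug.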
@@ -11,7 +11,7 @@
 "logs-logfile": {
 "enabled": true,
 "streams": {
- "log.log": {
+ "log.logs": {
 "enabled": true,
 "vars": {
 "paths": [
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json
index c342b57bd..b1fb71077 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json
@@ -11,7 +11,7 @@
 "logs-logfile": {
 "enabled": true,
 "streams": {
- "log.log": {
+ "log.logs": {
 "enabled": true,
 "vars": {
 "paths": [
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json
index 84e9ae94d..3aa740881 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json
@@ -11,7 +11,7 @@
 "logs-logfile": {
 "enabled": true,
 "streams": {
- "log.log": {
+ "log.logs": {
 "enabled": true,
 "vars": {
 "paths": [
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json
index 07bd89b89..840f36f6b 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json
@@ -11,7 +11,7 @@
 "logs-logfile": {
 "enabled": true,
 "streams": {
- "log.log": {
+ "log.logs": {
 "enabled": true,
 "vars": {
 "paths": [
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json
index bee14ebf5..60ee95f45 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json
@@ -11,7 +11,7 @@
 "logs-logfile": {
 "enabled": true,
 "streams": {
- "log.log": {
+ "log.logs": {
 "enabled": true,
 "vars": {
 "paths": [
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json
index 285d79148..b789adc1d 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json
@@ -11,7 +11,7 @@
 "logs-logfile": {
 "enabled": true,
 "streams": {
- "log.log": {
+ "log.logs": {
 "enabled": true,
 "vars": {
 "paths": [
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json
index 6f6beca99..089b5d4f8 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json
@@ -11,7 +11,7 @@
 "logs-logfile": {
 "enabled": true,
 "streams": {
- "log.log": {
+ "log.logs": {
 "enabled": true,
 "vars": {
 "paths": [
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json
index 7ff43c3a8..a9d857b24 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json
@@ -11,7 +11,7 @@
 "logs-logfile": {
 "enabled": true,
 "streams": {
- "log.log": {
+ "log.logs": {
 "enabled": true,
 "vars": {
 "paths": [
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/elasticsearch-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/elasticsearch-logs.json
deleted file mode 100644
index 711602775..000000000
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/elasticsearch-logs.json
+++ /dev/null
@@ -1,106 +0,0 @@
-{
- "package": {
- "name": "elasticsearch",
- "version": ""
- },
- "name": "elasticsearch-logs",
- "namespace": "default",
- "description": "Elasticsearch Logs",
- "policy_id": "so-grid-nodes_heavy",
- "inputs": {
- "elasticsearch-logfile": {
- "enabled": true,
- "streams": {
- "elasticsearch.audit": {
- "enabled": false,
- "vars": {
- "paths": [
- "/var/log/elasticsearch/*_audit.json"
- ]
- }
- },
- "elasticsearch.deprecation": {
- "enabled": false,
- "vars": {
- "paths": [
- "/var/log/elasticsearch/*_deprecation.json"
- ]
- }
- },
- "elasticsearch.gc": {
- "enabled": false,
- "vars": {
- "paths": [
- "/var/log/elasticsearch/gc.log.[0-9]*",
- "/var/log/elasticsearch/gc.log"
- ]
- }
- },
- "elasticsearch.server": {
- "enabled": true,
- "vars": {
- "paths": [
- "/opt/so/log/elasticsearch/*.log"
- ]
- }
- },
- "elasticsearch.slowlog": {
- "enabled": false,
- "vars": {
- "paths": [
- "/var/log/elasticsearch/*_index_search_slowlog.json",
- "/var/log/elasticsearch/*_index_indexing_slowlog.json"
- ]
- }
- }
- }
- },
- "elasticsearch-elasticsearch/metrics": {
- "enabled": false,
- "vars": {
- "hosts": [
- "http://localhost:9200"
- ],
- "scope": "node"
- },
- "streams": {
- "elasticsearch.stack_monitoring.ccr": {
- "enabled": false
- },
- "elasticsearch.stack_monitoring.cluster_stats": {
- "enabled": false
- },
- "elasticsearch.stack_monitoring.enrich": {
- "enabled": false
- },
- "elasticsearch.stack_monitoring.index": {
- "enabled": false
- },
- "elasticsearch.stack_monitoring.index_recovery": {
- "enabled": false,
- "vars": {
- "active.only": true
- }
- },
- "elasticsearch.stack_monitoring.index_summary": {
- "enabled": false
- },
- "elasticsearch.stack_monitoring.ml_job": {
- "enabled": false
- },
- "elasticsearch.stack_monitoring.node": {
- "enabled": false
- },
- "elasticsearch.stack_monitoring.node_stats": {
- "enabled": false
- },
- "elasticsearch.stack_monitoring.pending_tasks": {
- "enabled": false
- },
- "elasticsearch.stack_monitoring.shard": 
{
- "enabled": false
- }
- }
- }
- }
-}
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/kratos-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/kratos-logs.json
deleted file mode 100644
index c9e4183de..000000000
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/kratos-logs.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "package": {
- "name": "log",
- "version": ""
- },
- "name": "kratos-logs",
- "namespace": "so",
- "description": "Kratos logs",
- "policy_id": "so-grid-nodes_heavy",
- "inputs": {
- "logs-logfile": {
- "enabled": true,
- "streams": {
- "log.log": {
- "enabled": true,
- "vars": {
- "paths": [
- "/opt/so/log/kratos/kratos.log"
- ],
- "data_stream.dataset": "kratos",
- "tags": ["so-kratos"],
- "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: iam\n module: kratos",
- "custom": "pipeline: kratos"
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/osquery-grid-nodes.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/osquery-grid-nodes.json
index d0281c111..b1454d4bd 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/osquery-grid-nodes.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/osquery-grid-nodes.json
@@ -3,7 +3,7 @@
 "name": "osquery_manager",
 "version": ""
 },
- "name": "osquery-grid-nodes",
+ "name": "osquery-grid-nodes_heavy",
 "namespace": "default",
 "policy_id": "so-grid-nodes_heavy",
 "inputs": {
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/redis-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/redis-logs.json
deleted file mode 100644
index cddcedfd8..000000000
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/redis-logs.json
+++ /dev/null
@@ -1,76 +0,0 @@
-{
- "package": {
- "name": "redis",
- "version": ""
- },
- "name": "redis-logs",
- "namespace": "default",
- "description": "Redis logs",
- "policy_id": "so-grid-nodes_heavy",
- "inputs": {
- "redis-logfile": {
- "enabled": true,
- "streams": {
- "redis.log": {
- "enabled": true,
- "vars": {
- "paths": [
- "/opt/so/log/redis/redis.log"
- ],
- "tags": [
- "redis-log"
- ],
- "preserve_original_event": false
- }
- }
- }
- },
- "redis-redis": {
- "enabled": false,
- "streams": {
- "redis.slowlog": {
- "enabled": false,
- "vars": {
- "hosts": [
- "127.0.0.1:6379"
- ],
- "password": ""
- }
- }
- }
- },
- "redis-redis/metrics": {
- "enabled": false,
- "vars": {
- "hosts": [
- "127.0.0.1:6379"
- ],
- "idle_timeout": "20s",
- "maxconn": 10,
- "network": "tcp",
- "password": ""
- },
- "streams": {
- "redis.info": {
- "enabled": false,
- "vars": {
- "period": "10s"
- }
- },
- "redis.key": {
- "enabled": false,
- "vars": {
- "key.patterns": "- limit: 20\n pattern: *\n",
- "period": "10s"
- }
- },
- "redis.keyspace": {
- "enabled": false,
- "vars": {
- "period": "10s"
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json
deleted file mode 100644
index 2004c8c5d..000000000
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "package": {
- "name": "log",
- "version": ""
- },
- "name": "soc-auth-sync-logs",
- "namespace": "so",
- "description": "Security Onion - Elastic Auth Sync - Logs",
- "policy_id": "so-grid-nodes_heavy",
- "inputs": {
- "logs-logfile": {
- "enabled": true,
- "streams": {
- "log.log": {
- "enabled": true,
- "vars": {
- "paths": [
- "/opt/so/log/soc/sync.log"
- ],
- "data_stream.dataset": "soc",
- "tags": ["so-soc"],
- "processors": "- dissect:\n tokenizer: \"%{event.action}\"\n field: \"message\"\n target_prefix: \"\"\n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: auth_sync",
- "custom": "pipeline: common"
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-salt-relay-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-salt-relay-logs.json
deleted file mode 100644
index b1b6098c1..000000000
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-salt-relay-logs.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "package": {
- "name": "log",
- "version": ""
- },
- "name": "soc-salt-relay-logs",
- "namespace": "so",
- "description": "Security Onion - Salt Relay - Logs",
- "policy_id": "so-grid-nodes_heavy",
- "inputs": {
- "logs-logfile": {
- "enabled": true,
- "streams": {
- "log.log": {
- "enabled": true,
- "vars": {
- "paths": [
- "/opt/so/log/soc/salt-relay.log"
- ],
- "data_stream.dataset": "soc",
- "tags": ["so-soc"],
- "processors": "- dissect:\n tokenizer: \"%{soc.ts} | %{event.action}\"\n field: \"message\"\n target_prefix: \"\"\n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: salt_relay",
- "custom": "pipeline: common"
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json
deleted file mode 100644
index 5954e5052..000000000
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "package": {
- "name": "log",
- "version": ""
- },
- "name": "soc-sensoroni-logs",
- "namespace": "so",
- "description": "Security Onion - Sensoroni - Logs",
- "policy_id": "so-grid-nodes_heavy",
- "inputs": {
- "logs-logfile": {
- "enabled": true,
- "streams": {
- "log.log": {
- "enabled": true,
- "vars": {
- "paths": [
- "/opt/so/log/sensoroni/sensoroni.log"
- ],
- "data_stream.dataset": "soc",
- "tags": [],
- "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"sensoroni\"\n process_array: true\n max_depth: 2\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: sensoroni\n- rename:\n fields:\n - from: \"sensoroni.fields.sourceIp\"\n to: \"source.ip\"\n - from: \"sensoroni.fields.status\"\n to: \"http.response.status_code\"\n - from: \"sensoroni.fields.method\"\n to: \"http.request.method\"\n - from: \"sensoroni.fields.path\"\n to: \"url.path\"\n - from: \"sensoroni.message\"\n to: \"event.action\"\n - from: \"sensoroni.level\"\n to: \"log.level\"\n ignore_missing: true",
- "custom": "pipeline: common"
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-server-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-server-logs.json
deleted file mode 100644
index 89e26563a..000000000
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-server-logs.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "package": {
- "name": "log",
- "version": ""
- },
- "name": "soc-server-logs",
- "namespace": "so",
- "description": "Security Onion Console Logs",
- "policy_id": "so-grid-nodes_heavy",
- "inputs": {
- "logs-logfile": {
- "enabled": true,
- "streams": {
- "log.log": {
- "enabled": true,
- "vars": {
- "paths": [
- "/opt/so/log/soc/sensoroni-server.log"
- ],
- "data_stream.dataset": "soc",
- "tags": ["so-soc"],
- "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"soc\"\n process_array: true\n max_depth: 2\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: server\n- rename:\n fields:\n - from: \"soc.fields.sourceIp\"\n to: \"source.ip\"\n - from: \"soc.fields.status\"\n to: \"http.response.status_code\"\n - from: \"soc.fields.method\"\n to: \"http.request.method\"\n - from: \"soc.fields.path\"\n to: \"url.path\"\n - from: \"soc.message\"\n to: \"event.action\"\n - from: \"soc.level\"\n to: \"log.level\"\n ignore_missing: true",
- "custom": "pipeline: common"
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/system-grid-nodes.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/system-grid-nodes.json
index 31d30d4e0..3df514f0b 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes_heavy/system-grid-nodes.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/system-grid-nodes.json
@@ -4,7 +4,7 @@
 "name": "system",
 "version": ""
 },
- "name": "system-grid-nodes",
+ "name": "system-grid-nodes_heavy",
 "namespace": "default",
 "inputs": {
 "system-logfile": {
diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml
index 9b918f0ac..af660358a 100644
--- a/salt/elasticfleet/soc_elasticfleet.yaml
+++ b/salt/elasticfleet/soc_elasticfleet.yaml
@@ -12,10 +12,11 @@ elasticfleet:
 config:
 server:
 custom_fqdn:
- description: Custom FQDN for Agents to connect to.
+ description: Custom FQDN for Agents to connect to. One per line.
 global: True
 helpLink: elastic-fleet.html
 advanced: True
+ forcedType: "[]string"
 enable_auto_configuration:
 description: Enable auto-configuration of Logstash Outputs & Fleet Host URLs.
 global: True
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
index 73c36e5c8..6ada43003 100755
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
@@ -56,9 +56,15 @@ elastic_fleet_package_version_check() {
 curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.version'
 }
 
+elastic_fleet_package_latest_version_check() {
+ PACKAGE=$1
+ curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.latestVersion'
+}
+
 elastic_fleet_package_install() {
- PKGKEY=$1
- curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' "localhost:5601/api/fleet/epm/packages/$PKGKEY"
+ PKG=$1
+ VERSION=$2
+ curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"force":true}' "localhost:5601/api/fleet/epm/packages/$PKG/$VERSION"
 }
 
 elastic_fleet_package_is_installed() {
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
index 49bfb69ac..ae0fbb6ba 100755
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
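Review bot: `elastic_fleet_package_install` now splices `$PKG/$VERSION` into the request path without checking either value, and both version lookups use `jq -r`, which prints `null` when `.item.version` or `.item.latestVersion` is absent (unknown package, Kibana not ready yet); the function would then POST `{"force":true}` to `.../packages/<pkg>/null` and, because of `-s`, say nothing about it. A guard at the top of the function keeps every caller honest: `[ -n "$VERSION" ] && [ "$VERSION" != "null" ] || { echo "elastic_fleet_package_install: no version for $PKG" >&2; return 1; }`. The `force` flag presumably tells Fleet to proceed where it would otherwise refuse (for example re-installing the version already present); a one-line comment stating the reason would help the next reader decide whether it still applies.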
@@ -9,16 +9,17 @@ RETURN_CODE=0
 
 if [ ! -f /opt/so/state/eaintegrations.txt ]; then
 
+ # First, check for any package upgrades
+ /usr/sbin/so-elastic-fleet-package-upgrade
+
 # Initial Endpoints
 for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json
 do
 printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n"
 elastic_fleet_integration_check "endpoints-initial" "$INTEGRATION"
 if [ -n "$INTEGRATION_ID" ]; then
- if [ "$NAME" != "elastic-defend-endpoints" ]; then
- printf "\n\nIntegration $NAME exists - Updating integration\n"
- elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
- fi
+ printf "\n\nIntegration $NAME exists - Updating integration\n"
+ elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
 else
 printf "\n\nIntegration does not exist - Creating integration\n"
 elastic_fleet_integration_create "@$INTEGRATION"
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list b/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list
new file mode 100755
index 000000000..7e68c6e83
--- /dev/null
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list
@@ -0,0 +1,15 @@
+#!/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-elastic-fleet-common
+
+# Let's snag a cookie from Kibana
+SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
+
+# List configured package policies
+curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages" -H 'kbn-xsrf: true' | jq
+
+echo
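Review bot: The new `/usr/sbin/so-elastic-fleet-package-upgrade` call at the top of the first-run branch ignores its exit status, so if the upgrade fails (Kibana not up, registry unreachable) the loop still creates or updates integrations against package versions that may not be installed, and `RETURN_CODE` — which the hunk context shows is initialised just above — never learns about it. `/usr/sbin/so-elastic-fleet-package-upgrade || RETURN_CODE=1` is the minimal change; bailing out before the loop may be more appropriate, depending on how the rest of the script uses that code. Dropping the `elastic-defend-endpoints` exclusion means the Defend policy is now overwritten from its JSON on every first-run as well; if the exclusion existed because that policy carries settings managed elsewhere, that should be confirmed before merging. The enclosing `if` block continues past the end of the hunk.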
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
index 2a19dcbd9..275bc6a11 100755
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
@@ -11,6 +11,12 @@
 . /usr/sbin/so-common
 . /usr/sbin/so-elastic-fleet-common
 
+LOG="/opt/so/log/elasticfleet/so-elastic-agent-gen-installers.log"
+
+# Check to see if we are already running
+NUM_RUNNING=$(pgrep -cf "/bin/bash /sbin/so-elastic-agent-gen-installers")
+[ "$NUM_RUNNING" -gt 1 ] && echo "$(date) - $NUM_RUNNING gen installers script processes running...exiting." >>$LOG && exit 0
+
 for i in {1..30}
 do
 ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key')
@@ -40,7 +46,7 @@ do
 done
 
 printf "\n### Stripping out unused components"
-find /nsm/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -regex '.*fleet.*\|.*packet.*\|.*apm*.*\|.*audit.*\|.*heart.*\|.*cloud.*' -delete
+find /nsm/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -maxdepth 1 -regex '.*fleet.*\|.*packet.*\|.*apm.*\|.*audit.*\|.*heart.*\|.*cloud.*' -delete
 
 printf "\n### Tarring everything up again"
 for OS in "${OSARCH[@]}"
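Review bot: The `pgrep -cf "/bin/bash /sbin/so-elastic-agent-gen-installers"` guard in the first hunk is a check-then-act race and only matches that exact argv string, so two copies started at the same moment (for example the backgrounded call this commit adds to so-elastic-fleet-urls-update racing a scheduled run) can both pass, while an invocation through a different path or interpreter is not counted at all. A kernel-held lock removes both problems: `exec 9>/var/lock/so-elastic-agent-gen-installers.lock` (path illustrative) followed by `flock -n 9 || { echo "$(date) - gen installers already running...exiting." >>$LOG; exit 0; }`, and the `NUM_RUNNING` lines go away. The second hunk's `-maxdepth 1` plus the corrected `.*apm.*` pattern is a good fix; a short comment on why only the top-level component entries are pruned would stop someone from removing `-maxdepth` later.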
@@ -59,7 +65,7 @@ do
 if [[ $GOOS == 'darwin/arm64' ]]; then GOOS="darwin" && GOARCH="arm64"; fi
 printf "\n\n### Generating $GOOS/$GOARCH Installer...\n"
 docker run -e CGO_ENABLED=0 -e GOOS=$GOOS -e GOARCH=$GOARCH \
- --mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \
+ --mount type=bind,source=/etc/pki/tls/certs/,target=/workspace/files/cert/ \
 --mount type=bind,source=/nsm/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \
 --mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \
 {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHostURLsList=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_${GOOS}_${GOARCH}
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
new file mode 100644
index 000000000..b1ca8c476
--- /dev/null
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
@@ -0,0 +1,38 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# this file except in compliance with the Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+# Only run on Managers
+if ! is_manager_node; then
+ printf "Not a Manager Node... Exiting"
+ exit 0
+fi
+
+# Get current list of Grid Node Agents that need to be upgraded
+RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/agents?perPage=20&page=1&kuery=policy_id%20%3A%20so-grid-nodes_%2A&showInactive=false&showUpgradeable=true&getStatusSummary=true")
+
+# Check to make sure that the server responded with good data - else, bail from script
+CHECKSUM=$(jq -r '.page' <<< "$RAW_JSON")
+if [ "$CHECKSUM" -ne 1 ]; then
+ printf "Failed to query for current Grid Agents...\n"
+ exit 1
+fi
+
+# Generate list of Node Agents that need updates
+OUTDATED_LIST=$(jq -r '.items | map(.id) | (tojson)' <<< "$RAW_JSON")
+
+if [ "$OUTDATED_LIST" != '[]' ]; then
+ AGENTNUMBERS=$(jq -r '.total' <<< "$RAW_JSON")
+ printf "Initiating upgrades for $AGENTNUMBERS Agents to Elastic $ELASTIC_AGENT_TARBALL_VERSION...\n\n"
+
+ # Generate updated JSON payload
+ JSON_STRING=$(jq -n --arg ELASTICVERSION $ELASTIC_AGENT_TARBALL_VERSION --arg UPDATELIST $OUTDATED_LIST '{"version": $ELASTICVERSION,"agents": $UPDATELIST }')
+
+ # Update Node Agents
+ curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "http://localhost:5601/api/fleet/agents/bulk_upgrade" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+else
+ printf "No Agents need updates... Exiting\n\n"
+ exit 0
+fi
\ No newline at end of file
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update
index 6acda746c..5d5b7e7e0 100644
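Review bot: `if [ "$CHECKSUM" -ne 1 ]` does not catch a failed query: when curl returns nothing, an HTML error page or an auth error object, `jq -r '.page'` prints nothing or `null`, `[ "" -ne 1 ]` is a test error rather than a true result, and the script falls through to build an upgrade payload from garbage; `if [ "$CHECKSUM" != "1" ]; then` bails on anything that is not the expected page number. `--arg UPDATELIST $OUTDATED_LIST` binds the id list as a JSON string, so the body becomes `"agents": "[\"id\",...]"` rather than an array — unless Fleet is known to accept that form, `--argjson UPDATELIST "$OUTDATED_LIST"` is what bulk_upgrade needs, and the same `--arg` binding of `$NEW_LIST_JSON` appears on the new lines of the so-elastic-fleet-es-url-update hunk that follows. The query is capped at `perPage=20`, so at most 20 agents are upgraded per run, and `$ELASTIC_AGENT_TARBALL_VERSION` is taken from so-common without an emptiness check. The file also has no `#!/bin/bash` line and is created mode 100644, unlike its sibling so-elastic-fleet-package-list.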
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update
@@ -12,9 +12,13 @@ if ! is_manager_node; then
 fi
 
 function update_es_urls() {
- # Generate updated JSON payload
- JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"is_default":false,"is_default_monitoring":false,"config_yaml":""}')
-
+
+ # Generate updated JSON payload
+{% if grains.role not in ['so-import', 'so-eval'] %}
+ JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"config_yaml":""}')
+{%- else %}
+ JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":""}')
+{%- endif %}
 # Update Fleet Elasticsearch URLs
 curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_elasticsearch" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
 }
@@ -42,6 +46,13 @@ NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "$
 NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
 
 # Compare the current & new list of URLs - if different, update the Fleet Elasticsearch URLs
+if [ "$1" = "--force" ]; then
+ printf "\nUpdating List, since --force was specified.\n"
+ printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
+ update_es_urls
+ exit 0
+fi
+
 if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
 printf "\nHashes match - no update needed.\n"
 printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
index 042084d84..b88b564ed 100644
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
@@ -2,7 +2,7 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
 # this file except in compliance with the Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %}
+{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
 
 . /usr/sbin/so-common
 
@@ -41,9 +41,14 @@ else
 NEW_LIST=("{{ GLOBALS.url_base }}:5055" "{{ GLOBALS.hostname }}:5055")
 fi
 
-{% if CUSTOMFQDN != "" %}
-# Add Custom Hostname to list
-NEW_LIST+=("{{ CUSTOMFQDN }}:5055")
+# Query for FQDN entries & add them to the list
+{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %}
+CUSTOMFQDNLIST=('{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(' ') }}')
+readarray -t -d ' ' CUSTOMFQDN < <(printf '%s' "$CUSTOMFQDNLIST")
+for CUSTOMNAME in "${CUSTOMFQDN[@]}"
+do
+ NEW_LIST+=("$CUSTOMNAME:5055")
+done
 {% endif %}
 
 # Query for the current Grid Nodes that are running Logstash
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load
index c1e14f64f..819d7ecff 100755
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load
@@ -11,7 +11,7 @@
 {%- for PACKAGE in SUPPORTED_PACKAGES %}
 echo "Setting up {{ PACKAGE }} package..."
 VERSION=$(elastic_fleet_package_version_check "{{ PACKAGE }}")
-elastic_fleet_package_install "{{ PACKAGE }}-$VERSION"
+elastic_fleet_package_install "{{ PACKAGE }}" "$VERSION"
 echo
 {%- endfor %}
 echo
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade
new file mode 100644
index 000000000..a092e3ecb
--- /dev/null
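Review bot: `CUSTOMFQDNLIST=('{{ ... | join(' ') }}')` renders operator-supplied `custom_fqdn` entries straight into a single-quoted bash literal; the SOC field is free text typed only as `[]string`, so a value containing `'`, whitespace or other shell metacharacters breaks the quoting and the remainder is parsed by the shell, and the `readarray -d ' '` round trip exists only to undo the join. A Jinja loop avoids both problems in the same number of lines: `{% for CUSTOMNAME in ELASTICFLEETMERGED.config.server.custom_fqdn %}` / `NEW_LIST+=("{{ CUSTOMNAME }}:5055")` / `{% endfor %}`, ideally with entries that do not look like a hostname rejected at the pillar or SOC validation layer. The identical construct is added to so-elastic-fleet-urls-update (its `@@ -41,9 +41,14 @@` hunk further down) and the two should change together.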
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# this file except in compliance with the Elastic License 2.0.
+{%- import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %}
+{%- set SUPPORTED_PACKAGES = salt['pillar.get']('elasticfleet:packages', default=ELASTICFLEETDEFAULTS.elasticfleet.packages, merge=True) %}
+
+. /usr/sbin/so-elastic-fleet-common
+
+{%- for PACKAGE in SUPPORTED_PACKAGES %}
+echo "Upgrading {{ PACKAGE }} package..."
+VERSION=$(elastic_fleet_package_latest_version_check "{{ PACKAGE }}")
+elastic_fleet_package_install "{{ PACKAGE }}" "$VERSION"
+echo
+{%- endfor %}
+echo
+/usr/sbin/so-elasticsearch-templates-load
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
index ac0ce4db9..83a155ae6 100755
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
@@ -6,11 +6,7 @@
 # this file except in compliance with the Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 
-{% if GLOBALS.os_family == 'Debian' %}
-INTCA=/etc/ssl/certs/intca.crt
-{% else %}
 INTCA=/etc/pki/tls/certs/intca.crt
-{% endif %}
 
 . /usr/sbin/so-elastic-fleet-common
 
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update
index 24c5dabed..31c7becca 100644
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update
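Review bot: Every supported package is force-installed at whatever `latestVersion` the configured registry reports, with no pin, no record of the version chosen and no check that the lookup returned anything, so two grids built days apart end up on different package and ingest-pipeline versions and a registry-side change is applied on the next first-run without anyone reviewing it. At minimum log the version and skip the install when the lookup is empty: `echo "Upgrading {{ PACKAGE }} to $VERSION..."` followed by `[ -n "$VERSION" ] && [ "$VERSION" != "null" ] && elastic_fleet_package_install "{{ PACKAGE }}" "$VERSION"`. `/usr/sbin/so-elasticsearch-templates-load` then runs regardless of whether any install succeeded, and since it is the last command the script's exit status is that of templates-load, so the caller in so-elastic-fleet-integration-policy-load cannot distinguish an upgrade failure from success.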
@@ -2,7 +2,7 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
 # this file except in compliance with the Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %}
+{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
 
 . /usr/sbin/so-common
 
@@ -41,9 +41,14 @@ else
 NEW_LIST=("https://{{ GLOBALS.url_base }}:8220" "https://{{ GLOBALS.hostname }}:8220")
 fi
 
-{% if CUSTOMFQDN != "" %}
-# Add Custom Hostname to list
-NEW_LIST+=("https://{{ CUSTOMFQDN }}:8220")
+# Query for FQDN entries & add them to the list
+{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %}
+CUSTOMFQDNLIST=('{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(' ') }}')
+readarray -t -d ' ' CUSTOMFQDN < <(printf '%s' "$CUSTOMFQDNLIST")
+for CUSTOMNAME in "${CUSTOMFQDN[@]}"
+do
+ NEW_LIST+=("https://$CUSTOMNAME:8220")
+done
 {% endif %}
 
 # Query for the current Grid Nodes that are running Logstash (which includes Fleet Nodes)
@@ -62,7 +67,7 @@ fi
 NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${NEW_LIST[@]}")
 NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
 
-# Compare the current & new list of URLs - if different, update the Fleet Server URLs
+# Compare the current & new list of URLs - if different, update the Fleet Server URLs & regenerate the agent installer
 if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
 printf "\nHashes match - no update needed.\n"
 printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
@@ -71,4 +76,5 @@ else
 printf "\nHashes don't match - update needed.\n"
 printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
 update_fleet_urls
+ /sbin/so-elastic-agent-gen-installers >> /opt/so/log/elasticfleet/so-elastic-agent-gen-installers.log &
 fi
diff --git a/salt/elasticsearch/config.map.jinja b/salt/elasticsearch/config.map.jinja
index ed4a5033f..37447cabb 100644
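Review bot: The backgrounded `/sbin/so-elastic-agent-gen-installers >> ... &` in the last hunk redirects only stdout, so any error from the installer build goes to this script's stderr rather than the log it is meant to fill; `>> /opt/so/log/elasticfleet/so-elastic-agent-gen-installers.log 2>&1 &` keeps both streams together. Because the job is detached and its status never collected, a failed rebuild leaves the Fleet URLs updated while agents keep downloading an installer built for the old list, and nothing reports that — at least log the launch, or run it in the foreground if the caller can afford the wait. The `join(' ')`/`readarray` construct in the `@@ -41,9 +41,14 @@` hunk has the quoting issue already raised on so-elastic-fleet-outputs-update.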
--- a/salt/elasticsearch/config.map.jinja
+++ b/salt/elasticsearch/config.map.jinja
@@ -21,7 +21,7 @@
 {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.discovery.seed_hosts.append(NODE.keys()|first) %}
 {% endfor %}
 {% if grains.id.split('_') | last == 'manager' %}
- {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master','data','remote_cluster_client']}) %}
+ {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master','data','remote_cluster_client','transform']}) %}
 {% else %}
 {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master', 'data_hot', 'remote_cluster_client']}) %}
 {% endif %}
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 035079f54..91e5191f6 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -58,6 +58,12 @@ elasticsearch:
 elasticsearch:
 deprecation: ERROR
 index_settings:
+ global_overrides:
+ index_template:
+ template:
+ settings:
+ index:
+ number_of_replicas: default_placeholder
 so-logs:
 index_sorting: False
 index_template:
@@ -113,7 +119,7 @@ elasticsearch:
 name: elastic_agent
 managed_by: security_onion
 managed: true
- so-logs-system.auth:
+ so-logs-system_x_auth:
 index_sorting: False
 index_template:
 index_patterns:
@@ -132,7 +138,7 @@ elasticsearch:
 data_stream:
 hidden: false
 allow_custom_routing: false
- so-logs-system.syslog:
+ so-logs-system_x_syslog:
 index_sorting: False
 index_template:
 index_patterns:
@@ -151,7 +157,7 @@ elasticsearch:
 data_stream:
 hidden: false
 allow_custom_routing: false
- so-logs-system.system:
+ so-logs-system_x_system:
 index_sorting: False
 index_template:
 index_patterns:
@@ -170,7 +176,7 @@ elasticsearch:
 data_stream:
 hidden: false
 allow_custom_routing: false
- so-logs-system.application:
+ so-logs-system_x_application:
 index_sorting: False
 index_template:
 index_patterns:
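Review bot: `number_of_replicas: default_placeholder` under the new `global_overrides` key is a literal string and nothing visible here substitutes it; if it reaches Elasticsearch unchanged the template PUT is rejected for a non-integer setting, so whichever consumer reads `global_overrides` (presumably so-elasticsearch-templates-load) must replace or drop the key, and a comment on that line naming who fills it in, e.g. `# replaced at render time by <consumer>; never sent as-is`, would make the contract visible. The `so-logs-system.auth` → `so-logs-system_x_auth` renames in this and the following hunks presumably encode the dot for a key-path reason; a one-line comment at the top of `index_settings:` explaining the `_x_` convention and how it maps back to the `logs-system.auth-*` template names would save the next reader the guess.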
@@ -189,7 +195,7 @@ elasticsearch:
 data_stream:
 hidden: false
 allow_custom_routing: false
- so-logs-system.security:
+ so-logs-system_x_security:
 index_sorting: False
 index_template:
 index_patterns:
@@ -208,7 +214,7 @@ elasticsearch:
 data_stream:
 hidden: false
 allow_custom_routing: false
- so-logs-windows.forwarded:
+ so-logs-windows_x_forwarded:
 index_sorting: False
 index_template:
 index_patterns:
@@ -226,7 +232,7 @@ elasticsearch:
 data_stream:
 hidden: false
 allow_custom_routing: false
- so-logs-windows.powershell:
+ so-logs-windows_x_powershell:
 index_sorting: False
 index_template:
 index_patterns:
@@ -244,7 +250,7 @@ elasticsearch:
 data_stream:
 hidden: false
 allow_custom_routing: false
- so-logs-windows.powershell_operational:
+ so-logs-windows_x_powershell_operational:
 index_sorting: False
 index_template:
 index_patterns:
@@ -262,7 +268,7 @@ elasticsearch:
 data_stream:
 hidden: false
 allow_custom_routing: false
- so-logs-windows.sysmon_operational:
+ so-logs-windows_x_sysmon_operational:
 index_sorting: False
 index_template:
 index_patterns:
@@ -280,7 +286,61 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-aws.cloudtrail: + so-logs-apache_x_access: + index_sorting: False + index_template: + index_patterns: + - "logs-apache.access-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-apache.access@package" + - "logs-apache.access@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-apache_x_error: + index_sorting: False + index_template: + index_patterns: + - "logs-apache.error-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-apache.error@package" + - "logs-apache.error@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-auditd_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-auditd.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-auditd.log@package" + - "logs-auditd.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-aws_x_cloudtrail: index_sorting: False index_template: index_patterns: @@ -298,7 +358,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-aws.cloudwatch_logs: + so-logs-aws_x_cloudwatch_logs: index_sorting: False index_template: index_patterns: @@ -316,7 +376,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-aws.ec2_logs: + so-logs-aws_x_ec2_logs: index_sorting: False index_template: index_patterns: @@ -334,7 +394,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-aws.elb_logs: + so-logs-aws_x_elb_logs: index_sorting: False index_template: index_patterns: 
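Review bot: Each new stanza in the `@@ -280` hunk (and likewise `@@ -640`, `@@ -676`, `@@ -694` and the large `@@ -1036` hunk) hardcodes `number_of_replicas: 0` while the same commit introduces `global_overrides` with `number_of_replicas: default_placeholder`, and this file does not say which of the two wins when both are present. A comment at the head of `index_settings` stating the precedence — e.g. `# settings under a named template override global_overrides` or the reverse — would settle it for the next integration added. The stanzas are otherwise identical apart from the integration name, so a Jinja loop over a list of names, or a YAML anchor for the shared `settings`/`composed_of` tail, would prevent them drifting. The boolean spelling is also mixed (`index_sorting: False` next to `hidden: false`); both parse as booleans, but one form would make the file easier to check mechanically.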
@@ -352,7 +412,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-aws.firewall_logs: + so-logs-aws_x_firewall_logs: index_sorting: False index_template: index_patterns: @@ -370,7 +430,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-aws.route53_public_logs: + so-logs-aws_x_route53_public_logs: index_sorting: False index_template: index_patterns: @@ -388,7 +448,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-aws.route53_resolver_logs: + so-logs-aws_x_route53_resolver_logs: index_sorting: False index_template: index_patterns: @@ -406,7 +466,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-aws.s3access: + so-logs-aws_x_s3access: index_sorting: False index_template: index_patterns: @@ -424,7 +484,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-aws.vpcflow: + so-logs-aws_x_vpcflow: index_sorting: False index_template: index_patterns: @@ -442,7 +502,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-aws.waf: + so-logs-aws_x_waf: index_sorting: False index_template: index_patterns: @@ -460,7 +520,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-azure.activitylogs: + so-logs-azure_x_activitylogs: index_sorting: False index_template: index_patterns: @@ -478,7 +538,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-azure.application_gateway: + so-logs-azure_x_application_gateway: index_sorting: False index_template: index_patterns: @@ -496,7 +556,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-azure.auditlogs: + so-logs-azure_x_auditlogs: index_sorting: False index_template: index_patterns: 
@@ -514,7 +574,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-azure.eventhub: + so-logs-azure_x_eventhub: index_sorting: False index_template: index_patterns: @@ -532,7 +592,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-azure.firewall_logs: + so-logs-azure_x_firewall_logs: index_sorting: False index_template: index_patterns: @@ -550,7 +610,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-azure.identity_protection: + so-logs-azure_x_identity_protection: index_sorting: False index_template: index_patterns: @@ -568,7 +628,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-azure.platformlogs: + so-logs-azure_x_platformlogs: index_sorting: False index_template: index_patterns: @@ -586,7 +646,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-azure.provisioning: + so-logs-azure_x_provisioning: index_sorting: False index_template: index_patterns: @@ -604,7 +664,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-azure.signinlogs: + so-logs-azure_x_signinlogs: index_sorting: False index_template: index_patterns: @@ -622,7 +682,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-azure.springcloudlogs: + so-logs-azure_x_springcloudlogs: index_sorting: False index_template: index_patterns: 
@@ -640,7 +700,43 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-cloudflare.audit: + so-logs-barracuda_x_waf: + index_sorting: False + index_template: + index_patterns: + - "logs-barracuda.waf-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-barracuda.waf@package" + - "logs-barracuda.waf@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-cisco_asa_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-cisco_asa.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-cisco_asa.log@package" + - "logs-cisco_asa.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-cloudflare_x_audit: index_sorting: False index_template: index_patterns: @@ -658,7 +754,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-cloudflare.logpull: + so-logs-cloudflare_x_logpull: index_sorting: False index_template: index_patterns: 
@@ -676,7 +772,115 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-fim.event: + so-logs-crowdstrike_x_falcon: + index_sorting: False + index_template: + index_patterns: + - "logs-crowdstrike.falcon-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-crowdstrike.falcon@package" + - "logs-crowdstrike.falcon@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-crowdstrike_x_fdr: + index_sorting: False + index_template: + index_patterns: + - "logs-crowdstrike.fdr-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-crowdstrike.fdr@package" + - "logs-crowdstrike.fdr@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-darktrace_x_ai_analyst_alert: + index_sorting: False + index_template: + index_patterns: + - "logs-darktrace.ai_analyst_alert-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-darktrace.ai_analyst_alert@package" + - "logs-darktrace.ai_analyst_alert@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-darktrace_x_model_breach_alert: + index_sorting: False + index_template: + index_patterns: + - "logs-darktrace.model_breach_alert-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-darktrace.model_breach_alert@package" + - "logs-darktrace.model_breach_alert@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-darktrace_x_system_status_alert: + index_sorting: False + index_template: + index_patterns: + - "logs-darktrace.system_status_alert-*" + template: + settings: + index: + 
number_of_replicas: 0 + composed_of: + - "logs-darktrace.system_status_alert@package" + - "logs-darktrace.system_status_alert@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-f5_bigip_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-f5_bigip.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-f5_bigip.log@package" + - "logs-f5_bigip.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-fim_x_event: index_sorting: False index_template: index_patterns: 
@@ -694,7 +898,187 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-github.audit: + so-logs-fortinet_x_clientendpoint: + index_sorting: False + index_template: + index_patterns: + - "logs-fortinet.clientendpoint-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-fortinet.clientendpoint@package" + - "logs-fortinet.clientendpoint@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-fortinet_x_firewall: + index_sorting: False + index_template: + index_patterns: + - "logs-fortinet.firewall-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-fortinet.firewall@package" + - "logs-fortinet.firewall@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-fortinet_x_fortimail: + index_sorting: False + index_template: + index_patterns: + - "logs-fortinet.fortimail-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-fortinet.fortimail@package" + - "logs-fortinet.fortimail@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-fortinet_x_fortimanager: + index_sorting: False + index_template: + index_patterns: + - "logs-fortinet.fortimanager-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-fortinet.fortimanager@package" + - "logs-fortinet.fortimanager@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-fortinet_fortigate_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-fortinet_fortigate.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - 
"logs-fortinet_fortigate.log@package" + - "logs-fortinet_fortigate.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-gcp_x_audit: + index_sorting: False + index_template: + index_patterns: + - "logs-gcp.audit-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-gcp.audit@package" + - "logs-gcp.audit@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-gcp_x_dns: + index_sorting: False + index_template: + index_patterns: + - "logs-gcp.dns-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-gcp.dns@package" + - "logs-gcp.dns@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-gcp_x_firewall: + index_sorting: False + index_template: + index_patterns: + - "logs-gcp.firewall-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-gcp.firewall@package" + - "logs-gcp.firewall@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-gcp_x_loadbalancing_logs: + index_sorting: False + index_template: + index_patterns: + - "logs-gcp.loadbalancing_logs-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-gcp.loadbalancing_logs@package" + - "logs-gcp.loadbalancing_logs@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-gcp_x_vpcflow: + index_sorting: False + index_template: + index_patterns: + - "logs-gcp.vpcflow-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-gcp.vpcflow@package" + - 
"logs-gcp.vpcflow@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-github_x_audit: index_sorting: False index_template: index_patterns: @@ -712,7 +1096,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-github.code_scanning: + so-logs-github_x_code_scanning: index_sorting: False index_template: index_patterns: @@ -730,7 +1114,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-github.dependabot: + so-logs-github_x_dependabot: index_sorting: False index_template: index_patterns: @@ -748,7 +1132,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-github.issues: + so-logs-github_x_issues: index_sorting: False index_template: index_patterns: @@ -766,7 +1150,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-github.secret_scanning: + so-logs-github_x_secret_scanning: index_sorting: False index_template: index_patterns: @@ -784,7 +1168,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-google_workspace.access_transparency: + so-logs-google_workspace_x_access_transparency: index_sorting: False index_template: index_patterns: @@ -802,7 +1186,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-google_workspace.admin: + so-logs-google_workspace_x_admin: index_sorting: False index_template: index_patterns: @@ -820,7 +1204,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-google_workspace.alert: + so-logs-google_workspace_x_alert: index_sorting: False index_template: index_patterns: @@ -838,7 +1222,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-google_workspace.context_aware_access: + so-logs-google_workspace_x_context_aware_access: index_sorting: False index_template: index_patterns: 
@@ -856,7 +1240,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-google_workspace.device: + so-logs-google_workspace_x_device: index_sorting: False index_template: index_patterns: @@ -874,7 +1258,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-google_workspace.drive: + so-logs-google_workspace_x_drive: index_sorting: False index_template: index_patterns: @@ -892,7 +1276,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-google_workspace.gcp: + so-logs-google_workspace_x_gcp: index_sorting: False index_template: index_patterns: @@ -910,7 +1294,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-google_workspace.group_enterprise: + so-logs-google_workspace_x_group_enterprise: index_sorting: False index_template: index_patterns: @@ -928,7 +1312,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-google_workspace.groups: + so-logs-google_workspace_x_groups: index_sorting: False index_template: index_patterns: @@ -946,7 +1330,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-google_workspace.login: + so-logs-google_workspace_x_login: index_sorting: False index_template: index_patterns: @@ -964,7 +1348,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-google_workspace.rules: + so-logs-google_workspace_x_rules: index_sorting: False index_template: index_patterns: @@ -982,7 +1366,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-google_workspace.saml: + so-logs-google_workspace_x_saml: index_sorting: False index_template: index_patterns: @@ -1000,7 +1384,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-google_workspace.token: + so-logs-google_workspace_x_token: index_sorting: False index_template: index_patterns: 
@@ -1018,7 +1402,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-google_workspace.user_accounts: + so-logs-google_workspace_x_user_accounts: index_sorting: False index_template: index_patterns: 
@@ -1036,7 +1420,835 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-1password.item_usages: + so-logs-http_endpoint_x_generic: + index_sorting: False + index_template: + index_patterns: + - "logs-http_endpoint.generic-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-http_endpoint.generic@package" + - "logs-http_endpoint.generic@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-httpjson_x_generic: + index_sorting: False + index_template: + index_patterns: + - "logs-httpjson.generic-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-httpjson.generic@package" + - "logs-httpjson.generic@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-juniper_x_junos: + index_sorting: False + index_template: + index_patterns: + - "logs-juniper.junos-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-juniper.junos@package" + - "logs-juniper.junos@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-juniper_x_netscreen: + index_sorting: False + index_template: + index_patterns: + - "logs-juniper.netscreen-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-juniper.netscreen@package" + - "logs-juniper.netscreen@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-juniper_x_srx: + index_sorting: False + index_template: + index_patterns: + - "logs-juniper.srx-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-juniper.srx@package" + - "logs-juniper.srx@custom" + - 
"so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-juniper_srx_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-juniper_srx.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-juniper_srx.log@package" + - "logs-juniper_srx.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-kafka_log_x_generic: + index_sorting: False + index_template: + index_patterns: + - "logs-kafka_log.generic-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-kafka_log.generic@package" + - "logs-kafka_log.generic@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-lastpass_x_detailed_shared_folder: + index_sorting: False + index_template: + index_patterns: + - "logs-lastpass.detailed_shared_folder-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-lastpass.detailed_shared_folder@package" + - "logs-lastpass.detailed_shared_folder@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-lastpass_x_event_report: + index_sorting: False + index_template: + index_patterns: + - "logs-lastpass.event_report-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-lastpass.event_report@package" + - "logs-lastpass.event_report@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-lastpass_x_user: + index_sorting: False + index_template: + index_patterns: + - "logs-lastpass.user-*" + template: + settings: + index: + number_of_replicas: 0 
+ composed_of: + - "logs-lastpass.user@package" + - "logs-lastpass.user@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-m365_defender_x_event: + index_sorting: False + index_template: + index_patterns: + - "logs-m365_defender.event-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-m365_defender.event@package" + - "logs-m365_defender.event@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-m365_defender_x_incident: + index_sorting: False + index_template: + index_patterns: + - "logs-m365_defender.incident-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-m365_defender.incident@package" + - "logs-m365_defender.incident@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-m365_defender_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-m365_defender.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-m365_defender.log@package" + - "logs-m365_defender.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-microsoft_defender_endpoint_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-microsoft_defender_endpoint.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-microsoft_defender_endpoint.log@package" + - "logs-microsoft_defender_endpoint.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-microsoft_dhcp_x_log: + index_sorting: False + 
index_template: + index_patterns: + - "logs-microsoft_dhcp.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-microsoft_dhcp.log@package" + - "logs-microsoft_dhcp.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-netflow_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-netflow.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-netflow.log@package" + - "logs-netflow.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-o365_x_audit: + index_sorting: False + index_template: + index_patterns: + - "logs-o365.audit-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-o365.audit@package" + - "logs-o365.audit@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-okta_x_system: + index_sorting: False + index_template: + index_patterns: + - "logs-okta.system-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-okta.system@package" + - "logs-okta.system@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-panw_x_panos: + index_sorting: False + index_template: + index_patterns: + - "logs-panw.panos-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-panw.panos@package" + - "logs-panw.panos@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-pfsense_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-pfsense.log-*" + template: 
+ settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-pfsense.log@package" + - "logs-pfsense.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-sentinel_one_x_activity: + index_sorting: False + index_template: + index_patterns: + - "logs-sentinel_one.activity-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-sentinel_one.activity@package" + - "logs-sentinel_one.activity@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-sentinel_one_x_agent: + index_sorting: False + index_template: + index_patterns: + - "logs-sentinel_one.agent-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-sentinel_one.agent@package" + - "logs-sentinel_one.agent@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-sentinel_one_x_alert: + index_sorting: False + index_template: + index_patterns: + - "logs-sentinel_one.alert-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-sentinel_one.alert@package" + - "logs-sentinel_one.alert@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-sentinel_one_x_group: + index_sorting: False + index_template: + index_patterns: + - "logs-sentinel_one.group-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-sentinel_one.group@package" + - "logs-sentinel_one.group@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-sentinel_one_x_threat: + index_sorting: False + index_template: + 
index_patterns: + - "logs-sentinel_one.threat-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-sentinel_one.threat@package" + - "logs-sentinel_one.threat@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-sonicwall_firewall_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-sonicwall_firewall.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-sonicwall_firewall.log@package" + - "logs-sonicwall_firewall.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-symantec_endpoint_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-symantec_endpoint.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-symantec_endpoint.log@package" + - "logs-symantec_endpoint.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_abusech_x_malware: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_abusech.malware-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_abusech.malware@package" + - "logs-ti_abusech.malware@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_abusech_x_malwarebazaar: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_abusech.malwarebazaar-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_abusech.malwarebazaar@package" + - "logs-ti_abusech.malwarebazaar@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: 
false + allow_custom_routing: false + so-logs-ti_abusech_x_threatfox: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_abusech.threatfox-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_abusech.threatfox@package" + - "logs-ti_abusech.threatfox@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_abusech_x_url: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_abusech.url-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_abusech.url@package" + - "logs-ti_abusech.url@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_misp_x_threat: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_misp.threat-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_misp.threat@package" + - "logs-ti_misp.threat@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_misp_x_threat_attributes: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_misp.threat_attributes-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_misp.threat_attributes@package" + - "logs-ti_misp.threat_attributes@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_otx_x_threat: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_otx.threat-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_otx.threat@package" + - "logs-ti_otx.threat@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + 
priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_recordedfuture_x_latest_ioc-template: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_recordedfuture.latest_ioc-template-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_recordedfuture.latest_ioc-template@package" + - "logs-ti_recordedfuture.latest_ioc-template@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_recordedfuture_x_threat: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_recordedfuture.threat-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_recordedfuture.threat@package" + - "logs-ti_recordedfuture.threat@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zia_x_alerts: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zia.alerts-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zia.alerts@package" + - "logs-zscaler_zia.alerts@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zia_x_dns: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zia.dns-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zia.dns@package" + - "logs-zscaler_zia.dns@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zia_x_firewall: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zia.firewall-*" + template: + settings: + index: + number_of_replicas: 0 + 
composed_of: + - "logs-zscaler_zia.firewall@package" + - "logs-zscaler_zia.firewall@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zia_x_tunnel: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zia.tunnel-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zia.tunnel@package" + - "logs-zscaler_zia.tunnel@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zia_x_web: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zia.web-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zia.web@package" + - "logs-zscaler_zia.web@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zpa_x_app_connector_status: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zpa.app_connector_status-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zpa.app_connector_status@package" + - "logs-zscaler_zpa.app_connector_status@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zpa_x_audit: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zpa.audit-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zpa.audit@package" + - "logs-zscaler_zpa.audit@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zpa_x_browser_access: + index_sorting: False + index_template: + 
index_patterns: + - "logs-zscaler_zpa.browser_access-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zpa.browser_access@package" + - "logs-zscaler_zpa.browser_access@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zpa_x_user_activity: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zpa.user_activity-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zpa.user_activity@package" + - "logs-zscaler_zpa.user_activity@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zpa_x_user_status: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zpa.user_status-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zpa.user_status@package" + - "logs-zscaler_zpa.user_status@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-1password_x_item_usages: index_sorting: False index_template: index_patterns: @@ -1054,7 +2266,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-1password.signin_attempts: + so-logs-1password_x_signin_attempts: index_sorting: False index_template: index_patterns: @@ -1089,7 +2301,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-osquery-manager-action.responses: + so-logs-osquery-manager-action_x_responses: index_sorting: False index_template: index_patterns: 
@@ -1106,7 +2318,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-elastic_agent.apm_server: + so-logs-elastic_agent_x_apm_server: index_sorting: False index_template: index_patterns: @@ -1160,7 +2372,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-elastic_agent.auditbeat: + so-logs-elastic_agent_x_auditbeat: index_sorting: False index_template: index_patterns: @@ -1214,7 +2426,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-elastic_agent.cloudbeat: + so-logs-elastic_agent_x_cloudbeat: index_sorting: False index_template: index_patterns: @@ -1265,7 +2477,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-elastic_agent.endpoint_security: + so-logs-elastic_agent_x_endpoint_security: index_sorting: False index_template: index_patterns: @@ -1314,7 +2526,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-endpoint.alerts: + so-logs-endpoint_x_alerts: index_sorting: False index_template: index_patterns: @@ -1363,7 +2575,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-endpoint.events.api: + so-logs-endpoint_x_events_x_api: index_sorting: False index_template: index_patterns: @@ -1412,7 +2624,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-endpoint.events.file: + so-logs-endpoint_x_events_x_file: index_sorting: False index_template: index_patterns: @@ -1461,7 +2673,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-endpoint.events.library: + so-logs-endpoint_x_events_x_library: index_sorting: False index_template: index_patterns: 
@@ -1510,7 +2722,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-endpoint.events.network: + so-logs-endpoint_x_events_x_network: index_sorting: False index_template: index_patterns: @@ -1559,7 +2771,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-endpoint.events.process: + so-logs-endpoint_x_events_x_process: index_sorting: False index_template: index_patterns: @@ -1608,7 +2820,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-endpoint.events.registry: + so-logs-endpoint_x_events_x_registry: index_sorting: False index_template: index_patterns: @@ -1657,7 +2869,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-endpoint.events.security: + so-logs-endpoint_x_events_x_security: index_sorting: False index_template: index_patterns: @@ -1706,7 +2918,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-elastic_agent.filebeat: + so-logs-elastic_agent_x_filebeat: index_sorting: False index_template: index_patterns: @@ -1755,7 +2967,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-elastic_agent.fleet_server: + so-logs-elastic_agent_x_fleet_server: index_sorting: False index_template: index_patterns: @@ -1801,7 +3013,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-elastic_agent.heartbeat: + so-logs-elastic_agent_x_heartbeat: index_sorting: False index_template: index_patterns: @@ -1907,7 +3119,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-elastic_agent.metricbeat: + so-logs-elastic_agent_x_metricbeat: index_sorting: False index_template: index_patterns: 
@@ -1956,7 +3168,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-elastic_agent.osquerybeat: + so-logs-elastic_agent_x_osquerybeat: index_sorting: False index_template: index_patterns: @@ -2005,7 +3217,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-elastic_agent.packetbeat: + so-logs-elastic_agent_x_packetbeat: index_sorting: False index_template: index_patterns: @@ -2477,6 +3689,7 @@ elasticsearch: refresh_interval: 30s number_of_shards: 1 number_of_replicas: 0 + final_pipeline: ".fleet_final_pipeline-1" composed_of: - agent-mappings - dtc-agent-mappings @@ -2975,6 +4188,7 @@ elasticsearch: so-syslog: index_sorting: False index_template: + data_stream: {} index_patterns: - logs-syslog-so* template: diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index e28ca5fdf..fa0f824b4 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls @@ -59,7 +59,7 @@ so-elasticsearch: {% if GLOBALS.is_manager %} - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro {% else %} - - /etc/ssl/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro + - /etc/pki/tls/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro {% endif %} - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro @@ -108,6 +108,7 @@ escomponenttemplates: - source: salt://elasticsearch/templates/component - user: 930 - group: 939 + - clean: True - onchanges_in: - cmd: so-elasticsearch-templates diff --git a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 index 0c317ae48..52b6bae7a 100644 --- a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 +++ b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 
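Review bot: `- clean: True` on `escomponenttemplates` is what makes the component-template deletions in this commit take effect on nodes that already have the old files, but it also deletes any component template an operator has placed in the target directory by hand on every highstate, and nothing on the state says so. Add a comment above it such as `# clean: True prunes component templates removed upstream; add custom ones through salt, not by dropping files here`. The `escomponenttemplates` state starts outside the hunk, so the target path it cleans is not visible here.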
@@ -78,6 +78,10 @@
 { "set": { "if": "ctx.network?.direction == 'ingress'", "override": true, "field": "network.initiated", "value": "false" } },
 { "set": { "if": "ctx.network?.type == 'ipv4'", "override": true, "field": "destination.ipv6", "value": "false" } },
 { "set": { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } },
+ { "set": { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.dataset", "value": "import" } },
+ { "set": { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.namespace", "value": "so" } },
+ { "date": { "if": "ctx.event?.module == 'system'", "field": "event.created", "target_field": "@timestamp", "formats": ["yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'"] } },
+ { "community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true } },
 { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } }
 ],
 "on_failure": [
diff --git a/salt/elasticsearch/files/ingest/filterlog b/salt/elasticsearch/files/ingest/filterlog
index fb197c706..52d83dd0a 100644
--- a/salt/elasticsearch/files/ingest/filterlog
+++ b/salt/elasticsearch/files/ingest/filterlog
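Review bot: The two new `set` conditions `ctx.tags.0 == 'import'` are not null-safe: a document with no `tags` field makes the condition itself throw, and since this pipeline is now wired in as `final_pipeline` in defaults.yaml that failure is raised for every such document, not just imports; the neighbouring conditions use `?.` for exactly this reason. Use `ctx.tags != null && !ctx.tags.isEmpty() && ctx.tags[0] == 'import'` in both processors. The new `date` processor carries a single format and no `ignore_failure`, so an `event.created` at a different precision (e.g. milliseconds) fails the document as well; add `"ignore_failure": true` or an `"ISO8601"` fallback to `formats`.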
@@ -49,11 +49,10 @@
 "on_failure" : [ {"set" : {"field" : "error.message","value" : "{{ _ingest.on_failure_message }}"}}]
 }
 },
-{ "set": { "field": "_index", "value": "so-firewall", "override": true } },
 { "set": { "if": "ctx.network?.transport_id == '0'", "field": "network.transport", "value": "icmp", "override": true } },
 { "community_id": {} },
-{ "set": { "field": "module", "value": "pfsense", "override": true } },
-{ "set": { "field": "dataset", "value": "firewall", "override": true } },
+{ "set": { "field": "event.module", "value": "pfsense", "override": true } },
+{ "set": { "field": "event.dataset", "value": "firewall", "override": true } },
 { "set": { "field": "category", "value": "network", "override": true } },
 { "remove": { "field": ["real_message", "ip_sub_msg", "firewall.sub_message"], "ignore_failure": true } }
 ]
diff --git a/salt/elasticsearch/files/ingest/strelka.file b/salt/elasticsearch/files/ingest/strelka.file
index 741e20aa1..a74a7c622 100644
--- a/salt/elasticsearch/files/ingest/strelka.file
+++ b/salt/elasticsearch/files/ingest/strelka.file
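Review bot: The `category` processor directly below the changed lines still writes a top-level `category` field while `module` and `dataset` were just moved to `event.module` and `event.dataset`, leaving the pfsense document half ECS; `{ "set": { "field": "event.category", "value": "network", "override": true } }` keeps it consistent with the two new lines. With the `_index` override removed and `so-firewall` also dropped from soc_elasticsearch.yaml in this commit, where these events are routed now presumably depends on the caller of this pipeline, which is not visible here; a one-line comment at the top of the pipeline naming the target data stream would save the next reader the hunt.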
@@ -63,8 +63,8 @@
 { "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 50 && ctx.rule?.score <=69", "field": "event.severity", "value": 2, "override": true } },
 { "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 70 && ctx.rule?.score <=89", "field": "event.severity", "value": 3, "override": true } },
 { "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 90", "field": "event.severity", "value": 4, "override": true } },
-{ "set": { "if": "ctx.scan?.entropy?.entropy == 0", "field": "scan.entropy.entropy", "value": "0.0", "override": true } },
-{ "set": { "if": "ctx.scan?.pe?.image_version == 0", "field": "scan.pe.image_version", "value": "0.0", "override": true } },
+{ "set": { "if": "ctx.scan?.entropy?.entropy == '0'", "field": "scan.entropy.entropy", "value": "0.0", "override": true } },
+{ "set": { "if": "ctx.scan?.pe?.image_version == '0'", "field": "scan.pe.image_version", "value": "0.0", "override": true } },
 { "set": { "field": "observer.name", "value": "{{agent.name}}" }},
 { "convert" : { "field" : "scan.exiftool","type": "string", "ignore_missing":true }},
 { "remove": { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"], "ignore_missing": true } },
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index da22268f6..e4de29e00 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
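Review bot: Switching the two conditions from `== 0` to `== '0'` means they now match only when the scanner emits the value as the string "0"; if some Strelka versions emit a JSON number (which is what the previous condition assumed), those documents skip the rewrite and the type-coercion problem this processor exists for returns. Accept both forms, `"if": "ctx.scan?.entropy?.entropy == 0 || ctx.scan?.entropy?.entropy == '0'"` and likewise for `scan.pe.image_version`, or replace the pair with a `convert` processor to `double` with `ignore_missing`/`ignore_failure`, which handles every representation. A short comment stating which input shape was observed would also help, since the commit does not say.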
@@ -46,28 +46,37 @@ elasticsearch: description: Max number of boolean clauses per query. global: True helpLink: elasticsearch.html - index_settings: - so-elasticsearch: &indexSettings - warm: - description: Age (in days) of this index before it will move to warm storage, if warm nodes are present. Once moved, events on this index can take longer to fetch. - global: True - helpLink: elasticsearch.html - close: - description: Age (in days) of this index before it will be closed. Once closed, events on this index cannot be retrieved without first re-opening the index. - global: True - helpLink: elasticsearch.html - delete: - description: Age (in days) of this index before it will be deleted. Once deleted, events are permanently unrecoverable. - global: True - helpLink: elasticsearch.html + index_settings: + global_overrides: + index_template: + template: + settings: + index: + number_of_replicas: + description: Number of replicas required for all indices. Multiple replicas protects against data loss, but also increases storage costs. This setting will be applied to all indices. + forcedType: int + global: True + helpLink: elasticsearch.html + so-logs: &indexSettings index_sorting: description: Sorts the index by event time, at the cost of additional processing resource consumption. global: True helpLink: elasticsearch.html index_template: + index_patterns: + description: Patterns for matching multiple indices or tables. + forceType: "[]string" + multiline: True + global: True + helpLink: elasticsearch.html template: settings: index: + number_of_replicas: + description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs. + forcedType: int + global: True + helpLink: elasticsearch.html mapping: total_fields: limit: 
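Review bot: `forceType: "[]string"` under `index_patterns` does not match the key used everywhere else in this file (`forcedType`, e.g. on `number_of_replicas` a few lines below and on `composed_of` and `priority` in the next hunk), so the type hint for `index_patterns` is presumably ignored by whatever reads this schema; change it to `forcedType: "[]string"`. The `global_overrides.number_of_replicas` description promises the value is applied to all indices, but template.map.jinja in this same commit merges the override only over the index keys present in defaults.yaml, so an index defined solely in pillar would not receive it — if that reading is right, the description should say "all indices defined in the defaults".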
@@ -75,17 +84,59 @@ elasticsearch: global: True helpLink: elasticsearch.html refresh_interval: - description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation. - global: True - helpLink: elasticsearch.html + description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation. + global: True + helpLink: elasticsearch.html number_of_shards: - description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs. + description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs. + global: True + helpLink: elasticsearch.html + sort: + field: + description: The field to sort by. Must set index_sorting to True. global: True helpLink: elasticsearch.html - number_of_replicas: - description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs. + order: + description: The order to sort by. Must set index_sorting to True. global: True helpLink: elasticsearch.html + mappings: + _meta: + package: + name: + description: Meta settings for the mapping. + global: True + helpLink: elasticsearch.html + managed_by: + description: Meta settings for the mapping. + global: True + helpLink: elasticsearch.html + managed: + description: Meta settings for the mapping. + forcedType: bool + global: True + helpLink: elasticsearch.html + composed_of: + description: The index template is composed of these component templates. + forcedType: "[]string" + global: True + helpLink: elasticsearch.html + priority: + description: The priority of the index template. 
+ forcedType: int + global: True + helpLink: elasticsearch.html + data_stream: + hidden: + description: Hide the data stream. + forcedType: bool + global: True + helpLink: elasticsearch.html + allow_custom_routing: + description: Allow custom routing for the data stream. + forcedType: bool + global: True + helpLink: elasticsearch.html policy: phases: hot: @@ -97,6 +148,7 @@ elasticsearch: set_priority: priority: description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. + forcedType: int global: True helpLink: elasticsearch.html rollover: 
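Review bot: The three `_meta` entries (`package.name`, `managed_by`, `managed`) all carry the identical description "Meta settings for the mapping.", which tells the operator nothing about what each field holds or why they would change it; the same generic text is repeated for the second `_meta` block in the following hunk. Give each its own sentence, e.g. `description: Name of the integration package this template belongs to.`, `description: Identifier of the component that manages this template (security_onion for templates owned here).`, and `description: Whether this template is flagged as managed in its metadata.`. The enclosing `so-logs: &indexSettings` anchor starts outside this hunk.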
@@ -117,19 +169,178 @@ elasticsearch: set_priority: priority: description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. + forcedType: int global: True helpLink: elasticsearch.html delete: min_age: description: Minimum age of index. This determines when the index should be deleted. global: True - helpLink: elastic + helpLink: elasticsearch.html + _meta: + package: + name: + description: Meta settings for the mapping. + global: True + helpLink: elasticsearch.html + managed_by: + description: Meta settings for the mapping. + global: True + helpLink: elasticsearch.html + managed: + description: Meta settings for the mapping. + forcedType: bool + global: True + helpLink: elasticsearch.html + so-logs-system_x_auth: *indexSettings + so-logs-system_x_syslog: *indexSettings + so-logs-system_x_system: *indexSettings + so-logs-system_x_application: *indexSettings + so-logs-system_x_security: *indexSettings + so-logs-windows_x_forwarded: *indexSettings + so-logs-windows_x_powershell: *indexSettings + so-logs-windows_x_powershell_operational: *indexSettings + so-logs-windows_x_sysmon_operational: *indexSettings + so-logs-apache_x_access: *indexSettings + so-logs-apache_x_error: *indexSettings + so-logs-auditd_x_log: *indexSettings + so-logs-aws_x_cloudtrail: *indexSettings + so-logs-aws_x_cloudwatch_logs: *indexSettings + so-logs-aws_x_ec2_logs: *indexSettings + so-logs-aws_x_elb_logs: *indexSettings + so-logs-aws_x_firewall_logs: *indexSettings + so-logs-aws_x_route53_public_logs: *indexSettings + so-logs-aws_x_route53_resolver_logs: *indexSettings + so-logs-aws_x_s3access: *indexSettings + so-logs-aws_x_vpcflow: *indexSettings + so-logs-aws_x_waf: *indexSettings + so-logs-azure_x_activitylogs: *indexSettings + so-logs-azure_x_application_gateway: *indexSettings + so-logs-azure_x_auditlogs: *indexSettings + so-logs-azure_x_eventhub: *indexSettings + so-logs-azure_x_firewall_logs: *indexSettings 
+ so-logs-azure_x_identity_protection: *indexSettings + so-logs-azure_x_platformlogs: *indexSettings + so-logs-azure_x_provisioning: *indexSettings + so-logs-azure_x_signinlogs: *indexSettings + so-logs-azure_x_springcloudlogs: *indexSettings + so-logs-barracuda_x_waf: *indexSettings + so-logs-cisco_asa_x_log: *indexSettings + so-logs-cloudflare_x_audit: *indexSettings + so-logs-cloudflare_x_logpull: *indexSettings + so-logs-crowdstrike_x_falcon: *indexSettings + so-logs-crowdstrike_x_fdr: *indexSettings + so-logs-darktrace_x_ai_analyst_alert: *indexSettings + so-logs-darktrace_x_model_breach_alert: *indexSettings + so-logs-darktrace_x_system_status_alert: *indexSettings + so-logs-f5_bigip_x_log: *indexSettings + so-logs-fim_x_event: *indexSettings + so-logs-fortinet_x_clientendpoint: *indexSettings + so-logs-fortinet_x_firewall: *indexSettings + so-logs-fortinet_x_fortimail: *indexSettings + so-logs-fortinet_x_fortimanager: *indexSettings + so-logs-fortinet_x_fortigate: *indexSettings + so-logs-gcp_x_audit: *indexSettings + so-logs-gcp_x_dns: *indexSettings + so-logs-gcp_x_firewall: *indexSettings + so-logs-gcp_x_loadbalancing_logs: *indexSettings + so-logs-gcp_x_vpcflow: *indexSettings + so-logs-github_x_audit: *indexSettings + so-logs-github_x_code_scanning: *indexSettings + so-logs-github_x_dependabot: *indexSettings + so-logs-github_x_issues: *indexSettings + so-logs-github_x_secret_scanning: *indexSettings + so-logs-google_workspace_x_access_transparency: *indexSettings + so-logs-google_workspace_x_admin: *indexSettings + so-logs-google_workspace_x_alert: *indexSettings + so-logs-google_workspace_x_context_aware_access: *indexSettings + so-logs-google_workspace_x_device: *indexSettings + so-logs-google_workspace_x_drive: *indexSettings + so-logs-google_workspace_x_gcp: *indexSettings + so-logs-google_workspace_x_group_enterprise: *indexSettings + so-logs-google_workspace_x_groups: *indexSettings + so-logs-google_workspace_x_login: *indexSettings + 
so-logs-google_workspace_x_rules: *indexSettings + so-logs-google_workspace_x_saml: *indexSettings + so-logs-google_workspace_x_token: *indexSettings + so-logs-google_workspace_x_user_accounts: *indexSettings + so-logs-http_endpoint_x_generic: *indexSettings + so-logs-httpjson_x_generic: *indexSettings + so-logs-juniper_x_junos: *indexSettings + so-logs-juniper_x_netscreen: *indexSettings + so-logs-juniper_x_srx: *indexSettings + so-logs-juniper_srx_x_log: *indexSettings + so-logs-kafka_log_x_generic: *indexSettings + so-logs-lastpass_x_detailed_shared_folder: *indexSettings + so-logs-lastpass_x_event_report: *indexSettings + so-logs-lastpass_x_user: *indexSettings + so-logs-m365_defender_x_event: *indexSettings + so-logs-m365_defender_x_incident: *indexSettings + so-logs-m365_defender_x_log: *indexSettings + so-logs-microsoft_defender_endpoint_x_log: *indexSettings + so-logs-microsoft_dhcp_x_log: *indexSettings + so-logs-netflow_x_log: *indexSettings + so-logs-o365_x_audit: *indexSettings + so-logs-okta_x_system: *indexSettings + so-logs-panw_x_panos: *indexSettings + so-logs-pfsense_x_log: *indexSettings + so-logs-sentinel_one_x_activity: *indexSettings + so-logs-sentinel_one_x_agent: *indexSettings + so-logs-sentinel_one_x_alert: *indexSettings + so-logs-sentinel_one_x_group: *indexSettings + so-logs-sentinel_one_x_threat: *indexSettings + so-logs-sonicwall_firewall_x_log: *indexSettings + so-logs-symantec_endpoint_x_log: *indexSettings + so-logs-ti_abusech_x_malware: *indexSettings + so-logs-ti_abusech_x_malwarebazaar: *indexSettings + so-logs-ti_abusech_x_threatfox: *indexSettings + so-logs-ti_abusech_x_url: *indexSettings + so-logs-ti_misp_x_threat: *indexSettings + so-logs-ti_misp_x_threat_attributes: *indexSettings + so-logs-ti_otx_x_threat: *indexSettings + so-logs-ti_recordedfuture_x_latest_ioc-template: *indexSettings + so-logs-ti_recordedfuture_x_threat: *indexSettings + so-logs-zscaler_zia_x_alerts: *indexSettings + so-logs-zscaler_zia_x_dns: 
*indexSettings + so-logs-zscaler_zia_x_firewall: *indexSettings + so-logs-zscaler_zia_x_tunnel: *indexSettings + so-logs-zscaler_zia_x_web: *indexSettings + so-logs-zscaler_zpa_x_app_connector_status: *indexSettings + so-logs-zscaler_zpa_x_audit: *indexSettings + so-logs-zscaler_zpa_x_browser_access: *indexSettings + so-logs-zscaler_zpa_x_user_activity: *indexSettings + so-logs-zscaler_zpa_x_user_status: *indexSettings + so-logs-1password_x_item_usages: *indexSettings + so-logs-1password_x_signin_attempts: *indexSettings + so-logs-osquery-manager-actions: *indexSettings + so-logs-osquery-manager-action_x_responses: *indexSettings + so-logs-elastic_agent_x_apm_server: *indexSettings + so-logs-elastic_agent_x_auditbeat: *indexSettings + so-logs-elastic_agent_x_cloudbeat: *indexSettings + so-logs-elastic_agent_x_endpoint_security: *indexSettings + so-logs-endpoint_x_alerts: *indexSettings + so-logs-endpoint_x_events_x_api: *indexSettings + so-logs-endpoint_x_events_x_file: *indexSettings + so-logs-endpoint_x_events_x_library: *indexSettings + so-logs-endpoint_x_events_x_network: *indexSettings + so-logs-endpoint_x_events_x_process: *indexSettings + so-logs-endpoint_x_events_x_registry: *indexSettings + so-logs-endpoint_x_events_x_security: *indexSettings + so-logs-elastic_agent_x_filebeat: *indexSettings + so-logs-elastic_agent_x_fleet_server: *indexSettings + so-logs-elastic_agent_x_heartbeat: *indexSettings + so-logs-elastic_agent: *indexSettings + so-logs-elastic_agent_x_metricbeat: *indexSettings + so-logs-elastic_agent_x_osquerybeat: *indexSettings + so-logs-elastic_agent_x_packetbeat: *indexSettings + so-case: *indexSettings + so-common: *indexSettings so-endgame: *indexSettings - so-firewall: *indexSettings + so-idh: *indexSettings + so-suricata: *indexSettings so-import: *indexSettings - so-kibana: *indexSettings + so-kratos: *indexSettings so-logstash: *indexSettings - so-osquery: *indexSettings so-redis: *indexSettings so-strelka: *indexSettings so-syslog: 
*indexSettings diff --git a/salt/elasticsearch/template.map.jinja b/salt/elasticsearch/template.map.jinja index 49d86d187..f5a124a9a 100644 --- a/salt/elasticsearch/template.map.jinja +++ b/salt/elasticsearch/template.map.jinja 
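Review bot: The long `so-logs-*_x_*: *indexSettings` list encodes "." as `_x_` (for example `so-logs-1password_x_signin_attempts`, renamed from `so-logs-1password.signin_attempts`) and relies on `replace("_x_", ".")` in template.map.jinja to map the names back, but nothing in this file says so, and the list must be kept in sync with defaults.yaml by hand. Add a comment above the first alias such as `# Index keys use _x_ in place of "." (see template.map.jinja, which maps them back); keep this list in step with elasticsearch/defaults.yaml`. The reason "." is avoided in these keys is not visible here, so the comment should state it once confirmed. The `helpLink: elastic` → `elasticsearch.html` fix at the top of the hunk is fine.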
@@ -1,9 +1,28 @@
-{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}
-{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %}
-{% for index, settings in ES_INDEX_SETTINGS.items() %}
-{% if settings.index_template is defined %}
-{% if not settings.get('index_sorting', False) | to_bool and settings.index_template.template.settings.index.sort is defined %}
-{% do settings.index_template.template.settings.index.pop('sort') %}
-{% endif %}
-{% endif %}
+{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %}
+{% set DEFAULT_GLOBAL_OVERRIDES = ELASTICSEARCHDEFAULTS.elasticsearch.index_settings.pop('global_overrides') %}
+
+{% set PILLAR_GLOBAL_OVERRIDES = {} %}
+{% if salt['pillar.get']('elasticsearch:index_settings') is defined %}
+{% set ES_INDEX_PILLAR = salt['pillar.get']('elasticsearch:index_settings') %}
+{% if ES_INDEX_PILLAR.global_overrides is defined %}
+{% set PILLAR_GLOBAL_OVERRIDES = ES_INDEX_PILLAR.pop('global_overrides') %}
+{% endif %}
+{% endif %}
+
+{% set ES_INDEX_SETTINGS_ORIG = ELASTICSEARCHDEFAULTS.elasticsearch.index_settings %}
+
+{% set ES_INDEX_SETTINGS_GLOBAL_OVERRIDES = {} %}
+{% for index in ES_INDEX_SETTINGS_ORIG.keys() %}
+{% do ES_INDEX_SETTINGS_GLOBAL_OVERRIDES.update({index: salt['defaults.merge'](ELASTICSEARCHDEFAULTS.elasticsearch.index_settings[index], PILLAR_GLOBAL_OVERRIDES, in_place=False)}) %}
+{% endfor %}
+
+{% set ES_INDEX_SETTINGS = {} %}
+{% do ES_INDEX_SETTINGS_GLOBAL_OVERRIDES.update(salt['defaults.merge'](ES_INDEX_SETTINGS_GLOBAL_OVERRIDES, ES_INDEX_PILLAR, in_place=False)) %}
+{% for index, settings in ES_INDEX_SETTINGS_GLOBAL_OVERRIDES.items() %}
+{% if settings.index_template is defined %}
+{% if not settings.get('index_sorting', False) | to_bool and settings.index_template.template.settings.index.sort is defined %}
+{% do settings.index_template.template.settings.index.pop('sort') %}
+{% endif %}
+{% endif %}
+{% do ES_INDEX_SETTINGS.update({index | replace("_x_", "."): ES_INDEX_SETTINGS_GLOBAL_OVERRIDES[index]}) %}
 {% endfor %}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json
deleted file mode 100644
index fe77af1db..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
-"template": {
-"settings": {}
-},
-"_meta": {
-"package": {
-"name": "elastic_agent"
-},
-"managed_by": "fleet",
-"managed": true
-}
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json
deleted file mode 100644
index 919763caa..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json
+++ /dev/null
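Review bot: The guard `{% if salt['pillar.get']('elasticsearch:index_settings') is defined %}` never protects anything, because `pillar.get` returns its default (an empty string unless one is given) rather than an undefined value when the key is absent; on a minion with no `elasticsearch:index_settings` pillar, `ES_INDEX_PILLAR` is then that empty string and the unconditional `salt['defaults.merge'](ES_INDEX_SETTINGS_GLOBAL_OVERRIDES, ES_INDEX_PILLAR, in_place=False)` further down is handed a non-dict, which I would expect to fail the render. Replace the six-line `if` block with `{% set ES_INDEX_PILLAR = salt['pillar.get']('elasticsearch:index_settings', {}) %}` followed by `{% set PILLAR_GLOBAL_OVERRIDES = ES_INDEX_PILLAR.pop('global_overrides', {}) %}`, which also gives the merge a dict in every case. Two smaller points: `DEFAULT_GLOBAL_OVERRIDES` is assigned and never used, so if the `pop` is only there to strip the key, a comment saying so (or discarding the result) would stop readers from looking for the missing merge; and `ES_INDEX_PILLAR.pop(...)` mutates the object `pillar.get` returned in place, which, if that is the live pillar dictionary, removes `global_overrides` for any other template rendered in the same run — copy first if that is not intended.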
@@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.apm_server-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - 
"properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": 
"boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json deleted file mode 100644 index 175ad4431..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json +++ /dev/null 
@@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.auditbeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - 
"properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": 
"boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json deleted file mode 100644 index a96480471..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json +++ /dev/null 
@@ -1,339 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.cloudbeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "decision_id", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": 
"keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "message": { - "type": "match_only_text" - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "result": { - "type": "object" - }, - "input": { - "type": "object" - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "decision_id": { - "type": "text" - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json deleted file mode 100644 index 5f16d18de..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json +++ /dev/null 
@@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.endpoint_security-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { 
- "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": 
"boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json deleted file mode 100644 index f5b1ab12a..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json +++ /dev/null 
@@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.filebeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - 
"properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": 
"boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json deleted file mode 100644 index a61d9f7a9..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json +++ /dev/null 
@@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.fleet_server-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - 
"properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": 
"boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json deleted file mode 100644 index d7e244dc2..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json +++ /dev/null 
@@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.heartbeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - 
"properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": 
"boolean"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "architecture": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "elastic_agent": {
- "properties": {
- "process": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "snapshot": {
- "type": "boolean"
- }
- }
- },
- "message": {
- "type": "text"
- },
- "event": {
- "properties": {
- "dataset": {
- "type": "constant_keyword"
- }
- }
- }
- }
- }
- },
- "_meta": {
- "package": {
- "name": "elastic_agent"
- },
- "managed_by": "fleet",
- "managed": true
- }
- }
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json
deleted file mode 100644
index fe77af1db..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "template": {
- "settings": {}
- },
- "_meta": {
- "package": {
- "name": "elastic_agent"
- },
- "managed_by": "fleet",
- "managed": true
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json
deleted file mode 100644
index 7b0c81283..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json
+++ /dev/null
@@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.metricbeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - 
"properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": 
"boolean"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "architecture": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "elastic_agent": {
- "properties": {
- "process": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "snapshot": {
- "type": "boolean"
- }
- }
- },
- "event": {
- "properties": {
- "dataset": {
- "type": "constant_keyword"
- }
- }
- },
- "message": {
- "type": "text"
- }
- }
- }
- },
- "_meta": {
- "package": {
- "name": "elastic_agent"
- },
- "managed_by": "fleet",
- "managed": true
- }
- }
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json
deleted file mode 100644
index fe77af1db..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "template": {
- "settings": {}
- },
- "_meta": {
- "package": {
- "name": "elastic_agent"
- },
- "managed_by": "fleet",
- "managed": true
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json
deleted file mode 100644
index 2a6780e69..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json
+++ /dev/null
@@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.osquerybeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - 
"properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": 
"boolean"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "architecture": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "elastic_agent": {
- "properties": {
- "process": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "snapshot": {
- "type": "boolean"
- }
- }
- },
- "event": {
- "properties": {
- "dataset": {
- "type": "constant_keyword"
- }
- }
- },
- "message": {
- "type": "text"
- }
- }
- }
- },
- "_meta": {
- "package": {
- "name": "elastic_agent"
- },
- "managed_by": "fleet",
- "managed": true
- }
- }
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json
deleted file mode 100644
index fe77af1db..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "template": {
- "settings": {}
- },
- "_meta": {
- "package": {
- "name": "elastic_agent"
- },
- "managed_by": "fleet",
- "managed": true
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json
deleted file mode 100644
index 973427be1..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json
+++ /dev/null
@@ -1,322 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.packetbeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - 
"properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": 
"boolean"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "architecture": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "elastic_agent": {
- "properties": {
- "process": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "snapshot": {
- "type": "boolean"
- }
- }
- },
- "message": {
- "type": "text"
- }
- }
- }
- },
- "_meta": {
- "package": {
- "name": "elastic_agent"
- },
- "managed_by": "fleet",
- "managed": true
- }
- }
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json
deleted file mode 100644
index fe77af1db..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "template": {
- "settings": {}
- },
- "_meta": {
- "package": {
- "name": "elastic_agent"
- },
- "managed_by": "fleet",
- "managed": true
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json
deleted file mode 100644
index 05741a4f0..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json
+++ /dev/null
@@ -1,952 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-system.application-1.6.4", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "event.code", - "event.original", - "error.message", - "message", - "winlog.api", - "winlog.activity_id", - "winlog.computer_name", - "winlog.event_data.AuthenticationPackageName", - "winlog.event_data.Binary", - "winlog.event_data.BitlockerUserInputTime", - "winlog.event_data.BootMode", - "winlog.event_data.BootType", - "winlog.event_data.BuildVersion", - "winlog.event_data.Company", - "winlog.event_data.CorruptionActionState", - "winlog.event_data.CreationUtcTime", - "winlog.event_data.Description", - "winlog.event_data.Detail", - "winlog.event_data.DeviceName", - "winlog.event_data.DeviceNameLength", - "winlog.event_data.DeviceTime", - "winlog.event_data.DeviceVersionMajor", - "winlog.event_data.DeviceVersionMinor", - "winlog.event_data.DriveName", - "winlog.event_data.DriverName", - "winlog.event_data.DriverNameLength", - "winlog.event_data.DwordVal", - "winlog.event_data.EntryCount", - "winlog.event_data.ExtraInfo", - "winlog.event_data.FailureName", - "winlog.event_data.FailureNameLength", - "winlog.event_data.FileVersion", - "winlog.event_data.FinalStatus", - "winlog.event_data.Group", - "winlog.event_data.IdleImplementation", - "winlog.event_data.IdleStateCount", - 
"winlog.event_data.ImpersonationLevel", - "winlog.event_data.IntegrityLevel", - "winlog.event_data.IpAddress", - "winlog.event_data.IpPort", - "winlog.event_data.KeyLength", - "winlog.event_data.LastBootGood", - "winlog.event_data.LastShutdownGood", - "winlog.event_data.LmPackageName", - "winlog.event_data.LogonGuid", - "winlog.event_data.LogonId", - "winlog.event_data.LogonProcessName", - "winlog.event_data.LogonType", - "winlog.event_data.MajorVersion", - "winlog.event_data.MaximumPerformancePercent", - "winlog.event_data.MemberName", - "winlog.event_data.MemberSid", - "winlog.event_data.MinimumPerformancePercent", - "winlog.event_data.MinimumThrottlePercent", - "winlog.event_data.MinorVersion", - "winlog.event_data.NewProcessId", - "winlog.event_data.NewProcessName", - "winlog.event_data.NewSchemeGuid", - "winlog.event_data.NewTime", - "winlog.event_data.NominalFrequency", - "winlog.event_data.Number", - "winlog.event_data.OldSchemeGuid", - "winlog.event_data.OldTime", - "winlog.event_data.OriginalFileName", - "winlog.event_data.Path", - "winlog.event_data.PerformanceImplementation", - "winlog.event_data.PreviousCreationUtcTime", - "winlog.event_data.PreviousTime", - "winlog.event_data.PrivilegeList", - "winlog.event_data.ProcessId", - "winlog.event_data.ProcessName", - "winlog.event_data.ProcessPath", - "winlog.event_data.ProcessPid", - "winlog.event_data.Product", - "winlog.event_data.PuaCount", - "winlog.event_data.PuaPolicyId", - "winlog.event_data.QfeVersion", - "winlog.event_data.Reason", - "winlog.event_data.SchemaVersion", - "winlog.event_data.ScriptBlockText", - "winlog.event_data.ServiceName", - "winlog.event_data.ServiceVersion", - "winlog.event_data.ShutdownActionType", - "winlog.event_data.ShutdownEventCode", - "winlog.event_data.ShutdownReason", - "winlog.event_data.Signature", - "winlog.event_data.SignatureStatus", - "winlog.event_data.Signed", - "winlog.event_data.StartTime", - "winlog.event_data.State", - "winlog.event_data.Status", - 
"winlog.event_data.StopTime", - "winlog.event_data.SubjectDomainName", - "winlog.event_data.SubjectLogonId", - "winlog.event_data.SubjectUserName", - "winlog.event_data.SubjectUserSid", - "winlog.event_data.TSId", - "winlog.event_data.TargetDomainName", - "winlog.event_data.TargetInfo", - "winlog.event_data.TargetLogonGuid", - "winlog.event_data.TargetLogonId", - "winlog.event_data.TargetServerName", - "winlog.event_data.TargetUserName", - "winlog.event_data.TargetUserSid", - "winlog.event_data.TerminalSessionId", - "winlog.event_data.TokenElevationType", - "winlog.event_data.TransmittedServices", - "winlog.event_data.UserSid", - "winlog.event_data.Version", - "winlog.event_data.Workstation", - "winlog.event_data.param1", - "winlog.event_data.param2", - "winlog.event_data.param3", - "winlog.event_data.param4", - "winlog.event_data.param5", - "winlog.event_data.param6", - "winlog.event_data.param7", - "winlog.event_data.param8", - "winlog.event_id", - "winlog.keywords", - "winlog.channel", - "winlog.record_id", - "winlog.related_activity_id", - "winlog.opcode", - "winlog.provider_guid", - "winlog.provider_name", - "winlog.task", - "winlog.user.identifier", - "winlog.user.name", - "winlog.user.domain", - "winlog.user.type" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - }, - { - "winlog.user_data": { - "path_match": "winlog.user_data.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "winlog": { - "properties": { - "related_activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - } - } - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_data": { - "properties": { - "SignatureStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginalFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Product": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "StopTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorruptionActionState": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "KeyLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousCreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "PerformanceImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Group": { - "ignore_above": 1024, - "type": "keyword" - }, - "Description": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownActionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "DwordVal": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMajor": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptBlockText": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "MaximumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "FinalStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleStateCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "MajorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "Path": { - "ignore_above": 1024, - "type": "keyword" - }, - "SchemaVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "TokenElevationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "QfeVersion": { - "ignore_above": 1024, 
- "type": "keyword" - }, - "DeviceVersionMinor": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Company": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaPolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntegrityLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastShutdownGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpPort": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastBootGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signed": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownEventCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Detail": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"TerminalSessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "CreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetServerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Number": { - "ignore_above": 1024, - "type": "keyword" - }, - "BuildVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TSId": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrivilegeList": { - "ignore_above": 1024, - "type": "keyword" - }, - "param7": { - "ignore_above": 1024, - "type": "keyword" - }, - "param8": { - "ignore_above": 1024, - "type": "keyword" - }, - "param5": { - "ignore_above": 1024, - "type": "keyword" - }, - "param6": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriveName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExtraInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "param3": { - "ignore_above": 1024, - "type": "keyword" - }, - "param4": { - "ignore_above": 1024, - "type": "keyword" - }, - "param1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param2": { - "ignore_above": 
1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workstation": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumThrottlePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EntryCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "BitlockerUserInputTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuthenticationPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NominalFrequency": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "module": { - "type": "constant_keyword", - "value": "system" - }, - "dataset": { - "type": "constant_keyword", - "value": "system.application" - } - } - }, - "error": { - "properties": { - "message": { - "type": "match_only_text" - } - } - }, - "message": { - "type": "match_only_text" - } - } - } - }, - "_meta": { - "package": { - "name": "system" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json deleted file mode 100644 index fe77af1db..000000000 
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "template": {
- "settings": {}
- },
- "_meta": {
- "package": {
- "name": "elastic_agent"
- },
- "managed_by": "fleet",
- "managed": true
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json
deleted file mode 100644
index 51e707850..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json
+++ /dev/null
@@ -1,530 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-system.auth-1.6.4", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.os.full", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.outcome", - "event.provider", - "event.type", - "ecs.version", - "error.message", - "group.id", - "group.name", - "message", - "process.name", - "related.hosts", - "related.user", - "source.as.organization.name", - "source.geo.city_name", - "source.geo.continent_name", - "source.geo.country_iso_code", - "source.geo.country_name", - "source.geo.region_iso_code", - "source.geo.region_name", - "user.effective.name", - "user.id", - "user.name", - "system.auth.ssh.method", - "system.auth.ssh.signature", - "system.auth.ssh.event", - "system.auth.sudo.error", - "system.auth.sudo.tty", - "system.auth.sudo.pwd", - "system.auth.sudo.user", - "system.auth.sudo.command", - "system.auth.useradd.home", - "system.auth.useradd.shell", - "version" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": 
{ - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - } - } - }, - "source": { - "properties": { - "geo": { - "properties": { - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "port": { - "type": "long" - }, - "ip": { - "type": "ip" - } - } - }, - "error": { - "properties": { - "message": { - "type": "match_only_text" - } - } - }, - "message": { - "type": "match_only_text" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - 
"type": "keyword" - } - } - } - } - }, - "@timestamp": { - "type": "date" - }, - "system": { - "properties": { - "auth": { - "properties": { - "ssh": { - "properties": { - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "dropped_ip": { - "type": "ip" - }, - "signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "event": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sudo": { - "properties": { - "tty": { - "ignore_above": 1024, - "type": "keyword" - }, - "error": { - "ignore_above": 1024, - "type": "keyword" - }, - "pwd": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "command": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "useradd": { - "properties": { - "shell": { - "ignore_above": 1024, - "type": "keyword" - }, - "home": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword", - "value": "logs" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "system" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "system.auth" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "effective": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "system" - }, - "managed_by": "fleet", - "managed": true - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json
deleted file mode 100644
index fe77af1db..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "template": {
- "settings": {}
- },
- "_meta": {
- "package": {
- "name": "elastic_agent"
- },
- "managed_by": "fleet",
- "managed": true
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json
deleted file mode 100644
index a74cd4a70..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json
+++ /dev/null
@@ -1,1840 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-system.security-1.6.4", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.outcome", - "event.provider", - "event.type", - "tags", - "input.type", - "ecs.version", - "group.domain", - "group.id", - "group.name", - "log.file.path", - "log.level", - "message", - "process.args", - "process.command_line", - "process.entity_id", - "process.executable", - "process.name", - "process.parent.executable", - "process.parent.name", - "process.title", - "related.hash", - "related.hosts", - "related.user", - "service.name", - "service.type", - "source.domain", - "user.domain", - "user.id", - "user.name", - "user.effective.domain", - "user.effective.id", - "user.effective.name", - "user.target.group.domain", - "user.target.group.id", - "user.target.group.name", - "user.target.name", - "user.target.domain", - "user.target.id", - "user.changes.name", - "winlog.logon.type", - "winlog.logon.id", - "winlog.logon.failure.reason", - "winlog.logon.failure.status", - "winlog.logon.failure.sub_status", - "winlog.api", - "winlog.activity_id", - "winlog.channel", - "winlog.computer_name", - "winlog.computerObject.domain", - "winlog.computerObject.id", - "winlog.computerObject.name", - 
"winlog.event_data.AccessGranted", - "winlog.event_data.AccessList", - "winlog.event_data.AccessListDescription", - "winlog.event_data.AccessMask", - "winlog.event_data.AccessMaskDescription", - "winlog.event_data.AccessRemoved", - "winlog.event_data.AccountDomain", - "winlog.event_data.AccountExpires", - "winlog.event_data.AccountName", - "winlog.event_data.AllowedToDelegateTo", - "winlog.event_data.AuditPolicyChanges", - "winlog.event_data.AuditPolicyChangesDescription", - "winlog.event_data.AuditSourceName", - "winlog.event_data.AuthenticationPackageName", - "winlog.event_data.Binary", - "winlog.event_data.BitlockerUserInputTime", - "winlog.event_data.BootMode", - "winlog.event_data.BootType", - "winlog.event_data.BuildVersion", - "winlog.event_data.CallerProcessId", - "winlog.event_data.CallerProcessName", - "winlog.event_data.Category", - "winlog.event_data.CategoryId", - "winlog.event_data.ClientAddress", - "winlog.event_data.ClientName", - "winlog.event_data.CommandLine", - "winlog.event_data.Company", - "winlog.event_data.CorruptionActionState", - "winlog.event_data.CrashOnAuditFailValue", - "winlog.event_data.CreationUtcTime", - "winlog.event_data.Description", - "winlog.event_data.Detail", - "winlog.event_data.DeviceName", - "winlog.event_data.DeviceNameLength", - "winlog.event_data.DeviceTime", - "winlog.event_data.DeviceVersionMajor", - "winlog.event_data.DeviceVersionMinor", - "winlog.event_data.DisplayName", - "winlog.event_data.DomainBehaviorVersion", - "winlog.event_data.DomainName", - "winlog.event_data.DomainPolicyChanged", - "winlog.event_data.DomainSid", - "winlog.event_data.DriveName", - "winlog.event_data.DriverName", - "winlog.event_data.DriverNameLength", - "winlog.event_data.Dummy", - "winlog.event_data.DwordVal", - "winlog.event_data.EntryCount", - "winlog.event_data.EventSourceId", - "winlog.event_data.ExtraInfo", - "winlog.event_data.FailureName", - "winlog.event_data.FailureNameLength", - "winlog.event_data.FailureReason", - 
"winlog.event_data.FileVersion", - "winlog.event_data.FinalStatus", - "winlog.event_data.Group", - "winlog.event_data.GroupTypeChange", - "winlog.event_data.HandleId", - "winlog.event_data.HomeDirectory", - "winlog.event_data.HomePath", - "winlog.event_data.IdleImplementation", - "winlog.event_data.IdleStateCount", - "winlog.event_data.ImpersonationLevel", - "winlog.event_data.IntegrityLevel", - "winlog.event_data.IpAddress", - "winlog.event_data.IpPort", - "winlog.event_data.KerberosPolicyChange", - "winlog.event_data.KeyLength", - "winlog.event_data.LastBootGood", - "winlog.event_data.LastShutdownGood", - "winlog.event_data.LmPackageName", - "winlog.event_data.LogonGuid", - "winlog.event_data.LogonHours", - "winlog.event_data.LogonId", - "winlog.event_data.LogonID", - "winlog.event_data.LogonProcessName", - "winlog.event_data.LogonType", - "winlog.event_data.MachineAccountQuota", - "winlog.event_data.MajorVersion", - "winlog.event_data.MandatoryLabel", - "winlog.event_data.MaximumPerformancePercent", - "winlog.event_data.MemberName", - "winlog.event_data.MemberSid", - "winlog.event_data.MinimumPerformancePercent", - "winlog.event_data.MinimumThrottlePercent", - "winlog.event_data.MinorVersion", - "winlog.event_data.MixedDomainMode", - "winlog.event_data.NewProcessId", - "winlog.event_data.NewProcessName", - "winlog.event_data.NewSchemeGuid", - "winlog.event_data.NewSd", - "winlog.event_data.NewSdDacl0", - "winlog.event_data.NewSdDacl1", - "winlog.event_data.NewSdDacl2", - "winlog.event_data.NewSdSacl0", - "winlog.event_data.NewSdSacl1", - "winlog.event_data.NewSdSacl2", - "winlog.event_data.NewTargetUserName", - "winlog.event_data.NewTime", - "winlog.event_data.NewUACList", - "winlog.event_data.NewUacValue", - "winlog.event_data.NominalFrequency", - "winlog.event_data.Number", - "winlog.event_data.ObjectName", - "winlog.event_data.ObjectServer", - "winlog.event_data.ObjectType", - "winlog.event_data.OemInformation", - "winlog.event_data.OldSchemeGuid", - 
"winlog.event_data.OldSd", - "winlog.event_data.OldSdDacl0", - "winlog.event_data.OldSdDacl1", - "winlog.event_data.OldSdDacl2", - "winlog.event_data.OldSdSacl0", - "winlog.event_data.OldSdSacl1", - "winlog.event_data.OldSdSacl2", - "winlog.event_data.OldTargetUserName", - "winlog.event_data.OldTime", - "winlog.event_data.OldUacValue", - "winlog.event_data.OriginalFileName", - "winlog.event_data.PackageName", - "winlog.event_data.PasswordLastSet", - "winlog.event_data.PasswordHistoryLength", - "winlog.event_data.Path", - "winlog.event_data.ParentProcessName", - "winlog.event_data.PerformanceImplementation", - "winlog.event_data.PreviousCreationUtcTime", - "winlog.event_data.PreAuthType", - "winlog.event_data.PreviousTime", - "winlog.event_data.PrimaryGroupId", - "winlog.event_data.PrivilegeList", - "winlog.event_data.ProcessId", - "winlog.event_data.ProcessName", - "winlog.event_data.ProcessPath", - "winlog.event_data.ProcessPid", - "winlog.event_data.Product", - "winlog.event_data.ProfilePath", - "winlog.event_data.PuaCount", - "winlog.event_data.PuaPolicyId", - "winlog.event_data.QfeVersion", - "winlog.event_data.Reason", - "winlog.event_data.ResourceAttributes", - "winlog.event_data.SamAccountName", - "winlog.event_data.SchemaVersion", - "winlog.event_data.ScriptPath", - "winlog.event_data.SidHistory", - "winlog.event_data.ScriptBlockText", - "winlog.event_data.Service", - "winlog.event_data.ServiceAccount", - "winlog.event_data.ServiceFileName", - "winlog.event_data.ServiceName", - "winlog.event_data.ServiceSid", - "winlog.event_data.ServiceStartType", - "winlog.event_data.ServiceType", - "winlog.event_data.ServiceVersion", - "winlog.event_data.SessionName", - "winlog.event_data.ShutdownActionType", - "winlog.event_data.ShutdownEventCode", - "winlog.event_data.ShutdownReason", - "winlog.event_data.SidFilteringEnabled", - "winlog.event_data.Signature", - "winlog.event_data.SignatureStatus", - "winlog.event_data.Signed", - "winlog.event_data.StartTime", - 
"winlog.event_data.State", - "winlog.event_data.Status", - "winlog.event_data.StatusDescription", - "winlog.event_data.StopTime", - "winlog.event_data.SubCategory", - "winlog.event_data.SubCategoryGuid", - "winlog.event_data.SubcategoryGuid", - "winlog.event_data.SubCategoryId", - "winlog.event_data.SubcategoryId", - "winlog.event_data.SubjectDomainName", - "winlog.event_data.SubjectLogonId", - "winlog.event_data.SubjectUserName", - "winlog.event_data.SubjectUserSid", - "winlog.event_data.SubStatus", - "winlog.event_data.TSId", - "winlog.event_data.TargetDomainName", - "winlog.event_data.TargetInfo", - "winlog.event_data.TargetLogonGuid", - "winlog.event_data.TargetLogonId", - "winlog.event_data.TargetServerName", - "winlog.event_data.TargetSid", - "winlog.event_data.TargetUserName", - "winlog.event_data.TargetUserSid", - "winlog.event_data.TdoAttributes", - "winlog.event_data.TdoDirection", - "winlog.event_data.TdoType", - "winlog.event_data.TerminalSessionId", - "winlog.event_data.TicketEncryptionType", - "winlog.event_data.TicketEncryptionTypeDescription", - "winlog.event_data.TicketOptions", - "winlog.event_data.TicketOptionsDescription", - "winlog.event_data.TokenElevationType", - "winlog.event_data.TransmittedServices", - "winlog.event_data.UserAccountControl", - "winlog.event_data.UserParameters", - "winlog.event_data.UserPrincipalName", - "winlog.event_data.UserSid", - "winlog.event_data.UserWorkstations", - "winlog.event_data.Version", - "winlog.event_data.Workstation", - "winlog.event_data.WorkstationName", - "winlog.event_data.param1", - "winlog.event_data.param2", - "winlog.event_data.param3", - "winlog.event_data.param4", - "winlog.event_data.param5", - "winlog.event_data.param6", - "winlog.event_data.param7", - "winlog.event_data.param8", - "winlog.event_id", - "winlog.keywords", - "winlog.level", - "winlog.outcome", - "winlog.record_id", - "winlog.related_activity_id", - "winlog.opcode", - "winlog.provider_guid", - "winlog.provider_name", - 
"winlog.task", - "winlog.time_created", - "winlog.trustAttribute", - "winlog.trustDirection", - "winlog.trustType", - "winlog.user_data.BackupPath", - "winlog.user_data.Channel", - "winlog.user_data.SubjectDomainName", - "winlog.user_data.SubjectLogonId", - "winlog.user_data.SubjectUserName", - "winlog.user_data.SubjectUserSid", - "winlog.user_data.xml_name", - "winlog.user.identifier", - "winlog.user.name", - "winlog.user.domain", - "winlog.user.type" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "args_count": { - "type": "long" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "command_line": { - "ignore_above": 1024, - "type": "wildcard" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "winlog": { - "properties": { - "related_activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "logon": { - "properties": { - "failure": { - "properties": { - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_data": { - "properties": { - "ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginalFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Product": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonHours": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketOptions": { - "ignore_above": 1024, - "type": "keyword" - }, - "AllowedToDelegateTo": { - "ignore_above": 1024, - "type": "keyword" - }, - "TdoAttributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "StopTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessMask": { - "ignore_above": 1024, - "type": "keyword" - }, - "KeyLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "ResourceAttributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "SessionName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PasswordHistoryLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSd": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Group": { - "ignore_above": 1024, - "type": "keyword" - }, - "PackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownActionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "DwordVal": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"DeviceVersionMajor": { - "ignore_above": 1024, - "type": "keyword" - }, - "SidHistory": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "WorkstationName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleStateCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Path": { - "ignore_above": 1024, - "type": "keyword" - }, - "SchemaVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "CrashOnAuditFailValue": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMinor": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "HandleId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastShutdownGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpPort": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastBootGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessListDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "MachineAccountQuota": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldUacValue": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserParameters": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signed": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTime": { - "ignore_above": 1024, - "type": "keyword" 
- }, - "SubCategoryId": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewUacValue": { - "ignore_above": 1024, - "type": "keyword" - }, - "CallerProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProfilePath": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainPolicyChanged": { - "ignore_above": 1024, - "type": "keyword" - }, - "CategoryId": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreAuthType": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccountDomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewUACList": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubcategoryGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "SidFilteringEnabled": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetServerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuditPolicyChanges": { - "ignore_above": 1024, - "type": "keyword" - }, - "Number": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "EventSourceId": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriveName": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "NewProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExtraInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrimaryGroupId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ObjectName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workstation": { - "ignore_above": 1024, - "type": "keyword" - }, - "PasswordLastSet": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumThrottlePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "GroupTypeChange": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessList": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuthenticationPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NominalFrequency": { - "ignore_above": 1024, - "type": "keyword" - }, - "SignatureStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketEncryptionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketOptionsDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ObjectServer": { - "ignore_above": 1024, - "type": "keyword" - }, - "HomePath": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserWorkstations": { - "ignore_above": 1024, - "type": "keyword" - }, - "SamAccountName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorruptionActionState": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuditSourceName": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "SubCategoryGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousCreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuditPolicyChangesDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessMaskDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccountName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PerformanceImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketEncryptionTypeDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceAccount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Description": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptBlockText": { - "ignore_above": 1024, - "type": "keyword" - }, - "ObjectType": { - "ignore_above": 1024, - "type": "keyword" - }, - "MaximumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "KerberosPolicyChange": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "FinalStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "MajorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "MandatoryLabel": { - "ignore_above": 1024, - "type": "keyword" - }, - "HomeDirectory": { - "ignore_above": 1024, - "type": "keyword" - }, - "TokenElevationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "QfeVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccountExpires": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceStartType": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"UserPrincipalName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdSacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "Dummy": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdSacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdSacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "Company": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaPolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdSacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntegrityLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdSacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdSacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSd": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientName": { - "ignore_above": 1024, - "type": "keyword" - }, - "StatusDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdDacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdDacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdDacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainBehaviorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessGranted": { - "ignore_above": 1024, - "type": "keyword" - }, - "ParentProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubcategoryId": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessRemoved": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownEventCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousTime": { - "ignore_above": 1024, - "type": "keyword" - }, 
- "MixedDomainMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdDacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdDacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "Category": { - "ignore_above": 1024, - "type": "keyword" - }, - "TerminalSessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdDacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "CreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "CallerProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TdoType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DisplayName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BuildVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TSId": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrivilegeList": { - "ignore_above": 1024, - "type": "keyword" - }, - "param7": { - "ignore_above": 1024, - "type": "keyword" - }, - "param8": { - "ignore_above": 1024, - "type": "keyword" - }, - "param5": { - "ignore_above": 1024, - "type": "keyword" - }, - "param6": { - "ignore_above": 1024, - "type": "keyword" - }, - "Service": { - "ignore_above": 1024, - "type": "keyword" - }, - "TdoDirection": { - "ignore_above": 1024, - "type": "keyword" - }, - "param3": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "param4": { - "ignore_above": 1024, - "type": "keyword" - }, - "param1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param2": { - "ignore_above": 1024, - "type": "keyword" - }, - "CommandLine": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserAccountControl": { - "ignore_above": 1024, - "type": "keyword" - }, - "OemInformation": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubCategory": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EntryCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonID": { - "ignore_above": 1024, - "type": "keyword" - }, - "BitlockerUserInputTime": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "time_created": { - "ignore_above": 1024, - "type": "keyword" - }, - "trustDirection": { - "ignore_above": 1024, - "type": "keyword" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - } - } - }, - "trustAttribute": { - "ignore_above": 1024, - "type": "keyword" - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "computerObject": { - "properties": { 
- "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user_data": { - "properties": { - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BackupPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "Channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "xml_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "type": "long" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "trustType": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "port": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - } - } - }, - "message": { - "type": "match_only_text" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - 
"instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "input": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword", - "value": "logs" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "system" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "system.security" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "changes": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { 
- "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "system" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json deleted file mode 100644 index 30576a635..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json +++ /dev/null 
@@ -1,327 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-system.syslog-1.6.4", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.os.full", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.outcome", - "event.provider", - "event.type", - "ecs.version", - "message", - "process.name" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } 
- } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword", - "value": "logs" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "sequence": { - "type": "long" - }, - "ingested": { - 
"type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "system" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "system.syslog" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "type": "match_only_text" - } - } - } - }, - "_meta": { - "package": { - "name": "system" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json deleted file mode 100644 index 068e6846b..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json +++ /dev/null 
@@ -1,986 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-system.system-1.6.4", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.original", - "event.outcome", - "event.provider", - "event.type", - "error.message", - "message", - "winlog.api", - "winlog.activity_id", - "winlog.computer_name", - "winlog.event_data.AuthenticationPackageName", - "winlog.event_data.Binary", - "winlog.event_data.BitlockerUserInputTime", - "winlog.event_data.BootMode", - "winlog.event_data.BootType", - "winlog.event_data.BuildVersion", - "winlog.event_data.Company", - "winlog.event_data.CorruptionActionState", - "winlog.event_data.CreationUtcTime", - "winlog.event_data.Description", - "winlog.event_data.Detail", - "winlog.event_data.DeviceName", - "winlog.event_data.DeviceNameLength", - "winlog.event_data.DeviceTime", - "winlog.event_data.DeviceVersionMajor", - "winlog.event_data.DeviceVersionMinor", - "winlog.event_data.DriveName", - "winlog.event_data.DriverName", - "winlog.event_data.DriverNameLength", - "winlog.event_data.DwordVal", - "winlog.event_data.EntryCount", - "winlog.event_data.ExtraInfo", - "winlog.event_data.FailureName", - "winlog.event_data.FailureNameLength", - "winlog.event_data.FileVersion", - "winlog.event_data.FinalStatus", - 
"winlog.event_data.Group", - "winlog.event_data.IdleImplementation", - "winlog.event_data.IdleStateCount", - "winlog.event_data.ImpersonationLevel", - "winlog.event_data.IntegrityLevel", - "winlog.event_data.IpAddress", - "winlog.event_data.IpPort", - "winlog.event_data.KeyLength", - "winlog.event_data.LastBootGood", - "winlog.event_data.LastShutdownGood", - "winlog.event_data.LmPackageName", - "winlog.event_data.LogonGuid", - "winlog.event_data.LogonId", - "winlog.event_data.LogonProcessName", - "winlog.event_data.LogonType", - "winlog.event_data.MajorVersion", - "winlog.event_data.MaximumPerformancePercent", - "winlog.event_data.MemberName", - "winlog.event_data.MemberSid", - "winlog.event_data.MinimumPerformancePercent", - "winlog.event_data.MinimumThrottlePercent", - "winlog.event_data.MinorVersion", - "winlog.event_data.NewProcessId", - "winlog.event_data.NewProcessName", - "winlog.event_data.NewSchemeGuid", - "winlog.event_data.NewTime", - "winlog.event_data.NominalFrequency", - "winlog.event_data.Number", - "winlog.event_data.OldSchemeGuid", - "winlog.event_data.OldTime", - "winlog.event_data.OriginalFileName", - "winlog.event_data.Path", - "winlog.event_data.PerformanceImplementation", - "winlog.event_data.PreviousCreationUtcTime", - "winlog.event_data.PreviousTime", - "winlog.event_data.PrivilegeList", - "winlog.event_data.ProcessId", - "winlog.event_data.ProcessName", - "winlog.event_data.ProcessPath", - "winlog.event_data.ProcessPid", - "winlog.event_data.Product", - "winlog.event_data.PuaCount", - "winlog.event_data.PuaPolicyId", - "winlog.event_data.QfeVersion", - "winlog.event_data.Reason", - "winlog.event_data.SchemaVersion", - "winlog.event_data.ScriptBlockText", - "winlog.event_data.ServiceName", - "winlog.event_data.ServiceVersion", - "winlog.event_data.ShutdownActionType", - "winlog.event_data.ShutdownEventCode", - "winlog.event_data.ShutdownReason", - "winlog.event_data.Signature", - "winlog.event_data.SignatureStatus", - 
"winlog.event_data.Signed", - "winlog.event_data.StartTime", - "winlog.event_data.State", - "winlog.event_data.Status", - "winlog.event_data.StopTime", - "winlog.event_data.SubjectDomainName", - "winlog.event_data.SubjectLogonId", - "winlog.event_data.SubjectUserName", - "winlog.event_data.SubjectUserSid", - "winlog.event_data.TSId", - "winlog.event_data.TargetDomainName", - "winlog.event_data.TargetInfo", - "winlog.event_data.TargetLogonGuid", - "winlog.event_data.TargetLogonId", - "winlog.event_data.TargetServerName", - "winlog.event_data.TargetUserName", - "winlog.event_data.TargetUserSid", - "winlog.event_data.TerminalSessionId", - "winlog.event_data.TokenElevationType", - "winlog.event_data.TransmittedServices", - "winlog.event_data.UserSid", - "winlog.event_data.Version", - "winlog.event_data.Workstation", - "winlog.event_data.param1", - "winlog.event_data.param2", - "winlog.event_data.param3", - "winlog.event_data.param4", - "winlog.event_data.param5", - "winlog.event_data.param6", - "winlog.event_data.param7", - "winlog.event_data.param8", - "winlog.event_id", - "winlog.keywords", - "winlog.channel", - "winlog.record_id", - "winlog.related_activity_id", - "winlog.opcode", - "winlog.provider_guid", - "winlog.provider_name", - "winlog.task", - "winlog.user.identifier", - "winlog.user.name", - "winlog.user.domain", - "winlog.user.type" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - }, - { - "winlog.user_data": { - "path_match": "winlog.user_data.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "winlog": { - "properties": { - "related_activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - } - } - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_data": { - "properties": { - "SignatureStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginalFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Product": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "StopTime": { - "ignore_above": 1024, 
- "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorruptionActionState": { - "ignore_above": 1024, - "type": "keyword" - }, - "KeyLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousCreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "PerformanceImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Group": { - "ignore_above": 1024, - "type": "keyword" - }, - "Description": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownActionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "DwordVal": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMajor": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptBlockText": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "MaximumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "FinalStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleStateCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "MajorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "Path": { - "ignore_above": 1024, - "type": "keyword" - }, - "SchemaVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "TokenElevationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleImplementation": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "ProcessPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "QfeVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMinor": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Company": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaPolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntegrityLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastShutdownGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpPort": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastBootGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signed": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownEventCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberName": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "TerminalSessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "CreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetServerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Number": { - "ignore_above": 1024, - "type": "keyword" - }, - "BuildVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TSId": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrivilegeList": { - "ignore_above": 1024, - "type": "keyword" - }, - "param7": { - "ignore_above": 1024, - "type": "keyword" - }, - "param8": { - "ignore_above": 1024, - "type": "keyword" - }, - "param5": { - "ignore_above": 1024, - "type": "keyword" - }, - "param6": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriveName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExtraInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "param3": { - "ignore_above": 1024, - "type": "keyword" - }, - "param4": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "param1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param2": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workstation": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumThrottlePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EntryCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "BitlockerUserInputTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuthenticationPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NominalFrequency": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { 
- "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "system" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "system.system" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - 
"properties": { - "message": { - "type": "match_only_text" - } - } - }, - "message": { - "type": "match_only_text" - } - } - } - }, - "_meta": { - "package": { - "name": "system" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json deleted file mode 100644 index 967641107..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json +++ /dev/null 
@@ -1,2544 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-windows.forwarded-1.20.1", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "analysis": { - "analyzer": { - "powershell_script_analyzer": { - "pattern": "[\\W&&[^-]]+", - "type": "pattern" - } - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.outcome", - "event.provider", - "event.type", - "tags", - "input.type", - "destination.domain", - "destination.user.domain", - "destination.user.id", - "destination.user.name", - "dns.answers.class", - "dns.answers.data", - "dns.answers.name", - "dns.answers.type", - "dns.header_flags", - "dns.id", - "dns.op_code", - "dns.question.class", - "dns.question.name", - "dns.question.registered_domain", - "dns.question.subdomain", - "dns.question.top_level_domain", - "dns.question.type", - "dns.response_code", - "dns.type", - "ecs.version", - "file.code_signature.status", - "file.code_signature.subject_name", - "file.directory", - "file.extension", - "file.hash.md5", - "file.hash.sha1", - "file.hash.sha256", - "file.hash.sha512", - "file.name", - "file.path", - "file.pe.architecture", - "file.pe.company", - "file.pe.description", - "file.pe.file_version", - "file.pe.imphash", - "file.pe.original_file_name", - "file.pe.product", - "group.domain", - "group.id", - "group.name", - 
"log.file.path", - "log.level", - "message", - "network.community_id", - "network.direction", - "network.protocol", - "network.transport", - "network.type", - "process.args", - "process.command_line", - "process.entity_id", - "process.executable", - "process.hash.md5", - "process.hash.sha1", - "process.hash.sha256", - "process.hash.sha512", - "process.name", - "process.parent.args", - "process.parent.command_line", - "process.parent.entity_id", - "process.parent.executable", - "process.parent.hash.md5", - "process.parent.hash.sha1", - "process.parent.hash.sha256", - "process.parent.hash.sha512", - "process.parent.name", - "process.parent.pe.architecture", - "process.parent.pe.company", - "process.parent.pe.description", - "process.parent.pe.file_version", - "process.parent.pe.imphash", - "process.parent.pe.original_file_name", - "process.parent.pe.product", - "process.parent.title", - "process.pe.architecture", - "process.pe.company", - "process.pe.description", - "process.pe.file_version", - "process.pe.imphash", - "process.pe.original_file_name", - "process.pe.product", - "process.title", - "process.working_directory", - "registry.data.strings", - "registry.data.type", - "registry.hive", - "registry.key", - "registry.path", - "registry.value", - "related.hash", - "related.hosts", - "related.user", - "rule.name", - "service.name", - "service.type", - "source.domain", - "source.user.domain", - "source.user.id", - "source.user.name", - "user.domain", - "user.id", - "user.name", - "user.target.group.domain", - "user.target.group.id", - "user.target.group.name", - "user.target.name", - "sysmon.dns.status", - "winlog.logon.type", - "winlog.logon.id", - "winlog.logon.failure.reason", - "winlog.logon.failure.status", - "winlog.logon.failure.sub_status", - "winlog.api", - "winlog.activity_id", - "winlog.computer_name", - "winlog.level", - "winlog.outcome", - "winlog.trustAttribute", - "winlog.trustDirection", - "winlog.trustType", - "winlog.computerObject.domain", - 
"winlog.computerObject.id", - "winlog.computerObject.name", - "winlog.event_data.AccessGranted", - "winlog.event_data.AccessMask", - "winlog.event_data.AccessMaskDescription", - "winlog.event_data.AccessRemoved", - "winlog.event_data.AccountDomain", - "winlog.event_data.AccountExpires", - "winlog.event_data.AccountName", - "winlog.event_data.AllowedToDelegateTo", - "winlog.event_data.AuditPolicyChanges", - "winlog.event_data.AuditPolicyChangesDescription", - "winlog.event_data.AuditSourceName", - "winlog.event_data.AuthenticationPackageName", - "winlog.event_data.Binary", - "winlog.event_data.BitlockerUserInputTime", - "winlog.event_data.BootMode", - "winlog.event_data.BootType", - "winlog.event_data.BuildVersion", - "winlog.event_data.CallerProcessId", - "winlog.event_data.CallerProcessName", - "winlog.event_data.Category", - "winlog.event_data.CategoryId", - "winlog.event_data.ClientAddress", - "winlog.event_data.ClientInfo", - "winlog.event_data.ClientName", - "winlog.event_data.CommandLine", - "winlog.event_data.Company", - "winlog.event_data.ComputerAccountChange", - "winlog.event_data.Configuration", - "winlog.event_data.CorruptionActionState", - "winlog.event_data.CrashOnAuditFailValue", - "winlog.event_data.CreationUtcTime", - "winlog.event_data.Description", - "winlog.event_data.Detail", - "winlog.event_data.DeviceName", - "winlog.event_data.DeviceNameLength", - "winlog.event_data.DeviceTime", - "winlog.event_data.DeviceVersionMajor", - "winlog.event_data.DeviceVersionMinor", - "winlog.event_data.DisplayName", - "winlog.event_data.DnsHostName", - "winlog.event_data.DomainBehaviorVersion", - "winlog.event_data.DomainName", - "winlog.event_data.DomainPolicyChanged", - "winlog.event_data.DomainSid", - "winlog.event_data.DriveName", - "winlog.event_data.DriverName", - "winlog.event_data.DriverNameLength", - "winlog.event_data.Dummy", - "winlog.event_data.DwordVal", - "winlog.event_data.EntryCount", - "winlog.event_data.EventSourceId", - 
"winlog.event_data.EventType", - "winlog.event_data.ExtraInfo", - "winlog.event_data.FailureName", - "winlog.event_data.FailureNameLength", - "winlog.event_data.FailureReason", - "winlog.event_data.FileVersion", - "winlog.event_data.FinalStatus", - "winlog.event_data.Group", - "winlog.event_data.GroupTypeChange", - "winlog.event_data.HandleId", - "winlog.event_data.HomeDirectory", - "winlog.event_data.HomePath", - "winlog.event_data.IdleImplementation", - "winlog.event_data.IdleStateCount", - "winlog.event_data.ImpersonationLevel", - "winlog.event_data.IntegrityLevel", - "winlog.event_data.IpAddress", - "winlog.event_data.IpPort", - "winlog.event_data.KerberosPolicyChange", - "winlog.event_data.KeyLength", - "winlog.event_data.LastBootGood", - "winlog.event_data.LastShutdownGood", - "winlog.event_data.LmPackageName", - "winlog.event_data.LogonGuid", - "winlog.event_data.LogonHours", - "winlog.event_data.LogonId", - "winlog.event_data.LogonID", - "winlog.event_data.LogonProcessName", - "winlog.event_data.LogonType", - "winlog.event_data.MachineAccountQuota", - "winlog.event_data.MajorVersion", - "winlog.event_data.MandatoryLabel", - "winlog.event_data.MaximumPerformancePercent", - "winlog.event_data.MemberName", - "winlog.event_data.MemberSid", - "winlog.event_data.MinimumPerformancePercent", - "winlog.event_data.MinimumThrottlePercent", - "winlog.event_data.MinorVersion", - "winlog.event_data.MixedDomainMode", - "winlog.event_data.NewProcessId", - "winlog.event_data.NewProcessName", - "winlog.event_data.NewSchemeGuid", - "winlog.event_data.NewSd", - "winlog.event_data.NewSdDacl0", - "winlog.event_data.NewSdDacl1", - "winlog.event_data.NewSdDacl2", - "winlog.event_data.NewSdSacl0", - "winlog.event_data.NewSdSacl1", - "winlog.event_data.NewSdSacl2", - "winlog.event_data.NewTargetUserName", - "winlog.event_data.NewTime", - "winlog.event_data.NewUACList", - "winlog.event_data.NewUacValue", - "winlog.event_data.NominalFrequency", - "winlog.event_data.Number", - 
"winlog.event_data.ObjectName", - "winlog.event_data.ObjectServer", - "winlog.event_data.ObjectType", - "winlog.event_data.OemInformation", - "winlog.event_data.OldSchemeGuid", - "winlog.event_data.OldSd", - "winlog.event_data.OldSdDacl0", - "winlog.event_data.OldSdDacl1", - "winlog.event_data.OldSdDacl2", - "winlog.event_data.OldSdSacl0", - "winlog.event_data.OldSdSacl1", - "winlog.event_data.OldSdSacl2", - "winlog.event_data.OldTargetUserName", - "winlog.event_data.OldTime", - "winlog.event_data.OldUacValue", - "winlog.event_data.OriginalFileName", - "winlog.event_data.PackageName", - "winlog.event_data.PasswordLastSet", - "winlog.event_data.PasswordHistoryLength", - "winlog.event_data.Path", - "winlog.event_data.ParentProcessName", - "winlog.event_data.PerformanceImplementation", - "winlog.event_data.PreviousCreationUtcTime", - "winlog.event_data.PreAuthType", - "winlog.event_data.PreviousTime", - "winlog.event_data.PrimaryGroupId", - "winlog.event_data.PrivilegeList", - "winlog.event_data.ProcessId", - "winlog.event_data.ProcessName", - "winlog.event_data.ProcessPath", - "winlog.event_data.ProcessPid", - "winlog.event_data.Product", - "winlog.event_data.ProfilePath", - "winlog.event_data.PuaCount", - "winlog.event_data.PuaPolicyId", - "winlog.event_data.QfeVersion", - "winlog.event_data.Reason", - "winlog.event_data.SamAccountName", - "winlog.event_data.SchemaVersion", - "winlog.event_data.ScriptPath", - "winlog.event_data.Session", - "winlog.event_data.SidHistory", - "winlog.event_data.ScriptBlockText", - "winlog.event_data.Service", - "winlog.event_data.ServiceAccount", - "winlog.event_data.ServiceFileName", - "winlog.event_data.ServiceName", - "winlog.event_data.ServicePrincipalNames", - "winlog.event_data.ServiceSid", - "winlog.event_data.ServiceStartType", - "winlog.event_data.ServiceType", - "winlog.event_data.ServiceVersion", - "winlog.event_data.SessionName", - "winlog.event_data.ShutdownActionType", - "winlog.event_data.ShutdownEventCode", - 
"winlog.event_data.ShutdownReason", - "winlog.event_data.SidFilteringEnabled", - "winlog.event_data.Signature", - "winlog.event_data.SignatureStatus", - "winlog.event_data.Signed", - "winlog.event_data.StartTime", - "winlog.event_data.State", - "winlog.event_data.Status", - "winlog.event_data.StatusDescription", - "winlog.event_data.StopTime", - "winlog.event_data.SubCategory", - "winlog.event_data.SubCategoryGuid", - "winlog.event_data.SubcategoryGuid", - "winlog.event_data.SubCategoryId", - "winlog.event_data.SubcategoryId", - "winlog.event_data.SubjectDomainName", - "winlog.event_data.SubjectLogonId", - "winlog.event_data.SubjectUserName", - "winlog.event_data.SubjectUserSid", - "winlog.event_data.SubStatus", - "winlog.event_data.TSId", - "winlog.event_data.TargetDomainName", - "winlog.event_data.TargetInfo", - "winlog.event_data.TargetLogonGuid", - "winlog.event_data.TargetLogonId", - "winlog.event_data.TargetServerName", - "winlog.event_data.TargetSid", - "winlog.event_data.TargetUserName", - "winlog.event_data.TargetUserSid", - "winlog.event_data.TdoAttributes", - "winlog.event_data.TdoDirection", - "winlog.event_data.TdoType", - "winlog.event_data.TerminalSessionId", - "winlog.event_data.TicketEncryptionType", - "winlog.event_data.TicketEncryptionTypeDescription", - "winlog.event_data.TicketOptions", - "winlog.event_data.TicketOptionsDescription", - "winlog.event_data.TokenElevationType", - "winlog.event_data.TransmittedServices", - "winlog.event_data.UserAccountControl", - "winlog.event_data.UserParameters", - "winlog.event_data.UserPrincipalName", - "winlog.event_data.UserSid", - "winlog.event_data.UserWorkstations", - "winlog.event_data.Version", - "winlog.event_data.Workstation", - "winlog.event_data.WorkstationName", - "winlog.event_data.param1", - "winlog.event_data.param2", - "winlog.event_data.param3", - "winlog.event_data.param4", - "winlog.event_data.param5", - "winlog.event_data.param6", - "winlog.event_data.param7", - "winlog.event_data.param8", 
- "winlog.event_id", - "winlog.keywords", - "winlog.channel", - "winlog.record_id", - "winlog.related_activity_id", - "winlog.opcode", - "winlog.provider_guid", - "winlog.provider_name", - "winlog.task", - "winlog.user_data.BackupPath", - "winlog.user_data.Channel", - "winlog.user_data.SubjectDomainName", - "winlog.user_data.SubjectLogonId", - "winlog.user_data.SubjectUserName", - "winlog.user_data.SubjectUserSid", - "winlog.user_data.xml_name", - "winlog.user.identifier", - "winlog.user.name", - "winlog.user.domain", - "winlog.user.type", - "powershell.id", - "powershell.pipeline_id", - "powershell.runspace_id", - "powershell.command.path", - "powershell.command.name", - "powershell.command.type", - "powershell.command.value", - "powershell.connected_user.domain", - "powershell.connected_user.name", - "powershell.engine.version", - "powershell.engine.previous_state", - "powershell.engine.new_state", - "powershell.file.script_block_id", - "powershell.file.script_block_text", - "powershell.process.executable_version", - "powershell.provider.new_state", - "powershell.provider.name" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sysmon": { - "properties": { - "file": { - "properties": { - "archived": { - "type": "boolean" - }, - "is_executable": { - "type": "boolean" - } - } - }, - "dns": { - "properties": { - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "level": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "port": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "rule": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "port": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "network": { - "properties": { - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - 
"id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "valid": { - "type": "boolean" - }, - "trusted": { - "type": "boolean" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 
1024, - "type": "keyword" - } - } - }, - "powershell": { - "properties": { - "sequence": { - "type": "long" - }, - "total": { - "type": "long" - }, - "connected_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "executable_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "script_block_text": { - "search_analyzer": "powershell_script_analyzer", - "analyzer": "powershell_script_analyzer", - "type": "text" - }, - "script_block_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "engine": { - "properties": { - "previous_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "runspace_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pipeline_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "command": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "type": "text" - } - } - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { 
- "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "windows" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "windows.forwarded" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "registry": { - "properties": { - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "properties": { - "strings": { - "ignore_above": 1024, - "type": "wildcard" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": 
{ - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "start": { - "type": "date" - }, - "pid": { - "type": "long" - }, - "args_count": { - "type": "long" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "wildcard", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "pe": { - "properties": { - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 
1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "pid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "args_count": { - "type": "long" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "wildcard", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "winlog": { - "properties": { - "related_activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "logon": { - "properties": { - "failure": { - "properties": { - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_data": { - "properties": { - 
"ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Configuration": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginalFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Product": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonHours": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketOptions": { - "ignore_above": 1024, - "type": "keyword" - }, - "AllowedToDelegateTo": { - "ignore_above": 1024, - "type": "keyword" - }, - "TdoAttributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "StopTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessMask": { - "ignore_above": 1024, - "type": "keyword" - }, - "KeyLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "SessionName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PasswordHistoryLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSd": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Group": { - "ignore_above": 1024, - "type": "keyword" - }, - "PackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownActionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "DwordVal": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMajor": { - "ignore_above": 1024, - "type": "keyword" - }, - "SidHistory": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "WorkstationName": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"SubStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleStateCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Path": { - "ignore_above": 1024, - "type": "keyword" - }, - "SchemaVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "CrashOnAuditFailValue": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMinor": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "HandleId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DnsHostName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastShutdownGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpPort": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastBootGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "MachineAccountQuota": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldUacValue": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserParameters": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signed": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubCategoryId": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewUacValue": { - "ignore_above": 1024, - "type": "keyword" - }, - "CallerProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"ProfilePath": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ComputerAccountChange": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainPolicyChanged": { - "ignore_above": 1024, - "type": "keyword" - }, - "CategoryId": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreAuthType": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccountDomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewUACList": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubcategoryGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "SidFilteringEnabled": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetServerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuditPolicyChanges": { - "ignore_above": 1024, - "type": "keyword" - }, - "Number": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "EventSourceId": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriveName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExtraInfo": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "PrimaryGroupId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ObjectName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workstation": { - "ignore_above": 1024, - "type": "keyword" - }, - "PasswordLastSet": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumThrottlePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "GroupTypeChange": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuthenticationPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NominalFrequency": { - "ignore_above": 1024, - "type": "keyword" - }, - "SignatureStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketEncryptionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketOptionsDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ObjectServer": { - "ignore_above": 1024, - "type": "keyword" - }, - "HomePath": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserWorkstations": { - "ignore_above": 1024, - "type": "keyword" - }, - "SamAccountName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorruptionActionState": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuditSourceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubCategoryGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousCreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuditPolicyChangesDescription": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "AccessMaskDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccountName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PerformanceImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketEncryptionTypeDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceAccount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Description": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptBlockText": { - "ignore_above": 1024, - "type": "keyword" - }, - "ObjectType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServicePrincipalNames": { - "ignore_above": 1024, - "type": "keyword" - }, - "MaximumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "KerberosPolicyChange": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "FinalStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "MajorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "MandatoryLabel": { - "ignore_above": 1024, - "type": "keyword" - }, - "HomeDirectory": { - "ignore_above": 1024, - "type": "keyword" - }, - "TokenElevationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "QfeVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccountExpires": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceStartType": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserPrincipalName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdSacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "Dummy": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"NewSdSacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdSacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "Company": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaPolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdSacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "EventType": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntegrityLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdSacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdSacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSd": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientName": { - "ignore_above": 1024, - "type": "keyword" - }, - "StatusDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdDacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdDacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdDacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainBehaviorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessGranted": { - "ignore_above": 1024, - "type": "keyword" - }, - "ParentProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubcategoryId": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessRemoved": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownEventCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "MixedDomainMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientInfo": { - "ignore_above": 1024, - "type": "keyword" - 
}, - "Detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdDacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdDacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "Category": { - "ignore_above": 1024, - "type": "keyword" - }, - "TerminalSessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdDacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "CreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "CallerProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TdoType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DisplayName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BuildVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TSId": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrivilegeList": { - "ignore_above": 1024, - "type": "keyword" - }, - "param7": { - "ignore_above": 1024, - "type": "keyword" - }, - "param8": { - "ignore_above": 1024, - "type": "keyword" - }, - "param5": { - "ignore_above": 1024, - "type": "keyword" - }, - "param6": { - "ignore_above": 1024, - "type": "keyword" - }, - "Service": { - "ignore_above": 1024, - "type": "keyword" - }, - "TdoDirection": { - "ignore_above": 1024, - "type": "keyword" - }, - "param3": { - "ignore_above": 1024, - "type": "keyword" - }, - "param4": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "param1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param2": { - "ignore_above": 1024, - "type": "keyword" - }, - "CommandLine": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserAccountControl": { - "ignore_above": 1024, - "type": "keyword" - }, - "OemInformation": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubCategory": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EntryCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonID": { - "ignore_above": 1024, - "type": "keyword" - }, - "BitlockerUserInputTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Session": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "time_created": { - "type": "date" - }, - "trustDirection": { - "ignore_above": 1024, - "type": "keyword" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trustAttribute": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "computerObject": { - "properties": { - "domain": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user_data": { - "properties": { - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BackupPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "Channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "xml_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "type": "long" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "trustType": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "dns": { - "properties": { - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "answers": { - "properties": { - "data": { - "ignore_above": 
1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - } - } - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "type": "match_only_text" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "input": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dataset": { - "properties": { - "name": { - "type": "constant_keyword" - }, - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - } - } - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "windows" - }, - "managed_by": "fleet", 
- "managed": true
- }
- }
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json
deleted file mode 100644
index fe77af1db..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "template": {
- "settings": {}
- },
- "_meta": {
- "package": {
- "name": "elastic_agent"
- },
- "managed_by": "fleet",
- "managed": true
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json
deleted file mode 100644
index ad0ff857e..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json
+++ /dev/null
@@ -1,1335 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-windows.powershell-1.20.1", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "analysis": { - "analyzer": { - "powershell_script_analyzer": { - "pattern": "[\\W&&[^-]]+", - "type": "pattern" - } - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.outcome", - "event.provider", - "event.type", - "tags", - "input.type", - "destination.user.domain", - "destination.user.id", - "destination.user.name", - "ecs.version", - "file.directory", - "file.extension", - "file.name", - "file.path", - "log.level", - "message", - "process.args", - "process.command_line", - "process.entity_id", - "process.executable", - "process.name", - "process.title", - "related.hash", - "related.hosts", - "related.user", - "source.user.domain", - "source.user.id", - "source.user.name", - "user.domain", - "user.id", - "user.name", - "powershell.id", - "powershell.pipeline_id", - "powershell.runspace_id", - "powershell.command.path", - "powershell.command.name", - "powershell.command.type", - "powershell.command.value", - "powershell.connected_user.domain", - "powershell.connected_user.name", - "powershell.engine.version", - "powershell.engine.previous_state", - "powershell.engine.new_state", - "powershell.file.script_block_id", - 
"powershell.file.script_block_text", - "powershell.process.executable_version", - "powershell.provider.new_state", - "powershell.provider.name", - "winlog.api", - "winlog.activity_id", - "winlog.computer_name", - "winlog.event_data.AuthenticationPackageName", - "winlog.event_data.Binary", - "winlog.event_data.BitlockerUserInputTime", - "winlog.event_data.BootMode", - "winlog.event_data.BootType", - "winlog.event_data.BuildVersion", - "winlog.event_data.Company", - "winlog.event_data.CorruptionActionState", - "winlog.event_data.CreationUtcTime", - "winlog.event_data.Description", - "winlog.event_data.Detail", - "winlog.event_data.DeviceName", - "winlog.event_data.DeviceNameLength", - "winlog.event_data.DeviceTime", - "winlog.event_data.DeviceVersionMajor", - "winlog.event_data.DeviceVersionMinor", - "winlog.event_data.DriveName", - "winlog.event_data.DriverName", - "winlog.event_data.DriverNameLength", - "winlog.event_data.DwordVal", - "winlog.event_data.EntryCount", - "winlog.event_data.ExtraInfo", - "winlog.event_data.FailureName", - "winlog.event_data.FailureNameLength", - "winlog.event_data.FileVersion", - "winlog.event_data.FinalStatus", - "winlog.event_data.Group", - "winlog.event_data.IdleImplementation", - "winlog.event_data.IdleStateCount", - "winlog.event_data.ImpersonationLevel", - "winlog.event_data.IntegrityLevel", - "winlog.event_data.IpAddress", - "winlog.event_data.IpPort", - "winlog.event_data.KeyLength", - "winlog.event_data.LastBootGood", - "winlog.event_data.LastShutdownGood", - "winlog.event_data.LmPackageName", - "winlog.event_data.LogonGuid", - "winlog.event_data.LogonId", - "winlog.event_data.LogonProcessName", - "winlog.event_data.LogonType", - "winlog.event_data.MajorVersion", - "winlog.event_data.MaximumPerformancePercent", - "winlog.event_data.MemberName", - "winlog.event_data.MemberSid", - "winlog.event_data.MinimumPerformancePercent", - "winlog.event_data.MinimumThrottlePercent", - "winlog.event_data.MinorVersion", - 
"winlog.event_data.NewProcessId", - "winlog.event_data.NewProcessName", - "winlog.event_data.NewSchemeGuid", - "winlog.event_data.NewTime", - "winlog.event_data.NominalFrequency", - "winlog.event_data.Number", - "winlog.event_data.OldSchemeGuid", - "winlog.event_data.OldTime", - "winlog.event_data.OriginalFileName", - "winlog.event_data.Path", - "winlog.event_data.PerformanceImplementation", - "winlog.event_data.PreviousCreationUtcTime", - "winlog.event_data.PreviousTime", - "winlog.event_data.PrivilegeList", - "winlog.event_data.ProcessId", - "winlog.event_data.ProcessName", - "winlog.event_data.ProcessPath", - "winlog.event_data.ProcessPid", - "winlog.event_data.Product", - "winlog.event_data.PuaCount", - "winlog.event_data.PuaPolicyId", - "winlog.event_data.QfeVersion", - "winlog.event_data.Reason", - "winlog.event_data.SchemaVersion", - "winlog.event_data.ScriptBlockText", - "winlog.event_data.ServiceName", - "winlog.event_data.ServiceVersion", - "winlog.event_data.ShutdownActionType", - "winlog.event_data.ShutdownEventCode", - "winlog.event_data.ShutdownReason", - "winlog.event_data.Signature", - "winlog.event_data.SignatureStatus", - "winlog.event_data.Signed", - "winlog.event_data.StartTime", - "winlog.event_data.State", - "winlog.event_data.Status", - "winlog.event_data.StopTime", - "winlog.event_data.SubjectDomainName", - "winlog.event_data.SubjectLogonId", - "winlog.event_data.SubjectUserName", - "winlog.event_data.SubjectUserSid", - "winlog.event_data.TSId", - "winlog.event_data.TargetDomainName", - "winlog.event_data.TargetInfo", - "winlog.event_data.TargetLogonGuid", - "winlog.event_data.TargetLogonId", - "winlog.event_data.TargetServerName", - "winlog.event_data.TargetUserName", - "winlog.event_data.TargetUserSid", - "winlog.event_data.TerminalSessionId", - "winlog.event_data.TokenElevationType", - "winlog.event_data.TransmittedServices", - "winlog.event_data.UserSid", - "winlog.event_data.Version", - "winlog.event_data.Workstation", - 
"winlog.event_data.param1", - "winlog.event_data.param2", - "winlog.event_data.param3", - "winlog.event_data.param4", - "winlog.event_data.param5", - "winlog.event_data.param6", - "winlog.event_data.param7", - "winlog.event_data.param8", - "winlog.event_id", - "winlog.keywords", - "winlog.channel", - "winlog.record_id", - "winlog.related_activity_id", - "winlog.opcode", - "winlog.provider_guid", - "winlog.provider_name", - "winlog.task", - "winlog.user.identifier", - "winlog.user.name", - "winlog.user.domain", - "winlog.user.type" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - }, - { - "winlog.user_data": { - "path_match": "winlog.user_data.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "pid": { - "type": "long" - }, - "args_count": { - "type": "long" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "wildcard", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - } - } - }, - "winlog": { - "properties": { - "related_activity_id": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - } - } - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_data": { - "properties": { - "SignatureStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginalFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Product": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "StopTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorruptionActionState": { - "ignore_above": 1024, - "type": "keyword" - }, - "KeyLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousCreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "PerformanceImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Group": { - "ignore_above": 1024, - "type": "keyword" - }, - "Description": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownActionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "DwordVal": { - "ignore_above": 
1024, - "type": "keyword" - }, - "ProcessPid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMajor": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptBlockText": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "MaximumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "FinalStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleStateCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "MajorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "Path": { - "ignore_above": 1024, - "type": "keyword" - }, - "SchemaVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "TokenElevationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "QfeVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMinor": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Company": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaPolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntegrityLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastShutdownGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpPort": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserSid": { 
- "ignore_above": 1024, - "type": "keyword" - }, - "LastBootGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signed": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownEventCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "TerminalSessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "CreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetServerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Number": { - "ignore_above": 1024, - "type": "keyword" - }, - "BuildVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "MinimumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TSId": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrivilegeList": { - "ignore_above": 1024, - "type": "keyword" - }, - "param7": { - "ignore_above": 1024, - "type": "keyword" - }, - "param8": { - "ignore_above": 1024, - "type": "keyword" - }, - "param5": { - "ignore_above": 1024, - "type": "keyword" - }, - "param6": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriveName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExtraInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "param3": { - "ignore_above": 1024, - "type": "keyword" - }, - "param4": { - "ignore_above": 1024, - "type": "keyword" - }, - "param1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param2": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workstation": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumThrottlePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EntryCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "BitlockerUserInputTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuthenticationPackageName": { - "ignore_above": 
1024, - "type": "keyword" - }, - "NominalFrequency": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "source": { - "properties": { - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "message": { - "type": "match_only_text" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 
1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "input": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "powershell": { - "properties": { - "sequence": { - "type": "long" - }, - "total": { - "type": "long" - }, - "connected_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - 
"executable_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "script_block_text": { - "search_analyzer": "powershell_script_analyzer", - "analyzer": "powershell_script_analyzer", - "type": "text" - }, - "script_block_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "engine": { - "properties": { - "previous_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "runspace_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pipeline_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "command": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "type": "text" - } - } - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 
1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "windows" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "windows.powershell" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dataset": { - "properties": { - "name": { - "type": "constant_keyword" - }, - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - } - } - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "windows" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json deleted file mode 100644 index fe77af1db..000000000 
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "template": {
- "settings": {}
- },
- "_meta": {
- "package": {
- "name": "elastic_agent"
- },
- "managed_by": "fleet",
- "managed": true
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json
deleted file mode 100644
index b5cc588c9..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json
+++ /dev/null
@@ -1,1334 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-windows.powershell_operational-1.20.1", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "analysis": { - "analyzer": { - "powershell_script_analyzer": { - "pattern": "[\\W&&[^-]]+", - "type": "pattern" - } - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.outcome", - "event.provider", - "event.type", - "tags", - "input.type", - "destination.user.domain", - "destination.user.id", - "destination.user.name", - "ecs.version", - "file.directory", - "file.extension", - "file.name", - "file.path", - "log.level", - "message", - "process.args", - "process.command_line", - "process.entity_id", - "process.executable", - "process.name", - "process.title", - "related.hash", - "related.hosts", - "related.user", - "source.user.domain", - "source.user.id", - "source.user.name", - "user.domain", - "user.id", - "user.name", - "powershell.id", - "powershell.pipeline_id", - "powershell.runspace_id", - "powershell.command.path", - "powershell.command.name", - "powershell.command.type", - "powershell.command.value", - "powershell.connected_user.domain", - "powershell.connected_user.name", - "powershell.engine.version", - "powershell.engine.previous_state", - "powershell.engine.new_state", - "powershell.file.script_block_id", - 
"powershell.file.script_block_text", - "powershell.process.executable_version", - "powershell.provider.new_state", - "powershell.provider.name", - "winlog.api", - "winlog.activity_id", - "winlog.computer_name", - "winlog.event_data.AuthenticationPackageName", - "winlog.event_data.Binary", - "winlog.event_data.BitlockerUserInputTime", - "winlog.event_data.BootMode", - "winlog.event_data.BootType", - "winlog.event_data.BuildVersion", - "winlog.event_data.Company", - "winlog.event_data.CorruptionActionState", - "winlog.event_data.CreationUtcTime", - "winlog.event_data.Description", - "winlog.event_data.Detail", - "winlog.event_data.DeviceName", - "winlog.event_data.DeviceNameLength", - "winlog.event_data.DeviceTime", - "winlog.event_data.DeviceVersionMajor", - "winlog.event_data.DeviceVersionMinor", - "winlog.event_data.DriveName", - "winlog.event_data.DriverName", - "winlog.event_data.DriverNameLength", - "winlog.event_data.DwordVal", - "winlog.event_data.EntryCount", - "winlog.event_data.ExtraInfo", - "winlog.event_data.FailureName", - "winlog.event_data.FailureNameLength", - "winlog.event_data.FileVersion", - "winlog.event_data.FinalStatus", - "winlog.event_data.Group", - "winlog.event_data.IdleImplementation", - "winlog.event_data.IdleStateCount", - "winlog.event_data.ImpersonationLevel", - "winlog.event_data.IntegrityLevel", - "winlog.event_data.IpAddress", - "winlog.event_data.IpPort", - "winlog.event_data.KeyLength", - "winlog.event_data.LastBootGood", - "winlog.event_data.LastShutdownGood", - "winlog.event_data.LmPackageName", - "winlog.event_data.LogonGuid", - "winlog.event_data.LogonId", - "winlog.event_data.LogonProcessName", - "winlog.event_data.LogonType", - "winlog.event_data.MajorVersion", - "winlog.event_data.MaximumPerformancePercent", - "winlog.event_data.MemberName", - "winlog.event_data.MemberSid", - "winlog.event_data.MinimumPerformancePercent", - "winlog.event_data.MinimumThrottlePercent", - "winlog.event_data.MinorVersion", - 
"winlog.event_data.NewProcessId", - "winlog.event_data.NewProcessName", - "winlog.event_data.NewSchemeGuid", - "winlog.event_data.NewTime", - "winlog.event_data.NominalFrequency", - "winlog.event_data.Number", - "winlog.event_data.OldSchemeGuid", - "winlog.event_data.OldTime", - "winlog.event_data.OriginalFileName", - "winlog.event_data.Path", - "winlog.event_data.PerformanceImplementation", - "winlog.event_data.PreviousCreationUtcTime", - "winlog.event_data.PreviousTime", - "winlog.event_data.PrivilegeList", - "winlog.event_data.ProcessId", - "winlog.event_data.ProcessName", - "winlog.event_data.ProcessPath", - "winlog.event_data.ProcessPid", - "winlog.event_data.Product", - "winlog.event_data.PuaCount", - "winlog.event_data.PuaPolicyId", - "winlog.event_data.QfeVersion", - "winlog.event_data.Reason", - "winlog.event_data.SchemaVersion", - "winlog.event_data.ScriptBlockText", - "winlog.event_data.ServiceName", - "winlog.event_data.ServiceVersion", - "winlog.event_data.ShutdownActionType", - "winlog.event_data.ShutdownEventCode", - "winlog.event_data.ShutdownReason", - "winlog.event_data.Signature", - "winlog.event_data.SignatureStatus", - "winlog.event_data.Signed", - "winlog.event_data.StartTime", - "winlog.event_data.State", - "winlog.event_data.Status", - "winlog.event_data.StopTime", - "winlog.event_data.SubjectDomainName", - "winlog.event_data.SubjectLogonId", - "winlog.event_data.SubjectUserName", - "winlog.event_data.SubjectUserSid", - "winlog.event_data.TSId", - "winlog.event_data.TargetDomainName", - "winlog.event_data.TargetInfo", - "winlog.event_data.TargetLogonGuid", - "winlog.event_data.TargetLogonId", - "winlog.event_data.TargetServerName", - "winlog.event_data.TargetUserName", - "winlog.event_data.TargetUserSid", - "winlog.event_data.TerminalSessionId", - "winlog.event_data.TokenElevationType", - "winlog.event_data.TransmittedServices", - "winlog.event_data.UserSid", - "winlog.event_data.Version", - "winlog.event_data.Workstation", - 
"winlog.event_data.param1", - "winlog.event_data.param2", - "winlog.event_data.param3", - "winlog.event_data.param4", - "winlog.event_data.param5", - "winlog.event_data.param6", - "winlog.event_data.param7", - "winlog.event_data.param8", - "winlog.event_id", - "winlog.keywords", - "winlog.channel", - "winlog.record_id", - "winlog.related_activity_id", - "winlog.opcode", - "winlog.provider_guid", - "winlog.provider_name", - "winlog.task", - "winlog.user.identifier", - "winlog.user.name", - "winlog.user.domain", - "winlog.user.type" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - }, - { - "winlog.user_data": { - "path_match": "winlog.user_data.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "pid": { - "type": "long" - }, - "args_count": { - "type": "long" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "wildcard", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - } - } - }, - "winlog": { - "properties": { - "related_activity_id": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - } - } - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_data": { - "properties": { - "SignatureStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginalFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Product": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "StopTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorruptionActionState": { - "ignore_above": 1024, - "type": "keyword" - }, - "KeyLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousCreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "PerformanceImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Group": { - "ignore_above": 1024, - "type": "keyword" - }, - "Description": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownActionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "DwordVal": { - "ignore_above": 
1024, - "type": "keyword" - }, - "ProcessPid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMajor": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptBlockText": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "MaximumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "FinalStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleStateCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "MajorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "Path": { - "ignore_above": 1024, - "type": "keyword" - }, - "SchemaVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "TokenElevationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "QfeVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMinor": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Company": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaPolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntegrityLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastShutdownGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpPort": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserSid": { 
- "ignore_above": 1024, - "type": "keyword" - }, - "LastBootGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signed": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownEventCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "TerminalSessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "CreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetServerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Number": { - "ignore_above": 1024, - "type": "keyword" - }, - "BuildVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "MinimumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TSId": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrivilegeList": { - "ignore_above": 1024, - "type": "keyword" - }, - "param7": { - "ignore_above": 1024, - "type": "keyword" - }, - "param8": { - "ignore_above": 1024, - "type": "keyword" - }, - "param5": { - "ignore_above": 1024, - "type": "keyword" - }, - "param6": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriveName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExtraInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "param3": { - "ignore_above": 1024, - "type": "keyword" - }, - "param4": { - "ignore_above": 1024, - "type": "keyword" - }, - "param1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param2": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workstation": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumThrottlePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EntryCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "BitlockerUserInputTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuthenticationPackageName": { - "ignore_above": 
1024, - "type": "keyword" - }, - "NominalFrequency": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "source": { - "properties": { - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "message": { - "type": "match_only_text" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 
1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "input": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "powershell": { - "properties": { - "sequence": { - "type": "long" - }, - "total": { - "type": "long" - }, - "connected_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - 
"executable_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "script_block_text": { - "analyzer": "powershell_script_analyzer", - "type": "text" - }, - "script_block_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "engine": { - "properties": { - "previous_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "runspace_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pipeline_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "command": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "type": "text" - } - } - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "windows" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "windows.powershell_operational" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dataset": { - "properties": { - "name": { - "type": "constant_keyword" - }, - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - } - } - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "windows" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json +++ /dev/null 
@@ -1,12 +0,0 @@
-{
- "template": {
- "settings": {}
- },
- "_meta": {
- "package": {
- "name": "elastic_agent"
- },
- "managed_by": "fleet",
- "managed": true
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json
deleted file mode 100644
index 451eaf7aa..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json
+++ /dev/null
@@ -1,1752 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-windows.sysmon_operational-1.20.1", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.outcome", - "event.provider", - "event.type", - "tags", - "input.type", - "destination.domain", - "dns.answers.class", - "dns.answers.data", - "dns.answers.name", - "dns.answers.type", - "dns.header_flags", - "dns.id", - "dns.op_code", - "dns.question.class", - "dns.question.name", - "dns.question.registered_domain", - "dns.question.subdomain", - "dns.question.top_level_domain", - "dns.question.type", - "dns.response_code", - "dns.type", - "ecs.version", - "error.code", - "error.message", - "file.code_signature.status", - "file.code_signature.subject_name", - "file.directory", - "file.extension", - "file.hash.md5", - "file.hash.sha1", - "file.hash.sha256", - "file.hash.sha512", - "file.name", - "file.path", - "file.pe.architecture", - "file.pe.company", - "file.pe.description", - "file.pe.file_version", - "file.pe.imphash", - "file.pe.original_file_name", - "file.pe.product", - "group.domain", - "group.id", - "group.name", - "log.level", - "message", - "network.community_id", - "network.direction", - "network.protocol", - "network.transport", - "network.type", - "process.args", - 
"process.command_line", - "process.entity_id", - "process.executable", - "process.hash.md5", - "process.hash.sha1", - "process.hash.sha256", - "process.hash.sha512", - "process.name", - "process.parent.args", - "process.parent.command_line", - "process.parent.entity_id", - "process.parent.executable", - "process.parent.name", - "process.pe.architecture", - "process.pe.company", - "process.pe.description", - "process.pe.file_version", - "process.pe.imphash", - "process.pe.original_file_name", - "process.pe.product", - "process.title", - "process.working_directory", - "registry.data.strings", - "registry.data.type", - "registry.hive", - "registry.key", - "registry.path", - "registry.value", - "related.hash", - "related.hosts", - "related.user", - "rule.name", - "service.name", - "service.type", - "source.domain", - "user.domain", - "user.id", - "user.name", - "user.target.group.domain", - "user.target.group.id", - "user.target.group.name", - "user.target.name", - "sysmon.dns.status", - "winlog.api", - "winlog.activity_id", - "winlog.computer_name", - "winlog.event_data.AuthenticationPackageName", - "winlog.event_data.Binary", - "winlog.event_data.BitlockerUserInputTime", - "winlog.event_data.BootMode", - "winlog.event_data.BootType", - "winlog.event_data.BuildVersion", - "winlog.event_data.CallTrace", - "winlog.event_data.ClientInfo", - "winlog.event_data.Company", - "winlog.event_data.Configuration", - "winlog.event_data.CorruptionActionState", - "winlog.event_data.CreationUtcTime", - "winlog.event_data.Description", - "winlog.event_data.Detail", - "winlog.event_data.DeviceName", - "winlog.event_data.DeviceNameLength", - "winlog.event_data.DeviceTime", - "winlog.event_data.DeviceVersionMajor", - "winlog.event_data.DeviceVersionMinor", - "winlog.event_data.DriveName", - "winlog.event_data.DriverName", - "winlog.event_data.DriverNameLength", - "winlog.event_data.DwordVal", - "winlog.event_data.EntryCount", - "winlog.event_data.EventType", - 
"winlog.event_data.EventNamespace", - "winlog.event_data.ExtraInfo", - "winlog.event_data.FailureName", - "winlog.event_data.FailureNameLength", - "winlog.event_data.FileVersion", - "winlog.event_data.FinalStatus", - "winlog.event_data.GrantedAccess", - "winlog.event_data.Group", - "winlog.event_data.IdleImplementation", - "winlog.event_data.IdleStateCount", - "winlog.event_data.ImpersonationLevel", - "winlog.event_data.IntegrityLevel", - "winlog.event_data.IpAddress", - "winlog.event_data.IpPort", - "winlog.event_data.KeyLength", - "winlog.event_data.LastBootGood", - "winlog.event_data.LastShutdownGood", - "winlog.event_data.LmPackageName", - "winlog.event_data.LogonGuid", - "winlog.event_data.LogonId", - "winlog.event_data.LogonProcessName", - "winlog.event_data.LogonType", - "winlog.event_data.MajorVersion", - "winlog.event_data.MaximumPerformancePercent", - "winlog.event_data.MemberName", - "winlog.event_data.MemberSid", - "winlog.event_data.MinimumPerformancePercent", - "winlog.event_data.MinimumThrottlePercent", - "winlog.event_data.MinorVersion", - "winlog.event_data.Name", - "winlog.event_data.NewProcessId", - "winlog.event_data.NewProcessName", - "winlog.event_data.NewSchemeGuid", - "winlog.event_data.NewThreadId", - "winlog.event_data.NewTime", - "winlog.event_data.NominalFrequency", - "winlog.event_data.Number", - "winlog.event_data.OldSchemeGuid", - "winlog.event_data.OldTime", - "winlog.event_data.Operation", - "winlog.event_data.OriginalFileName", - "winlog.event_data.Path", - "winlog.event_data.PerformanceImplementation", - "winlog.event_data.PreviousCreationUtcTime", - "winlog.event_data.PreviousTime", - "winlog.event_data.PrivilegeList", - "winlog.event_data.ProcessId", - "winlog.event_data.ProcessName", - "winlog.event_data.ProcessPath", - "winlog.event_data.ProcessPid", - "winlog.event_data.Product", - "winlog.event_data.PuaCount", - "winlog.event_data.PuaPolicyId", - "winlog.event_data.QfeVersion", - "winlog.event_data.Query", - 
"winlog.event_data.Reason", - "winlog.event_data.SchemaVersion", - "winlog.event_data.ScriptBlockText", - "winlog.event_data.ServiceName", - "winlog.event_data.ServiceVersion", - "winlog.event_data.Session", - "winlog.event_data.ShutdownActionType", - "winlog.event_data.ShutdownEventCode", - "winlog.event_data.ShutdownReason", - "winlog.event_data.Signature", - "winlog.event_data.SignatureStatus", - "winlog.event_data.Signed", - "winlog.event_data.StartAddress", - "winlog.event_data.StartFunction", - "winlog.event_data.StartModule", - "winlog.event_data.StartTime", - "winlog.event_data.State", - "winlog.event_data.Status", - "winlog.event_data.StopTime", - "winlog.event_data.SubjectDomainName", - "winlog.event_data.SubjectLogonId", - "winlog.event_data.SubjectUserName", - "winlog.event_data.SubjectUserSid", - "winlog.event_data.TSId", - "winlog.event_data.TargetDomainName", - "winlog.event_data.TargetImage", - "winlog.event_data.TargetInfo", - "winlog.event_data.TargetLogonGuid", - "winlog.event_data.TargetLogonId", - "winlog.event_data.TargetProcessGUID", - "winlog.event_data.TargetProcessId", - "winlog.event_data.TargetServerName", - "winlog.event_data.TargetUserName", - "winlog.event_data.TargetUserSid", - "winlog.event_data.TerminalSessionId", - "winlog.event_data.TokenElevationType", - "winlog.event_data.TransmittedServices", - "winlog.event_data.Type", - "winlog.event_data.UserSid", - "winlog.event_data.Version", - "winlog.event_data.Workstation", - "winlog.event_data.param1", - "winlog.event_data.param2", - "winlog.event_data.param3", - "winlog.event_data.param4", - "winlog.event_data.param5", - "winlog.event_data.param6", - "winlog.event_data.param7", - "winlog.event_data.param8", - "winlog.event_id", - "winlog.keywords", - "winlog.channel", - "winlog.record_id", - "winlog.related_activity_id", - "winlog.opcode", - "winlog.provider_guid", - "winlog.provider_name", - "winlog.task", - "winlog.user.identifier", - "winlog.user.name", - "winlog.user.domain", - 
"winlog.user.type" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - }, - { - "winlog.user_data": { - "path_match": "winlog.user_data.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sysmon": { - "properties": { - "file": { - "properties": { - "archived": { - "type": "boolean" - }, - "is_executable": { - "type": "boolean" - } - } - }, - "dns": { - "properties": { - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "port": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - } - } - }, - "rule": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "port": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - } - } - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "type": "match_only_text" - } - } - }, - "network": { - "properties": { - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cloud": { - 
"properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "valid": { - "type": "boolean" - }, - "trusted": { - "type": "boolean" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "sha1": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "windows" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "windows.sysmon_operational" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "registry": { - "properties": { - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "properties": { - "strings": { - "ignore_above": 1024, - "type": "wildcard" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "pid": { - "type": "long" - }, - "args_count": { - "type": "long" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "command_line": { - "ignore_above": 1024, - "type": "wildcard", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - } - } - }, - "pe": { - "properties": { - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "pid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "args_count": { - "type": "long" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "wildcard", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "winlog": { - "properties": { - "related_activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - } - } - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_data": { - "properties": { - "SignatureStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"DeviceTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Configuration": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginalFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Query": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Product": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "CallTrace": { - "ignore_above": 1024, - "type": "keyword" - }, - "StopTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "GrantedAccess": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorruptionActionState": { - "ignore_above": 1024, - "type": "keyword" - }, - "KeyLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousCreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "PerformanceImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Group": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewThreadId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Description": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownActionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "DwordVal": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPid": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"DeviceVersionMajor": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptBlockText": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "MaximumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "FinalStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleStateCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "MajorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "Path": { - "ignore_above": 1024, - "type": "keyword" - }, - "SchemaVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "TokenElevationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "QfeVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMinor": { - "ignore_above": 1024, - "type": "keyword" - }, - "Type": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Company": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaPolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EventType": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntegrityLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastShutdownGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpPort": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "Name": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastBootGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetProcessGUID": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signed": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownEventCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartFunction": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "TerminalSessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Operation": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"CreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetServerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Number": { - "ignore_above": 1024, - "type": "keyword" - }, - "BuildVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetImage": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TSId": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrivilegeList": { - "ignore_above": 1024, - "type": "keyword" - }, - "param7": { - "ignore_above": 1024, - "type": "keyword" - }, - "param8": { - "ignore_above": 1024, - "type": "keyword" - }, - "param5": { - "ignore_above": 1024, - "type": "keyword" - }, - "param6": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriveName": { - "ignore_above": 1024, - "type": "keyword" - }, - "EventNamespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExtraInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartModule": { - "ignore_above": 1024, - "type": "keyword" - }, - "param3": { - "ignore_above": 1024, - "type": "keyword" - }, - "param4": { - "ignore_above": 1024, - "type": "keyword" - }, - "param1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param2": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workstation": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumThrottlePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EntryCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "BitlockerUserInputTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuthenticationPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NominalFrequency": { - "ignore_above": 1024, - "type": "keyword" - }, - "Session": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "dns": { - "properties": { - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "answers": { - "properties": { - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - } - } - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "type": "match_only_text" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "input": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dataset": { - "properties": { - "name": { - "type": "constant_keyword" - }, - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - } - } - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword", - 
"fields": { - "text": { - "type": "match_only_text" - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "windows" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/so/so-scan-mappings.json b/salt/elasticsearch/templates/component/so/so-scan-mappings.json index 60dc5b928..008a6ab10 100644 --- a/salt/elasticsearch/templates/component/so/so-scan-mappings.json +++ b/salt/elasticsearch/templates/component/so/so-scan-mappings.json @@ -20,7 +20,10 @@ "type": "float" } } - } + }, + "image_version": { + "type": "float" + } } }, "elf": { @@ -33,10 +36,17 @@ } } } - } + }, + "entropy": { + "properties": { + "entropy": { + "type": "float" + } + } + } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-ilm-policy-load b/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-ilm-policy-load index afb8bdc67..b00fcbedf 100755 --- a/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-ilm-policy-load +++ b/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-ilm-policy-load @@ -6,8 +6,7 @@ . /usr/sbin/so-common -{%- import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %} -{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %} +{%- from 'elasticsearch/template.map.jinja' import ES_INDEX_SETTINGS %} {%- for index, settings in ES_INDEX_SETTINGS.items() %} {%- if settings.policy is defined %} diff --git a/salt/firewall/containers.map.jinja b/salt/firewall/containers.map.jinja index 617b4a216..02e8a4644 100644 --- a/salt/firewall/containers.map.jinja +++ b/salt/firewall/containers.map.jinja 
@@ -58,6 +58,7 @@ {% set NODE_CONTAINERS = [ 'so-curator', 'so-elasticsearch', + 'so-elastic-agent', 'so-logstash', 'so-nginx', 'so-redis', diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 20b966e48..75df49b25 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -20,12 +20,12 @@ firewall: managersearch: [] receiver: [] searchnode: [] - securityonion_desktop: [] self: [] sensor: [] standalone: [] strelka_frontend: [] syslog: [] + desktop: [] customhostgroup0: [] customhostgroup1: [] customhostgroup2: [] @@ -198,9 +198,6 @@ firewall: portgroups: - redis - elasticsearch_node - self: - portgroups: - - syslog beats_endpoint: portgroups: - beats_5044 @@ -218,9 +215,6 @@ firewall: strelka_frontend: portgroups: - strelka_frontend - syslog: - portgroups: - - syslog analyst: portgroups: - nginx @@ -255,6 +249,12 @@ firewall: localhost: portgroups: - all + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -289,6 +289,11 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + desktop: + portgroups: + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update customhostgroup0: portgroups: [] customhostgroup1: @@ -370,6 +375,7 @@ firewall: - elastic_agent_data - elastic_agent_update - localrules + - sensoroni fleet: portgroups: - elasticsearch_rest @@ -383,6 +389,17 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + idh: + portgroups: + - docker_registry + - influxdb + - sensoroni + - yum + - beats_5044 + - beats_5644 + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update sensor: portgroups: - beats_5044 @@ -393,6 +410,7 @@ firewall: - yum - docker_registry - influxdb + - sensoroni searchnode: portgroups: - redis @@ -405,6 +423,7 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + - sensoroni heavynode: portgroups: - redis 
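Review bot: The `securityonion_desktop` hostgroup is renamed to `desktop` in the `@@ -20,12 +20,12 @@` hunk with no visible migration of pillar values stored under the old key, so an operator-entered allow-list for that hostgroup would be silently dropped on upgrade unless a migration exists elsewhere in the commit; the same rename appears in soc_firewall.yaml (`@@ -39,12 +39,12 @@`). If there is no migration, a comment next to the new key such as `desktop: []  # renamed from securityonion_desktop; values under the old key are not carried over` at least makes the break visible. Separately, the `desktop` role gets only the `elastic_agent_*` portgroups in the `@@ -289,6 +289,11 @@` hunk but `docker_registry`, `influxdb`, `sensoroni` and `yum` as well in the DOCKER-USER hunks (e.g. `@@ -448,9 +466,15 @@`); a one-line comment on why a desktop needs the broader set would help anyone reviewing the least-privilege posture of these chains.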
@@ -417,6 +436,7 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + - sensoroni receiver: portgroups: - yum @@ -425,12 +445,10 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update - self: + - sensoroni + analyst: portgroups: - - syslog - syslog: - portgroups: - - syslog + - nginx beats_endpoint: portgroups: - beats_5044 @@ -448,9 +466,15 @@ firewall: endgame: portgroups: - endgame - analyst: + desktop: portgroups: - - nginx + - docker_registry + - influxdb + - sensoroni + - yum + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update customhostgroup0: portgroups: [] customhostgroup1: @@ -482,6 +506,9 @@ firewall: fleet: portgroups: - salt_manager + idh: + portgroups: + - salt_manager localhost: portgroups: - all @@ -497,6 +524,15 @@ firewall: receiver: portgroups: - salt_manager + desktop: + portgroups: + - salt_manager + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -535,6 +571,7 @@ firewall: - elastic_agent_data - elastic_agent_update - localrules + - sensoroni fleet: portgroups: - elasticsearch_rest @@ -548,6 +585,17 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + idh: + portgroups: + - docker_registry + - influxdb + - sensoroni + - yum + - beats_5044 + - beats_5644 + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update sensor: portgroups: - beats_5044 @@ -558,6 +606,7 @@ firewall: - yum - docker_registry - influxdb + - sensoroni searchnode: portgroups: - redis @@ -569,6 +618,7 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + - sensoroni heavynode: portgroups: - redis @@ -580,6 +630,7 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + - sensoroni receiver: portgroups: - yum 
@@ -588,9 +639,10 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update - self: + - sensoroni + analyst: portgroups: - - syslog + - nginx beats_endpoint: portgroups: - beats_5044 @@ -608,12 +660,15 @@ firewall: endgame: portgroups: - endgame - syslog: + desktop: portgroups: - - syslog - analyst: - portgroups: - - nginx + - docker_registry + - influxdb + - sensoroni + - yum + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update customhostgroup0: portgroups: [] customhostgroup1: @@ -645,6 +700,9 @@ firewall: fleet: portgroups: - salt_manager + idh: + portgroups: + - salt_manager localhost: portgroups: - all @@ -660,6 +718,15 @@ firewall: receiver: portgroups: - salt_manager + desktop: + portgroups: + - salt_manager + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -723,6 +790,17 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + idh: + portgroups: + - docker_registry + - influxdb + - sensoroni + - yum + - beats_5044 + - beats_5644 + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update sensor: portgroups: - docker_registry @@ -760,9 +838,10 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update - self: + - sensoroni + analyst: portgroups: - - syslog + - nginx beats_endpoint: portgroups: - beats_5044 @@ -783,12 +862,15 @@ firewall: strelka_frontend: portgroups: - strelka_frontend - syslog: + desktop: portgroups: - - syslog - analyst: - portgroups: - - nginx + - docker_registry + - influxdb + - sensoroni + - yum + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update customhostgroup0: portgroups: [] customhostgroup1: @@ -819,7 +901,10 @@ firewall: - all fleet: portgroups: - - salt_manager + - salt_manager + idh: + portgroups: + - salt_manager localhost: portgroups: - all 
@@ -838,6 +923,15 @@ firewall: receiver: portgroups: - salt_manager + desktop: + portgroups: + - salt_manager + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -884,9 +978,6 @@ firewall: searchnode: portgroups: - elasticsearch_node - self: - portgroups: - - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -918,6 +1009,12 @@ firewall: localhost: portgroups: - all + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -942,9 +1039,6 @@ firewall: chain: DOCKER-USER: hostgroups: - self: - portgroups: - - syslog strelka_frontend: portgroups: - strelka_frontend @@ -979,6 +1073,12 @@ firewall: localhost: portgroups: - all + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -1030,6 +1130,9 @@ firewall: strelka_frontend: portgroups: - strelka_frontend + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -1061,6 +1164,12 @@ firewall: localhost: portgroups: - all + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: @@ -1189,11 +1298,7 @@ firewall: self: portgroups: - redis - - syslog - beats_5644 - syslog: - portgroups: - - syslog beats_endpoint: portgroups: - beats_5044 @@ -1234,6 +1339,12 @@ firewall: localhost: portgroups: - all + self: + portgroups: + - syslog + syslog: + portgroups: + - syslog customhostgroup0: portgroups: [] customhostgroup1: diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja index c15a54e46..074663e15 100644 --- a/salt/firewall/iptables.jinja +++ b/salt/firewall/iptables.jinja 
@@ -89,7 +89,6 @@ COMMIT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m conntrack --ctstate INVALID -j DROP --A INPUT -j REJECT --reject-with icmp-host-prohibited -A INPUT -p icmp -j ACCEPT -A INPUT -j LOGGING -A FORWARD -j DOCKER-USER @@ -103,6 +102,7 @@ COMMIT -A FORWARD -m conntrack --ctstate INVALID -j DROP -A FORWARD -j REJECT --reject-with icmp-host-prohibited -A OUTPUT -o lo -j ACCEPT +# block icmp timestamp reply -A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP {%- for rule in D2 %} diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index d1db56a0b..209484b6e 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml @@ -39,12 +39,12 @@ firewall: managersearch: *hostgroupsettings receiver: *hostgroupsettings searchnode: *hostgroupsettings - securityonion_desktop: *hostgroupsettings self: *ROhostgroupsettingsadv sensor: *hostgroupsettings standalone: *hostgroupsettings strelka_frontend: *hostgroupsettings syslog: *hostgroupsettings + desktop: *hostgroupsettings customhostgroup0: &customhostgroupsettings description: List of IP or CIDR blocks to allow to this hostgroup. forcedType: "[]string" @@ -191,6 +191,7 @@ firewall: description: Portgroups to add access to the docker containers for this role. advanced: True multiline: True + forcedType: "[]string" helpLink: firewall.html sensor: portgroups: *portgroupsdocker @@ -214,6 +215,8 @@ firewall: portgroups: *portgroupsdocker analyst: portgroups: *portgroupsdocker + desktop: + portgroups: *portgroupsdocker customhostgroup0: portgroups: *portgroupsdocker customhostgroup1: @@ -241,6 +244,7 @@ firewall: description: Portgroups to add access to the host. advanced: True multiline: True + forcedType: "[]string" helpLink: firewall.html dockernet: portgroups: *portgroupshost 
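Review bot: Removing `-A INPUT -j REJECT --reject-with icmp-host-prohibited` changes the fate of traffic that reaches the end of the INPUT chain: it now passes `-A INPUT -p icmp -j ACCEPT` and lands in `-A INPUT -j LOGGING`, so the final disposition of unmatched packets depends on the LOGGING chain ending in a terminating target or on the `:INPUT` chain policy, neither of which is visible in this hunk. The old REJECT made those two lines unreachable, so the removal is very likely the intended fix, but the new fall-through should be stated where the chain is defined, e.g. `# unmatched INPUT traffic is handed to LOGGING and then dropped by the chain policy`, after confirming the policy is DROP. The added `# block icmp timestamp reply` comment in the second hunk is the right kind of note; the INPUT rules deserve the same.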
@@ -336,7 +340,9 @@ firewall: DOCKER-USER: hostgroups: manager: - portgroups: *portgroupsdocker + portgroups: *portgroupsdocker + idh: + portgroups: *portgroupsdocker sensor: portgroups: *portgroupsdocker searchnode: @@ -359,6 +365,8 @@ firewall: portgroups: *portgroupsdocker analyst: portgroups: *portgroupsdocker + desktop: + portgroups: *portgroupsdocker customhostgroup0: portgroups: *portgroupsdocker customhostgroup1: @@ -387,12 +395,16 @@ firewall: portgroups: *portgroupshost localhost: portgroups: *portgroupshost + idh: + portgroups: *portgroupshost sensor: portgroups: *portgroupshost searchnode: portgroups: *portgroupshost heavynode: portgroups: *portgroupshost + desktop: + portgroups: *portgroupshost customhostgroup0: portgroups: *portgroupshost customhostgroup1: @@ -420,6 +432,8 @@ firewall: hostgroups: managersearch: portgroups: *portgroupsdocker + idh: + portgroups: *portgroupsdocker sensor: portgroups: *portgroupsdocker searchnode: @@ -442,6 +456,8 @@ firewall: portgroups: *portgroupsdocker analyst: portgroups: *portgroupsdocker + desktop: + portgroups: *portgroupsdocker customhostgroup0: portgroups: *portgroupsdocker customhostgroup1: @@ -470,12 +486,16 @@ firewall: portgroups: *portgroupshost localhost: portgroups: *portgroupshost + idh: + portgroups: *portgroupshost sensor: portgroups: *portgroupshost searchnode: portgroups: *portgroupshost heavynode: portgroups: *portgroupshost + desktop: + portgroups: *portgroupshost customhostgroup0: portgroups: *portgroupshost customhostgroup1: @@ -507,6 +527,8 @@ firewall: portgroups: *portgroupsdocker fleet: portgroups: *portgroupsdocker + idh: + portgroups: *portgroupsdocker sensor: portgroups: *portgroupsdocker searchnode: @@ -531,6 +553,8 @@ firewall: portgroups: *portgroupsdocker analyst: portgroups: *portgroupsdocker + desktop: + portgroups: *portgroupsdocker customhostgroup0: portgroups: *portgroupsdocker customhostgroup1: 
@@ -563,12 +587,16 @@ firewall: portgroups: *portgroupshost standalone: portgroups: *portgroupshost + idh: + portgroups: *portgroupshost sensor: portgroups: *portgroupshost searchnode: portgroups: *portgroupshost heavynode: portgroups: *portgroupshost + desktop: + portgroups: *portgroupshost customhostgroup0: portgroups: *portgroupshost customhostgroup1: @@ -793,6 +821,8 @@ firewall: portgroups: *portgroupsdocker analyst: portgroups: *portgroupsdocker + desktop: + portgroups: *portgroupsdocker customhostgroup0: portgroups: *portgroupsdocker customhostgroup1: diff --git a/salt/idh/soc_idh.yaml b/salt/idh/soc_idh.yaml index f792812e4..1d6918405 100644 --- a/salt/idh/soc_idh.yaml +++ b/salt/idh/soc_idh.yaml @@ -23,7 +23,7 @@ idh: class: *loggingOptions filename: *loggingOptions portscan_x_enabled: &serviceOptions - description: To enable this opencanary module, set this value to true. To disable set to false. + description: To enable this opencanary module, set this value to true. To disable set to false. This option only applies to IDH nodes within your grid. helpLink: idh.html portscan_x_logfile: *loggingOptions portscan_x_synrate: diff --git a/salt/idstools/enabled.sls b/salt/idstools/enabled.sls index bf5650773..decc5a5b2 100644 --- a/salt/idstools/enabled.sls +++ b/salt/idstools/enabled.sls @@ -26,8 +26,8 @@ so-idstools: - http_proxy={{ proxy }} - https_proxy={{ proxy }} - no_proxy={{ salt['pillar.get']('manager:no_proxy') }} - {% if DOCKER.containers['so-elastalert'].extra_env %} - {% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %} + {% if DOCKER.containers['so-idstools'].extra_env %} + {% for XTRAENV in DOCKER.containers['so-idstools'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} 
@@ -63,12 +63,23 @@ delete_so-idstools_so-status.disabled: so-rule-update: cron.present: - - name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1 + - name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download_cron.log 2>&1 - identifier: so-rule-update - user: root - minute: '1' - hour: '7' +# order this last to give so-idstools container time to be ready +run_so-rule-update: + cmd.run: + - name: '/usr/sbin/so-rule-update > /opt/so/log/idstools/download_idstools_state.log 2>&1' + - require: + - docker_container: so-idstools + - onchanges: + - file: idstoolsetcsync + - file: synclocalnidsrules + - order: last + {% else %} {{sls}}_state_not_allowed: diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf index 8be3aa1ce..d6f3d93d8 100644 --- a/salt/idstools/etc/rulecat.conf +++ b/salt/idstools/etc/rulecat.conf @@ -3,8 +3,8 @@ --merged=/opt/so/rules/nids/all.rules --local=/opt/so/rules/nids/local.rules {%- if GLOBALS.md_engine == "SURICATA" %} ---local=/opt/so/rules/nids/sorules/extraction.rules ---local=/opt/so/rules/nids/sorules/filters.rules +--local=/opt/so/rules/nids/extraction.rules +--local=/opt/so/rules/nids/filters.rules {%- endif %} --url=http://{{ GLOBALS.manager }}:7788/suricata/emerging-all.rules --disable=/opt/so/idstools/etc/disable.conf diff --git a/salt/idstools/sorules/extraction.rules b/salt/idstools/sorules/extraction.rules deleted file mode 100644 index bccfc69d6..000000000 --- a/salt/idstools/sorules/extraction.rules +++ /dev/null 
@@ -1,26 +0,0 @@ -# Extract all PDF mime type -alert http any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100000; rev:1;) -alert smtp any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100001; rev:1;) -alert nfs any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100002; rev:1;) -alert smb any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100003; rev:1;) -# Extract EXE/DLL file types -alert http any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100004; rev:1;) -alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100005; rev:1;) -alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100006; rev:1;) -alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100007; rev:1;) -alert http any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100008; rev:1;) -alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100009; rev:1;) -alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100010; rev:1;) -alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100011; rev:1;) - -# Extract all Zip files -alert http any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100012; rev:1;) -alert smtp any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100013; rev:1;) -alert nfs any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100014; rev:1;) -alert smb any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100015; rev:1;) - -# Extract Word Docs -alert http any any -> any any (msg:"FILE 
WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100016; rev:1;) -alert smtp any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100017; rev:1;) -alert nfs any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100018; rev:1;) -alert smb any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100019; rev:1;) \ No newline at end of file diff --git a/salt/idstools/sorules/filters.rules b/salt/idstools/sorules/filters.rules deleted file mode 100644 index 051d1913f..000000000 --- a/salt/idstools/sorules/filters.rules +++ /dev/null @@ -1,11 +0,0 @@ -# Start the filters at sid 1200000 -# Example of filtering out *google.com from being in the dns log. -#config dns any any -> any any (dns.query; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200000;) -# Example of filtering out *google.com from being in the http log. -#config http any any -> any any (http.host; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200001;) -# Example of filtering out someuseragent from being in the http log. -#config http any any -> any any (http.user_agent; content:"someuseragent"; config: logging disable, type tx, scope tx; sid:1200002;) -# Example of filtering out Google's certificate from being in the ssl log. -#config tls any any -> any any (tls.fingerprint; content:"4f:a4:5e:58:7e:d9:db:20:09:d7:b6:c7:ff:58:c4:7b:dc:3f:55:b4"; config: logging disable, type tx, scope tx; sid:1200003;) -# Example of filtering out a md5 of a file from being in the files log. -#config fileinfo any any -> any any (fileinfo.filemd5; content:"7a125dc69c82d5caf94d3913eecde4b5"; config: logging disable, type tx, scope tx; sid:1200004;) 
diff --git a/salt/idstools/tools/sbin_jinja/so-rule-update b/salt/idstools/tools/sbin_jinja/so-rule-update index 3e4b382e6..db110abc1 100755 --- a/salt/idstools/tools/sbin_jinja/so-rule-update +++ b/salt/idstools/tools/sbin_jinja/so-rule-update 
@@ -1,32 +1,42 @@ #!/bin/bash -. /usr/sbin/so-common + +# if this script isn't already running +if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then + + . /usr/sbin/so-common {%- from 'vars/globals.map.jinja' import GLOBALS %} {%- from 'idstools/map.jinja' import IDSTOOLSMERGED %} -{%- set proxy = salt['pillar.get']('manager:proxy') %} -mkdir -p /nsm/rules/suricata -chown -R socore:socore /nsm/rules/suricata +{%- set proxy = salt['pillar.get']('manager:proxy') %} +{%- set noproxy = salt['pillar.get']('manager:no_proxy', '') %} + +# Download the rules from the internet +{%- if proxy %} + export http_proxy={{ proxy }} + export https_proxy={{ proxy }} + export no_proxy="{{ noproxy }}" +{%- endif %} + + mkdir -p /nsm/rules/suricata + chown -R socore:socore /nsm/rules/suricata # Download the rules from the internet {%- if GLOBALS.airgap != 'True' %} -{%- if proxy %} -export http_proxy={{ proxy }} -export https_proxy={{ proxy }} -export no_proxy=salt['pillar.get']('manager:no_proxy') -{%- endif %} {%- if IDSTOOLSMERGED.config.ruleset == 'ETOPEN' %} -docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force + docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force {%- elif IDSTOOLSMERGED.config.ruleset == 'ETPRO' %} -docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --etpro={{ IDSTOOLSMERGED.config.oinkcode }} + docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --etpro={{ IDSTOOLSMERGED.config.oinkcode }} {%- elif IDSTOOLSMERGED.config.ruleset == 'TALOS' %} -docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force 
--url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.config.oinkcode }} + docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.config.oinkcode }} {%- endif %} {%- endif %} -argstr="" -for arg in "$@"; do - argstr="${argstr} \"${arg}\"" -done + argstr="" + for arg in "$@"; do + argstr="${argstr} \"${arg}\"" + done -docker exec so-idstools /bin/bash -c "cd /opt/so/idstools/etc && idstools-rulecat --force ${argstr}" + docker exec so-idstools /bin/bash -c "cd /opt/so/idstools/etc && idstools-rulecat --force ${argstr}" + +fi diff --git a/salt/influxdb/config.sls b/salt/influxdb/config.sls index 54e20b713..66c681a0d 100644 --- a/salt/influxdb/config.sls +++ b/salt/influxdb/config.sls @@ -25,6 +25,14 @@ influxlogdir: - group: 939 - makedirs: True +influxetcdir: + file.directory: + - name: /opt/so/conf/influxdb/etc + - dir_mode: 750 + - user: 939 + - group: 939 + - makedirs: True + influxdbdir: file.directory: - name: /nsm/influxdb diff --git a/salt/influxdb/enabled.sls b/salt/influxdb/enabled.sls index 70f4c404f..c0733c12c 100644 --- a/salt/influxdb/enabled.sls +++ b/salt/influxdb/enabled.sls @@ -38,6 +38,7 @@ so-influxdb: - binds: - /opt/so/log/influxdb/:/log:rw - /opt/so/conf/influxdb/config.yaml:/conf/config.yaml:ro + - /opt/so/conf/influxdb/etc:/etc/influxdb2:rw - /nsm/influxdb:/var/lib/influxdb2:rw - /etc/pki/influxdb.crt:/conf/influxdb.crt:ro - /etc/pki/influxdb.key:/conf/influxdb.key:ro diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index 9b69eb781..a2dedd324 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson 
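Review bot: The `pidof -x $(basename $0) -o %PPID` guard at the top of the hunk is a name-based, non-atomic check: two invocations starting close together can both pass it, any unrelated process with the same basename blocks the update, and when it does trigger the script exits 0 with no output, so the new `run_so-rule-update` state in idstools/enabled.sls (which runs this script on rule-file changes) reports success while the cron run still holds the "lock" and the change is not applied. `flock` gives an atomic lock and an explicit failure: `exec 9>"<lockfile>"` followed by `if ! flock -n 9; then echo "so-rule-update already running" >&2; exit 1; fi`, which also lets the body drop the enclosing `if ... fi` and its re-indentation. The proxy exports now sit outside the `GLOBALS.airgap != 'True'` guard, which looks harmless but deserves a comment if intentional. Note also that `--etpro=` and `?oinkcode=` place the oinkcode on the `docker exec` command line and `-v` may echo the fetched URL into the redirected log, so the cron and state log files should be treated as sensitive.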
@@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.7.1","id": "8.7.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.8.2","id": "8.8.2","references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} diff --git a/salt/kibana/tools/sbin_jinja/so-kibana-config-load b/salt/kibana/tools/sbin_jinja/so-kibana-config-load index e65955178..159a69e68 100644 --- a/salt/kibana/tools/sbin_jinja/so-kibana-config-load +++ b/salt/kibana/tools/sbin_jinja/so-kibana-config-load @@ -63,7 +63,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.7.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.8.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done diff --git a/salt/logrotate/defaults.yaml b/salt/logrotate/defaults.yaml index 311a344b3..4d6a688e4 100644 --- a/salt/logrotate/defaults.yaml +++ b/salt/logrotate/defaults.yaml 
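Review bot: The saved-object id `8.8.2` in the `curl ... PUT "localhost:5601/api/saved_objects/config/8.8.2"` line is hard-coded and duplicated in config_saved_objects.ndjson (`"id": "8.8.2"` in the same commit), so both must be bumped in lockstep on every Kibana upgrade and a missed one makes the PUT target the wrong object. Reading the id from the object being loaded, e.g. `ID=$(printf '%s' "$i" | sed -n 's/.*"id": *"\([^"]*\)".*/\1/p')` and then `... "localhost:5601/api/saved_objects/config/${ID}" ...`, keeps the script version-agnostic. `update()` starts before this hunk.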
@@ -90,6 +90,26 @@ logrotate: - extension .log - dateext - dateyesterday + /opt/so/log/elasticagent/*_x_log: + - daily + - rotate 14 + - missingok + - copytruncate + - compress + - create + - extension .log + - dateext + - dateyesterday + /opt/so/log/elasticagent/*_x_ndjson: + - daily + - rotate 14 + - missingok + - copytruncate + - compress + - create + - extension .ndjson + - dateext + - dateyesterday /opt/so/log/elasticfleet/*_x_log: - daily - rotate 14 diff --git a/salt/logrotate/init.sls b/salt/logrotate/init.sls index 1b096f9db..bdfc3b86c 100644 --- a/salt/logrotate/init.sls +++ b/salt/logrotate/init.sls @@ -3,6 +3,7 @@ logrotateconfdir: file.directory: - name: /opt/so/conf/logrotate + - makedirs: True commonlogrotatescript: file.managed: diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls index a88e97b19..c76f81d21 100644 --- a/salt/logstash/enabled.sls +++ b/salt/logstash/enabled.sls @@ -9,6 +9,11 @@ {% from 'docker/docker.map.jinja' import DOCKER %} {% from 'logstash/map.jinja' import LOGSTASH_MERGED %} {% from 'logstash/map.jinja' import REDIS_NODES %} +{# we append the manager here so that it is added to extra_hosts so the heavynode can resolve it #} +{# we cannont append in the logstash/map.jinja because then it would be added to the 0900_input_redis.conf #} +{% if GLOBALS.role == 'so-heavynode' %} +{% do REDIS_NODES.append({GLOBALS.manager:GLOBALS.manager_ip}) %} +{% endif %} {% set lsheap = LOGSTASH_MERGED.settings.lsheap %} include: @@ -17,6 +22,7 @@ include: {% endif %} - logstash.config - logstash.sostatus + - ssl so-logstash: docker_container.running: 
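Review bot: The `{% do REDIS_NODES.append({GLOBALS.manager:GLOBALS.manager_ip}) %}` on the heavynode path mutates the list imported from logstash/map.jinja, so if the manager is already an entry in REDIS_NODES the host appears twice in extra_hosts; a guard such as `{% if GLOBALS.manager not in REDIS_NODES | map('first') %}` (adjusted to however the entries are shaped in map.jinja, which is outside this hunk) avoids the duplicate. The explanatory comment also has a typo, `cannont` → `cannot`, and would read more clearly as `we cannot append in logstash/map.jinja because the entry would then also be rendered into 0900_input_redis.conf`.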
@@ -67,7 +73,7 @@ so-logstash: {% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %} - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro {% else %} - - /etc/ssl/certs/intca.crt:/usr/share/filebeat/ca.crt:ro + - /etc/pki/tls/certs/intca.crt:/usr/share/filebeat/ca.crt:ro {% endif %} {% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode'] %} - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro @@ -85,6 +91,10 @@ so-logstash: {% endfor %} {% endif %} - watch: + {% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-import', 'so-fleet', 'so-receiver'] %} + - x509: etc_elasticfleet_logstash_key + - x509: etc_elasticfleet_logstash_crt + {% endif %} - file: lsetcsync {% for assigned_pipeline in LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %} - file: ls_pipeline_{{assigned_pipeline}} diff --git a/salt/manager/init.sls b/salt/manager/init.sls index b9d2d3ba9..e808325ef 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -26,6 +26,15 @@ repo_log_dir: - user - group +yara_log_dir: + file.directory: + - name: /opt/so/log/yarasync + - user: socore + - group: socore + - recurse: + - user + - group + repo_conf_dir: file.directory: - name: /opt/so/conf/reposync 
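Review bot: The new `watch` entries are gated on `grains['role']` while the rest of this state, including the ca.crt bind a few lines above, selects on `GLOBALS.role`; the two normally agree, but mixing them in one state makes the role logic harder to audit, so `{% if GLOBALS.role in [...] %}` would be consistent here. It is also worth confirming that the `ssl` state, now included unconditionally, actually defines `etc_elasticfleet_logstash_key` and `etc_elasticfleet_logstash_crt` for every role in this list (so-eval, so-fleet and so-receiver included), since, as far as I know, a watch on a state id that does not exist fails the whole so-logstash state rather than being ignored.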
@@ -52,21 +61,23 @@ manager_sbin: - group: 939 - file_mode: 755 -#manager_sbin_jinja: -# file.recurse: -# - name: /usr/sbin -# - source: salt://manager/tools/sbin_jinja -# - user: 939 -# - group: 939 -# - file_mode: 755 -# - template: jinja +yara_update_scripts: + file.recurse: + - name: /usr/sbin/ + - source: salt://manager/tools/sbin_jinja/ + - user: socore + - group: socore + - file_mode: 755 + - template: jinja + - defaults: + EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }} so-repo-sync: - {% if MANAGERMERGED.reposync.enabled %} + {% if MANAGERMERGED.reposync.enabled %} cron.present: - {% else %} + {% else %} cron.absent: - {% endif %} + {% endif %} - user: socore - name: '/usr/sbin/so-repo-sync >> /opt/so/log/reposync/reposync.log 2>&1' - identifier: so-repo-sync @@ -82,7 +93,15 @@ socore_own_saltstack: - user - group -{% if STRELKAMERGED.rules.enabled %} +rules_dir: + file.directory: + - name: /nsm/rules/yara + - user: socore + - group: socore + - makedirs: True + +{% if STRELKAMERGED.rules.enabled %} + strelkarepos: file.managed: - name: /opt/so/conf/strelka/repos.txt 
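Review bot: `yara_update_scripts` installs templated scripts into `/usr/sbin/` owned by `socore` with mode 755, and the same scripts are later executed as root by Salt (`update_yara_rules` and `download_yara_rules` cmd.run in the next hunk) and by soup; a non-root owner of root-executed files in /usr/sbin means that write access as socore could be turned into root execution. This mirrors the existing `manager_sbin` state (user 939 in the context lines), so it may be a deliberate convention, but for the new state root ownership costs nothing because the cron jobs that run as socore only need the world-execute bit: `- user: root` and `- group: root`. If 939 is socore's uid the same consideration applies to `manager_sbin`, which this hunk does not change.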
@@ -91,67 +110,45 @@ strelkarepos: - defaults: STRELKAREPOS: {{ STRELKAMERGED.rules.repos }} - makedirs: True -{% endif %} - -yara_update_scripts: - file.recurse: - - name: /usr/sbin/ - - source: salt://manager/tools/sbin_jinja/ - - user: socore - - group: socore - - file_mode: 755 - - template: jinja - - defaults: - EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }} - -rules_dir: - file.directory: - - name: /nsm/rules/yara - - user: socore - - group: socore - - makedirs: True - -{% if GLOBALS.airgap %} -remove_strelka-yara-download: - cron.absent: - - user: socore - - identifier: strelka-yara-download strelka-yara-update: + {% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %} cron.present: + {% else %} + cron.absent: + {% endif %} - user: socore - - name: '/usr/sbin/so-yara-update >> /nsm/strelka/log/yara-update.log 2>&1' + - name: '/usr/sbin/so-yara-update >> /opt/so/log/yarasync/yara-update.log 2>&1' - identifier: strelka-yara-update - hour: '7' - minute: '1' +strelka-yara-download: + {% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %} + cron.present: + {% else %} + cron.absent: + {% endif %} + - user: socore + - name: '/usr/sbin/so-yara-download >> /opt/so/log/yarasync/yara-download.log 2>&1' + - identifier: strelka-yara-download + - hour: '7' + - minute: '1' + +{% if not GLOBALS.airgap %} update_yara_rules: cmd.run: - name: /usr/sbin/so-yara-update - onchanges: - file: yara_update_scripts -{% else %} -remove_strelka-yara-update: - cron.absent: - - user: socore - - identifier: strelka-yara-update - -strelka-yara-download: - cron.present: - - user: socore - - name: '/usr/sbin/so-yara-download >> /nsm/strelka/log/yara-download.log 2>&1' - - identifier: strelka-yara-download - - hour: '7' - - minute: '1' download_yara_rules: cmd.run: - name: /usr/sbin/so-yara-download - onchanges: - file: yara_update_scripts -{% endif %} - - +{% endif %} +{% endif %} {% else %} {{sls}}_state_not_allowed: 
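Review bot: `strelka-yara-update` and `strelka-yara-download` are now both scheduled at `hour: '7'`, `minute: '1'` whenever reposync is enabled and the grid is not airgapped, so the two scripts start at the same moment; if both write into /nsm/rules/yara (rules_dir in the previous hunk) they can race and leave Strelka a partially written rule set. Staggering them, for example `- minute: '15'` for the update job, or chaining one from the other, removes the overlap. The old layout ran only one of the two per install type, so this concurrency is new with this commit. The enclosing `{% if STRELKAMERGED.rules.enabled %}` opens in the previous hunk and the trailing `{% else %}` belongs to a condition outside this view.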
diff --git a/salt/manager/tools/sbin/so-firewall-minion b/salt/manager/tools/sbin/so-firewall-minion index 4834f0e41..66a0afcea 100755 --- a/salt/manager/tools/sbin/so-firewall-minion +++ b/salt/manager/tools/sbin/so-firewall-minion @@ -74,9 +74,12 @@ fi so-firewall includehost heavynode "$IP" --apply ;; 'IDH') - so-firewall includehost sensor "$IP" --apply + so-firewall includehost idh "$IP" --apply ;; 'RECEIVER') so-firewall includehost receiver "$IP" --apply ;; - esac \ No newline at end of file + 'DESKTOP') + so-firewall includehost desktop "$IP" --apply + ;; + esac diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index edc0b1404..64084dbd0 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion @@ -187,15 +187,9 @@ function add_logstash_to_minion() { # Security Onion Desktop function add_desktop_to_minion() { printf '%s\n'\ - "host:"\ - " mainint: '$MNIC'"\ "desktop:"\ " gui:"\ - " enabled: true"\ - "sensoroni:"\ - " enabled: True"\ - " config:"\ - " node_description: '${NODE_DESCRIPTION//\'/''}'" >> $PILLARFILE + " enabled: true"\ >> $PILLARFILE } # Add basic host info to the minion file @@ -245,6 +239,10 @@ function add_sensor_to_minion() { echo " threads: '$CORECOUNT'" >> $PILLARFILE echo "pcap:" >> $PILLARFILE echo " enabled: True" >> $PILLARFILE + if [[ $is_pcaplimit ]]; then + echo " config:" >> $PILLARFILE + echo " diskfreepercentage: 60" >> $PILLARFILE + fi echo " " >> $PILLARFILE } @@ -415,6 +413,7 @@ function apply_ES_state() { salt-call state.apply elasticsearch concurrent=True } function createEVAL() { + is_pcaplimit=true add_elasticsearch_to_minion add_sensor_to_minion add_strelka_to_minion @@ -435,6 +434,7 @@ function createEVAL() { } function createSTANDALONE() { + is_pcaplimit=true add_elasticsearch_to_minion add_logstash_to_minion add_sensor_to_minion 
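Review bot: The `case` still ends without a default branch, so a role value that matches none of the labels (a typo, or a role added to so-minion before this script is updated) silently applies no firewall rule and the script exits 0. Adding `*) echo "Unknown role: $ROLE" >&2; exit 1 ;;` before `esac`, with `$ROLE` standing for whatever variable the case switches on (its start is outside this hunk), turns that into a visible failure.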
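Review bot: In `add_desktop_to_minion` the last printf argument is followed by `\ >> $PILLARFILE`: the backslash-space escapes the space, so `"    enabled: true"` gets a trailing literal space appended (harmless to YAML but sloppy), and if that space is ever removed the `>>` becomes a printf argument and the pillar text goes to stdout instead of the file. Drop the backslash: `"    enabled: true" >> $PILLARFILE`. Separately, the desktop pillar no longer writes `host: mainint`; that is only safe if the "Add basic host info" function that follows (outside this hunk) still writes it for desktop nodes, because mine_functions.conf.jinja in this same commit now renders `pillar.host.mainint`.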
@@ -526,8 +526,9 @@ function createIDH() { } function createHEAVYNODE() { + is_pcaplimit=true add_elasticsearch_to_minion - add_elastic_agent_to_minion + add_elastic_agent_to_minion add_logstash_to_minion add_sensor_to_minion add_strelka_to_minion @@ -556,6 +557,10 @@ function createRECEIVER() { add_telegraf_to_minion } +function createDESKTOP() { + add_desktop_to_minion + add_telegraf_to_minion +} function testConnection() { retry 15 3 "salt '$MINION_ID' test.ping" True diff --git a/salt/manager/tools/sbin/so-repo-sync b/salt/manager/tools/sbin/so-repo-sync index 3e129cd0d..84384fcdf 100644 --- a/salt/manager/tools/sbin/so-repo-sync +++ b/salt/manager/tools/sbin/so-repo-sync @@ -11,6 +11,8 @@ set_version set_os salt_minion_count +set -e + curl --retry 5 --retry-delay 60 -A "reposync/$VERSION/$OS/$(uname -r)/$MINIONCOUNT" https://sigs.securityonion.net/checkup --output /tmp/checkup dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/ -createrepo /nsm/repo \ No newline at end of file +createrepo /nsm/repo diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 31f1d0fea..e4b388e22 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -171,6 +171,13 @@ airgap_update_dockers() { fi } +backup_old_states_pillars() { + + tar czf /nsm/backup/$(echo $INSTALLEDVERSION)_$(date +%Y%m%d-%H%M%S)_soup_default_states_pillars.tar.gz /opt/so/saltstack/default/ + tar czf /nsm/backup/$(echo $INSTALLEDVERSION)_$(date +%Y%m%d-%H%M%S)_soup_local_states_pillars.tar.gz /opt/so/saltstack/local/ + +} + update_registry() { docker stop so-dockerregistry docker rm so-dockerregistry 
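Review bot: `set -e` is placed directly before the `curl ... https://sigs.securityonion.net/checkup` call, so from now on any failure of that call (endpoint unreachable, proxy or DNS problem) aborts the script before `dnf reposync` runs, and soup's new `repo_sync` then stops the upgrade with "Unable to complete so-repo-sync." If the checkup is best-effort, mark it so: `curl ... --output /tmp/checkup || true`, keeping `set -e` for the reposync and createrepo steps that must succeed. Note also that `set -e` does not cover `set_version`, `set_os` and `salt_minion_count` above it.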
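Review bot: `backup_old_states_pillars` archives /opt/so/saltstack/local/, which holds the pillars (soc_global.sls and the per-minion files under pillar/minions/ referenced elsewhere in this script, including values the SOC config marks `sensitive`), but the tarballs are created with whatever umask soup inherited and no explicit ownership, so secrets can land in /nsm/backup/ more widely readable than the source files. It also evaluates `date` separately for the two archives, so the pair can carry different timestamps, and `$(echo $INSTALLEDVERSION)` is just `$INSTALLEDVERSION`; nothing ensures /nsm/backup exists. Creating the archives under a restrictive umask with one shared timestamp, as below, addresses all three.
```shell
backup_old_states_pillars() {
    local ts
    ts=$(date +%Y%m%d-%H%M%S)
    mkdir -p /nsm/backup
    (umask 077 && tar czf "/nsm/backup/${INSTALLEDVERSION}_${ts}_soup_default_states_pillars.tar.gz" /opt/so/saltstack/default/)
    (umask 077 && tar czf "/nsm/backup/${INSTALLEDVERSION}_${ts}_soup_local_states_pillars.tar.gz" /opt/so/saltstack/local/)
}
```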
@@ -179,12 +186,12 @@ update_registry() { check_airgap() { # See if this is an airgap install - AIRGAP=$(cat /opt/so/saltstack/local/pillar/global/soc_global.sls | grep airgap: | awk '{print $2}') - if [[ "$AIRGAP" == "True" ]]; then + AIRGAP=$(cat /opt/so/saltstack/local/pillar/global/soc_global.sls | grep airgap: | awk '{print $2}' | tr '[:upper:]' '[:lower:]') + if [[ "$AIRGAP" == "true" ]]; then is_airgap=0 UPDATE_DIR=/tmp/soagupdate/SecurityOnion AGDOCKER=/tmp/soagupdate/docker - AGREPO=/tmp/soagupdate/Packages + AGREPO=/tmp/soagupdate/minimal/Packages else is_airgap=1 fi @@ -303,6 +310,7 @@ check_log_size_limit() { check_os_updates() { # Check to see if there are OS updates + echo "Checking for OS updates." NEEDUPDATES="We have detected missing operating system (OS) updates. Do you want to install these OS updates now? This could take a while depending on the size of your grid and how many packages are missing, but it is recommended to keep your system updated." OSUPDATES=$(dnf -q list updates | grep -v docker | grep -v containerd | grep -v salt | grep -v Available | wc -l) if [[ "$OSUPDATES" -gt 0 ]]; then @@ -393,6 +401,8 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.4.2 ]] && up_to_2.4.3 [[ "$INSTALLEDVERSION" == 2.4.3 ]] && up_to_2.4.4 [[ "$INSTALLEDVERSION" == 2.4.4 ]] && up_to_2.4.5 + [[ "$INSTALLEDVERSION" == 2.4.5 ]] && up_to_2.4.10 + [[ "$INSTALLEDVERSION" == 2.4.10 ]] && up_to_2.4.20 true } @@ -402,9 +412,9 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.4.2 ]] && post_to_2.4.3 [[ "$POSTVERSION" == 2.4.3 ]] && post_to_2.4.4 - [[ "$POSTVERSION" == 2.4.4 ]] && post_to_2.4.5 - - + [[ "$POSTVERSION" == 2.4.4 ]] && post_to_2.4.5 + [[ "$POSTVERSION" == 2.4.5 ]] && post_to_2.4.10 + [[ "$POSTVERSION" == 2.4.10 ]] && post_to_2.4.20 true } 
@@ -419,10 +429,28 @@ post_to_2.4.4() { } post_to_2.4.5() { - echo "Nothing to apply" + echo "Regenerating Elastic Agent Installers" + /sbin/so-elastic-agent-gen-installers POSTVERSION=2.4.5 } +post_to_2.4.10() { + echo "Updating Elastic Fleet ES URLs...." + /sbin/so-elastic-fleet-es-url-update --force + POSTVERSION=2.4.10 +} + +post_to_2.4.20() { + echo "Pruning unused docker volumes on all nodes - This process will run in the background." + salt --async \* cmd.run "docker volume prune -f" + POSTVERSION=2.4.20 +} + +repo_sync() { + echo "Sync the local repo." + su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync." +} + stop_salt_master() { # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts set +e @@ -436,7 +464,7 @@ stop_salt_master() { echo "" echo "Storing salt-master pid." - MASTERPID=$(pgrep salt-master | head -1) + MASTERPID=$(pgrep -f '/opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master MainProcess') echo "Found salt-master PID $MASTERPID" systemctl_func "stop" "salt-master" timeout 30 tail --pid=$MASTERPID -f /dev/null || echo "salt-master still running at $(date +"%T.%6N") after waiting 30s. We cannot kill due to systemd restart option." @@ -455,7 +483,7 @@ stop_salt_minion() { set -e echo "Storing salt-minion pid." - MINIONPID=$(pgrep salt-minion | head -1) + MINIONPID=$(pgrep -f '/opt/saltstack/salt/bin/python3.10 /usr/bin/salt-minion' | head -1) echo "Found salt-minion PID $MINIONPID" systemctl_func "stop" "salt-minion" 
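Review bot: `MASTERPID=$(pgrep -f '/opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master MainProcess')` pins the interpreter path and Python minor version of the onedir Salt build, so the first Salt update that ships a different interpreter makes pgrep return nothing, `MASTERPID` is empty, and `tail --pid=` errors out so the 30 s wait is skipped. The same applies to `MINIONPID` in the `stop_salt_minion` hunk below. Keying on the stable part is enough: `MASTERPID=$(pgrep -f 'salt-master MainProcess' | head -1)` and `MINIONPID=$(pgrep -f '/usr/bin/salt-minion' | head -1)`, plus a guard such as `[[ -n $MASTERPID ]] || echo "salt-master not running"` before the tail.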
@@ -466,21 +494,46 @@ stop_salt_minion() { up_to_2.4.3() { - echo "Nothing to do for 2.4.3" - ## - INSTALLEDVERSION=2.4.3 + echo "Nothing to do for 2.4.3" + + INSTALLEDVERSION=2.4.3 } up_to_2.4.4() { - echo "Nothing to do for 2.4.4" - ## - INSTALLEDVERSION=2.4.4 + echo "Nothing to do for 2.4.4" + + INSTALLEDVERSION=2.4.4 } up_to_2.4.5() { - echo "Nothing to do for 2.4.5" - ## - INSTALLEDVERSION=2.4.5 + determine_elastic_agent_upgrade + + INSTALLEDVERSION=2.4.5 +} + +up_to_2.4.10() { + echo "Nothing to do for 2.4.10" + + INSTALLEDVERSION=2.4.10 +} + +up_to_2.4.20() { + echo "Nothing to do for 2.4.20" + + INSTALLEDVERSION=2.4.20 +} + +determine_elastic_agent_upgrade() { + if [[ $is_airgap -eq 0 ]]; then + update_elastic_agent_airgap + else + update_elastic_agent + fi +} + +update_elastic_agent_airgap() { + rsync -av /tmp/soagupdate/fleet/* /nsm/elastic-fleet/artifacts/ + tar -xf "$ELASTIC_AGENT_FILE" -C "$ELASTIC_AGENT_EXPANSION_DIR" } verify_upgradespace() { @@ -520,13 +573,14 @@ update_centos_repo() { echo "Syncing new updates to /nsm/repo" rsync -av $AGREPO/* /nsm/repo/ echo "Creating repo" + dnf -y install yum-utils createrepo createrepo /nsm/repo } update_salt_mine() { echo "Populating the mine with network.ip_addrs pillar.host.mainint for each host." set +e - salt \* cmd.run cmd='MAININT=$(salt-call pillar.get host:mainint --out=newline_values_only) && salt-call mine.send name=network.ip_addrs interface="$MAININT"' + salt \* mine.update -b 50 set -e } 
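Review bot: `update_elastic_agent_airgap` extracts `"$ELASTIC_AGENT_FILE"` into `"$ELASTIC_AGENT_EXPANSION_DIR"` but neither variable is set anywhere in this hunk; unless they are defined elsewhere in soup, `tar -xf "" -C ""` fails, and since `up_to_2.4.5` runs under the script's `set -e` that aborts the upgrade midway. A guard makes the dependency explicit: `: "${ELASTIC_AGENT_FILE:?unset}" "${ELASTIC_AGENT_EXPANSION_DIR:?unset}"` as the first line of the function. The non-airgap `update_elastic_agent` called from `determine_elastic_agent_upgrade` is likewise not visible in this hunk.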
@@ -535,13 +589,16 @@ update_version() { echo "Updating the Security Onion version file." echo $NEWVERSION > /etc/soversion echo $HOTFIXVERSION > /etc/sohotfix - sed -i "/ soversion:/c\ soversion: $NEWVERSION" /opt/so/saltstack/local/pillar/global/soc_global.sls + sed -i "s/soversion:.*/soversion: $NEWVERSION/" /opt/so/saltstack/local/pillar/global/soc_global.sls } upgrade_check() { # Let's make sure we actually need to update. NEWVERSION=$(cat $UPDATE_DIR/VERSION) HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX) + if [ ! -f /etc/sohotfix ]; then + touch /etc/sohotfix + fi [[ -f /etc/sohotfix ]] && CURRENTHOTFIX=$(cat /etc/sohotfix) if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then echo "Checking to see if there are hotfixes needed" @@ -633,15 +690,15 @@ verify_latest_update_script() { } # Keeping this block in case we need to do a hotfix that requires salt update -#apply_hotfix() { +apply_hotfix() { # if [[ "$INSTALLEDVERSION" == "2.3.90" ]] ; then # fix_wazuh # elif [[ "$INSTALLEDVERSION" == "2.3.110" ]] ; then # 2_3_10_hotfix_1 # else -# echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)" + echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)" # fi -#} +} #upgrade salt to 3004.1 @@ -719,9 +776,7 @@ main() { fi echo "Verifying we have the latest soup script." verify_latest_update_script - echo "Checking for OS updates." - check_os_updates - + echo "Let's see if we need to update Security Onion." upgrade_check upgrade_space @@ -733,10 +788,18 @@ main() { if [[ $is_airgap -eq 0 ]]; then yum clean all check_os_updates + elif [[ $OS == 'oel' ]]; then + # sync remote repo down to local if not airgap + repo_sync + check_os_updates fi if [ "$is_hotfix" == "true" ]; then echo "Applying $HOTFIXVERSION hotfix" + # since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars + if [[ ! "$MINIONID" =~ "_import" ]]; then + backup_old_states_pillars + fi copy_new_files apply_hotfix echo "Hotfix applied" 
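Review bot: The new `sed -i "s/soversion:.*/soversion: $NEWVERSION/"` in `update_version` matches `soversion:` anywhere on a line rather than as the key, so any other key or comment containing that substring in soc_global.sls would be rewritten too, and the leading indentation that the old `/ soversion:/c\ soversion: ...` form set explicitly is now whatever precedes the match. `sed -i "s/^\(\s*\)soversion:.*/\1soversion: $NEWVERSION/"` keeps the indentation and only touches the key itself. `$NEWVERSION` is interpolated into the sed program unescaped; it comes from the update's VERSION file, so a `/` in it would break the expression.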
@@ -763,7 +826,7 @@ main() { else update_registry set +e - update_docker_containers "soup" + update_docker_containers "soup" "" "" "$SOUP_LOG" set -e fi @@ -793,6 +856,13 @@ main() { update_centos_repo fi + # since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars + if [[ ! "$MINIONID" =~ "_import" ]]; then + echo "" + echo "Creating snapshots of default and local Salt states and pillars and saving to /nsm/backup/" + backup_old_states_pillars + fi + echo "" echo "Copying new Security Onion code from $UPDATE_DIR to $DEFAULT_SALT_DIR." copy_new_files @@ -859,7 +929,7 @@ main() { set +e echo "Checking the number of minions." - NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | wc -l) + NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | grep -v adv_ | wc -l) if [[ $UPGRADESALT -eq 1 ]] && [[ $NUM_MINIONS -gt 1 ]]; then if [[ $is_airgap -eq 0 ]]; then echo "" @@ -875,9 +945,6 @@ main() { echo "Checking sudoers file." check_sudoers - echo "Checking for necessary user migrations." - so-user migrate - systemctl_func "start" "$cron_service_name" if [[ -n $lsl_msg ]]; then @@ -963,6 +1030,11 @@ while getopts ":b:f:y" opt; do done shift $((OPTIND - 1)) +if [ -f $SOUP_LOG ]; then + CURRENT_TIME=$(date +%Y%m%d.%H%M%S) + mv $SOUP_LOG $SOUP_LOG.$INSTALLEDVERSION.$CURRENT_TIME +fi + if [[ -z $UNATTENDED ]]; then cat << EOF diff --git a/salt/manager/tools/sbin_jinja/so-yara-download b/salt/manager/tools/sbin_jinja/so-yara-download index e9b991b6c..aa9576253 100644 --- a/salt/manager/tools/sbin_jinja/so-yara-download +++ b/salt/manager/tools/sbin_jinja/so-yara-download 
@@ -3,12 +3,13 @@ NOROOT=1 . /usr/sbin/so-common {%- set proxy = salt['pillar.get']('manager:proxy') %} +{%- set noproxy = salt['pillar.get']('manager:no_proxy', '') %} # Download the rules from the internet {%- if proxy %} export http_proxy={{ proxy }} export https_proxy={{ proxy }} -export no_proxy=salt['pillar.get']('manager:no_proxy') +export no_proxy="{{ noproxy }}" {%- endif %} repos="/opt/so/conf/strelka/repos.txt" diff --git a/salt/mysql/config.sls b/salt/mysql/config.sls index 5f9010011..274f25d76 100644 --- a/salt/mysql/config.sls +++ b/salt/mysql/config.sls @@ -9,7 +9,7 @@ # MySQL Setup mysqlpkgs: - pkg.installed: + pkg.removed: - skip_suggestions: False - pkgs: {% if grains['os_family'] != 'RedHat' %} diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index bdcbdeacc..d5981be77 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -8,6 +8,7 @@ worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; +user nobody; include /usr/share/nginx/modules/*.conf; @@ -230,7 +231,20 @@ http { proxy_cookie_path /api/ /influxdb/api/; } - location /kibana/ { + location /app/dashboards/ { + auth_request /auth/sessions/whoami; + rewrite /app/dashboards/(.*) /app/dashboards/$1 break; + proxy_pass http://{{ GLOBALS.manager }}:5601/app/; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /kibana/ { auth_request /auth/sessions/whoami; rewrite /kibana/(.*) /$1 break; proxy_pass http://{{ GLOBALS.manager }}:5601/; diff --git a/salt/pcap/soc_pcap.yaml b/salt/pcap/soc_pcap.yaml index 0f4b7e1e4..32204a23a 100644 --- a/salt/pcap/soc_pcap.yaml +++ b/salt/pcap/soc_pcap.yaml 
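Review bot: `export no_proxy="{{ noproxy }}"` fixes the old literal-string bug, but the pillar value is pasted into a double-quoted shell string unescaped, so a value containing `"`, `$` or backticks breaks or expands at run time; the same applies to the unquoted `{{ proxy }}` on the two context lines. Single quotes are the safer choice for a value that should never be expanded: `export no_proxy='{{ noproxy }}'`. Pillar is operator-controlled, so this is a robustness point rather than an exposure.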
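Review bot: `mysqlpkgs` now declares `pkg.removed`, but the state id, the `# MySQL Setup` heading above it and the `skip_suggestions: False` argument all still describe an install; `skip_suggestions` is a `pkg.installed` option and, as far as I know, has no meaning for `pkg.removed`, so it should be dropped and the id and comment renamed (for example `mysqlpkgs_removed:` under `# MySQL packages removed`). If this is a one-time cleanup after a migration, a comment saying so and when the state can be deleted would help the next reader.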
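Review bot: In the new `location /app/dashboards/` block the `rewrite /app/dashboards/(.*) /app/dashboards/$1 break;` maps the URI onto itself, and because a rewrite with `break` makes nginx pass the full rewritten URI and ignore the path part of `proxy_pass`, the `/app/` suffix in `proxy_pass http://...:5601/app/` is never used; the block behaves as a plain pass-through of `/app/dashboards/...` to Kibana. If that is the intent, `proxy_pass http://{{ GLOBALS.manager }}:5601;` with the rewrite removed says it directly; if the goal was to strip a prefix the way the `/kibana/` block does, the rewrite target is wrong. `auth_request /auth/sessions/whoami` is carried over, which is the part that matters for access control.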
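Review bot: `playbookfilesdir` creates /opt/so/conf/playbook/redmine-files with `dir_mode: 775`, group-writable and world-listable, whereas the other new config directory in this commit (`influxetcdir`) uses 750; the directory is bind-mounted rw into so-playbook as Redmine's attachment store, so files uploaded to a play are only as private as Redmine creates them. Unless another group needs write access, `- dir_mode: 750` matches the rest of the tree.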
@@ -1,35 +1,35 @@ pcap: enabled: description: You can enable or disable Stenographer on all sensors or a single sensor. - helpLink: pcap.html + helpLink: stenographer.html config: maxdirectoryfiles: description: The maximum number of packet/index files to create before deleting old files. - helpLink: pcap.html + helpLink: stenographer.html diskfreepercentage: description: The disk space percent to always keep free for PCAP - helpLink: pcap.html + helpLink: stenographer.html blocks: description: The number of 1MB packet blocks used by AF_PACKET to store packets in memory, per thread. You shouldn't need to change this. advanced: True - helpLink: pcap.html + helpLink: stenographer.html preallocate_file_mb: description: File size to pre-allocate for individual PCAP files. You shouldn't need to change this. advanced: True - helpLink: pcap.html + helpLink: stenographer.html aiops: description: The max number of async writes to allow at once. advanced: True - helpLink: pcap.html + helpLink: stenographer.html pin_to_cpu: description: Enable CPU pinning for PCAP. advanced: True - helpLink: pcap.html + helpLink: stenographer.html cpus_to_pin_to: description: CPU to pin PCAP to. Currently only a single CPU is supported. advanced: True - helpLink: pcap.html + helpLink: stenographer.html disks: description: List of disks to use for PCAP. This is currently not used. advanced: True - helpLink: pcap.html + helpLink: stenographer.html diff --git a/salt/playbook/config.sls b/salt/playbook/config.sls index 7d37f8873..f4c2cf137 100644 --- a/salt/playbook/config.sls +++ b/salt/playbook/config.sls @@ -91,6 +91,14 @@ playbooklogdir: - group: 939 - makedirs: True +playbookfilesdir: + file.directory: + - name: /opt/so/conf/playbook/redmine-files + - dir_mode: 775 + - user: 939 + - group: 939 + - makedirs: True + {% if 'idh' in salt['cmd.shell']("ls /opt/so/saltstack/local/pillar/minions/|awk -F'_' {'print $2'}|awk -F'.' {'print $1'}").split() %} idh-plays: file.recurse: 
diff --git a/salt/playbook/enabled.sls b/salt/playbook/enabled.sls index 434cb18e4..e70fec693 100644 --- a/salt/playbook/enabled.sls +++ b/salt/playbook/enabled.sls @@ -33,6 +33,7 @@ so-playbook: - sobridge: - ipv4_address: {{ DOCKER.containers['so-playbook'].ip }} - binds: + - /opt/so/conf/playbook/redmine-files:/usr/src/redmine/files:rw - /opt/so/log/playbook:/playbook/log:rw {% if DOCKER.containers['so-playbook'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-playbook'].custom_bind_mounts %} diff --git a/salt/redis/config.sls b/salt/redis/config.sls index d698040f8..053d46707 100644 --- a/salt/redis/config.sls +++ b/salt/redis/config.sls @@ -25,6 +25,13 @@ redisworkdir: - group: 939 - makedirs: True +redisdatadir: + file.directory: + - name: /nsm/redis/data + - user: 939 + - group: 939 + - makedirs: True + redislogdir: file.directory: - name: /opt/so/log/redis diff --git a/salt/redis/enabled.sls b/salt/redis/enabled.sls index 2a4f5a179..fc206e3cb 100644 --- a/salt/redis/enabled.sls +++ b/salt/redis/enabled.sls @@ -28,12 +28,13 @@ so-redis: - /opt/so/log/redis:/var/log/redis:rw - /opt/so/conf/redis/etc/redis.conf:/usr/local/etc/redis/redis.conf:ro - /opt/so/conf/redis/working:/redis:rw + - /nsm/redis/data:/data:rw - /etc/pki/redis.crt:/certs/redis.crt:ro - /etc/pki/redis.key:/certs/redis.key:ro {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %} - /etc/pki/ca.crt:/certs/ca.crt:ro {% else %} - - /etc/ssl/certs/intca.crt:/certs/ca.crt:ro + - /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro {% endif %} {% if DOCKER.containers['so-redis'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %} diff --git a/salt/salt/engines/checkmine.py b/salt/salt/engines/checkmine.py deleted file mode 100644 index 5cc0a5ad3..000000000 --- a/salt/salt/engines/checkmine.py +++ /dev/null 
@@ -1,28 +0,0 @@ -# -*- coding: utf-8 -*- - -import logging -from time import sleep -from os import remove - -log = logging.getLogger(__name__) - -def start(interval=30): - log.info("checkmine engine started") - minionid = __grains__['id'] - while True: - try: - ca_crt = __salt__['saltutil.runner']('mine.get', tgt=minionid, fun='x509.get_pem_entries')[minionid]['/etc/pki/ca.crt'] - log.info('Successfully queried Salt mine for the CA.') - except: - log.error('Could not pull CA from the Salt mine.') - log.info('Removing /var/cache/salt/master/minions/%s/mine.p to force Salt mine to be repopulated.' % minionid) - try: - remove('/var/cache/salt/master/minions/%s/mine.p' % minionid) - log.info('Removed /var/cache/salt/master/minions/%s/mine.p' % minionid) - except FileNotFoundError: - log.error('/var/cache/salt/master/minions/%s/mine.p does not exist' % minionid) - - __salt__['mine.send'](name='x509.get_pem_entries', glob_path='/etc/pki/ca.crt') - log.warning('Salt mine repopulated with /etc/pki/ca.crt') - - sleep(interval) \ No newline at end of file diff --git a/salt/salt/etc/minion.d/mine_functions.conf.jinja b/salt/salt/etc/minion.d/mine_functions.conf.jinja index 378d2c435..3851238fd 100644 --- a/salt/salt/etc/minion.d/mine_functions.conf.jinja +++ b/salt/salt/etc/minion.d/mine_functions.conf.jinja @@ -1,4 +1,8 @@ -mine_interval: 35 +mine_interval: 25 mine_functions: network.ip_addrs: - - interface: {{ GLOBALS.main_interface }} + - interface: {{ pillar.host.mainint }} +{% if grains.role in ['so-eval','so-import','so-manager','so-managersearch','so-standalone'] -%} + x509.get_pem_entries: + - glob_path: '/etc/pki/ca.crt' +{% endif -%} diff --git a/salt/salt/files/engines.conf b/salt/salt/files/engines.conf deleted file mode 100644 index c9e20adf3..000000000 --- a/salt/salt/files/engines.conf +++ /dev/null @@ -1,6 +0,0 @@ -engines_dirs: - - /etc/salt/engines - -engines: - - checkmine: - interval: 30 \ No newline at end of file 
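Review bot: The template now renders `{{ pillar.host.mainint }}` instead of `GLOBALS.main_interface`, which makes `host:mainint` a hard requirement of every minion's pillar at the time `salt.mine_functions` runs (during setup, per the new state's comment); a minion without it fails the render rather than falling back. The `add_desktop_to_minion` change in so-minion in this same commit stops writing `host: mainint` for desktop nodes, so please confirm the generic host section still supplies it there, or use `{{ salt['pillar.get']('host:mainint', '') }}` with a default. Publishing `/etc/pki/ca.crt` via `x509.get_pem_entries` from the manager roles only is fine: it is the public certificate and it replaces the deleted checkmine engine.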
diff --git a/salt/salt/master.sls b/salt/salt/master.sls index 8b2b6c7d0..b10a4df0f 100644 --- a/salt/salt/master.sls +++ b/salt/salt/master.sls @@ -18,17 +18,14 @@ salt_master_service: - enable: True checkmine_engine: - file.managed: + file.absent: - name: /etc/salt/engines/checkmine.py - - source: salt://salt/engines/checkmine.py - - makedirs: True - watch_in: - service: salt_minion_service engines_config: - file.managed: + file.absent: - name: /etc/salt/minion.d/engines.conf - - source: salt://salt/files/engines.conf - watch_in: - service: salt_minion_service @@ -38,4 +35,4 @@ engines_config: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} diff --git a/salt/salt/mine_functions.sls b/salt/salt/mine_functions.sls new file mode 100644 index 000000000..49a47e524 --- /dev/null +++ b/salt/salt/mine_functions.sls @@ -0,0 +1,13 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +# this state was seperated from salt.minion state since it is called during setup +# GLOBALS are imported in the salt.minion state and that is not available at that point in setup +# this state is included in the salt.minion state +mine_functions: + file.managed: + - name: /etc/salt/minion.d/mine_functions.conf + - source: salt://salt/etc/minion.d/mine_functions.conf.jinja + - template: jinja diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls index 5e06a361f..865bd367f 100644 --- a/salt/salt/minion.sls +++ b/salt/salt/minion.sls @@ -12,6 +12,7 @@ include: - salt - systemd.reload - repo.client + - salt.mine_functions {% if INSTALLEDSALTVERSION|string != SALTVERSION|string %} 
@@ -47,24 +48,24 @@ hold_salt_packages: {% endfor %} {% endif %} -remove_info_log_level_logfile: +remove_error_log_level_logfile: file.line: - name: /etc/salt/minion - - match: "log_level_logfile: info" + - match: "log_level_logfile: error" - mode: delete -remove_info_log_level: +remove_error_log_level: file.line: - name: /etc/salt/minion - - match: "log_level: info" + - match: "log_level: error" - mode: delete set_log_levels: file.append: - name: /etc/salt/minion - text: - - "log_level: error" - - "log_level_logfile: error" + - "log_level: info" + - "log_level_logfile: info" salt_minion_service_unit_file: file.managed: @@ -78,14 +79,6 @@ salt_minion_service_unit_file: {% endif %} -mine_functions: - file.managed: - - name: /etc/salt/minion.d/mine_functions.conf - - source: salt://salt/etc/minion.d/mine_functions.conf.jinja - - template: jinja - - defaults: - GLOBALS: {{ GLOBALS }} - # this has to be outside the if statement above since there are _in calls to this state salt_minion_service: service.running: diff --git a/salt/salt/service/salt-minion.service.jinja b/salt/salt/service/salt-minion.service.jinja index c7bae0bc2..27c7a15b6 100644 --- a/salt/salt/service/salt-minion.service.jinja +++ b/salt/salt/service/salt-minion.service.jinja @@ -1,6 +1,6 @@ [Unit] Description=The Salt Minion -Documentation=man:salt-minion(1) file:///usr/share/doc/salt/html/contents.html https://docs.saltstack.com/en/latest/contents.html +Documentation=man:salt-minion(1) file:///usr/share/doc/salt/html/contents.html https://docs.saltproject.io/en/latest/contents.html After=network.target salt-master.service [Service] @@ -12,4 +12,4 @@ ExecStart=/usr/bin/salt-minion ExecStartPre=/bin/sleep {{ salt['pillar.get']('salt:minion:service_start_delay', service_start_delay) }} [Install] -WantedBy=multi-user.target \ No newline at end of file +WantedBy=multi-user.target 
diff --git a/salt/sensor/files/99-so-checksum-offload-disable b/salt/sensor/files/99-so-checksum-offload-disable new file mode 100755 index 000000000..72f7838db --- /dev/null +++ b/salt/sensor/files/99-so-checksum-offload-disable @@ -0,0 +1,14 @@ +#!/bin/bash +# +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + + +. /usr/sbin/so-common + +{% set MNIC = salt['pillar.get']('sensor:interface') %} + +init_monitor {{ MNIC }} diff --git a/salt/sensor/init.sls b/salt/sensor/init.sls new file mode 100644 index 000000000..53cd808c6 --- /dev/null +++ b/salt/sensor/init.sls @@ -0,0 +1,12 @@ +offload_script: + file.managed: + - name: /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable + - source: salt://sensor/files/99-so-checksum-offload-disable + - mode: 755 + - template: jinja + +execute_checksum: + cmd.run: + - name: /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable + - onchanges: + - file: offload_script \ No newline at end of file diff --git a/salt/sensor/soc_sensor.yaml b/salt/sensor/soc_sensor.yaml index 0774e9bcf..9ab0c236e 100644 --- a/salt/sensor/soc_sensor.yaml +++ b/salt/sensor/soc_sensor.yaml @@ -1,9 +1,9 @@ sensor: interface: description: Main sensor monitoring interface. - helpLink: sensor.html + helpLink: network.html readonly: True mtu: - description: Main IP address of the grid host. - helpLink: host.html + description: Maximum Transmission Unit (MTU) of the sensor monitoring interface. + helpLink: network.html readonly: True diff --git a/salt/sensoroni/defaults.yaml b/salt/sensoroni/defaults.yaml index 4ccc11ce9..f53646ac2 100644 --- a/salt/sensoroni/defaults.yaml +++ b/salt/sensoroni/defaults.yaml 
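Review bot: The dispatcher script ignores the arguments NetworkManager passes (`$1` interface, `$2` action) and runs `init_monitor {{ MNIC }}` on every pre-up event of any interface, and the interface name is unquoted, so an empty `sensor:interface` pillar calls `init_monitor` with no argument. Guard on the event, `[[ "$1" == "{{ MNIC }}" ]] || exit 0` right after sourcing so-common, and quote the call, `init_monitor "{{ MNIC }}"`. NetworkManager also requires dispatcher scripts to be root-owned and not group- or world-writable; `file.managed` with `mode: 755` in sensor/init.sls (next hunk) satisfies that as long as the default root owner is kept.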
@@ -8,3 +8,31 @@ sensoroni: node_checkin_interval_ms: 10000 sensoronikey: soc_host: + analyzers: + emailrep: + base_url: https://emailrep.io/ + api_key: + greynoise: + base_url: https://api.greynoise.io/ + api_key: + api_version: community + localfile: + file_path: [] + otx: + base_url: https://otx.alienvault.com/api/v1/ + api_key: + pulsedive: + base_url: https://pulsedive.com/api/ + api_key: + spamhaus: + lookup_host: zen.spamhaus.org + nameservers: [] + urlscan: + base_url: https://urlscan.io/api/v1/ + api_key: + enabled: False + visibility: public + timeout: 180 + virustotal: + base_url: https://www.virustotal.com/api/v3/search?query= + api_key: diff --git a/salt/sensoroni/files/analyzers/README.md b/salt/sensoroni/files/analyzers/README.md index 8b1f44f29..19335a545 100644 --- a/salt/sensoroni/files/analyzers/README.md +++ b/salt/sensoroni/files/analyzers/README.md @@ -154,6 +154,12 @@ The analyzer itself will only run when a user in SOC enqueues an analyzer job, s python -m urlhaus '{"artifactType":"url","value":"https://bigbadbotnet.invalid",...}' ``` +To manually test an analyzer outside of the Sensoroni Docker container, use a command similar to the following: + +```bash +PYTHONPATH=. python urlhaus/urlhaus.py '{"artifactType":"url","value":"https://bigbadbotnet.invalid",...}' +``` + It is up to each analyzer to determine whether the provided input is compatible with that analyzer. This is assisted by the analyzer metadata, as described earlier in this document, with the use of the `supportedTypes` list. Once the analyzer completes its functionality, it must terminate promptly. See the following sections for more details on expected internal behavior of the analyzer. diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml index 8a35272ea..db51da358 100644 --- a/salt/sensoroni/soc_sensoroni.yaml +++ b/salt/sensoroni/soc_sensoroni.yaml 
@@ -2,38 +2,180 @@ sensoroni: enabled: description: Enable or disable Sensoroni. advanced: True - helpLink: sensoroni.html + helpLink: grid.html config: analyze: enabled: description: Enable or disable the analyzer. advanced: True - helpLink: sensoroni.html + helpLink: cases.html timeout_ms: description: Timeout period for the analyzer. advanced: True - helpLink: sensoroni.html + helpLink: cases.html parallel_limit: description: Parallel limit for the analyzer. advanced: True - helpLink: sensoroni.html + helpLink: cases.html node_checkin_interval_ms: description: Interval in ms to checkin to the soc_host. advanced: True - helpLink: sensoroni.html + helpLink: grid.html node_description: description: Description of the specific node. - helpLink: sensoroni.html + helpLink: grid.html node: True forcedType: string sensoronikey: description: Shared key for sensoroni authentication. - helpLink: sensoroni.html + helpLink: grid.html global: True sensitive: True advanced: True soc_host: description: Host for sensoroni agents to connect to. - helpLink: sensoroni.html + helpLink: grid.html global: True advanced: True + analyzers: + emailrep: + api_key: + description: API key for the EmailRep analyzer. + helpLink: cases.html + global: False + sensitive: True + advanced: True + forcedType: string + base_url: + description: Base URL for the EmailRep analyzer. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string + greynoise: + api_key: + description: API key for the GreyNoise analyzer. + helpLink: cases.html + global: False + sensitive: True + advanced: True + forcedType: string + api_version: + description: API version for the GreyNoise analyzer. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string + base_url: + description: Base URL for the GreyNoise analyzer. 
+ helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string + localfile: + file_path: + description: File path for the LocalFile analyzer. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: "[]string" + otx: + api_key: + description: API key for the OTX analyzer. + helpLink: cases.html + global: False + sensitive: True + advanced: True + forcedType: string + base_url: + description: Base URL for the OTX analyzer. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string + pulsedive: + api_key: + description: API key for the Pulsedive analyzer. + helpLink: cases.html + global: False + sensitive: True + advanced: True + forcedType: string + base_url: + description: Base URL for the Pulsedive analyzer. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string + spamhaus: + lookup_host: + description: Host to use for lookups. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string + nameservers: + description: Nameservers used for queries. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedTypes: "[]string" + urlscan: + api_key: + description: API key for the Urlscan analyzer. + helpLink: cases.html + global: False + sensitive: True + advanced: True + forcedType: string + base_url: + description: Base URL for the Urlscan analyzer. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string + enabled: + description: Analyzer enabled + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: bool + timeout: + description: Timeout for the Urlscan analyzer. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: int + visibility: + description: Type of visibility. 
+ helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string + virustotal: + api_key: + description: API key for the VirusTotal analyzer. + helpLink: cases.html + global: False + sensitive: True + advanced: True + forcedType: string + base_url: + description: Base URL for the VirusTotal analyzer. + helpLink: cases.html + global: False + sensitive: False + advanced: True + forcedType: string diff --git a/salt/soc/defaults.map.jinja b/salt/soc/defaults.map.jinja index 7720e7027..2587051c5 100644 --- a/salt/soc/defaults.map.jinja +++ b/salt/soc/defaults.map.jinja @@ -16,7 +16,7 @@ {# add nodes from the logstash:nodes pillar to soc.server.modules.elastic.remoteHostUrls #} {% for node_type, minions in salt['pillar.get']('logstash:nodes', {}).items() %} {% for m in minions.keys() %} -{% do SOCDEFAULTS.soc.config.server.modules.elastic.remoteHostUrls.append(m) %} +{% do SOCDEFAULTS.soc.config.server.modules.elastic.remoteHostUrls.append('https://' ~ m ~ ':9200') %} {% endfor %} {% endfor %} diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 53db2c838..6d8ed5bfd 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -69,7 +69,7 @@ soc: - log.id.uid - network.community_id - event.dataset - ':kratos:kratos.audit': + ':kratos:audit': - soc_timestamp - http_request.headers.x-real-ip - identity_id @@ -474,19 +474,6 @@ soc: - event.dataset - process.executable - user.name - ':ossec:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rule.name - - rule.level - - rule.category - - process.name - - user.name - - user.escalated - - location ':strelka:file': - soc_timestamp - file.name 
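Review bot: `spamhaus.nameservers` uses the key `forcedTypes` while every other entry in this hunk uses `forcedType`, so the `"[]string"` hint will not be applied to that setting and the UI may accept a scalar; change it to `forcedType: "[]string"`. The `urlscan.visibility` description `Type of visibility.` should tell the operator what the choice exposes, e.g. `description: Scan visibility on urlscan.io. Public scans are listed on the urlscan site; use unlisted to keep submitted URLs out of the public feed.` The `urlscan.enabled` description `Analyzer enabled` is the only one here that is not a sentence.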
@@ -523,28 +510,6 @@ soc: - message - kibana.log.meta.req.headers.x-real-ip - event.dataset - '::rootcheck': - - soc_timestamp - - host.name - - metadata.ip_address - - log.full - - event.dataset - - event.module - '::ossec': - - soc_timestamp - - host.name - - metadata.ip_address - - log.full - - event.dataset - - event.module - '::syscollector': - - soc_timestamp - - host.name - - metadata.ip_address - - wazuh.data.type - - log.full - - event.dataset - - event.module ':syslog:syslog': - soc_timestamp - host.name @@ -570,14 +535,13 @@ soc: - destination.geo.country_iso_code - user.name - source.ip - ':windows.sysmon_operational:': + '::sysmon_operational': - soc_timestamp - event.action - - process.executable + - winlog.computer_name - user.name - - file.target - - dns.question.name - - winlog.event_data.TargetObject + - process.executable + - process.pid '::network_connection': - soc_timestamp - source.ip @@ -1048,6 +1012,8 @@ soc: verifyCert: false salt: queueDir: /opt/sensoroni/queue + timeoutMs: 45000 + longRelayTimeoutMs: 120000 sostatus: refreshIntervalMs: 30000 offlineThresholdMs: 900000 @@ -1140,7 +1106,7 @@ soc: showSubtitle: true - name: SOC - Auth description: Users authenticated to SOC grouped by IP address and identity - query: 'event.dataset:kratos.audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id' + query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip identity_id' showSubtitle: true - name: SOC - App description: Logs generated by the Security Onion Console (SOC) server and modules 
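Review bot: The default added here is `salt.timeoutMs`, but the matching UI annotation in `salt/soc/soc_soc.yaml` (the `@@ -110,6 +111,15 @@` hunk later in this diff) documents `salt.relayTimeoutMs` next to `longRelayTimeoutMs`; one of the two names is wrong, so either this default will carry no description in the Config UI or the annotated key has no default. The diff does not show which name the SOC server reads — align whichever one the code expects, e.g. `relayTimeoutMs: 45000` here if the annotation is right.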
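Review bot: The query change to `msg:*authenticated*` introduces a leading wildcard, and if kratos logs any message containing `unauthenticated` (a request rejected for lack of a session, for instance) those events would now be counted on the "Users authenticated to SOC" dashboard, turning a login-activity view into one that also shows rejected access; the same change appears in the `@@ -1405,7 +1371,7 @@` hunk. If the intent is to catch variants such as `authenticated successfully`, a trailing-only wildcard `msg:authenticated*` or an explicit OR of the known messages does not match the negated form and is cheaper on a large audit index.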
@@ -1405,7 +1371,7 @@ soc: query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module* | groupby event.dataset | groupby event.module* | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: SOC Auth description: SOC (Security Onion Console) authentication logs - query: 'event.dataset:kratos.audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' + query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' - name: Elastalerts description: Elastalert logs query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type' @@ -1622,21 +1588,15 @@ soc: - rule.uuid - rule.category - rule.rev - ':ossec:': + ':playbook:': - soc_timestamp - rule.name - event.severity_label - - source.ip - - source.port - - destination.ip - - destination.port - - rule.level - - rule.category - - process.name - - user.name - - user.escalated - - location - - process.name + - event_data.event.module + - event_data.event.category + - event_data.process.executable + - event_data.process.pid + - event_data.winlog.computer_name queryBaseFilter: tags:alert queryToggleFilters: - name: acknowledged diff --git a/salt/soc/files/soc/motd.md b/salt/soc/files/soc/motd.md index b5a4fac5f..d6b0d3d27 100644 --- a/salt/soc/files/soc/motd.md +++ b/salt/soc/files/soc/motd.md 
@@ -1,6 +1,6 @@ ## Getting Started -New to Security Onion 2? Click the menu in the upper-right corner and you'll find links for [Help](/docs/) and a [Cheatsheet](/docs/cheatsheet.pdf) that will help you best utilize Security Onion to hunt for evil! In addition, check out our free Security Onion 2 Essentials online course, available on our [Training](https://securityonionsolutions.com/training) website. +New to Security Onion 2? Click the menu in the upper-right corner and you'll find links for [Help](/docs/) and a [Cheat Sheet](/docs/cheatsheet.pdf) that will help you best utilize Security Onion to hunt for evil! In addition, check out our free Security Onion 2 Essentials online course, available on our [Training](https://securityonionsolutions.com/training) website. If you're ready to dive in, take a look at the [Alerts](/#/alerts) interface to see what Security Onion has detected so far. Then go to the [Dashboards](/#/dashboards) interface for a general overview of all logs collected or go to the [Hunt](/#/hunt) interface for more focused threat hunting. Once you've found something of interest, escalate it to [Cases](/#/cases) to then collect evidence and analyze observables as you work towards closing the case. @@ -8,6 +8,10 @@ If you're ready to dive in, take a look at the [Alerts](/#/alerts) interface to To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/release-notes.html) link. +## Enterprise Appliances + +Want the best hardware for your enterprise deployment? Check out our [enterprise appliances](https://securityonionsolutions.com/hardware/)! + ## Customize This Space Make this area your own by customizing the content in the [Config](/#/config?s=soc.files.soc.motd__md) interface. diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index dc2f889bb..33c0070ad 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja 
@@ -35,7 +35,18 @@ {% endif %} {% set standard_actions = SOCMERGED.config.pop('actions') %} -{% if pillar.global.endgamehost is defined %} + +{% if pillar.global.endgamehost != '' %} +{# this is added to prevent endgame_dict from being added to standard_actions for each time this file is rendered #} +{# since this map file is rendered 3 times, it causes endgame_dict to appened 3 times if custom actions are defined in the pillar #} +{% set endgame = namespace(add=true) %} +{% for d in standard_actions %} +{% if d.name is defined %} +{% if d.name == 'Endgame' %} +{% set endgame.add = false %} +{% endif %} +{% endif %} +{% endfor %} {% set endgame_dict = { "name": "Endgame", "description": "Endgame Endpoint Investigation and Response", @@ -44,7 +55,9 @@ "links": ["https://" ~ pillar.global.endgamehost ~ "/endpoints/{:agent.id}"] } %} -{% do standard_actions.append(endgame_dict) %} +{% if endgame.add %} +{% do standard_actions.append(endgame_dict) %} +{% endif %} {% endif %} {% do SOCMERGED.config.server.client.hunt.update({'actions': standard_actions}) %} diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index e3d704e80..291f564ed 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
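Review bot: Replacing `is defined` with `!= ''` means a pillar that has no `global:endgamehost` key at all is no longer excluded: with Jinja's default non-strict Undefined, which Salt uses unless configured otherwise, an undefined value compares unequal to `''`, so the branch is taken and the action gets a link of `https:///endpoints/...`; only a pillar that sets the key to an empty string is skipped. Keeping both checks handles either shape: `{% if pillar.global.endgamehost is defined and pillar.global.endgamehost != '' %}`. The de-duplication loop is a sound fix for the triple render; in its comment `appened` should read `appended`.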
@@ -45,9 +45,10 @@ soc: actions: description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. global: True + forcedType: "[]{}" eventFields: default: - description: The list of fields to show as columns in the Hunt/Dashboards event table, when no other specific mapping applies. Mappings are defined by the format ":event.module:event.dataset". + description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. This 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. global: True advanced: True server: @@ -110,6 +111,15 @@ soc: description: Duration (in milliseconds) that must elapse after a grid node fails to check-in before the node will be marked offline (fault). global: True advanced: True + salt: + longRelayTimeoutMs: + description: Duration (in milliseconds) to wait for a response from the Salt API when executing tasks known for being long running before giving up and showing an error on the SOC UI. + global: True + advanced: True + relayTimeoutMs: + description: Duration (in milliseconds) to wait for a response from the Salt API when executing common grid management tasks before giving up and showing an error on the SOC UI. + global: True + advanced: True client: enableReverseLookup: description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI. 
@@ -139,6 +149,7 @@ soc: description: List of available external tools visible in the SOC UI. Each tool is defined in JSON object notation, and must include the "name" key and "link" key, where the link is the tool's URL. global: True advanced: True + forcedType: "[]{}" hunt: &appSettings groupItemsPerPage: description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI. @@ -164,6 +175,12 @@ soc: queries: description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. global: True + forcedType: "[]{}" + queryToggleFilters: + description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query. + global: True + advanced: True + forcedType: "[]{}" alerts: *appSettings cases: *appSettings dashboards: *appSettings diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 97e971b83..ef93a9072 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -7,7 +7,7 @@ {% if sls in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %} +{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %} {% set global_ca_text = [] %} {% set global_ca_server = [] %} @@ -36,14 +36,24 @@ include: {% set ca_server = global_ca_server[0] %} {% endif %} - +cacertdir: + file.directory: + - name: /etc/pki/tls/certs + - makedirs: True # Trust the CA trusttheca: x509.pem_managed: - - name: /etc/ssl/certs/intca.crt + - name: /etc/pki/tls/certs/intca.crt - text: {{ trusttheca_text }} +{% if GLOBALS.os_family == 'Debian' %} +symlinkca: + file.symlink: + - target: /etc/pki/tls/certs/intca.crt + - name: /etc/ssl/certs/intca.crt +{% endif %} + # Install packages needed for the sensor m2cryptopkgs: pkg.installed: 
@@ -153,8 +163,8 @@ etc_elasticfleet_crt: - ca_server: {{ ca_server }} - signing_policy: elasticfleet - private_key: /etc/pki/elasticfleet-server.key - - CN: {{ GLOBALS.url_base }} - - subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }} {% if CUSTOMFQDN != "" %},DNS:{{ CUSTOMFQDN }}{% endif %} + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %} - days_remaining: 0 - days_valid: 820 - backup: True @@ -198,7 +208,7 @@ etc_elasticfleet_logstash_key: - new: True {% if salt['file.file_exists']('/etc/pki/elasticfleet-logstash.key') -%} - prereq: - - x509: etc_elasticfleet_crt + - x509: etc_elasticfleet_logstash_crt {%- endif %} - retry: attempts: 5 @@ -210,8 +220,8 @@ etc_elasticfleet_logstash_crt: - ca_server: {{ ca_server }} - signing_policy: elasticfleet - private_key: /etc/pki/elasticfleet-logstash.key - - CN: {{ GLOBALS.url_base }} - - subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }} {% if CUSTOMFQDN != "" %},DNS:{{ CUSTOMFQDN }}{% endif %} + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %} - days_remaining: 0 - days_valid: 820 - backup: True @@ -259,7 +269,7 @@ etc_elasticfleetlumberjack_key: - new: True {% if salt['file.file_exists']('/etc/pki/elasticfleet-lumberjack.key') -%} - prereq: - - x509: etc_elasticfleet_crt + - x509: etc_elasticfleetlumberjack_crt {%- endif %} - retry: attempts: 5 
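Review bot: `ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:')` assumes the merged value is a list, while the line it replaces treated `elasticfleet:config:server:custom_fqdn` as a string compared against `""`; a grid whose pillar still holds the old scalar form passes the `| length > 0` check and `join` iterates its characters, producing a SAN like `DNS:f,DNS:l,...`. The same expression is in the `@@ -210,8 +220,8 @@` hunk for the logstash certificate. Normalising once before use, `{% set fqdns = [custom_fqdn] if custom_fqdn is string else custom_fqdn %}`, or a migration note next to the setting, closes the gap.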
@@ -283,7 +293,7 @@ etc_elasticfleetlumberjack_crt: cmd.run: - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-lumberjack.key -topk8 -out /etc/pki/elasticfleet-lumberjack.p8 -nocrypt" - onchanges: - - x509: etc_elasticfleet_key + - x509: etc_elasticfleetlumberjack_key eflogstashlumberjackperms: file.managed: @@ -327,7 +337,7 @@ etc_elasticfleet_agent_key: - new: True {% if salt['file.file_exists']('/etc/pki/elasticfleet-agent.key') -%} - prereq: - - x509: etc_elasticfleet_crt + - x509: etc_elasticfleet_agent_crt {%- endif %} - retry: attempts: 5 @@ -350,7 +360,7 @@ etc_elasticfleet_agent_crt: cmd.run: - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-agent.key -topk8 -out /etc/pki/elasticfleet-agent.p8 -nocrypt" - onchanges: - - x509: etc_elasticfleet_key + - x509: etc_elasticfleet_agent_key efagentperms: file.managed: diff --git a/salt/ssl/remove.sls b/salt/ssl/remove.sls index 4eb0eb442..43a245288 100644 --- a/salt/ssl/remove.sls +++ b/salt/ssl/remove.sls @@ -1,6 +1,6 @@ trusttheca: file.absent: - - name: /etc/ssl/certs/intca.crt + - name: /etc/pki/tls/certs/intca.crt influxdb_key: file.absent: diff --git a/salt/strelka/config.sls b/salt/strelka/config.sls index bf3ac3dca..1d0f75adf 100644 --- a/salt/strelka/config.sls +++ b/salt/strelka/config.sls @@ -43,6 +43,20 @@ strelka_sbin: - group: 939 - file_mode: 755 +strelkagkredisdatadir: + file.directory: + - name: /nsm/strelka/gk-redis-data + - user: 939 + - group: 939 + - makedirs: True + +strelkacoordredisdatadir: + file.directory: + - name: /nsm/strelka/coord-redis-data + - user: 939 + - group: 939 + - makedirs: True + {% else %} {{sls}}_state_not_allowed: diff --git a/salt/strelka/coordinator/enabled.sls b/salt/strelka/coordinator/enabled.sls index 7a156bc9a..3440cd5a4 100644 --- a/salt/strelka/coordinator/enabled.sls +++ b/salt/strelka/coordinator/enabled.sls 
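Review bot: `remove.sls` now deletes `/etc/pki/tls/certs/intca.crt` but not the `/etc/ssl/certs/intca.crt` symlink that `salt/ssl/init.sls` (the `@@ -36,14 +36,24 @@` hunk) creates on Debian, so a removal leaves a dangling link in the system certificate directory and anything still mounting the old path sees a broken file rather than a missing one. Adding `symlinkca:` / `  file.absent:` / `    - name: /etc/ssl/certs/intca.crt` after the existing state is enough; `file.absent` is a no-op where the path does not exist, so no OS-family guard is needed.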
@@ -37,12 +37,13 @@ strelka_coordinator: - {{ XTRAENV }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %} - binds: + - /nsm/strelka/coord-redis-data:/data:rw + {% if DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %} - {{ BIND }} {% endfor %} - {% endif %} + {% endif %} delete_so-strelka-coordinator_so-status.disabled: file.uncomment: - name: /opt/so/conf/so-status/so-status.conf diff --git a/salt/strelka/filestream/config.sls b/salt/strelka/filestream/config.sls index a215967ee..0f9f38914 100644 --- a/salt/strelka/filestream/config.sls +++ b/salt/strelka/filestream/config.sls @@ -6,6 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'strelka/map.jinja' import STRELKAMERGED %} +{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'strelka/map.jinja' import filecheck_runas %} include: @@ -46,6 +47,21 @@ filestream_config: FILESTREAMCONFIG: {{ STRELKAMERGED.filestream.config }} # Filecheck Section +{% if GLOBALS.os_family == 'Debian' %} +install_watchdog: + pkg.installed: + - name: python3-watchdog + +{% elif GLOBALS.os_family == 'RedHat' %} +remove_old_watchdog: + pkg.removed: + - name: python3-watchdog + +install_watchdog: + pkg.installed: + - name: securityonion-python39-watchdog +{% endif %} + filecheck_logdir: file.directory: - name: /opt/so/log/strelka 
@@ -78,6 +94,56 @@ filecheck_script: - group: 939 - mode: 755 +filecheck.log: + file.managed: + - name: /opt/so/log/strelka/filecheck.log + - user: {{ filecheck_runas }} + - group: {{ filecheck_runas }} + +filecheck_stdout.log: + file.managed: + - name: /opt/so/log/strelka/filecheck_stdout.log + - user: {{ filecheck_runas }} + - group: {{ filecheck_runas }} + +{% if GLOBALS.md_engine == 'ZEEK' %} + +remove_filecheck_run: + cron.absent: + - identifier: filecheck_run + - user: socore + +filecheck_run_socore: + cron.present: + - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &' + - identifier: filecheck_run_socore + - user: socore + +remove_filecheck_run_suricata: + cron.absent: + - identifier: filecheck_run_suricata + - user: suricata + +{% elif GLOBALS.md_engine == 'SURICATA'%} + +remove_filecheck_run: + cron.absent: + - identifier: filecheck_run + - user: suricata + +filecheck_run_suricata: + cron.present: + - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &' + - identifier: filecheck_run_suricata + - user: suricata + +remove_filecheck_run_socore: + cron.absent: + - identifier: filecheck_run_socore + - user: socore + +{% endif %} + filecheck_restart: cmd.run: - name: pkill -f "python3 /opt/so/conf/strelka/filecheck" @@ -85,12 +151,8 @@ filecheck_restart: - success_retcodes: [0,1] - onchanges: - file: filecheck_script - -filecheck_run: - cron.present: - - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &' - - identifier: filecheck_run - - user: {{ filecheck_runas }} + - file: filecheck_conf + - pkg: install_watchdog filcheck_history_clean: cron.present: 
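Review bot: The new `filecheck_run_socore` and `filecheck_run_suricata` cron states hard-code `user: socore` and `user: suricata`, while `filecheck.log` and `filecheck_stdout.log` in the same hunk are owned by `{{ filecheck_runas }}`; if `filecheck_runas` in `strelka/map.jinja` ever differs from the user chosen by `md_engine`, the cron-launched process cannot append to its own log and the failure is silent because stderr is redirected into that file. Using `{{ filecheck_runas }}` for the cron `user`, as the removed `filecheck_run` state did, keeps the two in step, or the map should be the single place that derives the user from `md_engine`. The liveness check `ps -ef | grep filecheck | grep -v grep` also matches any unrelated process whose command line contains `filecheck`, such as a `tail -f` on the log, which would keep the watcher from being restarted; `pgrep -f 'python3 /opt/so/conf/strelka/filecheck'` matches the same pattern `filecheck_restart` already uses.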
diff --git a/salt/strelka/gatekeeper/enabled.sls b/salt/strelka/gatekeeper/enabled.sls index b309403f4..8d06ddf6a 100644 --- a/salt/strelka/gatekeeper/enabled.sls +++ b/salt/strelka/gatekeeper/enabled.sls @@ -31,12 +31,13 @@ strelka_gatekeeper: {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %} - {{ BINDING }} {% endfor %} - {% if DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %} - binds: - {% for BIND in DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %} + - /nsm/strelka/gk-redis-data:/data:rw + {% if DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %} + {% for BIND in DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %} - {{ BIND }} - {% endfor %} - {% endif %} + {% endfor %} + {% endif %} {% if DOCKER.containers['so-strelka-gatekeeper'].extra_env %} - environment: {% for XTRAENV in DOCKER.containers['so-strelka-gatekeeper'].extra_env %} diff --git a/salt/strelka/tools/sbin_jinja/so-yara-download b/salt/strelka/tools/sbin_jinja/so-yara-download deleted file mode 100644 index a8087173c..000000000 --- a/salt/strelka/tools/sbin_jinja/so-yara-download +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -NOROOT=1 -. /usr/sbin/so-common - -{%- set proxy = salt['pillar.get']('manager:proxy') %} - -# Download the rules from the internet -{%- if proxy %} -export http_proxy={{ proxy }} -export https_proxy={{ proxy }} -export no_proxy=salt['pillar.get']('manager:no_proxy') -{%- endif %} - -mkdir -p /tmp/yara -cd /tmp/yara -git clone https://github.com/Security-Onion-Solutions/securityonion-yara.git -mkdir -p /nsm/rules/yara -rsync -shav --progress /tmp/yara/securityonion-yara/yara /nsm/rules/ -cd /tmp -rm -rf /tmp/yara - diff --git a/salt/suricata/config.sls b/salt/suricata/config.sls index c8666ef2b..9da40660e 100644 --- a/salt/suricata/config.sls +++ b/salt/suricata/config.sls 
@@ -68,6 +68,14 @@ surilogdir: - user: 940 - group: 939 +surinsmdir: + file.directory: + - name: /nsm/suricata + - user: 940 + - group: 939 + - mode: 755 + - makedirs: True + suridatadir: file.directory: - name: /nsm/suricata/extracted diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 4651b7268..050efa8f8 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -416,7 +416,6 @@ suricata: enabled: "yes" filename: keyword_perf.log append: "yes" - prefilter: enabled: "yes" filename: prefilter_perf.log diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja index 5576117cc..01d019de8 100644 --- a/salt/suricata/map.jinja +++ b/salt/suricata/map.jinja @@ -11,7 +11,7 @@ {# suricata.config.af-packet has to be rewritten here since we cant display '- interface' in the ui #} {# we are limited to only one iterface #} {% load_yaml as afpacket %} -- interface: {{ SURICATAMERGED.config['af-packet'].interface }} +- interface: {{ GLOBALS.sensor.interface }} cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }} cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }} defrag: {{ SURICATAMERGED.config['af-packet'].defrag }} diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index f13e89618..30f277c0a 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml @@ -14,7 +14,9 @@ suricata: config: af-packet: interface: - description: The network interface that Suricata will monitor. + description: The network interface that Suricata will monitor. This is set under sensor > interface. + advanced: True + readonly: True helpLink: suricata.html cluster-id: advanced: True diff --git a/salt/telegraf/config.sls b/salt/telegraf/config.sls index 1cc7ceed0..0711260b5 100644 --- a/salt/telegraf/config.sls +++ b/salt/telegraf/config.sls 
@@ -32,17 +32,16 @@ tgrafetsdir: - name: /opt/so/conf/telegraf/scripts - makedirs: True -tgrafsyncscripts: - file.recurse: - - name: /opt/so/conf/telegraf/scripts +{% for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %} +tgraf_sync_script_{{script}}: + file.managed: + - name: /opt/so/conf/telegraf/scripts/{{script}} - user: root - group: 939 - - file_mode: 770 + - mode: 770 - template: jinja - - source: salt://telegraf/scripts - {% if GLOBALS.md_engine == 'SURICATA' %} - - exclude_pat: zeekcaptureloss.sh - {% endif %} + - source: salt://telegraf/scripts/{{script}} +{% endfor %} telegraf_sbin: file.recurse: diff --git a/salt/telegraf/defaults.yaml b/salt/telegraf/defaults.yaml index 63d437763..0b7d532b1 100644 --- a/salt/telegraf/defaults.yaml +++ b/salt/telegraf/defaults.yaml @@ -9,3 +9,74 @@ telegraf: flush_jitter: '0s' debug: 'false' quiet: 'false' + scripts: + eval: + - checkfiles.sh + - influxdbsize.sh + - oldpcap.sh + - raid.sh + - sostatus.sh + - stenoloss.sh + - suriloss.sh + - zeekcaptureloss.sh + - zeekloss.sh + standalone: + - checkfiles.sh + - eps.sh + - influxdbsize.sh + - oldpcap.sh + - raid.sh + - redis.sh + - sostatus.sh + - stenoloss.sh + - suriloss.sh + - zeekcaptureloss.sh + - zeekloss.sh + manager: + - influxdbsize.sh + - raid.sh + - redis.sh + - sostatus.sh + managersearch: + - eps.sh + - influxdbsize.sh + - raid.sh + - redis.sh + - sostatus.sh + import: + - sostatus.sh + sensor: + - checkfiles.sh + - oldpcap.sh + - raid.sh + - sostatus.sh + - stenoloss.sh + - suriloss.sh + - zeekcaptureloss.sh + - zeekloss.sh + heavynode: + - checkfiles.sh + - eps.sh + - oldpcap.sh + - raid.sh + - redis.sh + - sostatus.sh + - stenoloss.sh + - suriloss.sh + - zeekcaptureloss.sh + - zeekloss.sh + idh: + - sostatus.sh + searchnode: + - eps.sh + - raid.sh + - sostatus.sh + receiver: + - eps.sh + - raid.sh + - redis.sh + - sostatus.sh + fleet: + - sostatus.sh + desktop: + - sostatus.sh 
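Review bot: `script` comes from the merged `telegraf:scripts:<role>` list, which `soc_telegraf.yaml` in this diff exposes as an editable global setting, and it is interpolated unvalidated into the target `name:`, the `salt://telegraf/scripts/{{script}}` source, and (in `telegraf.conf`) the `[[inputs.exec]]` commands; a value containing `/` or `..` could direct the managed, jinja-rendered file outside `/opt/so/conf/telegraf/scripts`. Restricting the loop to bare filenames, `{% for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] if '/' not in script %}`, enforces the description's own rule that the script "must be present in salt/telegraf/scripts", and the same filter should be applied where `enabled.sls` builds its `watch` list so the two stay consistent. `TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]]` raises for a role with no key in `scripts`, so every role in `defaults.yaml` has to stay in sync with the role list.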
diff --git a/salt/telegraf/enabled.sls b/salt/telegraf/enabled.sls index 209c85fb0..d55e536d6 100644 --- a/salt/telegraf/enabled.sls +++ b/salt/telegraf/enabled.sls @@ -7,6 +7,7 @@ {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'telegraf/map.jinja' import TELEGRAFMERGED %} include: @@ -45,7 +46,7 @@ so-telegraf: {% if GLOBALS.role in ['so-manager', 'so-eval', 'so-managersearch' ] %} - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro {% else %} - - /etc/ssl/certs/intca.crt:/etc/telegraf/ca.crt:ro + - /etc/pki/tls/certs/intca.crt:/etc/telegraf/ca.crt:ro {% endif %} - /etc/pki/influxdb.crt:/etc/telegraf/telegraf.crt:ro - /etc/pki/influxdb.key:/etc/telegraf/telegraf.key:ro @@ -67,8 +68,10 @@ so-telegraf: {% endif %} - watch: - file: tgrafconf - - file: tgrafsyncscripts - file: node_config + {% for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %} + - file: tgraf_sync_script_{{script}} + {% endfor %} - require: - file: tgrafconf - file: node_config diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index 1a6cdc311..45b1283e0 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf @@ -193,7 +193,7 @@ username = "{{ ES_USER }}" password = "{{ ES_PASS }}" insecure_skip_verify = true -{%- elif grains['role'] in ['so-searchnode', 'so-hotnode', 'so-warmnode'] %} +{%- elif grains['role'] in ['so-searchnode'] %} [[inputs.elasticsearch]] servers = ["https://{{ NODEIP }}:9200"] cluster_stats = false @@ -244,6 +244,8 @@ {%- endif %} # # Read metrics from one or more commands that can output to stdout +{%- if 'sostatus.sh' in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %} +{%- do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('sostatus.sh') %} [[inputs.exec]] commands = [ "/scripts/sostatus.sh" 
@@ -251,122 +253,26 @@ data_format = "influx" timeout = "15s" interval = "60s" +{%- endif %} -# ## Commands array -{% if grains['role'] in ['so-manager'] %} +{%- if TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] | length > 0 %} [[inputs.exec]] commands = [ - "/scripts/redis.sh", - "/scripts/influxdbsize.sh", - "/scripts/raid.sh", - "/scripts/beatseps.sh" +{%- for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %} + "/scripts/{{script}}"{% if not loop.last %},{% endif %} +{%- endfor %} ] data_format = "influx" ## Timeout for each command to complete. timeout = "15s" -{% elif grains['role'] in ['so-managersearch'] %} -[[inputs.exec]] - commands = [ - "/scripts/redis.sh", - "/scripts/influxdbsize.sh", - "/scripts/eps.sh", - "/scripts/raid.sh", - "/scripts/beatseps.sh" - ] - data_format = "influx" - ## Timeout for each command to complete. - timeout = "15s" -{% elif grains['role'] in ['so-searchnode', 'so-receiver'] %} -[[inputs.exec]] - commands = [ - "/scripts/eps.sh", - "/scripts/raid.sh", - {% if grains.role == 'so-receiver' %} - "/scripts/redis.sh", - {% endif %} - "/scripts/beatseps.sh" - ] - data_format = "influx" - ## Timeout for each command to complete. 
- timeout = "15s" -{% elif grains['role'] == 'so-sensor' %} -[[inputs.exec]] - commands = [ - "/scripts/stenoloss.sh", - "/scripts/suriloss.sh", - "/scripts/checkfiles.sh", - {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %} - "/scripts/zeekloss.sh", - "/scripts/zeekcaptureloss.sh", - {%- endif %} - "/scripts/oldpcap.sh", - "/scripts/raid.sh", - "/scripts/beatseps.sh" - ] - data_format = "influx" - timeout = "15s" -{% elif grains['role'] == 'so-heavynode' %} -[[inputs.exec]] - commands = [ - "/scripts/redis.sh", - "/scripts/stenoloss.sh", - "/scripts/suriloss.sh", - "/scripts/checkfiles.sh", - {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %} - "/scripts/zeekloss.sh", - "/scripts/zeekcaptureloss.sh", - {%- endif %} - "/scripts/oldpcap.sh", - "/scripts/eps.sh", - "/scripts/raid.sh", - "/scripts/beatseps.sh" - ] - data_format = "influx" - timeout = "15s" -{% elif grains['role'] == 'so-standalone' %} -[[inputs.exec]] - commands = [ - "/scripts/redis.sh", - "/scripts/influxdbsize.sh", - "/scripts/stenoloss.sh", - "/scripts/suriloss.sh", - "/scripts/checkfiles.sh", - {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %} - "/scripts/zeekloss.sh", - "/scripts/zeekcaptureloss.sh", - {%- endif %} - "/scripts/oldpcap.sh", - "/scripts/eps.sh", - "/scripts/raid.sh", - "/scripts/beatseps.sh" - ] - data_format = "influx" - timeout = "15s" -{% elif grains['role'] == 'so-eval' %} -[[inputs.exec]] - commands = [ - "/scripts/redis.sh", - "/scripts/stenoloss.sh", - "/scripts/suriloss.sh", - "/scripts/checkfiles.sh", - {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %} - "/scripts/zeekloss.sh", - "/scripts/zeekcaptureloss.sh", - {%- endif %} - "/scripts/oldpcap.sh", - "/scripts/influxdbsize.sh", - "/scripts/raid.sh", - "/scripts/beatseps.sh" - ] - data_format = "influx" - timeout = "15s" -{% endif %} +{%- endif %} {%- if salt['pillar.get']('healthcheck:enabled', False) %} [[inputs.file]] files = ["/host/nsm/zeek/logs/zeek_restart.log"] data_format = "influx" {%- endif %} + [[inputs.file]] files = 
["/etc/telegraf/node_config.json"] name_override = "node_config" diff --git a/salt/telegraf/map.jinja b/salt/telegraf/map.jinja index f1412d3ac..e6d3460d6 100644 --- a/salt/telegraf/map.jinja +++ b/salt/telegraf/map.jinja @@ -2,6 +2,16 @@ or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at https://securityonion.net/license; you may not use this file except in compliance with the Elastic License 2.0. #} - + +{% from 'vars/globals.map.jinja' import GLOBALS %} {% import_yaml 'telegraf/defaults.yaml' as TELEGRAFDEFAULTS %} {% set TELEGRAFMERGED = salt['pillar.get']('telegraf', TELEGRAFDEFAULTS.telegraf, merge=True) %} + +{% if GLOBALS.role in ['so-eval', 'so-standalone', 'so-sensor', 'so-heavynode'] %} +{% from 'zeek/config.map.jinja' import ZEEKMERGED %} +{# if the md engine isn't zeek or zeek is disabled, dont run the zeek scripts for telegraf #} +{% if GLOBALS.md_engine != 'ZEEK' or not ZEEKMERGED.enabled %} +{% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekloss.sh') %} +{% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekcaptureloss.sh') %} +{% endif %} +{% endif %} diff --git a/salt/telegraf/scripts/beatseps.sh b/salt/telegraf/scripts/beatseps.sh deleted file mode 100644 index 5f3db53f8..000000000 --- a/salt/telegraf/scripts/beatseps.sh +++ /dev/null 
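Review bot: `list.remove()` raises `ValueError` when the item is absent, so if an operator has already dropped `zeekloss.sh` or `zeekcaptureloss.sh` from a role's `telegraf:scripts` list (UI-editable per `soc_telegraf.yaml`) on a non-Zeek grid, every state that imports this map fails to render. `telegraf.conf` in this same commit guards its `remove('sostatus.sh')` with an `in` check; the same guard belongs here. The rewrite below replaces the two `do ... remove` lines.
```jinja
{% if GLOBALS.md_engine != 'ZEEK' or not ZEEKMERGED.enabled %}
{% for zeek_script in ['zeekloss.sh', 'zeekcaptureloss.sh'] %}
{% if zeek_script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
{% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove(zeek_script) %}
{% endif %}
{% endfor %}
{% endif %}
```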
@@ -1,38 +0,0 @@ -#!/bin/bash -# -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - - -# if this script isn't already running -if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then - - PREVCOUNTFILE='/tmp/beatseps.txt' - EVENTCOUNTCURRENT="$(curl -s localhost:5066/stats | jq '.libbeat.output.events.acked')" - FAILEDEVENTCOUNT="$(curl -s localhost:5066/stats | jq '.libbeat.output.events.failed')" - - if [ ! -z "$EVENTCOUNTCURRENT" ]; then - - if [ -f "$PREVCOUNTFILE" ]; then - EVENTCOUNTPREVIOUS=`cat $PREVCOUNTFILE` - else - echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE - exit 0 - fi - - echo "${EVENTCOUNTCURRENT}" > $PREVCOUNTFILE - # the division by 30 is because the agent interval is 30 seconds - EVENTS=$(((EVENTCOUNTCURRENT - EVENTCOUNTPREVIOUS)/30)) - if [ "$EVENTS" -lt 0 ]; then - EVENTS=0 - fi - - echo "fbstats eps=${EVENTS%%.*},failed=$FAILEDEVENTCOUNT" - fi - -fi - -exit 0 diff --git a/salt/telegraf/scripts/zeekcaptureloss.sh b/salt/telegraf/scripts/zeekcaptureloss.sh index e0c8758f2..f2c3fcd2d 100644 --- a/salt/telegraf/scripts/zeekcaptureloss.sh +++ b/salt/telegraf/scripts/zeekcaptureloss.sh 
@@ -5,16 +5,18 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. - - - # This script returns the average of all the workers average capture loss to telegraf / influxdb in influx format include nanosecond precision timestamp # if this script isn't already running +{%- from 'zeek/config.map.jinja' import ZEEKMERGED %} if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then if [ -d "/host/nsm/zeek/spool/logger" ]; then - WORKERS={{ salt['pillar.get']('sensor:zeek_lbprocs', salt['pillar.get']('sensor:zeek_pins') | length) }} +{%- if ZEEKMERGED.config.node.pins %} + WORKERS={{ ZEEKMERGED.config.node.pins | length }} +{%- else %} + WORKERS={{ ZEEKMERGED.config.node.lb_procs }} +{%- endif %} ZEEKLOG=/host/nsm/zeek/spool/logger/capture_loss.log elif [ -d "/host/nsm/zeek/spool/zeeksa" ]; then WORKERS=1 diff --git a/salt/telegraf/soc_telegraf.yaml b/salt/telegraf/soc_telegraf.yaml index a688ea2a3..1550c66cb 100644 --- a/salt/telegraf/soc_telegraf.yaml +++ b/salt/telegraf/soc_telegraf.yaml @@ -42,4 +42,21 @@ telegraf: global: True advanced: True helpLink: telegraf.html - \ No newline at end of file + scripts: + eval: &telegrafscripts + description: List of input.exec scripts to run for this node type. The script must be present in salt/telegraf/scripts. + forcedType: "[]string" + multiline: True + advanced: True + helpLink: telegraf.html + standalone: *telegrafscripts + manager: *telegrafscripts + managersearch: *telegrafscripts + import: *telegrafscripts + sensor: *telegrafscripts + heavynode: *telegrafscripts + idh: *telegrafscripts + searchnode: *telegrafscripts + receiver: *telegrafscripts + fleet: *telegrafscripts + desktop: *telegrafscripts diff --git a/salt/top.sls b/salt/top.sls index e53895324..4f84e17ac 100644 --- a/salt/top.sls +++ b/salt/top.sls 
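Review bot: The replaced pillar lookup had a fallback (`zeek_pins | length` when `zeek_lbprocs` was unset), whereas the new branch writes `WORKERS={{ ZEEKMERGED.config.node.lb_procs }}` unconditionally when `pins` is empty; if `lb_procs` is also missing from the merged config, WORKERS renders empty and the averaging this script describes in its header comment breaks at runtime. A default keeps the shell side well-formed: `WORKERS={{ ZEEKMERGED.config.node.lb_procs | default(1) }}`. Whether `lb_procs` is always present in `zeek/config.map.jinja` is not visible here, and the enclosing `if [[ ! ... ]]` block ends outside the hunk.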
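Review bot: The new `scripts` annotations make the `inputs.exec` command list editable from SOC, and the description says the script "must be present in salt/telegraf/scripts", but nothing in the annotation constrains the values beyond `forcedType: "[]string"`. Since each entry presumably ends up as an executed command path in the rendered telegraf config, a reviewer would want the consuming template to accept basenames only (rejecting entries containing path separators) and the description to state that contract, e.g. `description: List of input.exec scripts to run for this node type (basename only; the script must be present in salt/telegraf/scripts).`. Where the list is consumed is not visible in this hunk, so whether such validation already exists cannot be confirmed here.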
@@ -28,14 +28,13 @@ base: - motd - salt.minion-check - salt.lasthighstate - - docker - - 'not *_desktop and G@saltversion:{{saltversion}}': - - match: compound - common - + - docker + - docker_clean + '*_sensor and G@saltversion:{{saltversion}}': - match: compound + - sensor - ssl - sensoroni - telegraf @@ -46,23 +45,23 @@ base: - healthcheck - zeek - strelka - - docker_clean - elasticfleet.install_agent_grid '*_eval and G@saltversion:{{saltversion}}': - match: compound - salt.master + - sensor - ca - ssl - registry - - sensoroni - manager - backup.config_backup - nginx - - telegraf - influxdb - soc - kratos + - sensoroni + - telegraf - firewall - idstools - suricata.manager @@ -80,9 +79,7 @@ base: - utility - soctopus - playbook - - redis - elasticfleet - - docker_clean '*_manager and G@saltversion:{{saltversion}}': - match: compound @@ -90,14 +87,14 @@ base: - ca - ssl - registry - - sensoroni - nginx - - telegraf - influxdb - soc - kratos - firewall - manager + - sensoroni + - telegraf - backup.config_backup - idstools - suricata.manager @@ -113,23 +110,23 @@ base: - soctopus - playbook - elasticfleet - - docker_clean '*_standalone and G@saltversion:{{saltversion}}': - match: compound - salt.master + - sensor - ca - ssl - registry - - sensoroni - manager - backup.config_backup - nginx - - telegraf - influxdb - soc - kratos - firewall + - sensoroni + - telegraf - idstools - suricata.manager - healthcheck @@ -149,19 +146,17 @@ base: - soctopus - playbook - elasticfleet - - docker_clean '*_searchnode and G@saltversion:{{saltversion}}': - match: compound - ssl - sensoroni - - nginx - telegraf + - nginx - firewall - elasticsearch - logstash - elasticfleet.install_agent_grid - - docker_clean '*_managersearch and G@saltversion:{{saltversion}}': - match: compound 
@@ -169,14 +164,14 @@ base: - ca - ssl - registry - - sensoroni - nginx - - telegraf - influxdb - soc - kratos - firewall - manager + - sensoroni + - telegraf - backup.config_backup - idstools - suricata.manager @@ -192,14 +187,14 @@ base: - soctopus - playbook - elasticfleet - - docker_clean '*_heavynode and G@saltversion:{{saltversion}}': - match: compound + - sensor - ssl - sensoroni - - nginx - telegraf + - nginx - firewall - elasticsearch - logstash @@ -211,21 +206,21 @@ base: - zeek - elasticfleet.install_agent_grid - elasticagent - - docker_clean '*_import and G@saltversion:{{saltversion}}': - match: compound - salt.master + - sensor - ca - ssl - registry - - sensoroni - manager - nginx - - telegraf - influxdb - soc - kratos + - sensoroni + - telegraf - firewall - idstools - suricata.manager @@ -237,7 +232,6 @@ base: - suricata - zeek - elasticfleet - - docker_clean '*_receiver and G@saltversion:{{saltversion}}': - match: compound @@ -248,7 +242,6 @@ base: - logstash - redis - elasticfleet.install_agent_grid - - docker_clean '*_idh and G@saltversion:{{saltversion}}': - match: compound @@ -257,7 +250,6 @@ base: - telegraf - firewall - elasticfleet.install_agent_grid - - docker_clean - idh '*_fleet and G@saltversion:{{saltversion}}': @@ -270,12 +262,17 @@ base: - elasticfleet - elasticfleet.install_agent_grid - schedule - - docker_clean - 'J@desktop:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:Rocky )': + '*_desktop and G@saltversion:{{saltversion}}': + - ssl + - sensoroni + - telegraf + - elasticfleet.install_agent_grid + + 'J@desktop:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:OEL )': - match: compound - desktop - 'J@desktop:gui:enabled:^[Ff][Aa][Ll][Ss][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:Rocky )': + 'J@desktop:gui:enabled:^[Ff][Aa][Ll][Ss][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:OEL )': - match: compound - desktop.remove_gui 
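Review bot: The new `'*_desktop and G@saltversion:{{saltversion}}':` target in the last hunk has no `- match: compound` entry, unlike every other `G@saltversion` target in this file, so Salt will treat the string as a plain glob and the desktop states (`ssl`, `sensoroni`, `telegraf`, `elasticfleet.install_agent_grid`) will never be assigned. Add `- match: compound` as the first list item under that target. The two `J@desktop:gui:enabled` targets below it do carry `- match: compound` and are unaffected.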
diff --git a/salt/vars/desktop.map.jinja b/salt/vars/desktop.map.jinja new file mode 100644 index 000000000..964f69663 --- /dev/null +++ b/salt/vars/desktop.map.jinja @@ -0,0 +1 @@ +{% set ROLE_GLOBALS = {} %} diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml index 8e6814b2e..4435670a2 100644 --- a/salt/zeek/defaults.yaml +++ b/salt/zeek/defaults.yaml @@ -8,9 +8,9 @@ zeek: buffer: 128*1024*1024 zeekctl: MailTo: root@localhost - MailConnectionSummary: 1 + MailConnectionSummary: 0 MinDiskSpace: 5 - MailHostUpDown: 1 + MailHostUpDown: 0 LogRotationInterval: 3600 LogExpireInterval: 0 StatsLogEnable: 1 @@ -28,7 +28,6 @@ zeek: - misc/loaded-scripts - tuning/defaults - misc/capture-loss - - misc/stats - frameworks/software/vulnerable - frameworks/software/version-changes - protocols/ftp/software diff --git a/setup/so-functions b/setup/so-functions index d46c42e0e..42a4b4ac6 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -85,14 +85,18 @@ analyze_system() { desktop_salt_local() { + SALTVERSION=$(egrep 'version: [0-9]{4}' ../salt/salt/master.defaults.yaml | sed 's/^.*version: //') # Install everything using local salt # Set the repo securityonion_repo gpg_rpm_import # Install salt - logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" + logCmd "yum -y install salt-minion-$SALTVERSION httpd-tools python3 python3-dateutil yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" + salt_install_module_deps + salt_patch_x509_v2 + logCmd "salt-call state.apply desktop --local --file-root=../salt/ -l info" read -r -d '' message <<- EOM Finished Security Onion Desktop installation. 
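Review bot: `SALTVERSION=$(egrep 'version: [0-9]{4}' ../salt/salt/master.defaults.yaml | sed ...)` in desktop_salt_local has no empty-result check, so if the pattern does not match the next line becomes `yum -y install salt-minion- ...`, which either fails or pulls an unpinned package rather than the version the grid expects. A guard right after the assignment, `[[ -n "$SALTVERSION" ]] || fail_setup`, makes the failure explicit. `egrep` is also deprecated in favour of `grep -E`. The function body continues into the next hunk.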
@@ -100,8 +104,10 @@ desktop_salt_local() { Press the Enter key to reboot. EOM - whiptail --title "$whiptail_title" --msgbox "$message" 12 75 - reboot + if [[ -z "$TESTING" ]]; then + whiptail --title "$whiptail_title" --msgbox "$message" 12 75 + reboot + fi exit 0 } @@ -116,7 +122,7 @@ desktop_pillar() { " mainint: '$MNIC'"\ "desktop:"\ " gui:"\ - " enabled: true" >> "$pillar_file"\ + " enabled: true"\ "sensoroni:"\ " config:"\ " node_description: '${NODE_DESCRIPTION//\'/''}'" > $pillar_file @@ -392,20 +398,22 @@ collect_mngr_hostname() { sed -i "/$MSRV/d" /etc/hosts fi - if ! getent hosts "$MSRV"; then - whiptail_manager_ip + if [[ -z "$MSRVIP" ]]; then + if ! getent hosts "$MSRV"; then + whiptail_manager_ip - while ! valid_ip4 "$MSRVIP" || [[ $MSRVIP == "$MAINIP" || $MSRVIP == "127.0.0.1" ]]; do - whiptail_invalid_input + while ! valid_ip4 "$MSRVIP" || [[ $MSRVIP == "$MAINIP" || $MSRVIP == "127.0.0.1" ]]; do + whiptail_invalid_input + whiptail_manager_ip "$MSRVIP" + done + else + MSRVIP=$(getent hosts "$MSRV" | awk 'NR==1{print $1}') whiptail_manager_ip "$MSRVIP" - done - else - MSRVIP=$(getent hosts "$MSRV" | awk 'NR==1{print $1}') - whiptail_manager_ip "$MSRVIP" - while ! valid_ip4 "$MSRVIP" || [[ $MSRVIP == "$MAINIP" || $MSRVIP == "127.0.0.1" ]]; do - whiptail_invalid_input - whiptail_manager_ip "$MSRVIP" - done + while ! valid_ip4 "$MSRVIP" || [[ $MSRVIP == "$MAINIP" || $MSRVIP == "127.0.0.1" ]]; do + whiptail_invalid_input + whiptail_manager_ip "$MSRVIP" + done + fi fi } 
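Review bot: When `MSRVIP` is already populated (presumably by the test-profile `MSRVIP_OFFSET` handling), the new outer `if [[ -z "$MSRVIP" ]]` in collect_mngr_hostname skips the `valid_ip4`, loopback and own-IP checks entirely, so a caller that seeds a bad value proceeds into the manager-connection steps unvalidated. Adding an `else` branch with `valid_ip4 "$MSRVIP" || fail_setup` keeps the invariant that MSRVIP is always checked before use. The function's opening lines are outside the hunk.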
@@ -641,8 +649,8 @@ configure_minion() { "log_level_logfile: info"\ "log_file: /opt/so/log/salt/minion" >> "$minion_config" - cp -f ../salt/salt/etc/minion.d/mine_functions.conf.jinja /etc/salt/minion.d/mine_functions.conf - sed -i "s/{{ GLOBALS.main_interface }}/$MNIC/" /etc/salt/minion.d/mine_functions.conf + info "Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='{"host": {"mainint": "$MNIC"}}'" + salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar="{'host': {'mainint': $MNIC}}" { logCmd "systemctl enable salt-minion"; @@ -699,8 +707,6 @@ checkin_at_boot() { } check_requirements() { - local standalone_or_dist=$1 - local node_type=$2 # optional local req_mem local req_cores local req_storage 
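Review bot: The `info` line and the command it announces disagree: the logged form quotes the interface as `"mainint": "$MNIC"`, but the executed `salt-call` passes `{'host': {'mainint': $MNIC}}` with `$MNIC` unquoted inside the YAML, so an interface name that YAML parses as something other than a plain string, or one containing spaces, changes type or breaks the literal. Quote the value in the executed command to match the log: `salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar="{'host': {'mainint': '$MNIC'}}"`. The rest of configure_minion is outside the hunk.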
@@ -708,27 +714,57 @@ check_requirements() { readarray -t nic_list <<< "$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "bond0" | sed 's/ //g' | sed -r 's/(.*)(\.[0-9]+)@\1/\1\2/g')" local num_nics=${#nic_list[@]} - if [[ "$standalone_or_dist" == 'standalone' ]]; then + if [[ $is_eval ]]; then req_mem=12 req_cores=4 req_nics=2 - elif [[ "$standalone_or_dist" == 'dist' ]]; then - req_mem=8 + elif [[ $is_standalone ]]; then + req_mem=24 req_cores=4 - if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi - if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi - if [[ "$node_type" == 'idh' ]]; then req_mem=1 req_cores=2; fi - elif [[ "$standalone_or_dist" == 'import' ]]; then + req_nics=2 + elif [[ $is_manager ]]; then + req_mem=16 + req_cores=4 + req_nics=1 + elif [[ $is_managersearch ]]; then + req_mem=16 + req_cores=8 + req_nics=1 + elif [[ $is_sensor ]]; then + req_mem=12 + req_cores=4 + req_nics=2 + elif [[ $is_fleet ]]; then req_mem=4 + req_cores=4 + req_nics=1 + elif [[ $is_searchnode ]]; then + req_mem=16 + req_cores=4 + req_nics=1 + elif [[ $is_heavynode ]]; then + req_mem=24 + req_cores=4 + req_nics=2 + elif [[ $is_idh ]]; then + req_mem=1 + req_cores=2 + req_nics=1 + elif [[ $is_import ]]; then + req_mem=4 + req_cores=2 + req_nics=1 + elif [[ $is_receiver ]]; then + req_mem=8 req_cores=2 req_nics=1 fi if [[ $setup_type == 'network' ]] ; then - if [[ -n $nsm_mount ]]; then - if [[ "$standalone_or_dist" == 'import' ]]; then + if [[ -n $nsm_mount ]]; then # does a /nsm mount exist + if [[ $is_import ]]; then req_storage=50 - elif [[ "$node_type" == 'idh' ]]; then + elif [[ $is_idh ]]; then req_storage=12 else req_storage=100 
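Review bot: The `if [[ $is_eval ]] ... elif [[ $is_receiver ]]` chain in check_requirements has no `else`, so when none of the role flags is set (`is_desktop`, or a future role) `req_mem`, `req_cores` and `req_nics` stay unset and the comparisons that presumably follow compare against empty strings. A terminal `else fail_setup` (or conservative defaults with a logged warning) makes the unsupported case visible instead of silent. Removing the `standalone_or_dist`/`node_type` parameters also means callers must set the `is_*` flags before calling; that precondition deserves a one-line comment at the top of the function, which starts outside the hunk.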
@@ -740,10 +776,10 @@ check_requirements() { whiptail_storage_requirements "/nsm" "${free_space_nsm} GB" "${req_storage} GB" fi else - if [[ "$standalone_or_dist" == 'import' ]]; then + if [[ $is_import ]]; then req_storage=50 - elif [[ "$node_type" == 'idh' ]]; then - req_storage=12 + elif [[ $is_idh ]]; then + req_storage=12 else req_storage=200 fi @@ -1014,25 +1050,9 @@ detect_os() { } download_elastic_agent_artifacts() { - agentArchive=/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz - agentMd5=/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5 - beatsDir=/nsm/elastic-fleet/artifacts/beats/elastic-agent - logCmd "mkdir -p $beatsDir" - if [[ ! -f "$agentArchive" ]]; then - retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz --output $agentArchive" "" "" - retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5 --output $agentMd5" "" "" - - SOURCEHASH=$(md5sum $agentArchive | awk '{ print $1 }') - HASH=$(cat $agentMd5) - - if [[ "$HASH" == "$SOURCEHASH" ]]; then - info "Elastic Agent source hash is good." - else - info "Unable to download the Elastic Agent source files." - fail_setup - fi + if ! update_elastic_agent 2>&1 | tee -a "$setup_log"; then + fail_setup fi - logCmd "tar -xf $agentArchive -C $beatsDir" } installer_progress_loop() { 
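Review bot: `if ! update_elastic_agent 2>&1 | tee -a "$setup_log"; then` tests the exit status of `tee`, not of `update_elastic_agent`, so unless `set -o pipefail` is active elsewhere a failed download or hash check never reaches `fail_setup`. Use PIPESTATUS instead: `update_elastic_agent 2>&1 | tee -a "$setup_log"` followed by `[[ ${PIPESTATUS[0]} -eq 0 ]] || fail_setup`. The removed code compared the archive's md5 against the downloaded `.md5` before extracting; `update_elastic_agent` is not visible here, so whether it still verifies the artifact (ideally with a stronger digest or the signature) should be confirmed before relying on it.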
@@ -1284,7 +1304,7 @@ get_redirect() { get_minion_type() { local minion_type case "$install_type" in - 'EVAL' | 'MANAGERSEARCH' | 'MANAGER' | 'SENSOR' | 'HEAVYNODE' | 'SEARCHNODE' | 'FLEET' | 'IDH' | 'STANDALONE' | 'IMPORT' | 'RECEIVER') + 'EVAL' | 'MANAGERSEARCH' | 'MANAGER' | 'SENSOR' | 'HEAVYNODE' | 'SEARCHNODE' | 'FLEET' | 'IDH' | 'STANDALONE' | 'IMPORT' | 'RECEIVER' | 'DESKTOP') minion_type=$(echo "$install_type" | tr '[:upper:]' '[:lower:]') ;; esac @@ -1679,9 +1699,7 @@ process_installtype() { elif [ "$install_type" = 'RECEIVER' ]; then is_receiver=true elif [ "$install_type" = 'DESKTOP' ]; then - if [ "$setup_type" != 'desktop' ]; then - exec bash so-setup desktop - fi + is_desktop=true fi } @@ -1897,8 +1915,10 @@ securityonion_repo() { if [[ $is_oracle ]]; then logCmd "dnf -v clean all" logCmd "mkdir -vp /root/oldrepos" - logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/" - if [[ $is_desktop_iso ]]; then + if [ -n "$(ls -A /etc/yum.repos.d/ 2>/dev/null)" ]; then + logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/" + fi + if ! $is_desktop_grid; then gpg_rpm_import if [[ ! $is_airgap ]]; then echo "https://repo.securityonion.net/file/so-repo/prod/2.4/oracle/9" > /etc/yum/mirror.txt @@ -1943,12 +1963,10 @@ securityonion_repo() { fi if [[ $is_rpm ]]; then logCmd "dnf repolist all"; fi if [[ $waitforstate ]]; then - if [[ ! $is_airgap ]]; then - if [[ $is_rpm ]]; then + if [[ $is_rpm ]]; then # Build the repo locally so we can use it echo "Syncing Repos" repo_sync_local - fi fi fi } @@ -1958,7 +1976,7 @@ repo_sync_local() { if [[ $is_supported ]]; then # Sync the repo from the the SO repo locally. # Check for reposync - info "Backing up old repos" + info "Adding Repo Download Configuration" mkdir -p /nsm/repo mkdir -p /opt/so/conf/reposync/cache echo "https://repo.securityonion.net/file/so-repo/prod/2.4/oracle/9" > /opt/so/conf/reposync/mirror.txt 
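Review bot: `if ! $is_desktop_grid; then` in securityonion_repo executes the variable's value as a command, so when `is_desktop_grid` is unset (every non-desktop install path, unless so-variables initialises it, which is not visible here) the expansion is an empty command with status 0, `!` inverts it, and the `gpg_rpm_import` / mirror setup branch appears to be skipped silently. Testing the string avoids depending on the flag being exactly `true`/`false`: `if [[ "$is_desktop_grid" != true ]]; then`. The same `! $is_desktop_grid` idiom appears in the so-setup desktop block (`@@ -332,37 +365,41 @@`) and deserves the same change.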
@@ -1982,10 +2000,10 @@ repo_sync_local() { if [[ ! $is_airgap ]]; then curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install logCmd "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" + # After the download is complete run createrepo + create_repo fi - # After the download is complete run createrepo - create_repo else # Add the proper repos for unsupported stuff echo "Adding Repos" @@ -2070,7 +2088,7 @@ saltify() { if [[ $waitforstate ]]; then retry 150 20 "apt-get -y install salt-common=$SALTVERSION salt-minion=$SALTVERSION salt-master=$SALTVERSION" || fail_setup retry 150 20 "apt-mark hold salt-minion salt-common salt-master" || fail_setup - retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" || exit 1 + retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-packaging python3-influxdb python3-lxml" || exit 1 else retry 150 20 "apt-get -y install salt-common=$SALTVERSION salt-minion=$SALTVERSION" || fail_setup retry 150 20 "apt-mark hold salt-minion salt-common" || fail_setup 
@@ -2088,21 +2106,27 @@ saltify() { fi logCmd "mkdir -p /etc/salt/minion.d" + salt_install_module_deps + salt_patch_x509_v2 + +} + +# Run a salt command to generate the minion key +salt_firstcheckin() { + salt-call state.show_top >> /dev/null 2>&1 # send output to /dev/null because we don't actually care about the ouput +} + +salt_install_module_deps() { logCmd "salt-pip install docker --no-index --only-binary=:all: --find-links files/salt_module_deps/docker/" logCmd "salt-pip install pymysql --no-index --only-binary=:all: --find-links files/salt_module_deps/pymysql/" +} +salt_patch_x509_v2() { # this can be removed when https://github.com/saltstack/salt/issues/64195 is resolved if [ $SALTVERSION == "3006.1" ]; then info "Salt version 3006.1 found. Patching /opt/saltstack/salt/lib/python3.10/site-packages/salt/states/x509_v2.py" \cp -v ./files/patch/states/x509_v2.py /opt/saltstack/salt/lib/python3.10/site-packages/salt/states/x509_v2.py fi - -} - - -# Run a salt command to generate the minion key -salt_firstcheckin() { - salt-call state.show_top >> /dev/null 2>&1 # send output to /dev/null because we don't actually care about the ouput } # Create an secrets pillar so that passwords survive re-install @@ -2315,6 +2339,15 @@ set_default_log_size() { log_size_limit=$( echo "$disk_size_gb" "$percentage" | awk '{printf("%.0f", $1 * ($2/100))}') } +set_desktop_background() { + + logCmd "mkdir /usr/local/share/backgrounds" + logCmd "cp ../salt/desktop/files/so-wallpaper.jpg /usr/local/share/backgrounds/so-wallpaper.jpg" + logCmd "cp ../salt/desktop/files/00-background /etc/dconf/db/local.d/00-background" + logCmd "dconf update" + +} + set_hostname() { logCmd "hostnamectl set-hostname --static $HOSTNAME" @@ -2376,6 +2409,13 @@ set_redirect() { ;; esac } + +set_timezone() { + + logCmd "timedatectl set-timezone Etc/UTC" + +} + so_add_user() { local username=$1 local uid=$2 diff --git a/setup/so-setup b/setup/so-setup index ce0aa83f7..e35dde579 100755 --- a/setup/so-setup 
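Review bot: `logCmd "mkdir /usr/local/share/backgrounds"` in the new set_desktop_background has no `-p`, so re-running setup on a host where the directory already exists logs a failed command; `mkdir -p` is idempotent and matches the other mkdir calls in this file. In salt_patch_x509_v2, `[ $SALTVERSION == "3006.1" ]` leaves `$SALTVERSION` unquoted, which becomes `[ == "3006.1" ]` and a test error when the variable is empty; `[[ "$SALTVERSION" == "3006.1" ]]` is safer. set_timezone silently forces `Etc/UTC` on every run; a one-line comment stating why the installer requires UTC would help the next reader.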
+++ b/setup/so-setup @@ -58,6 +58,7 @@ while [[ $# -gt 0 ]]; do esac done +set_timezone # Preserve old setup/error logs [ -f "$error_log" ] && mv "$error_log" "$error_log.$(date +%Y-%m-%dT%H:%M:%S)" [ -f "$setup_log" ] && mv "$setup_log" "$setup_log.$(date +%Y-%m-%dT%H:%M:%S)" @@ -68,7 +69,7 @@ detect_os # Ubuntu/Debian whiptail pallete to make it look the same as CentOS and Rocky. set_palette >> $setup_log 2>&1 -if [[ $not_supported ]]; then +if [[ $not_supported ]] && [ -z "$test_profile" ]; then if [[ "$OSVER" == "focal" ]]; then if (whiptail_focal_warning); then true @@ -103,6 +104,7 @@ if [ "$setup_type" = 'desktop' ]; then # Check to see if this is an ISO. Usually this dir on exists on ISO installs. if [ -d /root/SecurityOnion ]; then is_desktop_iso=true + install_type='DESKTOP' fi fi @@ -181,9 +183,40 @@ if [ -n "$test_profile" ]; then install_type=SEARCHNODE HOSTNAME=search MSRVIP_OFFSET=-1 + elif [[ "$test_profile" =~ "-managersearch" ]]; then + install_type=MANAGERSEARCH + HOSTNAME=manager + elif [[ "$test_profile" =~ "-heavynode" ]]; then + install_type=HEAVYNODE + HOSTNAME=sensor + MSRVIP_OFFSET=-1 + elif [[ "$test_profile" =~ "-desktop" ]]; then + install_type=DESKTOP + MSRVIP_OFFSET=-3 + is_desktop_grid=true + elif [[ "$test_profile" =~ "-idh" ]]; then + install_type=IDH + HOSTNAME=idh + MSRVIP_OFFSET=-4 + elif [[ "$test_profile" =~ "-receiver" ]]; then + install_type=RECEIVER + HOSTNAME=receiver + MSRVIP_OFFSET=-5 + elif [[ "$test_profile" =~ "-fleet" ]]; then + install_type=FLEET + HOSTNAME=fleet + MSRVIP_OFFSET=-6 else HOSTNAME=manager fi + + if [[ "$install_type" =~ "DESKTOP" ]]; then + is_desktop=true + HOSTNAME=desktop + if [[ -z "$is_desktop_grid" ]]; then + is_desktop_grid=false + fi + fi info "Activating test profile; profile=$test_profile; install_type=$install_type" 
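Review bot: `if [[ "$install_type" =~ "DESKTOP" ]]` is a substring match where equality is meant; `[[ "$install_type" == "DESKTOP" ]]` states the intent and cannot match a future type that merely contains the word. `set_timezone` is also called before the block that rotates the previous `$setup_log`/`$error_log`, so if `logCmd` appends to `$setup_log` (as other uses in this diff suggest) its output lands in the old run's log, which is then renamed away; moving the call below the log rotation keeps the record with the current run. The test-profile `if` chain continues outside the hunk.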
@@ -332,37 +365,41 @@ if [[ $is_desktop ]]; then exit 1 fi -# if ! whiptail_desktop_install; then - if [[ $is_desktop_iso ]]; then - if whiptail_desktop_nongrid_iso; then - # Remove setup from auto launching - parse_install_username - sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1 - securityonion_repo - info "Enabling graphical interface and setting it to load at boot" - systemctl set-default graphical.target - echo "Desktop Install Complete!" - echo "" - echo "Please reboot to start graphical interface." - exit 0 + whiptail_desktop_install + if ! $is_desktop_grid; then + if [[ $is_desktop_iso ]]; then + if whiptail_desktop_nongrid_iso; then + # Remove setup from auto launching + parse_install_username + sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1 + securityonion_repo + info "Enabling graphical interface and setting it to load at boot" + systemctl set-default graphical.target + info "Setting desktop background" + set_desktop_background + echo "Desktop Install Complete!" + echo "" + echo "Please reboot to start graphical interface." + exit 0 + else + # Abort! + exit 0 + fi else - # Abort! - exit 0 - fi - else - if whiptail_desktop_nongrid_network; then - info "" - info "" - info "Kicking off the automated setup of the Security Onion Desktop. This can take a while depending on your network connection." - info "" - info "" - desktop_salt_local - else - # Abort! - exit 0 + if whiptail_desktop_nongrid_network; then + networking_needful + info "" + info "" + info "Kicking off the automated setup of the Security Onion Desktop. This can take a while depending on your network connection." + info "" + info "" + desktop_salt_local + else + # Abort! + exit 0 + fi fi fi -# fi # If you got this far then you want to join the grid is_minion=true 
@@ -385,7 +422,7 @@ if ! [[ -f $install_opt_file ]]; then # If it is an install from ISO is this airgap? [[ $is_iso ]] && whiptail_airgap # Make sure minimum requirements are met - check_requirements "manager" + check_requirements # Do networking things networking_needful # Do we need a proxy? @@ -416,7 +453,7 @@ if ! [[ -f $install_opt_file ]]; then monints=true check_elastic_license [[ $is_iso ]] && whiptail_airgap - check_requirements "manager" + check_requirements networking_needful [[ ! $is_airgap ]] && collect_net_method collect_dockernet @@ -437,7 +474,7 @@ if ! [[ -f $install_opt_file ]]; then check_elastic_license waitforstate=true [[ $is_iso ]] && whiptail_airgap - check_requirements "manager" + check_requirements networking_needful [[ ! $is_airgap ]] && collect_net_method collect_dockernet @@ -457,7 +494,7 @@ if ! [[ -f $install_opt_file ]]; then check_elastic_license waitforstate=true [[ $is_iso ]] && whiptail_airgap - check_requirements "manager" + check_requirements networking_needful [[ ! $is_airgap ]] && collect_net_method collect_dockernet @@ -475,7 +512,7 @@ if ! [[ -f $install_opt_file ]]; then elif [[ $is_sensor ]]; then info "Setting up as node type sensor" monints=true - check_requirements "sensor" + check_requirements calculate_useable_cores networking_needful check_network_manager_conf @@ -490,7 +527,7 @@ if ! [[ -f $install_opt_file ]]; then elif [[ $is_fleet ]]; then info "Setting up as node type fleet" - check_requirements "fleet" + check_requirements networking_needful check_network_manager_conf set_network_dev_status_list @@ -503,7 +540,7 @@ if ! [[ -f $install_opt_file ]]; then elif [[ $is_searchnode ]]; then info "Setting up as node type searchnode" - check_requirements "elasticsearch" + check_requirements networking_needful check_network_manager_conf set_network_dev_status_list 
@@ -517,7 +554,7 @@ if ! [[ -f $install_opt_file ]]; then elif [[ $is_heavynode ]]; then info "Setting up as node type heavynode" monints=true - check_requirements "heavynode" + check_requirements calculate_useable_cores networking_needful check_network_manager_conf @@ -532,7 +569,7 @@ if ! [[ -f $install_opt_file ]]; then elif [[ $is_idh ]]; then info "Setting up as node type idh" - check_requirements "idh" + check_requirements networking_needful collect_mngr_hostname add_mngr_ip_to_hosts @@ -546,7 +583,7 @@ if ! [[ -f $install_opt_file ]]; then waitforstate=true [[ $is_iso ]] && whiptail_airgap check_elastic_license - check_requirements "import" + check_requirements networking_needful [[ ! $is_airgap ]] && detect_cloud collect_dockernet @@ -564,17 +601,29 @@ if ! [[ -f $install_opt_file ]]; then elif [[ $is_receiver ]]; then info "Setting up as node type receiver" - check_requirements "receiver" + check_requirements networking_needful collect_mngr_hostname add_mngr_ip_to_hosts check_manager_connection set_minion_info whiptail_end_settings + + # desktop install will only get this far if joining the grid + elif [[ $is_desktop ]]; then + info "Setting up as node type desktop" + networking_needful + collect_mngr_hostname + add_mngr_ip_to_hosts + check_manager_connection + set_minion_info + whiptail_end_settings + fi if [[ $waitforstate ]]; then touch /root/accept_changes + touch /etc/sohotfix make_some_dirs percentage=0 es_heapsize @@ -661,6 +710,7 @@ if ! [[ -f $install_opt_file ]]; then logCmd "salt-call state.show_top" sleep 2 # Debug RSA Key format errors logCmd "salt-key -ya $MINION_ID" + logCmd "salt-call saltutil.sync_all" logCmd "salt-call state.apply common.packages" logCmd "salt-call state.apply common" 
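Review bot: `touch /etc/sohotfix` in the `waitforstate` block is an undocumented marker file; a one-line comment naming what reads it and when it is removed, e.g. `# marker consumed by <hotfix mechanism — TODO name it>; cleared once the first highstate completes`, would stop the next reader from deleting it. The new desktop branch joins the grid without calling `check_requirements`, which every other node type does; if that is intentional because check_requirements has no desktop profile, a comment on the branch saying so would make it clear. The surrounding `if ! [[ -f $install_opt_file ]]` block starts and ends outside the hunk.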
@@ -694,9 +744,11 @@ if ! [[ -f $install_opt_file ]]; then logCmd "so-rule-update" title "Downloading YARA rules" logCmd "su socore -c '/usr/sbin/so-yara-download'" - if [[ $monints ]]; then + if [[ $monints || $is_import ]]; then title "Restarting Suricata to pick up the new rules" logCmd "so-suricata-restart" + fi + if [[ $monints ]]; then title "Restarting Strelka to use new rules" logCmd "so-strelka-restart" fi diff --git a/setup/so-variables b/setup/so-variables index 7c5e51c6c..7f6522487 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -5,7 +5,7 @@ mkdir -p /nsm total_mem=$(grep MemTotal /proc/meminfo | awk '{print $2}' | sed -r 's/.{3}$//') export total_mem -total_mem_hr=$(grep MemTotal /proc/meminfo | awk '{ printf("%.0f", $2/1024/1024); }') +total_mem_hr=$(grep MemTotal /proc/meminfo | awk '{ printf("%.0f", $2/1000/1000); }') export total_mem_hr num_cpu_cores=$(nproc) @@ -32,10 +32,10 @@ export filesystem_root filesystem_nsm=$(df /nsm | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }') export filesystem_nsm -free_space_nsm=$(df -Pk /nsm | sed 1d | grep -v used | awk '{ print $4 / 1048576 }' | awk '{ printf("%.0f", $1) }') +free_space_nsm=$(df -Pk /nsm | sed 1d | grep -v used | awk '{ print $4 / 1042803 }' | awk '{ printf("%.0f", $1) }') export free_space_nsm -free_space_root=$(df -Pk / | sed 1d | grep -v used | awk '{ print $4 / 1048576 }' | awk '{ printf("%.0f", $1) }') +free_space_root=$(df -Pk / | sed 1d | grep -v used | awk '{ print $4 / 1042803 }' | awk '{ printf("%.0f", $1) }') export free_space_root readarray -t mountpoints <<< "$(lsblk -nlo MOUNTPOINT)" @@ -218,4 +218,4 @@ patch_pillar_file="$local_salt_dir/pillar/patch/soc_patch.sls" export patch_pillar_file adv_patch_pillar_file="$local_salt_dir/pillar/patch/adv_patch.sls" -export adv_patch_pillar_file \ No newline at end of file +export adv_patch_pillar_file diff --git a/setup/so-verify b/setup/so-verify index 07d24d114..e9a8a375c 100755 --- a/setup/so-verify +++ b/setup/so-verify 
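Review bot: `1042803` in the two `free_space_*` divisors is neither 1048576 (KiB to GiB) nor 1000000 (kB to GB), and no comment explains it, while `total_mem_hr` in the same file now divides by 1000/1000; the mismatched units mean memory and disk thresholds in check_requirements are compared on different scales. If the intent is a fudge factor so that `df` output lines up with vendor-advertised disk sizes, say so on the line: `# divisor tuned so free space matches the GB figure vendors advertise; deliberately not a power of two`; otherwise use 1000000 consistently with total_mem_hr.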
@@ -52,6 +52,8 @@ log_has_errors() { grep -vE "/nsm/rules/yara*" | \ grep -vE "Failed to restart snapd" | \ grep -vE "Login Failed Details" | \ + grep -vE "response from daemon: unauthorized" | \ + grep -vE "Reading first line of patchfile" | \ grep -vE "Running scope as unit" &> "$error_log" if [[ $? -eq 0 ]]; then diff --git a/setup/so-whiptail b/setup/so-whiptail index 4e9ccea60..ede138d26 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -58,6 +58,12 @@ whiptail_desktop_install() { whiptail --title "$whiptail_title" \ --yesno "$message" 11 75 --defaultno + if [ $? -eq 0 ]; then + is_desktop_grid=true + else + is_desktop_grid=false + fi + } whiptail_desktop_nongrid_iso() { @@ -226,7 +232,7 @@ whiptail_requirements_error() { [ -n "$TESTING" ] && return - if [[ $(echo "$requirement_needed" | tr '[:upper:]' '[:lower:]') == 'nics' ]]; then + if [[ $(echo "$requirement_needed" | tr '[:upper:]' '[:lower:]') =~ 'nic' ]]; then whiptail --title "$whiptail_title" \ --msgbox "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Select OK to exit setup and reconfigure the machine." 10 75 @@ -557,7 +563,7 @@ whiptail_install_type() { "EVAL" "Evaluation mode (not for production) " \ "STANDALONE" "Standalone production install " \ "DISTRIBUTED" "Distributed install submenu " \ - "OTHER" "Other install types" \ + "DESKTOP" "Install Security Onion Desktop" \ 3>&1 1>&2 2>&3 ) elif [[ "$OSVER" == "focal" ]]; then @@ -578,8 +584,6 @@ whiptail_install_type() { else whiptail_install_type_dist_existing fi - elif [[ $install_type == "OTHER" ]]; then - whiptail_install_type_other fi export install_type 
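Review bot: `grep -vE "response from daemon: unauthorized"` removes every Docker registry authorization failure from the error scan, so a pull that fails because of bad or expired registry credentials is no longer reported by so-verify. If the line is meant to suppress one known benign message, anchor the pattern to the full text of that message rather than the generic substring; otherwise leave authorization failures visible, since they are exactly what a post-install verification should surface. The same consideration applies, to a lesser degree, to the `Reading first line of patchfile` exclusion added alongside it.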
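Review bot: In whiptail_desktop_install, `if [ $? -eq 0 ]` maps every non-zero status of the yes/no dialog, including Esc/cancel (whiptail exits 255), to `is_desktop_grid=false`, so a user who backs out of the dialog proceeds into the non-grid desktop install instead of aborting. Capture the status and handle cancel explicitly: `local rc=$?` followed by `[[ $rc -eq 255 ]] && exit 0` before the true/false assignment. The function's opening lines are outside the hunk.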
@@ -678,30 +682,13 @@ whiptail_install_type_dist_existing() {
 elif [ "$install_type" = 'RECEIVER' ]; then
 is_receiver=true
 elif [ "$install_type" = 'DESKTOP' ]; then
- if [ "$setup_type" != 'desktop' ]; then
- exec bash so-setup desktop
- fi
+ is_desktop=true
 fi
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
 }
-
-whiptail_install_type_other() {
-
- [ -n "$TESTING" ] && return
-
- install_type=$(whiptail --title "$whiptail_title" --menu \
- "Choose node type:" 10 65 2 \
- "DESKTOP" "Setup will run 'so-setup desktop' " 3>&1 1>&2 2>&3)
-
- local exitstatus=$?
- whiptail_check_exitstatus $exitstatus
-
- export install_type
-}
-
 whiptail_invalid_input() {
 # TODO: This should accept a list of arguments to specify what general pattern the input should follow
 [ -n "$TESTING" ] && return
@@ -1012,9 +999,9 @@ whiptail_manager_unreachable() {
 local msg
 read -r -d '' msg <<- EOM
- Setup is unable to access the manager at this time.
+ Setup is unable to access the manager.
 This most likely means that you need to allow this machine to connect through the manager's firewall.
- Run the following on the manager:
+ You can either go to SOC --> Administration --> Configuration and choose the correct firewall option from the list OR you can run the following command on the manager:
 sudo so-firewall-minion --role=$install_type --ip=$MAINIP
@@ -1197,21 +1184,6 @@ whiptail_reinstall() {
 whiptail_check_exitstatus $exitstatus
 }
-whiptail_requirements_error() {
-
- local requirement_needed=$1
- local current_val=$2
- local needed_val=$3
-
- [ -n "$TESTING" ] && return
-
- whiptail --title "$whiptail_title" \
- --yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Select YES to continue anyway, or select NO to cancel." 10 75
-
- local exitstatus=$?
- whiptail_check_exitstatus $exitstatus
-}
-
 whiptail_sensor_config() {
 [ -n "$TESTING" ] && return
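Review bot: `is_desktop=true` replaces the in-process `exec bash so-setup desktop`, but unlike `install_type` (exported at the end of whiptail_install_type, hunk @@ -578) the new flag is never exported and, as far as this hunk shows, has no `false` default, so a consumer that reads it from a child process or tests `[[ $is_desktop == false ]]` would see an empty string; confirm how so-setup consumes it. If the other `is_*` flags are initialised where they are first declared (outside this hunk), adding `is_desktop=false` there makes the intent explicit. The function whiptail_install_type_dist_existing starts before this hunk.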
diff --git a/sigs b/sigs
deleted file mode 100644
index 75a14e1a1..000000000
Binary files a/sigs and /dev/null differ
diff --git a/sigs/securityonion-2.4.10-20230815.iso.sig b/sigs/securityonion-2.4.10-20230815.iso.sig
new file mode 100644
index 000000000..636dfe63b
Binary files /dev/null and b/sigs/securityonion-2.4.10-20230815.iso.sig differ
diff --git a/sigs/securityonion-2.4.10-20230821.iso.sig b/sigs/securityonion-2.4.10-20230821.iso.sig
new file mode 100644
index 000000000..251032166
Binary files /dev/null and b/sigs/securityonion-2.4.10-20230821.iso.sig differ
diff --git a/sigs/securityonion-2.4.20-20231006.iso.sig b/sigs/securityonion-2.4.20-20231006.iso.sig
new file mode 100644
index 000000000..b253c6734
Binary files /dev/null and b/sigs/securityonion-2.4.20-20231006.iso.sig differ
diff --git a/sigs/securityonion-2.4.5-20230807.iso.sig b/sigs/securityonion-2.4.5-20230807.iso.sig
new file mode 100644
index 000000000..fdf914164
Binary files /dev/null and b/sigs/securityonion-2.4.5-20230807.iso.sig differ
