From 48331ce35b69dec0ec4213886c485e53d990a8b6 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 14 Jun 2023 13:29:11 +0000 Subject: [PATCH] Add system.system component templates --- .../logs-system.system@custom.json | 12 + .../logs-system.system@package.json | 986 ++++++++++++++++++ 2 files changed, 998 insertions(+) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json new file mode 100644 index 000000000..068e6846b --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json @@ -0,0 +1,986 @@ +{ + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-system.system-1.6.4", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.original", + "event.outcome", + "event.provider", + "event.type", + "error.message", + "message", + "winlog.api", + "winlog.activity_id", + "winlog.computer_name", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.Company", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + "winlog.event_data.Group", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + "winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonId", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MajorVersion", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + "winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewTime", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + "winlog.event_data.OldSchemeGuid", + "winlog.event_data.OldTime", + "winlog.event_data.OriginalFileName", + "winlog.event_data.Path", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Reason", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.ServiceName", + "winlog.event_data.ServiceVersion", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + "winlog.event_data.ShutdownReason", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + "winlog.event_data.Signed", + "winlog.event_data.StartTime", + "winlog.event_data.State", + "winlog.event_data.Status", + "winlog.event_data.StopTime", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.UserSid", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + "winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", + "winlog.event_id", + "winlog.keywords", + "winlog.channel", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + "winlog.task", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + "winlog.user.type" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + }, + { + "winlog.user_data": { + "path_match": "winlog.user_data.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "winlog": { + "properties": { + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "system" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "system.system" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "message": { + "type": "match_only_text" + } + } + }, + "message": { + "type": "match_only_text" + } + } + } + }, + "_meta": { + "package": { + "name": "system" + }, + "managed_by": "fleet", + "managed": true + } +}