diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 02e2f7ccb..7b38ed0bb 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -2742,7 +2742,7 @@ elasticsearch:
 - logs-osquery_manager.actions
 ignore_missing_component_templates: []
 index_patterns:
- - .logs-osquery_manager.actions*
+ - .logs-osquery_manager.actions-*
 priority: 501
 template:
 settings:
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.result@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.result@custom.json
new file mode 100644
index 000000000..83a68c814
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.result@custom.json
@@ -0,0 +1,49 @@
+{
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "action_data.ecs_mapping": {
+ "path_match": "action_data.ecs_mapping.*",
+ "mapping": {
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "properties": {
+ "action_data": {
+ "dynamic": true,
+ "type": "object",
+ "properties": {
+ "ecs_mapping": {
+ "dynamic": true,
+ "type": "object"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "platform": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "query": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "saved_query_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
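Review bot: In the new `logs-osquery_manager.result@custom.json`, `action_data.query` is mapped as `keyword` with `"ignore_above": 1024`, so any osquery SQL longer than 1024 characters stays in `_source` but is not indexed and will silently not match searches or detection rules on that field. If analysts hunt or alert on query text, consider `"query": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 1024 } } }` (or a larger `ignore_above`); the other `ignore_above: 1024` fields hold short identifiers and are fine as written. Separately, `action_data` and `action_data.ecs_mapping` are both `"dynamic": true` while the dynamic template only covers string values under `action_data.ecs_mapping.*`, so non-string values supplied in a query's ECS mapping are still typed by dynamic inference and, since those keys are user-defined, the field set is unbounded; this can produce mapping conflicts or push the index past `index.mapping.total_fields.limit`, which rejects documents rather than dropping fields. A `"type": "flattened"` mapping for `ecs_mapping` would bound that, if individual keys do not need their own aggregations, and the reasoning either way is worth a sentence in the commit description since the JSON cannot carry a comment. The file also ends without a trailing newline.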