diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index b3cc886b2..023d270f4 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -162,6 +162,7 @@ elasticsearch:
 - http-mappings
 - dtc-http-mappings
 - log-mappings
+ - metadata-mappings
 - network-mappings
 - dtc-network-mappings
 - observer-mappings
@@ -316,6 +317,7 @@ elasticsearch:
 - http-mappings
 - dtc-http-mappings
 - log-mappings
+ - metadata-mappings
 - network-mappings
 - dtc-network-mappings
 - observer-mappings
@@ -427,6 +429,7 @@ elasticsearch:
 - http-mappings
 - dtc-http-mappings
 - log-mappings
+ - metadata-mappings
 - network-mappings
 - dtc-network-mappings
 - observer-mappings
@@ -534,6 +537,7 @@ elasticsearch:
 - http-mappings
 - dtc-http-mappings
 - log-mappings
+ - metadata-mappings
 - network-mappings
 - dtc-network-mappings
 - observer-mappings
@@ -697,6 +701,7 @@ elasticsearch:
 - client-mappings
 - device-mappings
 - network-mappings
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -768,6 +773,7 @@ elasticsearch:
 - http-mappings
 - dtc-http-mappings
 - log-mappings
+ - metadata-mappings
 - network-mappings
 - dtc-network-mappings
 - observer-mappings
@@ -878,6 +884,7 @@ elasticsearch:
 - http-mappings
 - dtc-http-mappings
 - log-mappings
+ - metadata-mappings
 - network-mappings
 - dtc-network-mappings
 - observer-mappings
@@ -998,6 +1005,7 @@ elasticsearch:
 index_template:
 composed_of:
 - so-data-streams-mappings
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 - so-logs-mappings
@@ -2832,6 +2840,7 @@ elasticsearch:
 - http-mappings
 - dtc-http-mappings
 - log-mappings
+ - metadata-mappings
 - network-mappings
 - dtc-network-mappings
 - observer-mappings
@@ -3062,6 +3071,7 @@ elasticsearch:
 - event-mappings
 - logs-system.syslog@package
 - logs-system.syslog@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 - so-system-mappings
@@ -3421,6 +3431,7 @@ elasticsearch:
 - dtc-http-mappings
 - log-mappings
 - logstash-mappings
+ - metadata-mappings
 - network-mappings
 - dtc-network-mappings
 - observer-mappings
@@ -3505,6 +3516,7 @@ elasticsearch:
 composed_of:
 - metrics-endpoint.metadata@package
 - metrics-endpoint.metadata@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -3551,6 +3563,7 @@ elasticsearch:
 composed_of:
 - metrics-endpoint.metrics@package
 - metrics-endpoint.metrics@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -3597,6 +3610,7 @@ elasticsearch:
 composed_of:
 - metrics-endpoint.policy@package
 - metrics-endpoint.policy@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -3645,6 +3659,7 @@ elasticsearch:
 - metrics-fleet_server.agent_status@package
 - metrics-fleet_server.agent_status@custom
 - ecs@mappings
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -3668,6 +3683,7 @@ elasticsearch:
 - metrics-fleet_server.agent_versions@package
 - metrics-fleet_server.agent_versions@custom
 - ecs@mappings
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -3715,6 +3731,7 @@ elasticsearch:
 - http-mappings
 - dtc-http-mappings
 - log-mappings
+ - metadata-mappings
 - network-mappings
 - dtc-network-mappings
 - observer-mappings
@@ -3827,6 +3844,7 @@ elasticsearch:
 - http-mappings
 - dtc-http-mappings
 - log-mappings
+ - metadata-mappings
 - network-mappings
 - dtc-network-mappings
 - observer-mappings
@@ -3939,6 +3957,7 @@ elasticsearch:
 - http-mappings
 - dtc-http-mappings
 - log-mappings
+ - metadata-mappings
 - network-mappings
 - dtc-network-mappings
 - observer-mappings
@@ -4051,6 +4070,7 @@ elasticsearch:
 - http-mappings
 - dtc-http-mappings
 - log-mappings
+ - metadata-mappings
 - network-mappings
 - dtc-network-mappings
 - observer-mappings
@@ -4163,6 +4183,7 @@ elasticsearch:
 - http-mappings
 - dtc-http-mappings
 - log-mappings
+ - metadata-mappings
 - network-mappings
 - dtc-network-mappings
 - observer-mappings
@@ -4276,6 +4297,7 @@ elasticsearch:
 - http-mappings
 - dtc-http-mappings
 - log-mappings
+ - metadata-mappings
 - network-mappings
 - dtc-network-mappings
 - observer-mappings
diff --git a/salt/elasticsearch/templates/component/ecs/metadata.json b/salt/elasticsearch/templates/component/ecs/metadata.json
new file mode 100644
index 000000000..55da6f07c
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/metadata.json
@@ -0,0 +1,26 @@
+{
+ "template": {
+ "mappings": {
+ "dynamic_templates": [],
+ "properties": {
+ "metadata": {
+ "properties": {
+ "kafka": {
+ "properties": {
+ "timestamp": {
+ "type": "date"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "_meta": {
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html",
+ "ecs_version": "1.12.2"
+ }
+ }
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_globals-1.json b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_globals-1.json
index 5df7e7fe9..183031d4e 100644
--- a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_globals-1.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_globals-1.json
@@ -5,6 +5,7 @@
 "managed_by": "security_onion",
 "managed": true
 },
+ "date_detection": false,
 "dynamic_templates": [
 {
 "strings_as_keyword": {
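Review bot: The `_meta` block of the new metadata.json component template nests a second `_meta` object (`"_meta": { "_meta": { "documentation": …, "ecs_version": "1.12.2" } }`), which looks like a copy-paste artifact: the sibling component templates in this same commit (so-fleet_globals-1.json and so-fleet_integrations.ip_mappings-1.json) put `"managed_by": "security_onion", "managed": true` directly under `_meta`, so this template will not be identifiable as Security Onion-managed by whatever reads that marker. The documentation link also points at the ECS log field set while `metadata.kafka.timestamp` is not an ECS field, so the reference is misleading for the next maintainer. I would replace the nested block with the convention the other templates use, `"_meta": { "managed_by": "security_onion", "managed": true }`, and add the trailing newline the file is currently missing. Separately, the `date` mapping has no explicit `format`; that is fine if Kafka emits epoch milliseconds or ISO-8601 (the default `strict_date_optional_time||epoch_millis` covers both), but worth confirming against the actual producer.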
@@ -16,7 +17,19 @@ } } ], - "date_detection": false + "properties": { + "metadata": { + "properties": { + "kafka": { + "properties": { + "timestamp": { + "type": "date" + } + } + } + } + } + } } }, "_meta": { diff --git a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings-1.json b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings-1.json index 3777e670c..d6f516272 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings-1.json +++ b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings-1.json @@ -1,37 +1,59 @@ { - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } + "template": { + "mappings": { + "properties": { + "host": { + "properties": { + "ip": { + "type": "ip" } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } + } + }, + "related": { + "properties": { + "ip": { + "type": "ip" } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" + } + }, + "destination": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "metadata": { + "properties": { + "input": { + "properties": { + "beats": { + "properties": { + "host": { + "properties": { + "ip": { + "type": "ip" + } + } + } + } + } } } } } } } + }, + "_meta": { + "managed_by": "security_onion", + "managed": true } - \ No newline at end of file +} \ No newline at end of file
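Review bot: The `metadata.kafka.timestamp` property added to so-fleet_globals-1.json is a verbatim copy of the mapping in the new metadata.json component template, so the same field is now defined in two places that will have to be kept in sync by hand. If the two ever diverge (for example one gains a `format`), the index templates will silently pick whichever component appears later in `composed_of`, which is hard to spot from defaults.yaml. Consider composing `metadata-mappings` into the fleet index templates instead of duplicating the block here, or, if the duplication is deliberate because fleet templates must stay self-contained, say so in the commit description.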
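Review bot: The new `metadata.input.beats.host.ip` mapping makes that field a strict `ip` type with no `ignore_malformed`, so any agent document carrying a non-IP value there (a hostname, an empty string, or a malformed address from a buggy input) will be rejected at index time and the whole event lost, which for a sensor pipeline is a silent visibility gap rather than a data-quality warning. Before this change the field would presumably have fallen under the `strings_as_keyword` dynamic template in so-fleet_globals-1.json and still been stored. Unless every beats input is known to populate this field with a valid IP, I would add `"ignore_malformed": true` to the new `ip` property (the other four `ip` fields in this template have the same exposure, but they are pre-existing). Also, most of this hunk is a whitespace-only re-indent of unchanged lines; keeping the reformat in a separate commit would make the actual mapping change reviewable.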