Merge pull request #14362 from Security-Onion-Solutions/reyesj2-patch-2

fix osquery action_data mapping conflict
2025-12-06 09:12:45 +01:00 · 2025-03-08 10:18:12 -05:00
parent 4893eda4fe 4dd72ad15c
commit 6081c46d7f
2 changed files with 50 additions and 1 deletions
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -2742,7 +2742,7 @@ elasticsearch:
        - logs-osquery_manager.actions
        ignore_missing_component_templates: []
        index_patterns:
-        - .logs-osquery_manager.actions*
+        - .logs-osquery_manager.actions-*
        priority: 501
        template:
          settings:
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.result@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.result@custom.json
@@ -0,0 +1,49 @@
+{
+  "template": {
+    "mappings": {
+      "dynamic_templates": [
+        {
+          "action_data.ecs_mapping": {
+            "path_match": "action_data.ecs_mapping.*",
+            "mapping": {
+              "type": "keyword"
+            },
+            "match_mapping_type": "string"
+          }
+        }
+      ],
+      "properties": {
+        "action_data": {
+          "dynamic": true,
+          "type": "object",
+          "properties": {
+            "ecs_mapping": {
+              "dynamic": true,
+              "type": "object"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "platform": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "query": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "saved_query_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}