Merge pull request #14362 from Security-Onion-Solutions/reyesj2-patch-2

fix osquery action_data mapping conflict

salt/elasticsearch/defaults.yaml

@@ -2742,7 +2742,7 @@ elasticsearch:
         - logs-osquery_manager.actions
         ignore_missing_component_templates: []
         index_patterns:
-        - .logs-osquery_manager.actions*
+        - .logs-osquery_manager.actions-*
         priority: 501
         template:
           settings:

salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.result@custom.json

@@ -0,0 +1,49 @@
+{
+  "template": {
+    "mappings": {
+      "dynamic_templates": [
+        {
+          "action_data.ecs_mapping": {
+            "path_match": "action_data.ecs_mapping.*",
+            "mapping": {
+              "type": "keyword"
+            },
+            "match_mapping_type": "string"
+          }
+        }
+      ],
+      "properties": {
+        "action_data": {
+          "dynamic": true,
+          "type": "object",
+          "properties": {
+            "ecs_mapping": {
+              "dynamic": true,
+              "type": "object"
+            },
+            "id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "platform": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "query": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "saved_query_id": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "version": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        }
+      }
+    }
+  }
+}