Merge pull request #14271 from Security-Onion-Solutions/reyesj2-patch-1

add back settings previously defined when overwritting logs-elastic_a…
2026-01-23 16:33:29 +01:00 · 2025-02-20 15:26:12 -06:00
parent cee9f66689 df350b5a56
commit 637ed59567
2 changed files with 68 additions and 2 deletions
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -1,6 +1,6 @@
 elasticsearch:
  enabled: false
-  version: 8.17.1
+  version: 8.17.2
  index_clean: true
  config:
    action:
@@ -1146,15 +1146,65 @@ elasticsearch:
                name: elastic_agent
          settings:
            index:
+              codec: best_compression
              lifecycle:
                name: so-logs-elastic_agent-logs
              mapping:
                total_fields:
                  limit: 5000
+                ignore_malformed: true
              number_of_replicas: 0
              sort:
                field: '@timestamp'
                order: desc
+              query:
+                default_field:
+                  - cloud.account.id
+                  - cloud.availability_zone
+                  - cloud.instance.id
+                  - cloud.instance.name
+                  - cloud.machine.type
+                  - cloud.provider
+                  - cloud.region
+                  - cloud.project.id
+                  - cloud.image.id
+                  - container.id
+                  - container.image.name
+                  - container.name
+                  - host.architecture
+                  - host.hostname
+                  - host.id
+                  - host.mac
+                  - host.name
+                  - host.os.family
+                  - host.os.kernel
+                  - host.os.name
+                  - host.os.platform
+                  - host.os.version
+                  - host.os.build
+                  - host.os.codename
+                  - host.type
+                  - ecs.version
+                  - agent.build.original
+                  - agent.ephemeral_id
+                  - agent.id
+                  - agent.name
+                  - agent.type
+                  - agent.version
+                  - log.level
+                  - message
+                  - elastic_agent.id
+                  - elastic_agent.process
+                  - elastic_agent.version
+                  - component.id
+                  - component.type
+                  - component.binary
+                  - component.state
+                  - component.old_state
+                  - unit.id
+                  - unit.type
+                  - unit.state
+                  - unit.old_state
      policy:
        _meta:
          managed: true
@@ -1988,15 +2038,31 @@ elasticsearch:
        template:
          settings:
            index:
+              codec: best_compression
              lifecycle:
                name: so-logs-endpoint.diagnostic.collection-logs
              mapping:
                total_fields:
                  limit: 5000
+                ignore_malformed: true
              number_of_replicas: 0
              sort:
                field: '@timestamp'
                order: desc
+              query:
+                default_field:
+                  - ecs.version
+                  - event.action
+                  - event.category
+                  - event.code
+                  - event.dataset
+                  - event.hash
+                  - event.id
+                  - event.kind
+                  - event.module
+                  - event.outcome
+                  - event.provider
+                  - event.type
      policy:
        _meta:
          managed: true
--- a/salt/kibana/defaults.yaml
+++ b/salt/kibana/defaults.yaml
@@ -22,7 +22,7 @@ kibana:
          - default
          - file
    migrations:
-      discardCorruptObjects: "8.17.1"
+      discardCorruptObjects: "8.17.2"
    telemetry:
      enabled: False
    security: