CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update to merge in 2.4/dev

Browse Source 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
This commit is contained in:
reyesj2
2023-11-29 13:41:23 -05:00
parent 86dc7cc804 93fb10de86
commit 8cf29682bb
196 changed files with 13941 additions and 21237 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
.github/workflows/pythontest.yml vendored
View File

@@ -4,9 +4,11 @@ on:
push: push:
paths: paths:
- "salt/sensoroni/files/analyzers/**" - "salt/sensoroni/files/analyzers/**"
- "salt/manager/tools/sbin"
pull_request: pull_request:
paths: paths:
- "salt/sensoroni/files/analyzers/**" - "salt/sensoroni/files/analyzers/**"
- "salt/manager/tools/sbin"
jobs: jobs:
build: build:
@@ -16,7 +18,7 @@ jobs:
fail-fast: false fail-fast: false
matrix: matrix:
python-version: ["3.10"] python-version: ["3.10"]
python-code-path: ["salt/sensoroni/files/analyzers"] python-code-path: ["salt/sensoroni/files/analyzers", "salt/manager/tools/sbin"]
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
@@ -34,4 +36,4 @@ jobs:
flake8 ${{ matrix.python-code-path }} --show-source --max-complexity=12 --doctests --max-line-length=200 --statistics flake8 ${{ matrix.python-code-path }} --show-source --max-complexity=12 --doctests --max-line-length=200 --statistics
- name: Test with pytest - name: Test with pytest
run: | run: |
pytest ${{ matrix.python-code-path }} --cov=${{ matrix.python-code-path }} --doctest-modules --cov-report=term --cov-fail-under=100 --cov-config=${{ matrix.python-code-path }}/pytest.ini pytest ${{ matrix.python-code-path }} --cov=${{ matrix.python-code-path }} --doctest-modules --cov-report=term --cov-fail-under=100 --cov-config=pytest.ini

22
DOWNLOAD_AND_VERIFY_ISO.md
View File

@@ -1,18 +1,18 @@
### 2.4.10-20230821 ISO image released on 2023/08/21 ### 2.4.30-20231121 ISO image released on 2023/11/21
### Download and Verify ### Download and Verify
2.4.10-20230821 ISO image: 2.4.30-20231121 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230821.iso https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231121.iso
MD5: 353EB36F807DC947F08F79B3DCFA420E MD5: 09DB0A6B3A75435C855E777272FC03F8
SHA1: B25E3BEDB81BBEF319DC710267E6D78422F39C56 SHA1: A68868E67A3F86B77E01F54067950757EFD3BA72
SHA256: 3D369E92FEB65D14E1A981E99FA223DA52C92057A037C243AD6332B6B9A6D9BC SHA256: B3880C0302D9CDED7C974585B14355544FC9C3279F952EC79FC2BA9AEC7CB749
Signature for ISO image: Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230821.iso.sig https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231121.iso.sig
Signing key: Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
Download the signature file for the ISO: Download the signature file for the ISO:
``` ```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230821.iso.sig wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.30-20231121.iso.sig
``` ```
Download the ISO image: Download the ISO image:
``` ```
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230821.iso wget https://download.securityonion.net/file/securityonion/securityonion-2.4.30-20231121.iso
``` ```
Verify the downloaded ISO image using the signature file: Verify the downloaded ISO image using the signature file:
``` ```
gpg --verify securityonion-2.4.10-20230821.iso.sig securityonion-2.4.10-20230821.iso gpg --verify securityonion-2.4.30-20231121.iso.sig securityonion-2.4.30-20231121.iso
``` ```
The output should show "Good signature" and the Primary key fingerprint should match what's shown below: The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
``` ```
gpg: Signature made Mon 21 Aug 2023 09:47:50 AM EDT using RSA key ID FE507013 gpg: Signature made Tue 21 Nov 2023 01:21:38 PM EST using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>" gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
gpg: WARNING: This key is not certified with a trusted signature! gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner. gpg: There is no indication that the signature belongs to the owner.

1
HOTFIX
View File

@@ -1 +0,0 @@

2
VERSION
View File

@@ -1 +1 @@
2.4.20 2.4.40

1
files/firewall/assigned_hostgroups.local.map.yaml
View File

@@ -12,7 +12,6 @@ role:
eval: eval:
fleet: fleet:
heavynode: heavynode:
helixsensor:
idh: idh:
import: import:
manager: manager:

20
pillar/logstash/nodes.sls
View File

@@ -7,19 +7,23 @@
tgt_type='compound') | dictsort() tgt_type='compound') | dictsort()
%} %}
{% set hostname = cached_grains[minionid]['host'] %} # only add a node to the pillar if it returned an ip from the mine
{% set node_type = minionid.split('_')[1] %} {% if ip | length > 0%}
{% if node_type not in node_types.keys() %} {% set hostname = cached_grains[minionid]['host'] %}
{% do node_types.update({node_type: {hostname: ip[0]}}) %} {% set node_type = minionid.split('_')[1] %}
{% else %} {% if node_type not in node_types.keys() %}
{% if hostname not in node_types[node_type] %} {% do node_types.update({node_type: {hostname: ip[0]}}) %}
{% do node_types[node_type].update({hostname: ip[0]}) %}
{% else %} {% else %}
{% do node_types[node_type][hostname].update(ip[0]) %} {% if hostname not in node_types[node_type] %}
{% do node_types[node_type].update({hostname: ip[0]}) %}
{% else %}
{% do node_types[node_type][hostname].update(ip[0]) %}
{% endif %}
{% endif %} {% endif %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
logstash: logstash:
nodes: nodes:
{% for node_type, values in node_types.items() %} {% for node_type, values in node_types.items() %}

24
pillar/node_data/ips.sls
View File

@@ -4,18 +4,22 @@
{% set hostname = minionid.split('_')[0] %} {% set hostname = minionid.split('_')[0] %}
{% set node_type = minionid.split('_')[1] %} {% set node_type = minionid.split('_')[1] %}
{% set is_alive = False %} {% set is_alive = False %}
{% if minionid in manage_alived.keys() %}
{% if ip[0] == manage_alived[minionid] %} # only add a node to the pillar if it returned an ip from the mine
{% set is_alive = True %} {% if ip | length > 0%}
{% if minionid in manage_alived.keys() %}
{% if ip[0] == manage_alived[minionid] %}
{% set is_alive = True %}
{% endif %}
{% endif %} {% endif %}
{% endif %} {% if node_type not in node_types.keys() %}
{% if node_type not in node_types.keys() %} {% do node_types.update({node_type: {hostname: {'ip':ip[0], 'alive':is_alive }}}) %}
{% do node_types.update({node_type: {hostname: {'ip':ip[0], 'alive':is_alive }}}) %}
{% else %}
{% if hostname not in node_types[node_type] %}
{% do node_types[node_type].update({hostname: {'ip':ip[0], 'alive':is_alive}}) %}
{% else %} {% else %}
{% do node_types[node_type][hostname].update({'ip':ip[0], 'alive':is_alive}) %} {% if hostname not in node_types[node_type] %}
{% do node_types[node_type].update({hostname: {'ip':ip[0], 'alive':is_alive}}) %}
{% else %}
{% do node_types[node_type][hostname].update({'ip':ip[0], 'alive':is_alive}) %}
{% endif %}
{% endif %} {% endif %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}

44
pillar/thresholding/pillar.example
View File

@@ -1,44 +0,0 @@
thresholding:
sids:
8675309:
- threshold:
gen_id: 1
type: threshold
track: by_src
count: 10
seconds: 10
- threshold:
gen_id: 1
type: limit
track: by_dst
count: 100
seconds: 30
- rate_filter:
gen_id: 1
track: by_rule
count: 50
seconds: 30
new_action: alert
timeout: 30
- suppress:
gen_id: 1
track: by_either
ip: 10.10.3.7
11223344:
- threshold:
gen_id: 1
type: limit
track: by_dst
count: 10
seconds: 10
- rate_filter:
gen_id: 1
track: by_src
count: 50
seconds: 20
new_action: pass
timeout: 60
- suppress:
gen_id: 1
track: by_src
ip: 10.10.3.0/24

20
pillar/thresholding/pillar.usage
View File

@@ -1,20 +0,0 @@
thresholding:
sids:
<signature id>:
- threshold:
gen_id: <generator id>
type: <threshold | limit | both>
track: <by_src | by_dst>
count: <count>
seconds: <seconds>
- rate_filter:
gen_id: <generator id>
track: <by_src | by_dst | by_rule | by_both>
count: <count>
seconds: <seconds>
new_action: <alert | pass>
timeout: <seconds>
- suppress:
gen_id: <generator id>
track: <by_src | by_dst | by_either>
ip: <ip | subnet>

12
pillar/top.sls
View File

@@ -4,14 +4,9 @@ base:
- global.adv_global - global.adv_global
- docker.soc_docker - docker.soc_docker
- docker.adv_docker - docker.adv_docker
- firewall.soc_firewall
- firewall.adv_firewall
- influxdb.token - influxdb.token
- logrotate.soc_logrotate - logrotate.soc_logrotate
- logrotate.adv_logrotate - logrotate.adv_logrotate
- nginx.soc_nginx
- nginx.adv_nginx
- node_data.ips
- ntp.soc_ntp - ntp.soc_ntp
- ntp.adv_ntp - ntp.adv_ntp
- patch.needs_restarting - patch.needs_restarting
@@ -22,6 +17,13 @@ base:
- telegraf.soc_telegraf - telegraf.soc_telegraf
- telegraf.adv_telegraf - telegraf.adv_telegraf
'* and not *_desktop':
- firewall.soc_firewall
- firewall.adv_firewall
- nginx.soc_nginx
- nginx.adv_nginx
- node_data.ips
'*_manager or *_managersearch': '*_manager or *_managersearch':
- match: compound - match: compound
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}

26
pyci.sh Executable file
View File

@@ -0,0 +1,26 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
if [[ $# -ne 1 ]]; then
echo "Usage: $0 <python_script_dir>"
echo "Runs tests on all *_test.py files in the given directory."
exit 1
fi
HOME_DIR=$(dirname "$0")
TARGET_DIR=${1:-.}
PATH=$PATH:/usr/local/bin
if ! which pytest &> /dev/null || ! which flake8 &> /dev/null ; then
echo "Missing dependencies. Consider running the following command:"
echo " python -m pip install flake8 pytest pytest-cov"
exit 1
fi
pip install pytest pytest-cov
flake8 "$TARGET_DIR" "--config=${HOME_DIR}/pytest.ini"
python3 -m pytest "--cov-config=${HOME_DIR}/pytest.ini" "--cov=$TARGET_DIR" --doctest-modules --cov-report=term --cov-fail-under=100 "$TARGET_DIR"

0
salt/sensoroni/files/analyzers/pytest.ini → pytest.ini
View File

3
salt/allowed_states.map.jinja
View File

@@ -197,6 +197,9 @@
'docker_clean' 'docker_clean'
], ],
'so-desktop': [ 'so-desktop': [
'ssl',
'docker_clean',
'telegraf'
], ],
}, grain='role') %} }, grain='role') %}

10
salt/bpf/macros.jinja Normal file
View File

@@ -0,0 +1,10 @@
{% macro remove_comments(bpfmerged, app) %}
{# remove comments from the bpf #}
{% for bpf in bpfmerged[app] %}
{% if bpf.strip().startswith('#') %}
{% do bpfmerged[app].pop(loop.index0) %}
{% endif %}
{% endfor %}
{% endmacro %}

3
salt/bpf/pcap.map.jinja
View File

@@ -1,4 +1,7 @@
{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %} {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %} {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
{% import 'bpf/macros.jinja' as MACROS %}
{{ MACROS.remove_comments(BPFMERGED, 'pcap') }}
{% set PCAPBPF = BPFMERGED.pcap %} {% set PCAPBPF = BPFMERGED.pcap %}

3
salt/bpf/suricata.map.jinja
View File

@@ -1,4 +1,7 @@
{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %} {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %} {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
{% import 'bpf/macros.jinja' as MACROS %}
{{ MACROS.remove_comments(BPFMERGED, 'suricata') }}
{% set SURICATABPF = BPFMERGED.suricata %} {% set SURICATABPF = BPFMERGED.suricata %}

3
salt/bpf/zeek.map.jinja
View File

@@ -1,4 +1,7 @@
{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %} {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %} {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
{% import 'bpf/macros.jinja' as MACROS %}
{{ MACROS.remove_comments(BPFMERGED, 'zeek') }}
{% set ZEEKBPF = BPFMERGED.zeek %} {% set ZEEKBPF = BPFMERGED.zeek %}

2
salt/ca/files/signing_policies.conf
View File

@@ -37,7 +37,7 @@ x509_signing_policies:
- ST: Utah - ST: Utah
- L: Salt Lake City - L: Salt Lake City
- basicConstraints: "critical CA:false" - basicConstraints: "critical CA:false"
- keyUsage: "critical keyEncipherment" - keyUsage: "critical keyEncipherment digitalSignature"
- subjectKeyIdentifier: hash - subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid,issuer:always - authorityKeyIdentifier: keyid,issuer:always
- extendedKeyUsage: serverAuth - extendedKeyUsage: serverAuth

6
salt/ca/init.sls
View File

@@ -50,6 +50,12 @@ pki_public_ca_crt:
attempts: 5 attempts: 5
interval: 30 interval: 30
mine_update_ca_crt:
module.run:
- mine.update: []
- onchanges:
- x509: pki_public_ca_crt
cakeyperms: cakeyperms:
file.managed: file.managed:
- replace: False - replace: False

1
salt/common/init.sls
View File

@@ -8,6 +8,7 @@ include:
- common.packages - common.packages
{% if GLOBALS.role in GLOBALS.manager_roles %} {% if GLOBALS.role in GLOBALS.manager_roles %}
- manager.elasticsearch # needed for elastic_curl_config state - manager.elasticsearch # needed for elastic_curl_config state
- manager.kibana
{% endif %} {% endif %}
net.core.wmem_default: net.core.wmem_default:

12
salt/common/packages.sls
View File

@@ -21,7 +21,6 @@ commonpkgs:
- python3-dateutil - python3-dateutil
- python3-docker - python3-docker
- python3-packaging - python3-packaging
- python3-watchdog
- python3-lxml - python3-lxml
- git - git
- rsync - rsync
@@ -47,10 +46,16 @@ python-rich:
{% endif %} {% endif %}
{% if GLOBALS.os_family == 'RedHat' %} {% if GLOBALS.os_family == 'RedHat' %}
remove_mariadb:
pkg.removed:
- name: mariadb-devel
commonpkgs: commonpkgs:
pkg.installed: pkg.installed:
- skip_suggestions: True - skip_suggestions: True
- pkgs: - pkgs:
- python3-dnf-plugin-versionlock
- curl - curl
- device-mapper-persistent-data - device-mapper-persistent-data
- fuse - fuse
@@ -63,22 +68,19 @@ commonpkgs:
- httpd-tools - httpd-tools
- jq - jq
- lvm2 - lvm2
- mariadb-devel
- net-tools - net-tools
- nmap-ncat - nmap-ncat
- openssl
- procps-ng - procps-ng
- python3-dnf-plugin-versionlock
- python3-docker - python3-docker
- python3-m2crypto - python3-m2crypto
- python3-packaging - python3-packaging
- python3-pyyaml - python3-pyyaml
- python3-rich - python3-rich
- python3-watchdog
- rsync - rsync
- sqlite - sqlite
- tcpdump - tcpdump
- unzip - unzip
- wget - wget
- yum-utils - yum-utils
{% endif %} {% endif %}

3
salt/common/soup_scripts.sls
View File

@@ -19,4 +19,5 @@ soup_manager_scripts:
- source: salt://manager/tools/sbin - source: salt://manager/tools/sbin
- include_pat: - include_pat:
- so-firewall - so-firewall
- soup - so-repo-sync
- soup

115
salt/common/tools/sbin/so-common
View File

@@ -8,7 +8,7 @@
# Elastic agent is not managed by salt. Because of this we must store this base information in a # Elastic agent is not managed by salt. Because of this we must store this base information in a
# script that accompanies the soup system. Since so-common is one of those special soup files, # script that accompanies the soup system. Since so-common is one of those special soup files,
# and since this same logic is required during installation, it's included in this file. # and since this same logic is required during installation, it's included in this file.
ELASTIC_AGENT_TARBALL_VERSION="8.8.2" ELASTIC_AGENT_TARBALL_VERSION="8.10.4"
ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5"
ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
@@ -133,34 +133,47 @@ check_elastic_license() {
} }
check_salt_master_status() { check_salt_master_status() {
local timeout=$1 local count=0
echo "Checking if we can talk to the salt master" local attempts="${1:- 10}"
salt-call state.show_top concurrent=true current_time="$(date '+%b %d %H:%M:%S')"
echo "Checking if we can access the salt master and that it is ready at: ${current_time}"
return while ! salt-call state.show_top -l error concurrent=true 1> /dev/null; do
current_time="$(date '+%b %d %H:%M:%S')"
echo "Can't access salt master or it is not ready at: ${current_time}"
((count+=1))
if [[ $count -eq $attempts ]]; then
# 10 attempts takes about 5.5 minutes
echo "Gave up trying to access salt-master"
return 1
fi
done
current_time="$(date '+%b %d %H:%M:%S')"
echo "Successfully accessed and salt master ready at: ${current_time}"
return 0
} }
# this is only intended to be used to check the status of the minion from a salt master
check_salt_minion_status() { check_salt_minion_status() {
local timeout=$1 local minion="$1"
echo "Checking if the salt minion will respond to jobs" >> "$setup_log" 2>&1 local timeout="${2:-5}"
salt "$MINION_ID" test.ping -t $timeout > /dev/null 2>&1 local logfile="${3:-'/dev/stdout'}"
echo "Checking if the salt minion: $minion will respond to jobs" >> "$logfile" 2>&1
salt "$minion" test.ping -t $timeout > /dev/null 2>&1
local status=$? local status=$?
if [ $status -gt 0 ]; then if [ $status -gt 0 ]; then
echo " Minion did not respond" >> "$setup_log" 2>&1 echo " Minion did not respond" >> "$logfile" 2>&1
else else
echo " Received job response from salt minion" >> "$setup_log" 2>&1 echo " Received job response from salt minion" >> "$logfile" 2>&1
fi fi
return $status return $status
} }
copy_new_files() { copy_new_files() {
# Copy new files over to the salt dir # Copy new files over to the salt dir
cd $UPDATE_DIR cd $UPDATE_DIR
rsync -a salt $DEFAULT_SALT_DIR/ rsync -a salt $DEFAULT_SALT_DIR/ --delete
rsync -a pillar $DEFAULT_SALT_DIR/ rsync -a pillar $DEFAULT_SALT_DIR/ --delete
chown -R socore:socore $DEFAULT_SALT_DIR/ chown -R socore:socore $DEFAULT_SALT_DIR/
chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh
cd /tmp cd /tmp
@@ -242,7 +255,7 @@ gpg_rpm_import() {
else else
local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys" local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
fi fi
RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub' 'MariaDB-Server-GPG-KEY') RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
for RPMKEY in "${RPMKEYS[@]}"; do for RPMKEY in "${RPMKEYS[@]}"; do
rpm --import $RPMKEYSLOC/$RPMKEY rpm --import $RPMKEYSLOC/$RPMKEY
echo "Imported $RPMKEY" echo "Imported $RPMKEY"
@@ -384,6 +397,10 @@ retry() {
echo "<Start of output>" echo "<Start of output>"
echo "$output" echo "$output"
echo "<End of output>" echo "<End of output>"
if [[ $exitcode -eq 0 ]]; then
echo "Forcing exit code to 1"
exitcode=1
fi
fi fi
elif [ -n "$failedOutput" ]; then elif [ -n "$failedOutput" ]; then
if [[ "$output" =~ "$failedOutput" ]]; then if [[ "$output" =~ "$failedOutput" ]]; then
@@ -392,7 +409,7 @@ retry() {
echo "$output" echo "$output"
echo "<End of output>" echo "<End of output>"
if [[ $exitcode -eq 0 ]]; then if [[ $exitcode -eq 0 ]]; then
echo "The exitcode was 0, but we are setting to 1 since we found $failedOutput in the output." echo "Forcing exit code to 1"
exitcode=1 exitcode=1
fi fi
else else
@@ -430,6 +447,24 @@ run_check_net_err() {
fi fi
} }
wait_for_salt_minion() {
local minion="$1"
local timeout="${2:-5}"
local logfile="${3:-'/dev/stdout'}"
retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$logfile" 2>&1 || fail
local attempt=0
# each attempts would take about 15 seconds
local maxAttempts=20
until check_salt_minion_status "$minion" "$timeout" "$logfile"; do
attempt=$((attempt+1))
if [[ $attempt -eq $maxAttempts ]]; then
return 1
fi
sleep 10
done
return 0
}
salt_minion_count() { salt_minion_count() {
local MINIONDIR="/opt/so/saltstack/local/pillar/minions" local MINIONDIR="/opt/so/saltstack/local/pillar/minions"
MINIONCOUNT=$(ls -la $MINIONDIR/*.sls | grep -v adv_ | wc -l) MINIONCOUNT=$(ls -la $MINIONDIR/*.sls | grep -v adv_ | wc -l)
@@ -442,15 +477,51 @@ set_os() {
OS=rocky OS=rocky
OSVER=9 OSVER=9
is_rocky=true is_rocky=true
is_rpm=true
elif grep -q "CentOS Stream release 9" /etc/redhat-release; then elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
OS=centos OS=centos
OSVER=9 OSVER=9
is_centos=true is_centos=true
is_rpm=true
elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
OS=alma
OSVER=9
is_alma=true
is_rpm=true
elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
if [ -f /etc/oracle-release ]; then
OS=oracle
OSVER=9
is_oracle=true
is_rpm=true
else
OS=rhel
OSVER=9
is_rhel=true
is_rpm=true
fi
fi fi
cron_service_name="crond" cron_service_name="crond"
else elif [ -f /etc/os-release ]; then
OS=ubuntu if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
is_ubuntu=true OSVER=focal
UBVER=20.04
OS=ubuntu
is_ubuntu=true
is_deb=true
elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
OSVER=jammy
UBVER=22.04
OS=ubuntu
is_ubuntu=true
is_deb=true
elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
OSVER=bookworm
DEBVER=12
is_debian=true
OS=debian
is_deb=true
fi
cron_service_name="cron" cron_service_name="cron"
fi fi
} }
@@ -484,6 +555,10 @@ set_version() {
fi fi
} }
status () {
printf "\n=========================================================================\n$(date) | $1\n=========================================================================\n"
}
systemctl_func() { systemctl_func() {
local action=$1 local action=$1
local echo_action=$1 local echo_action=$1

2
salt/common/tools/sbin/so-image-common
View File

@@ -137,7 +137,7 @@ update_docker_containers() {
for i in "${TRUSTED_CONTAINERS[@]}" for i in "${TRUSTED_CONTAINERS[@]}"
do do
if [ -z "$PROGRESS_CALLBACK" ]; then if [ -z "$PROGRESS_CALLBACK" ]; then
echo "Downloading $i" >> "$LOG_FILE" 2>&1 echo "Downloading $i" >> "$LOG_FILE" 2>&1
else else
$PROGRESS_CALLBACK $i $PROGRESS_CALLBACK $i
fi fi

244
salt/common/tools/sbin/so-log-check Executable file
View File

@@ -0,0 +1,244 @@
#!/bin/bash
#
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
RECENT_LOG_LINES=200
EXCLUDE_STARTUP_ERRORS=N
EXCLUDE_FALSE_POSITIVE_ERRORS=N
EXCLUDE_KNOWN_ERRORS=N
while [[ $# -gt 0 ]]; do
case $1 in
--exclude-connection-errors)
EXCLUDE_STARTUP_ERRORS=Y
;;
--exclude-false-positives)
EXCLUDE_FALSE_POSITIVE_ERRORS=Y
;;
--exclude-known-errors)
EXCLUDE_KNOWN_ERRORS=Y
;;
--unknown)
EXCLUDE_STARTUP_ERRORS=Y
EXCLUDE_FALSE_POSITIVE_ERRORS=Y
EXCLUDE_KNOWN_ERRORS=Y
;;
--recent-log-lines)
shift
RECENT_LOG_LINES=$1
;;
*)
echo "Usage: $0 [options]"
echo ""
echo "where options are:"
echo " --recent-log-lines N looks at the most recent N log lines per file or container; defaults to 200"
echo " --exclude-connection-errors exclude errors caused by a recent server or container restart"
echo " --exclude-false-positives exclude logs that are known false positives"
echo " --exclude-known-errors exclude errors that are known and non-critical issues"
echo " --unknown exclude everything mentioned above; only show unknown errors"
echo ""
echo "A non-zero return value indicates errors were found"
exit 1
;;
esac
shift
done
echo "Security Onion Log Check - $(date)"
echo "-------------------------------------------"
echo ""
echo "- RECENT_LOG_LINES: $RECENT_LOG_LINES"
echo "- EXCLUDE_STARTUP_ERRORS: $EXCLUDE_STARTUP_ERRORS"
echo "- EXCLUDE_FALSE_POSITIVE_ERRORS: $EXCLUDE_FALSE_POSITIVE_ERRORS"
echo "- EXCLUDE_KNOWN_ERRORS: $EXCLUDE_KNOWN_ERRORS"
echo ""
function status() {
header "$1"
}
function exclude_container() {
name=$1
exclude_id=$(docker ps | grep "$name" | awk '{print $1}')
if [[ -n "$exclude_id" ]]; then
CONTAINER_IDS=$(echo $CONTAINER_IDS | sed -e "s/$exclude_id//g")
return $?
fi
return $?
}
function exclude_log() {
name=$1
cat /tmp/log_check_files | grep -v $name > /tmp/log_check_files.new
mv /tmp/log_check_files.new /tmp/log_check_files
}
function check_for_errors() {
if cat /tmp/log_check | grep -i error | grep -vEi "$EXCLUDED_ERRORS"; then
RESULT=1
fi
}
EXCLUDED_ERRORS="__LOG_CHECK_PLACEHOLDER_EXCLUSION__"
if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|database is locked" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|econnreset" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unreachable" # server not yet ready (logstash waiting on elastic)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|shutdown process" # server not yet ready (logstash waiting on elastic)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|contain valid certificates" # server not yet ready (logstash waiting on elastic)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failedaction" # server not yet ready (logstash waiting on elastic)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|no route to host" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|not running" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unavailable" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|request.py" # server not yet ready (python stack output)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|httperror" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|servfail" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|connect" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing shards" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to send metrics" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|broken pipe" # server not yet ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|status: 502" # server not yet ready (nginx waiting on upstream)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout exceeded" # server not yet ready (telegraf waiting on elasticsearch)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|influxsize kbytes" # server not yet ready (telegraf waiting on influx)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|expected field at" # server not yet ready (telegraf waiting on health data)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|connection timed out" # server not yet ready (telegraf plugin unable to connect)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|cached the public key" # server not yet ready (salt minion waiting on key acceptance)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|no ingest nodes" # server not yet ready (logstash waiting on elastic)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to poll" # server not yet ready (sensoroni waiting on soc)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|minions returned with non" # server not yet ready (salt waiting on minions)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|so_long_term" # server not yet ready (influxdb not yet setup)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|search_phase_execution_exception" # server not yet ready (elastalert running searches before ES is ready)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout retrieving docker" # Telegraf unable to reach Docker engine, rare
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout retrieving container" # Telegraf unable to reach Docker engine, rare
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error while communicating" # Elasticsearch MS -> HN "sensor" temporarily unavailable
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|tls handshake error" # Docker registry container when new node comes onlines
fi
if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|elastalert_status_error" # false positive
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|elastalert_error" # false positive
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error: '0'" # false positive
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|errors_index" # false positive
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|noerror" # false positive
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|outofmemoryerror" # false positive (elastic command line)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding component template" # false positive (elastic security)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding index template" # false positive (elastic security)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fs_errors" # false positive (suricata stats)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error-template" # false positive (elastic templates)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|deprecated" # false positive (playbook)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|windows" # false positive (playbook)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|could cause errors" # false positive (playbook)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|_error.yml" # false positive (playbook)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|id.orig_h" # false positive (zeek test data)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|emerging-all.rules" # false positive (error in rulename)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|invalid query input" # false positive (Invalid user input in hunt query)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|example" # false positive (example test data)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|status 200" # false positive (request successful, contained error string in content)
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|app_layer.error" # false positive (suricata 7) in stats.log e.g. app_layer.error.imap.parser | Total | 0
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|is not an ip string literal" # false positive (Open Canary logging out blank IP addresses)
fi
if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|eof"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|raise" # redis/python generic stack line, rely on other lines for actual error
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fail\\(error\\)" # redis/python generic stack line, rely on other lines for actual error
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|urlerror" # idstools connection timeout
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeouterror" # idstools connection timeout
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|forbidden" # playbook
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|_ml" # Elastic ML errors
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context canceled" # elastic agent during shutdown
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|exited with code 128" # soctopus errors during forced restart by highstate
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|geoip databases update" # airgap can't update GeoIP DB
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|filenotfounderror" # bug in 2.4.10 filecheck salt state caused duplicate cronjobs
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|salt-minion-check" # bug in early 2.4 place Jinja script in non-jinja salt dir causing cron output errors
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|generating elastalert config" # playbook expected error
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|activerecord" # playbook expected error
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|monitoring.metrics" # known issue with elastic agent casting the field incorrectly if an integer value shows up before a float
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|repodownload.conf" # known issue with reposync on pre-2.4.20
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing versions record" # stenographer corrupt index
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|soc.field." # known ingest type collisions issue with earlier versions of SO
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error parsing signature" # Malformed Suricata rule, from upstream provider
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|sticky buffer has no matches" # Non-critical Suricata error
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to determine destination index stats" # Elastic transform temporary error
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|iteration"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|communication packets"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|use of closed"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|bookkeeper"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|noindices"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to start transient scope"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|so-user.lock exists"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|systemd-run"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|retcode: 1"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|telemetry-task"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|redisqueue"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fleet_detail_query"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|num errors=0"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisioning/alerting"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisioning/notifiers"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|provisoning/plugins"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|active-responses.log"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|scanentropy"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|integration policy"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|blob unknown"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|token required"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|zeekcaptureloss"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unable to create detection"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error installing new prebuilt rules"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|parent.error"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|req.LocalMeta.host.ip" # known issue in GH
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|sendmail" # zeek
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|stats.log"
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context deadline exceeded"
fi
RESULT=0
# Check Security Onion container stdout/stderr logs
CONTAINER_IDS=$(docker ps -q)
exclude_container so-kibana # kibana error logs are too verbose with large varieties of errors most of which are temporary
exclude_container so-idstools # ignore due to known issues and noisy logging
exclude_container so-playbook # ignore due to several playbook known issues
for container_id in $CONTAINER_IDS; do
container_name=$(docker ps --format json | jq ". | select(.ID==\"$container_id\")|.Names")
status "Checking container $container_name"
docker logs -n $RECENT_LOG_LINES $container_id > /tmp/log_check 2>&1
check_for_errors
done
# Check Security Onion related log files
find /opt/so/log/ /nsm -name \*.log > /tmp/log_check_files
if [[ -f /var/log/cron ]]; then
echo "/var/log/cron" >> /tmp/log_check_files
fi
exclude_log "kibana.log" # kibana error logs are too verbose with large varieties of errors most of which are temporary
exclude_log "spool" # disregard zeek analyze logs as this is data specific
exclude_log "import" # disregard imported test data the contains error strings
exclude_log "update.log" # ignore playbook updates due to several known issues
exclude_log "playbook.log" # ignore due to several playbook known issues
for log_file in $(cat /tmp/log_check_files); do
status "Checking log file $log_file"
tail -n $RECENT_LOG_LINES $log_file > /tmp/log_check
check_for_errors
done
# Cleanup temp files
rm -f /tmp/log_check_files
rm -f /tmp/log_check
if [[ $RESULT -eq 0 ]]; then
echo -e "\nResult: No errors found"
else
echo -e "\nResult: One or more errors found"
fi
exit $RESULT

10
salt/common/tools/sbin/so-test
View File

@@ -5,4 +5,14 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
. /usr/sbin/so-common
set -e
# Playback live sample data onto monitor interface
so-tcpreplay /opt/samples/* 2> /dev/null so-tcpreplay /opt/samples/* 2> /dev/null
# Ingest sample pfsense log entry
if is_sensor_node; then
echo "<134>$(date '+%b %d %H:%M:%S') filterlog[31624]: 84,,,1567509287,igb0.244,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.1.1,10.10.10.10,56320,443,0,S,3333585167,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol" | nc -uv -w1 127.0.0.1 514 > /dev/null 2>&1
fi

67
salt/common/tools/sbin/so-zeek-logs
View File

@@ -1,67 +0,0 @@
#!/bin/bash
local_salt_dir=/opt/so/saltstack/local
zeek_logs_enabled() {
echo "zeeklogs:" > $local_salt_dir/pillar/zeeklogs.sls
echo " enabled:" >> $local_salt_dir/pillar/zeeklogs.sls
for BLOG in "${BLOGS[@]}"; do
echo " - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/zeeklogs.sls
done
}
whiptail_manager_adv_service_zeeklogs() {
BLOGS=$(whiptail --title "so-zeek-logs" --checklist "Please Select Logs to Send:" 24 78 12 \
"conn" "Connection Logging" ON \
"dce_rpc" "RPC Logs" ON \
"dhcp" "DHCP Logs" ON \
"dnp3" "DNP3 Logs" ON \
"dns" "DNS Logs" ON \
"dpd" "DPD Logs" ON \
"files" "Files Logs" ON \
"ftp" "FTP Logs" ON \
"http" "HTTP Logs" ON \
"intel" "Intel Hits Logs" ON \
"irc" "IRC Chat Logs" ON \
"kerberos" "Kerberos Logs" ON \
"modbus" "MODBUS Logs" ON \
"notice" "Zeek Notice Logs" ON \
"ntlm" "NTLM Logs" ON \
"pe" "PE Logs" ON \
"radius" "Radius Logs" ON \
"rfb" "RFB Logs" ON \
"rdp" "RDP Logs" ON \
"sip" "SIP Logs" ON \
"smb_files" "SMB Files Logs" ON \
"smb_mapping" "SMB Mapping Logs" ON \
"smtp" "SMTP Logs" ON \
"snmp" "SNMP Logs" ON \
"ssh" "SSH Logs" ON \
"ssl" "SSL Logs" ON \
"syslog" "Syslog Logs" ON \
"tunnel" "Tunnel Logs" ON \
"weird" "Zeek Weird Logs" ON \
"mysql" "MySQL Logs" ON \
"socks" "SOCKS Logs" ON \
"x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 )
local exitstatus=$?
IFS=' ' read -ra BLOGS <<< "$BLOGS"
return $exitstatus
}
whiptail_manager_adv_service_zeeklogs
return_code=$?
case $return_code in
1)
whiptail --title "so-zeek-logs" --msgbox "Cancelling. No changes have been made." 8 75
;;
255)
whiptail --title "so-zeek-logs" --msgbox "Whiptail error occured, exiting." 8 75
;;
*)
zeek_logs_enabled
;;
esac

60
salt/common/tools/sbin_jinja/so-import-evtx
View File

@@ -80,8 +80,8 @@ function evtx2es() {
-e "SHIFTTS=$SHIFTDATE" \ -e "SHIFTTS=$SHIFTDATE" \
-v "$EVTX:/tmp/data.evtx" \ -v "$EVTX:/tmp/data.evtx" \
-v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \ -v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \
-v "/nsm/import/evtx-end_newest:/tmp/newest" \ -v "/nsm/import/$HASH/evtx-end_newest:/tmp/newest" \
-v "/nsm/import/evtx-start_oldest:/tmp/oldest" \ -v "/nsm/import/$HASH/evtx-start_oldest:/tmp/oldest" \
--entrypoint "/evtx_calc_timestamps.sh" \ --entrypoint "/evtx_calc_timestamps.sh" \
{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} >> $LOG_FILE 2>&1 {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} >> $LOG_FILE 2>&1
} }
@@ -111,12 +111,6 @@ INVALID_EVTXS_COUNT=0
VALID_EVTXS_COUNT=0 VALID_EVTXS_COUNT=0
SKIPPED_EVTXS_COUNT=0 SKIPPED_EVTXS_COUNT=0
touch /nsm/import/evtx-start_oldest
touch /nsm/import/evtx-end_newest
echo $START_OLDEST > /nsm/import/evtx-start_oldest
echo $END_NEWEST > /nsm/import/evtx-end_newest
# paths must be quoted in case they include spaces # paths must be quoted in case they include spaces
for EVTX in $INPUT_FILES; do for EVTX in $INPUT_FILES; do
EVTX=$(/usr/bin/realpath "$EVTX") EVTX=$(/usr/bin/realpath "$EVTX")
@@ -141,8 +135,15 @@ for EVTX in $INPUT_FILES; do
status "- this EVTX has already been imported; skipping" status "- this EVTX has already been imported; skipping"
SKIPPED_EVTXS_COUNT=$((SKIPPED_EVTXS_COUNT + 1)) SKIPPED_EVTXS_COUNT=$((SKIPPED_EVTXS_COUNT + 1))
else else
# create EVTX directory
EVTX_DIR=$HASH_DIR/evtx EVTX_DIR=$HASH_DIR/evtx
mkdir -p $EVTX_DIR mkdir -p $EVTX_DIR
# create import timestamp files
for i in evtx-start_oldest evtx-end_newest; do
if ! [ -f "$i" ]; then
touch /nsm/import/$HASH/$i
fi
done
# import evtx and write them to import ingest pipeline # import evtx and write them to import ingest pipeline
status "- importing logs to Elasticsearch..." status "- importing logs to Elasticsearch..."
@@ -154,28 +155,37 @@ for EVTX in $INPUT_FILES; do
VALID_EVTXS_COUNT=$((VALID_EVTXS_COUNT + 1)) VALID_EVTXS_COUNT=$((VALID_EVTXS_COUNT + 1))
fi fi
# compare $START to $START_OLDEST
START=$(cat /nsm/import/evtx-start_oldest)
START_COMPARE=$(date -d $START +%s)
START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s)
if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then
START_OLDEST=$START
fi
# compare $ENDNEXT to $END_NEWEST
END=$(cat /nsm/import/evtx-end_newest)
ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"`
ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s)
END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s)
if [ $ENDNEXT_COMPARE -gt $END_NEWEST_COMPARE ]; then
END_NEWEST=$ENDNEXT
fi
cp -f "${EVTX}" "${EVTX_DIR}"/data.evtx cp -f "${EVTX}" "${EVTX_DIR}"/data.evtx
chmod 644 "${EVTX_DIR}"/data.evtx chmod 644 "${EVTX_DIR}"/data.evtx
fi # end of valid evtx fi # end of valid evtx
# determine start and end and make sure they aren't reversed
START=$(cat /nsm/import/$HASH/evtx-start_oldest)
END=$(cat /nsm/import/$HASH/evtx-end_newest)
START_EPOCH=`date -d "$START" +"%s"`
END_EPOCH=`date -d "$END" +"%s"`
if [ "$START_EPOCH" -gt "$END_EPOCH" ]; then
TEMP=$START
START=$END
END=$TEMP
fi
# compare $START to $START_OLDEST
START_COMPARE=$(date -d $START +%s)
START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s)
if [ $START_COMPARE -lt $START_OLDEST_COMPARE ]; then
START_OLDEST=$START
fi
# compare $ENDNEXT to $END_NEWEST
ENDNEXT=`date +%Y-%m-%d --date="$END 1 day"`
ENDNEXT_COMPARE=$(date -d $ENDNEXT +%s)
END_NEWEST_COMPARE=$(date -d $END_NEWEST +%s)
if [ $ENDNEXT_COMPARE -gt $END_NEWEST_COMPARE ]; then
END_NEWEST=$ENDNEXT
fi
status status
done # end of for-loop processing evtx files done # end of for-loop processing evtx files

0
salt/common/tools/sbin/so-salt-minion-check → salt/common/tools/sbin_jinja/so-salt-minion-check
View File

9
salt/desktop/packages.sls
View File

@@ -1,7 +1,5 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{# we only want this state to run it is CentOS #} {# we only want this state to run it is CentOS #}
{% if GLOBALS.os == 'OEL' %} {% if grains.os == 'OEL' %}
desktop_packages: desktop_packages:
pkg.installed: pkg.installed:
@@ -348,7 +346,6 @@ desktop_packages:
- snappy - snappy
- sound-theme-freedesktop - sound-theme-freedesktop
- soundtouch - soundtouch
- securityonion-networkminer
- speech-dispatcher - speech-dispatcher
- speech-dispatcher-espeak-ng - speech-dispatcher-espeak-ng
- speex - speex
@@ -435,6 +432,10 @@ desktop_packages:
- xorg-x11-xinit-session - xorg-x11-xinit-session
- zip - zip
install_networkminer:
pkg.latest:
- name: securityonion-networkminer
{% else %} {% else %}
desktop_packages_os_fail: desktop_packages_os_fail:

4
salt/desktop/remove_gui.sls
View File

@@ -1,7 +1,5 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{# we only want this state to run it is CentOS #} {# we only want this state to run it is CentOS #}
{% if GLOBALS.os == 'OEL' %} {% if grains.os == 'OEL' %}
remove_graphical_target: remove_graphical_target:
file.symlink: file.symlink:

4
salt/desktop/scripts/convert-gnome-classic.sh
View File

@@ -1,4 +0,0 @@
#!/bin/bash
echo "Setting default session to gnome-classic"
cp /usr/share/accountsservice/user-templates/standard /etc/accountsservice/user-templates/
sed -i 's|Session=gnome|Session=gnome-classic|g' /etc/accountsservice/user-templates/standard

9
salt/desktop/xwindows.sls
View File

@@ -1,7 +1,5 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{# we only want this state to run it is CentOS #} {# we only want this state to run it is CentOS #}
{% if GLOBALS.os == 'OEL' %} {% if grains.os == 'OEL' %}
include: include:
- desktop.packages - desktop.packages
@@ -14,10 +12,7 @@ graphical_target:
- require: - require:
- desktop_packages - desktop_packages
convert_gnome_classic: {# set users to use gnome-classic #}
cmd.script:
- name: salt://desktop/scripts/convert-gnome-classic.sh
{% for username in salt['file.find'](path='/home/',mindepth=1,maxdepth=1,type='d') %} {% for username in salt['file.find'](path='/home/',mindepth=1,maxdepth=1,type='d') %}
{% set username = username.split('/')[2] %} {% set username = username.split('/')[2] %}
{% if username != 'zeek' %} {% if username != 'zeek' %}

3
salt/docker/defaults.yaml
View File

@@ -178,6 +178,9 @@ docker:
extra_env: [] extra_env: []
'so-elastic-agent': 'so-elastic-agent':
final_octet: 46 final_octet: 46
port_bindings:
- 0.0.0.0:514:514/tcp
- 0.0.0.0:514:514/udp
custom_bind_mounts: [] custom_bind_mounts: []
extra_hosts: [] extra_hosts: []
extra_env: [] extra_env: []

8
salt/docker/init.sls
View File

@@ -6,6 +6,9 @@
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
# include ssl since docker service requires the intca
include:
- ssl
dockergroup: dockergroup:
group.present: group.present:
@@ -86,6 +89,11 @@ docker_running:
- enable: True - enable: True
- watch: - watch:
- file: docker_daemon - file: docker_daemon
- x509: trusttheca
- require:
- file: docker_daemon
- x509: trusttheca
# Reserve OS ports for Docker proxy in case boot settings are not already applied/present # Reserve OS ports for Docker proxy in case boot settings are not already applied/present
# 57314 = Strelka, 47760-47860 = Zeek # 57314 = Strelka, 47760-47860 = Zeek

1
salt/docker_clean/init.sls
View File

@@ -9,6 +9,7 @@
prune_images: prune_images:
cmd.run: cmd.run:
- name: so-docker-prune - name: so-docker-prune
- order: last
{% else %} {% else %}

4
salt/elasticagent/enabled.sls
View File

@@ -31,6 +31,10 @@ so-elastic-agent:
- {{ XTRAHOST }} - {{ XTRAHOST }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- port_bindings:
{% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds: - binds:
- /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro - /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro
- /opt/so/log/elasticagent:/usr/share/elastic-agent/logs - /opt/so/log/elasticagent:/usr/share/elastic-agent/logs

51
salt/elasticagent/files/elastic-agent.yml.jinja
View File

@@ -430,3 +430,54 @@ inputs:
exclude_files: exclude_files:
- >- - >-
broker|capture_loss|cluster|ecat_arp_info|known_hosts|known_services|loaded_scripts|ntp|ocsp|packet_filter|reporter|stats|stderr|stdout.log$ broker|capture_loss|cluster|ecat_arp_info|known_hosts|known_services|loaded_scripts|ntp|ocsp|packet_filter|reporter|stats|stderr|stdout.log$
- id: udp-udp-35051de0-46a5-11ee-8d5d-9f98c8182f60
name: syslog-udp-514
revision: 3
type: udp
use_output: default
meta:
package:
name: udp
version: 1.10.0
data_stream:
namespace: so
package_policy_id: 35051de0-46a5-11ee-8d5d-9f98c8182f60
streams:
- id: udp-udp.generic-35051de0-46a5-11ee-8d5d-9f98c8182f60
data_stream:
dataset: syslog
pipeline: syslog
host: '0.0.0.0:514'
max_message_size: 10KiB
processors:
- add_fields:
fields:
module: syslog
target: event
tags:
- syslog
- id: tcp-tcp-33d37bb0-46a5-11ee-8d5d-9f98c8182f60
name: syslog-tcp-514
revision: 3
type: tcp
use_output: default
meta:
package:
name: tcp
version: 1.10.0
data_stream:
namespace: so
package_policy_id: 33d37bb0-46a5-11ee-8d5d-9f98c8182f60
streams:
- id: tcp-tcp.generic-33d37bb0-46a5-11ee-8d5d-9f98c8182f60
data_stream:
dataset: syslog
pipeline: syslog
host: '0.0.0.0:514'
processors:
- add_fields:
fields:
module: syslog
target: event
tags:
- syslog

53
salt/elasticfleet/config.sls
View File

@@ -6,6 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% set node_data = salt['pillar.get']('node_data') %}
# Add EA Group # Add EA Group
elasticfleetgroup: elasticfleetgroup:
@@ -37,6 +38,8 @@ elasticfleet_sbin_jinja:
- group: 939 - group: 939
- file_mode: 755 - file_mode: 755
- template: jinja - template: jinja
- exclude_pat:
- so-elastic-fleet-package-upgrade # exclude this because we need to watch it for changes
eaconfdir: eaconfdir:
file.directory: file.directory:
@@ -59,6 +62,15 @@ eastatedir:
- group: 939 - group: 939
- makedirs: True - makedirs: True
eapackageupgrade:
file.managed:
- name: /usr/sbin/so-elastic-fleet-package-upgrade
- source: salt://elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade
- user: 947
- group: 939
- mode: 755
- template: jinja
{% if GLOBALS.role != "so-fleet" %} {% if GLOBALS.role != "so-fleet" %}
eaintegrationsdir: eaintegrationsdir:
file.directory: file.directory:
@@ -82,12 +94,53 @@ eaintegration:
- user: 947 - user: 947
- group: 939 - group: 939
eaoptionalintegrationsdir:
file.directory:
- name: /opt/so/conf/elastic-fleet/integrations-optional
- user: 947
- group: 939
- makedirs: True
{% for minion in node_data %}
{% set role = node_data[minion]["role"] %}
{% if role in [ "eval","fleet","heavynode","import","manager","managersearch","standalone" ] %}
{% set optional_integrations = salt['pillar.get']('elasticfleet:optional_integrations', {}) %}
{% set integration_keys = salt['pillar.get']('elasticfleet:optional_integrations', {}).keys() %}
fleet_server_integrations_{{ minion }}:
file.directory:
- name: /opt/so/conf/elastic-fleet/integrations-optional/FleetServer_{{ minion }}
- user: 947
- group: 939
- makedirs: True
{% for integration in integration_keys %}
{% if 'enabled_nodes' in optional_integrations[integration]%}
{% set enabled_nodes = optional_integrations[integration]["enabled_nodes"] %}
{% if minion in enabled_nodes %}
optional_integrations_dynamic_{{ minion }}_{{ integration }}:
file.managed:
- name: /opt/so/conf/elastic-fleet/integrations-optional/FleetServer_{{ minion }}/{{ integration }}.json
- source: salt://elasticfleet/files/integrations-optional/{{ integration }}.json
- user: 947
- group: 939
- template: jinja
- defaults:
NAME: {{ minion }}
{% else %}
optional_integrations_dynamic_{{ minion }}_{{ integration }}_delete:
file.absent:
- name: /opt/so/conf/elastic-fleet/integrations-optional/FleetServer_{{ minion }}/{{ integration }}.json
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
ea-integrations-load: ea-integrations-load:
file.absent: file.absent:
- name: /opt/so/state/eaintegrations.txt - name: /opt/so/state/eaintegrations.txt
- onchanges: - onchanges:
- file: eaintegration - file: eaintegration
- file: eadynamicintegration - file: eadynamicintegration
- file: /opt/so/conf/elastic-fleet/integrations-optional/*
{% endif %} {% endif %}
{% else %} {% else %}

29
salt/elasticfleet/defaults.yaml
View File

@@ -10,11 +10,14 @@ elasticfleet:
logging: logging:
zeek: zeek:
excluded: excluded:
- analyzer
- broker - broker
- capture_loss - capture_loss
- cluster - cluster
- conn-summary
- console - console
- ecat_arp_info - ecat_arp_info
- known_certs
- known_hosts - known_hosts
- known_services - known_services
- loaded_scripts - loaded_scripts
@@ -26,20 +29,30 @@ elasticfleet:
- stderr - stderr
- stdout - stdout
packages: packages:
- apache
- auditd - auditd
- auth0
- aws - aws
- azure - azure
- barracuda - barracuda
- carbonblack_edr
- checkpoint
- cisco_asa - cisco_asa
- cisco_duo
- cisco_meraki
- cisco_umbrella
- cloudflare - cloudflare
- crowdstrike - crowdstrike
- darktrace - darktrace
- elastic_agent
- elasticsearch - elasticsearch
- endpoint - endpoint
- f5_bigip - f5_bigip
- fleet_server
- fim - fim
- fireeye
- fleet_server
- fortinet - fortinet
- fortinet_fortigate
- gcp - gcp
- github - github
- google_workspace - google_workspace
@@ -53,24 +66,38 @@ elasticfleet:
- m365_defender - m365_defender
- microsoft_defender_endpoint - microsoft_defender_endpoint
- microsoft_dhcp - microsoft_dhcp
- mimecast
- netflow - netflow
- o365 - o365
- okta - okta
- osquery_manager - osquery_manager
- panw - panw
- pfsense - pfsense
- pulse_connect_secure
- redis - redis
- sentinel_one - sentinel_one
- snyk
- sonicwall_firewall - sonicwall_firewall
- sophos
- sophos_central
- symantec_endpoint - symantec_endpoint
- system - system
- tcp - tcp
- tenable_sc
- ti_abusech - ti_abusech
- ti_misp - ti_misp
- ti_otx - ti_otx
- ti_recordedfuture - ti_recordedfuture
- udp - udp
- vsphere
- windows - windows
- zscaler_zia - zscaler_zia
- zscaler_zpa - zscaler_zpa
- 1password - 1password
optional_integrations:
sublime_platform:
enabled_nodes: []
api_key:
base_url: https://api.platform.sublimesecurity.com
poll_interval: 5m
limit: 100

11
salt/elasticfleet/enabled.sls
View File

@@ -96,6 +96,17 @@ so-elastic-fleet:
{% endif %} {% endif %}
{% if GLOBALS.role != "so-fleet" %} {% if GLOBALS.role != "so-fleet" %}
so-elastic-fleet-package-statefile:
file.managed:
- name: /opt/so/state/elastic_fleet_packages.txt
- contents: {{ELASTICFLEETMERGED.packages}}
so-elastic-fleet-package-upgrade:
cmd.run:
- name: /usr/sbin/so-elastic-fleet-package-upgrade
- onchanges:
- file: /opt/so/state/elastic_fleet_packages.txt
so-elastic-fleet-integrations: so-elastic-fleet-integrations:
cmd.run: cmd.run:
- name: /usr/sbin/so-elastic-fleet-integration-policy-load - name: /usr/sbin/so-elastic-fleet-integration-policy-load

44
salt/elasticfleet/files/integrations-optional/sublime_platform.json Normal file
View File

@@ -0,0 +1,44 @@
{%- from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED -%}
{%- from 'sensoroni/map.jinja' import SENSORONIMERGED -%}
{%- from 'vars/globals.map.jinja' import GLOBALS -%}
{%- raw -%}
{
"package": {
"name": "httpjson",
"version": ""
},
"name": "sublime-platform",
"namespace": "default",
"description": "",
"policy_id": "FleetServer_{%- endraw -%}{{ NAME }}{%- raw -%}",
"vars": {},
"inputs": {
"generic-httpjson": {
"enabled": true,
"streams": {
"httpjson.generic": {
"enabled": true,
"vars": {
"request_method": "GET",
"processors": "- drop_event:\n when:\n not:\n contains: \n message: \"flagged_rules\"\n- decode_json_fields:\n fields: [\"message\"]\n document_id: id\n target: \"\"",
"enable_request_tracer": false,
"oauth_scopes": [],
"request_transforms": "- set:\n target: header.Authorization\n value: 'Bearer {% endraw -%}{{ ELASTICFLEETMERGED.optional_integrations.sublime_platform.api_key }}{%- raw -%}'\n- set:\n target: header.accept\n value: application/json\n- set:\n target: url.params.last_message_created_at[gte]\n value: '[[formatDate (now (parseDuration \"-{%- endraw -%}{{ ELASTICFLEETMERGED.optional_integrations.sublime_platform.poll_interval }}{%- raw -%}\")) \"2006-01-02T15:04:05Z\"]]'\n- set:\n target: url.params.reviewed\n value: false\n- set:\n target: url.params.flagged\n value: true\n- set:\n target: url.params.limit\n value: {% endraw %}{{ ELASTICFLEETMERGED.optional_integrations.sublime_platform.limit }}{%- raw -%}",
"response_transforms": "",
"request_redirect_headers_ban_list": [],
"request_encode_as": "application/x-www-form-urlencoded",
"request_url": "{%- endraw -%}{{ ELASTICFLEETMERGED.optional_integrations.sublime_platform.base_url }}{%- raw -%}/v0/message-groups",
"response_split": "target: body.message_groups\ntype: array\nkeep_parent: false\ntransforms:\n - set:\n target: body.sublime.request_url\n value : '[[ .last_response.url.value ]]'",
"tags": [
"forwarded"
],
"pipeline": "sublime",
"data_stream.dataset": "sublime",
"request_interval": "1m"
}
}
}
}
}
}
{%- endraw -%}

2
salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json → salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json
View File

@@ -5,7 +5,7 @@
"package": { "package": {
"name": "endpoint", "name": "endpoint",
"title": "Elastic Defend", "title": "Elastic Defend",
"version": "8.8.0" "version": "8.10.2"
}, },
"enabled": true, "enabled": true,
"policy_id": "endpoints-initial", "policy_id": "endpoints-initial",

33
salt/elasticfleet/soc_elasticfleet.yaml
View File

@@ -40,3 +40,36 @@ elasticfleet:
helpLink: elastic-fleet.html helpLink: elastic-fleet.html
sensitive: True sensitive: True
advanced: True advanced: True
optional_integrations:
sublime_platform:
enabled_nodes:
description: Fleet nodes with the Sublime Platform integration enabled. Enter one per line.
global: True
helpLink: elastic-fleet.html
advanced: True
forcedType: "[]string"
api_key:
description: API key for Sublime Platform.
global: True
helpLink: elastic-fleet.html
advanced: True
forcedType: string
sensitive: True
base_url:
description: Base URL for Sublime Platform.
global: True
helpLink: elastic-fleet.html
advanced: True
forcedType: string
poll_interval:
description: Poll interval for alerts from Sublime Platform.
global: True
helpLink: elastic-fleet.html
advanced: True
forcedType: string
limit:
description: The maximum number of message groups to return from Sublime Platform.
global: True
helpLink: elastic-fleet.html
advanced: True
forcedType: int

31
salt/elasticfleet/tools/sbin/so-elastic-fleet-common Executable file → Normal file
View File

@@ -42,6 +42,23 @@ elastic_fleet_integration_create() {
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
} }
elastic_fleet_integration_remove() {
AGENT_POLICY=$1
NAME=$2
INTEGRATION_ID=$(/usr/sbin/so-elastic-fleet-agent-policy-view "$AGENT_POLICY" | jq -r '.item.package_policies[] | select(.name=="'"$NAME"'") | .id')
JSON_STRING=$( jq -n \
--arg INTEGRATIONID "$INTEGRATION_ID" \
'{"packagePolicyIds":[$INTEGRATIONID]}'
)
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies/delete" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
}
elastic_fleet_integration_update() { elastic_fleet_integration_update() {
UPDATE_ID=$1 UPDATE_ID=$1
@@ -51,6 +68,19 @@ elastic_fleet_integration_update() {
curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/package_policies/$UPDATE_ID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/package_policies/$UPDATE_ID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
} }
elastic_fleet_integration_policy_upgrade() {
INTEGRATION_ID=$1
JSON_STRING=$( jq -n \
--arg INTEGRATIONID "$INTEGRATION_ID" \
'{"packagePolicyIds":[$INTEGRATIONID]}'
)
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies/upgrade" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
}
elastic_fleet_package_version_check() { elastic_fleet_package_version_check() {
PACKAGE=$1 PACKAGE=$1
curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.version' curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.version'
@@ -98,3 +128,4 @@ elastic_fleet_policy_update() {
curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/$POLICYID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/$POLICYID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
} }

23
salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-elastic-defend Executable file
View File

@@ -0,0 +1,23 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
# Usage: Run with --force to update the Elastic Defend integration policy
. /usr/sbin/so-elastic-fleet-common
# Manage Elastic Defend Integration for Initial Endpoints Policy
for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/elastic-defend/*.json
do
printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n"
elastic_fleet_integration_check "endpoints-initial" "$INTEGRATION"
if [ -n "$INTEGRATION_ID" ]; then
printf "\n\nIntegration $NAME exists - Upgrading integration policy\n"
elastic_fleet_integration_policy_upgrade "$INTEGRATION_ID"
else
printf "\n\nIntegration does not exist - Creating integration\n"
elastic_fleet_integration_create "@$INTEGRATION"
fi
done

26
salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load Executable file → Normal file
View File

@@ -12,6 +12,9 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
# First, check for any package upgrades # First, check for any package upgrades
/usr/sbin/so-elastic-fleet-package-upgrade /usr/sbin/so-elastic-fleet-package-upgrade
# Second, configure Elastic Defend Integration seperately
/usr/sbin/so-elastic-fleet-integration-policy-elastic-defend
# Initial Endpoints # Initial Endpoints
for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json
do do
@@ -61,7 +64,28 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
if [[ "$RETURN_CODE" != "1" ]]; then if [[ "$RETURN_CODE" != "1" ]]; then
touch /opt/so/state/eaintegrations.txt touch /opt/so/state/eaintegrations.txt
fi fi
# Fleet Server - Optional integrations
for INTEGRATION in /opt/so/conf/elastic-fleet/integrations-optional/FleetServer*/*.json
do
if ! [ "$INTEGRATION" == "/opt/so/conf/elastic-fleet/integrations-optional/FleetServer*/*.json" ]; then
FLEET_POLICY=`echo "$INTEGRATION"| cut -d'/' -f7`
printf "\n\nFleet Server Policy - Loading $INTEGRATION\n"
elastic_fleet_integration_check "$FLEET_POLICY" "$INTEGRATION"
if [ -n "$INTEGRATION_ID" ]; then
printf "\n\nIntegration $NAME exists - Updating integration\n"
elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
else
printf "\n\nIntegration does not exist - Creating integration\n"
if [ "$NAME" != "elasticsearch-logs" ]; then
elastic_fleet_integration_create "@$INTEGRATION"
fi
fi
fi
done
if [[ "$RETURN_CODE" != "1" ]]; then
touch /opt/so/state/eaintegrations.txt
fi
else else
exit $RETURN_CODE exit $RETURN_CODE
fi fi

2
salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
View File

@@ -46,7 +46,7 @@ do
done done
printf "\n### Stripping out unused components" printf "\n### Stripping out unused components"
find /nsm/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -regex '.*fleet.*\|.*packet.*\|.*apm*.*\|.*audit.*\|.*heart.*\|.*cloud.*' -delete find /nsm/elastic-agent-workspace/elastic-agent-*/data/elastic-agent-*/components -maxdepth 1 -regex '.*fleet.*\|.*packet.*\|.*apm.*\|.*audit.*\|.*heart.*\|.*cloud.*' -delete
printf "\n### Tarring everything up again" printf "\n### Tarring everything up again"
for OS in "${OSARCH[@]}" for OS in "${OSARCH[@]}"

1
salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade
View File

@@ -15,3 +15,4 @@ elastic_fleet_package_install "{{ PACKAGE }}" "$VERSION"
echo echo
{%- endfor %} {%- endfor %}
echo echo
/usr/sbin/so-elasticsearch-templates-load

12
salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
View File

@@ -8,8 +8,19 @@
INTCA=/etc/pki/tls/certs/intca.crt INTCA=/etc/pki/tls/certs/intca.crt
. /usr/sbin/so-common
. /usr/sbin/so-elastic-fleet-common . /usr/sbin/so-elastic-fleet-common
# Check to make sure that Kibana API is up & ready
RETURN_CODE=0
wait_for_web_response "http://localhost:5601/api/fleet/settings" "fleet" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"
RETURN_CODE=$?
if [[ "$RETURN_CODE" != "0" ]]; then
printf "Kibana API not accessible, exiting Elastic Fleet setup..."
exit 1
fi
printf "\n### Create ES Token ###\n" printf "\n### Create ES Token ###\n"
ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/service_tokens" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq -r .value) ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/service_tokens" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq -r .value)
@@ -120,3 +131,4 @@ salt-call state.apply elasticfleet queue=True
# Generate installers & install Elastic Agent on the node # Generate installers & install Elastic Agent on the node
so-elastic-agent-gen-installers so-elastic-agent-gen-installers
salt-call state.apply elasticfleet.install_agent_grid queue=True salt-call state.apply elasticfleet.install_agent_grid queue=True
exit 0

10
salt/elasticsearch/config.map.jinja
View File

@@ -20,20 +20,12 @@
{% for NODE in ES_LOGSTASH_NODES %} {% for NODE in ES_LOGSTASH_NODES %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.discovery.seed_hosts.append(NODE.keys()|first) %} {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.discovery.seed_hosts.append(NODE.keys()|first) %}
{% endfor %} {% endfor %}
{% if grains.id.split('_') | last == 'manager' %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master','data','remote_cluster_client']}) %}
{% else %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master', 'data_hot', 'remote_cluster_client']}) %}
{% endif %}
{% endif %} {% endif %}
{% elif grains.id.split('_') | last == 'searchnode' %} {% elif grains.id.split('_') | last == 'searchnode' %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['data_hot', 'ingest']}) %}
{% if HIGHLANDER %} {% if HIGHLANDER %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %} {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %}
{% endif %} {% endif %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %} {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %}
{% elif grains.id.split('_') | last == 'heavynode' %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master', 'data', 'remote_cluster_client', 'ingest']}) %}
{% endif %} {% endif %}
{% if HIGHLANDER %} {% if HIGHLANDER %}
{% do ELASTICSEARCHDEFAULTS.elasticsearch.config.xpack.ml.update({'enabled': true}) %} {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.xpack.ml.update({'enabled': true}) %}
@@ -53,3 +45,5 @@
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% do ELASTICSEARCHMERGED.config.node.update({'roles': ELASTICSEARCHMERGED.so_roles[GLOBALS.role].config.node.roles}) %}

13250
salt/elasticsearch/defaults.yaml
View File

File diff suppressed because it is too large Load Diff

11
salt/elasticsearch/enabled.sls
View File

@@ -108,8 +108,9 @@ escomponenttemplates:
- source: salt://elasticsearch/templates/component - source: salt://elasticsearch/templates/component
- user: 930 - user: 930
- group: 939 - group: 939
- clean: True
- onchanges_in: - onchanges_in:
- cmd: so-elasticsearch-templates - file: so-elasticsearch-templates-reload
# Auto-generate templates from defaults file # Auto-generate templates from defaults file
{% for index, settings in ES_INDEX_SETTINGS.items() %} {% for index, settings in ES_INDEX_SETTINGS.items() %}
@@ -122,7 +123,7 @@ es_index_template_{{index}}:
TEMPLATE_CONFIG: {{ settings.index_template }} TEMPLATE_CONFIG: {{ settings.index_template }}
- template: jinja - template: jinja
- onchanges_in: - onchanges_in:
- cmd: so-elasticsearch-templates - file: so-elasticsearch-templates-reload
{% endif %} {% endif %}
{% endfor %} {% endfor %}
@@ -141,7 +142,7 @@ es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
- user: 930 - user: 930
- group: 939 - group: 939
- onchanges_in: - onchanges_in:
- cmd: so-elasticsearch-templates - file: so-elasticsearch-templates-reload
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@@ -166,6 +167,10 @@ so-elasticsearch-ilm-policy-load:
- onchanges: - onchanges:
- file: so-elasticsearch-ilm-policy-load-script - file: so-elasticsearch-ilm-policy-load-script
so-elasticsearch-templates-reload:
file.absent:
- name: /opt/so/state/estemplates.txt
so-elasticsearch-templates: so-elasticsearch-templates:
cmd.run: cmd.run:
- name: /usr/sbin/so-elasticsearch-templates-load - name: /usr/sbin/so-elasticsearch-templates-load

1
salt/elasticsearch/files/ingest/.fleet_final_pipeline-1
View File

@@ -80,6 +80,7 @@
{ "set": { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } }, { "set": { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } },
{ "set": { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.dataset", "value": "import" } }, { "set": { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.dataset", "value": "import" } },
{ "set": { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.namespace", "value": "so" } }, { "set": { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.namespace", "value": "so" } },
{ "date": { "if": "ctx.event?.module == 'system'", "field": "event.created", "target_field": "@timestamp", "formats": ["yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'"] } },
{ "community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true } }, { "community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true } },
{ "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } } { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } }
], ],

24
salt/elasticsearch/files/ingest/common.nids
View File

@@ -1,17 +1,17 @@
{ {
"description" : "common.nids", "description" : "common.nids",
"processors" : [ "processors" : [
{ "convert": { "if": "ctx.rule.uuid != null", "field": "rule.uuid", "type": "integer" } }, { "convert": { "if": "ctx.rule.uuid != null", "field": "rule.uuid", "type": "integer" } },
{ "set": { "if": "ctx.rule?.uuid < 1000000", "field": "rule.reference", "value": "https://www.snort.org/search?query={{rule.gid}}-{{rule.uuid}}" } }, { "set": { "if": "ctx.rule?.uuid < 1000000", "field": "rule.reference", "value": "https://www.snort.org/rule_docs/{{rule.gid}}-{{rule.uuid}}" } },
{ "set": { "if": "ctx.rule?.uuid > 1999999", "field": "rule.reference", "value": "https://doc.emergingthreats.net/{{rule.uuid}}" } }, { "set": { "if": "ctx.rule?.uuid > 1999999", "field": "rule.reference", "value": "https://community.emergingthreats.net" } },
{ "convert": { "if": "ctx.rule.uuid != null", "field": "rule.uuid", "type": "string" } }, { "convert": { "if": "ctx.rule.uuid != null", "field": "rule.uuid", "type": "string" } },
{ "dissect": { "if": "ctx.rule.name != null", "field": "rule.name", "pattern" : "%{rule_type} %{rest_of_rulename} ", "ignore_failure": true } }, { "dissect": { "if": "ctx.rule.name != null", "field": "rule.name", "pattern" : "%{rule_type} %{rest_of_rulename} ", "ignore_failure": true } },
{ "set": { "if": "ctx.rule_type == 'GPL'", "field": "rule.ruleset", "value": "Snort GPL" } }, { "set": { "if": "ctx.rule_type == 'GPL'", "field": "rule.ruleset", "value": "Snort GPL" } },
{ "set": { "if": "ctx.rule_type == 'ET'", "field": "rule.ruleset", "value": "Emerging Threats" } }, { "set": { "if": "ctx.rule_type == 'ET'", "field": "rule.ruleset", "value": "Emerging Threats" } },
{ "set": { "if": "ctx.rule.severity == 3", "field": "event.severity", "value": 1, "override": true } }, { "set": { "if": "ctx.rule.severity == 3", "field": "event.severity", "value": 1, "override": true } },
{ "set": { "if": "ctx.rule.severity == 2", "field": "event.severity", "value": 2, "override": true } }, { "set": { "if": "ctx.rule.severity == 2", "field": "event.severity", "value": 2, "override": true } },
{ "set": { "if": "ctx.rule.severity == 1", "field": "event.severity", "value": 3, "override": true } }, { "set": { "if": "ctx.rule.severity == 1", "field": "event.severity", "value": 3, "override": true } },
{ "remove": { "field": ["rule_type", "rest_of_rulename", "host"], "ignore_failure": true } }, { "remove": { "field": ["rule_type", "rest_of_rulename", "host"], "ignore_failure": true } },
{ "pipeline": { "name": "common" } } { "pipeline": { "name": "common" } }
] ]
} }

4
salt/elasticsearch/files/ingest/strelka.file
View File

@@ -63,8 +63,8 @@
{ "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 50 && ctx.rule?.score <=69", "field": "event.severity", "value": 2, "override": true } }, { "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 50 && ctx.rule?.score <=69", "field": "event.severity", "value": 2, "override": true } },
{ "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 70 && ctx.rule?.score <=89", "field": "event.severity", "value": 3, "override": true } }, { "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 70 && ctx.rule?.score <=89", "field": "event.severity", "value": 3, "override": true } },
{ "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 90", "field": "event.severity", "value": 4, "override": true } }, { "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 90", "field": "event.severity", "value": 4, "override": true } },
{ "set": { "if": "ctx.scan?.entropy?.entropy == 0", "field": "scan.entropy.entropy", "value": "0.0", "override": true } }, { "set": { "if": "ctx.scan?.entropy?.entropy == '0'", "field": "scan.entropy.entropy", "value": "0.0", "override": true } },
{ "set": { "if": "ctx.scan?.pe?.image_version == 0", "field": "scan.pe.image_version", "value": "0.0", "override": true } }, { "set": { "if": "ctx.scan?.pe?.image_version == '0'", "field": "scan.pe.image_version", "value": "0.0", "override": true } },
{ "set": { "field": "observer.name", "value": "{{agent.name}}" }}, { "set": { "field": "observer.name", "value": "{{agent.name}}" }},
{ "convert" : { "field" : "scan.exiftool","type": "string", "ignore_missing":true }}, { "convert" : { "field" : "scan.exiftool","type": "string", "ignore_missing":true }},
{ "remove": { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"], "ignore_missing": true } }, { "remove": { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"], "ignore_missing": true } },

34
salt/elasticsearch/files/ingest/sublime Normal file
View File

@@ -0,0 +1,34 @@
{
"description" : " Email alerts from Sublime",
"processors" : [
{ "set": { "field": "event.module", "value": "sublime" } },
{ "set": { "field": "event.dataset", "value": "alert" } },
{ "set": { "field": "event.severity", "value": 3, "override": true } },
{ "set": { "field": "rule.name", "value": "Sublime Platform: {{ flagged_rules.0.name }}", "override": true } },
{ "set": { "field": "sublime.message_group_id", "value": "{{ _id }}", "override": true } },
{ "set": { "field": "email.address", "value": "{{ messages.0.recipients.0.email }}", "override": true } },
{ "set": { "field": "email.forwarded_recipents", "value": "{{ messages.0.forwarded_receipients }}", "override": true } },
{ "set": { "field": "email.sender.address", "value": "{{ messages.0.sender.email }}", "override": true } },
{ "set": { "field": "email.subject", "value": "{{ messages.0.subject }}", "override": true } },
{ "set": { "field": "email.forwarded_at", "value": "{{ messages.0.forwarded_at }}", "override": true } },
{ "set": { "field": "email.created_at", "value": "{{ messages.0.created_at }}", "override": true } },
{ "set": { "field": "email.read_at", "value": "{{ messages.0.read_at }}", "override": true } },
{ "set": { "field": "email.replied_at", "value": "{{ messages.0.replied_at }}", "override": true } },
{
"grok": {
"field": "sublime.request_url",
"patterns": ["^https://api.%{DATA:sublime_host}/v0%{GREEDYDATA}$"],
"ignore_failure": true
}
},
{ "rename": { "field": "sublime_host", "target_field": "sublime.url", "ignore_missing": true } },
{ "rename": { "field": "data", "target_field": "sublime", "ignore_missing": true } },
{ "rename": { "field": "flagged_rules", "target_field": "sublime.flagged_rules", "ignore_missing": true } },
{ "rename": { "field": "organization_id", "target_field": "sublime.organization_id", "ignore_missing": true } },
{ "rename": { "field": "review_status", "target_field": "sublime.review_status", "ignore_missing": true } },
{ "rename": { "field": "state", "target_field": "sublime.state", "ignore_missing": true } },
{ "rename": { "field": "user_reports", "target_field": "sublime.user_reports", "ignore_missing": true } },
{ "pipeline": { "name": "common" } }
]
}

1
salt/elasticsearch/files/ingest/suricata.common
View File

@@ -2,6 +2,7 @@
"description" : "suricata.common", "description" : "suricata.common",
"processors" : [ "processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.pkt_src", "target_field": "network.packet_source","ignore_failure": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } }, { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } },
{ "rename": { "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } }, { "rename": { "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } },
{ "rename": { "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } }, { "rename": { "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } },

54
salt/elasticsearch/files/ingest/zeek.ssl
View File

@@ -1,26 +1,40 @@
{ {
"description" : "zeek.ssl", "description" : "zeek.ssl",
"processors" : [ "processors" : [
{ "set": { "field": "event.dataset", "value": "ssl" } }, { "set": { "field": "event.dataset", "value": "ssl" } },
{ "remove": { "field": ["host"], "ignore_failure": true } }, { "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.version", "target_field": "ssl.version", "ignore_missing": true } }, { "rename": { "field": "message2.version", "target_field": "ssl.version", "ignore_missing": true } },
{ "rename": { "field": "message2.cipher", "target_field": "ssl.cipher", "ignore_missing": true } }, { "rename": { "field": "message2.cipher", "target_field": "ssl.cipher", "ignore_missing": true } },
{ "rename": { "field": "message2.curve", "target_field": "ssl.curve", "ignore_missing": true } }, { "rename": { "field": "message2.curve", "target_field": "ssl.curve", "ignore_missing": true } },
{ "rename": { "field": "message2.server_name", "target_field": "ssl.server_name", "ignore_missing": true } }, { "rename": { "field": "message2.server_name", "target_field": "ssl.server_name", "ignore_missing": true } },
{ "rename": { "field": "message2.resumed", "target_field": "ssl.resumed", "ignore_missing": true } }, { "rename": { "field": "message2.resumed", "target_field": "ssl.resumed", "ignore_missing": true } },
{ "rename": { "field": "message2.last_alert", "target_field": "ssl.last_alert", "ignore_missing": true } }, { "rename": { "field": "message2.last_alert", "target_field": "ssl.last_alert", "ignore_missing": true } },
{ "rename": { "field": "message2.next_protocol", "target_field": "ssl.next_protocol", "ignore_missing": true } }, { "rename": { "field": "message2.next_protocol", "target_field": "ssl.next_protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.established", "target_field": "ssl.established", "ignore_missing": true } }, { "rename": { "field": "message2.established", "target_field": "ssl.established", "ignore_missing": true } },
{ "rename": { "field": "message2.cert_chain_fuids", "target_field": "ssl.certificate.chain_fuids", "ignore_missing": true } }, { "rename": { "if": "ctx.message2?.cert_chain_fps != null", "field": "message2.cert_chain_fps", "target_field": "tls.server.hash.sha256", "ignore_missing": true } },
{ "rename": { "field": "message2.client_cert_chain_fuids", "target_field": "ssl.client.certificate.chain_fuids", "ignore_missing": true } }, { "rename": { "field": "message2?.cert_chain_fuids", "target_field": "ssl.certificate.chain_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.subject", "target_field": "ssl.certificate.subject", "ignore_missing": true } }, { "rename": { "if": "ctx.message2?.client_cert_chain_fps != null", "field": "message2.client_cert_chain_fps", "target_field": "tls.client.hash.sha256", "ignore_failure": true, "ignore_missing": true } },
{ "rename": { "field": "message2.issuer", "target_field": "ssl.certificate.issuer", "ignore_missing": true } }, { "rename": { "field": "message2.client_cert_chain_fuids", "target_field": "ssl.client.certificate.chain_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.client_subject", "target_field": "ssl.client.subject", "ignore_missing": true } }, { "rename": { "field": "message2.subject", "target_field": "ssl.certificate.subject", "ignore_missing": true } },
{ "rename": { "field": "message2.client_issuer", "target_field": "ssl.client.issuer", "ignore_missing": true } }, { "rename": { "field": "message2.issuer", "target_field": "ssl.certificate.issuer", "ignore_missing": true } },
{ "rename": { "field": "message2.validation_status","target_field": "ssl.validation_status", "ignore_missing": true } }, { "rename": { "field": "message2.client_subject", "target_field": "ssl.client.subject", "ignore_missing": true } },
{ "rename": { "field": "message2.ja3", "target_field": "hash.ja3", "ignore_missing": true } }, { "rename": { "field": "message2.client_issuer", "target_field": "ssl.client.issuer", "ignore_missing": true } },
{ "rename": { "field": "message2.ja3s", "target_field": "hash.ja3s", "ignore_missing": true } }, { "rename": { "field": "message2.validation_status","target_field": "ssl.validation_status", "ignore_missing": true } },
{ "rename": { "field": "message2.ja3", "target_field": "hash.ja3", "ignore_missing": true } },
{ "rename": { "field": "message2.ja3s", "target_field": "hash.ja3s", "ignore_missing": true } },
{ "foreach":
{
"if": "ctx?.tls?.client?.hash?.sha256 !=null",
"field": "tls.client.hash.sha256",
"processor": {
"append": {
"field": "hash.sha256",
"value": "{{_ingest._value}}"
}
}
}
},
{ "pipeline": { "name": "zeek.common_ssl" } } { "pipeline": { "name": "zeek.common_ssl" } }
] ]
} }

79
salt/elasticsearch/files/ingest/zeek.x509
View File

@@ -3,44 +3,45 @@
"processors" : [ "processors" : [
{ "set": { "field": "event.dataset", "value": "x509" } }, { "set": { "field": "event.dataset", "value": "x509" } },
{ "remove": { "field": ["host"], "ignore_failure": true } }, { "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id", "target_field": "log.id.fuid", "ignore_missing": true } }, { "rename": { "field": "message2.id", "target_field": "log.id.fuid", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.version", "path": "message2", "ignore_failure": true } }, { "dot_expander": { "field": "certificate.version", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.version", "target_field": "x509.certificate.version", "ignore_missing": true } }, { "rename": { "field": "message2.certificate.version", "target_field": "x509.certificate.version", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.serial", "path": "message2", "ignore_failure": true } }, { "dot_expander": { "field": "certificate.serial", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.serial", "target_field": "x509.certificate.serial", "ignore_missing": true } }, { "rename": { "field": "message2.certificate.serial", "target_field": "x509.certificate.serial", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.subject", "path": "message2", "ignore_failure": true } }, { "dot_expander": { "field": "certificate.subject", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.subject", "target_field": "x509.certificate.subject", "ignore_missing": true } }, { "rename": { "field": "message2.certificate.subject", "target_field": "x509.certificate.subject", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.issuer", "path": "message2", "ignore_failure": true } }, { "dot_expander": { "field": "certificate.issuer", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.issuer", "target_field": "x509.certificate.issuer", "ignore_missing": true } }, { "rename": { "field": "message2.certificate.issuer", "target_field": "x509.certificate.issuer", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.not_valid_before", "path": "message2", "ignore_failure": true } }, { "dot_expander": { "field": "certificate.not_valid_before", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.not_valid_before", "target_field": "x509.certificate.not_valid_before", "ignore_missing": true } }, { "rename": { "field": "message2.certificate.not_valid_before", "target_field": "x509.certificate.not_valid_before", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.not_valid_after", "path": "message2", "ignore_failure": true } }, { "dot_expander": { "field": "certificate.not_valid_after", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.not_valid_after", "target_field": "x509.certificate.not_valid_after", "ignore_missing": true } }, { "rename": { "field": "message2.certificate.not_valid_after", "target_field": "x509.certificate.not_valid_after", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.key_alg", "path": "message2", "ignore_failure": true } }, { "dot_expander": { "field": "certificate.key_alg", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.key_alg", "target_field": "x509.certificate.key.algorithm", "ignore_missing": true } }, { "rename": { "field": "message2.certificate.key_alg", "target_field": "x509.certificate.key.algorithm", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.sig_alg", "path": "message2", "ignore_failure": true } }, { "dot_expander": { "field": "certificate.sig_alg", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.sig_alg", "target_field": "x509.certificate.signing_algorithm", "ignore_missing": true } }, { "rename": { "field": "message2.certificate.sig_alg", "target_field": "x509.certificate.signing_algorithm", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.key_type", "path": "message2", "ignore_failure": true } }, { "dot_expander": { "field": "certificate.key_type", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.key_type", "target_field": "x509.certificate.key.type", "ignore_missing": true } }, { "rename": { "field": "message2.certificate.key_type", "target_field": "x509.certificate.key.type", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.key_length", "path": "message2", "ignore_failure": true } }, { "dot_expander": { "field": "certificate.key_length", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.key_length", "target_field": "x509.certificate.key.length", "ignore_missing": true } }, { "rename": { "field": "message2.certificate.key_length", "target_field": "x509.certificate.key.length", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.exponent", "path": "message2", "ignore_failure": true } }, { "dot_expander": { "field": "certificate.exponent", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.exponent", "target_field": "x509.certificate.exponent", "ignore_missing": true } }, { "rename": { "field": "message2.certificate.exponent", "target_field": "x509.certificate.exponent", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.curve", "path": "message2", "ignore_failure": true } }, { "dot_expander": { "field": "certificate.curve", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.curve", "target_field": "x509.certificate.curve", "ignore_missing": true } }, { "rename": { "field": "message2.certificate.curve", "target_field": "x509.certificate.curve", "ignore_missing": true } },
{ "dot_expander": { "field": "san.dns", "path": "message2", "ignore_failure": true } }, { "dot_expander": { "field": "san.dns", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.san.dns", "target_field": "x509.san_dns", "ignore_missing": true } }, { "rename": { "field": "message2.san.dns", "target_field": "x509.san_dns", "ignore_missing": true } },
{ "dot_expander": { "field": "san.uri", "path": "message2", "ignore_failure": true } }, { "dot_expander": { "field": "san.uri", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.san.uri", "target_field": "x509.san_uri", "ignore_missing": true } }, { "rename": { "field": "message2.san.uri", "target_field": "x509.san_uri", "ignore_missing": true } },
{ "dot_expander": { "field": "san.email", "path": "message2", "ignore_failure": true } }, { "dot_expander": { "field": "san.email", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.san.email", "target_field": "x509.san_email", "ignore_missing": true } }, { "rename": { "field": "message2.san.email", "target_field": "x509.san_email", "ignore_missing": true } },
{ "dot_expander": { "field": "san.ip", "path": "message2", "ignore_failure": true } }, { "dot_expander": { "field": "san.ip", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.san.ip", "target_field": "x509.san_ip", "ignore_missing": true } }, { "rename": { "field": "message2.san.ip", "target_field": "x509.san_ip", "ignore_missing": true } },
{ "dot_expander": { "field": "basic_constraints.ca", "path": "message2", "ignore_failure": true } }, { "dot_expander": { "field": "basic_constraints.ca", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.basic_constraints.ca", "target_field": "x509.basic_constraints.ca", "ignore_missing": true } }, { "rename": { "field": "message2.basic_constraints.ca", "target_field": "x509.basic_constraints.ca", "ignore_missing": true } },
{ "dot_expander": { "field": "basic_constraints.path_length", "path": "message2", "ignore_failure": true } }, { "dot_expander": { "field": "basic_constraints.path_length", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.basic_constraints.path_length", "target_field": "x509.basic_constraints.path_length", "ignore_missing": true } }, { "rename": { "field": "message2.basic_constraints.path_length", "target_field": "x509.basic_constraints.path_length", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common_ssl" } } { "rename": { "field": "message2.fingerprint", "target_field": "hash.sha256", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common_ssl" } }
] ]
} }

269
salt/elasticsearch/soc_elasticsearch.yaml
View File

@@ -33,7 +33,6 @@ elasticsearch:
flood_stage: flood_stage:
description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events. description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events.
helpLink: elasticsearch.html helpLink: elasticsearch.html
script: script:
max_compilations_rate: max_compilations_rate:
description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources. description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources.
@@ -57,32 +56,6 @@ elasticsearch:
forcedType: int forcedType: int
global: True global: True
helpLink: elasticsearch.html helpLink: elasticsearch.html
so-logs: &indexSettings
index_sorting:
description: Sorts the index by event time, at the cost of additional processing resource consumption.
global: True
helpLink: elasticsearch.html
index_template:
index_patterns:
description: Patterns for matching multiple indices or tables.
forceType: "[]string"
multiline: True
global: True
helpLink: elasticsearch.html
template:
settings:
index:
number_of_replicas:
description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
forcedType: int
global: True
helpLink: elasticsearch.html
mapping:
total_fields:
limit:
description: Max number of fields that can exist on a single index. Larger values will consume more resources.
global: True
helpLink: elasticsearch.html
refresh_interval: refresh_interval:
description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation. description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
global: True global: True
@@ -100,48 +73,10 @@ elasticsearch:
description: The order to sort by. Must set index_sorting to True. description: The order to sort by. Must set index_sorting to True.
global: True global: True
helpLink: elasticsearch.html helpLink: elasticsearch.html
mappings:
_meta:
package:
name:
description: Meta settings for the mapping.
global: True
helpLink: elasticsearch.html
managed_by:
description: Meta settings for the mapping.
global: True
helpLink: elasticsearch.html
managed:
description: Meta settings for the mapping.
forcedType: bool
global: True
helpLink: elasticsearch.html
composed_of:
description: The index template is composed of these component templates.
forcedType: "[]string"
global: True
helpLink: elasticsearch.html
priority:
description: The priority of the index template.
forcedType: int
global: True
helpLink: elasticsearch.html
data_stream:
hidden:
description: Hide the data stream.
forcedType: bool
global: True
helpLink: elasticsearch.html
allow_custom_routing:
description: Allow custom routing for the data stream.
forcedType: bool
global: True
helpLink: elasticsearch.html
policy:
phases: phases:
hot: hot:
min_age: max_age:
description: Minimum age of index. This determines when the index should be moved to the hot tier. description: Maximum age of index. ex. 7d - This determines when the index should be moved out of the hot tier.
global: True global: True
helpLink: elasticsearch.html helpLink: elasticsearch.html
actions: actions:
@@ -160,10 +95,187 @@ elasticsearch:
description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index. description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
global: True global: True
helpLink: elasticsearch.html helpLink: elasticsearch.html
cold:
min_age:
description: Minimum age of index. ex. 30d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed.
global: True
helpLink: elasticsearch.html
actions:
set_priority:
priority:
description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
global: True
helpLink: elasticsearch.html
warm:
min_age:
description: Minimum age of index. ex. 30d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed.
regex: ^\[0-9\]{1,5}d$
forcedType: string
global: True
actions:
set_priority:
priority:
description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
forcedType: int
global: True
helpLink: elasticsearch.html
delete:
min_age:
description: Minimum age of index. ex. 90d - This determines when the index should be deleted.
global: True
helpLink: elasticsearch.html
so-logs: &indexSettings
index_sorting:
description: Sorts the index by event time, at the cost of additional processing resource consumption.
global: True
advanced: True
helpLink: elasticsearch.html
index_template:
index_patterns:
description: Patterns for matching multiple indices or tables.
forceType: "[]string"
multiline: True
global: True
advanced: True
helpLink: elasticsearch.html
template:
settings:
index:
number_of_replicas:
description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
forcedType: int
global: True
advanced: True
helpLink: elasticsearch.html
mapping:
total_fields:
limit:
description: Max number of fields that can exist on a single index. Larger values will consume more resources.
global: True
advanced: True
helpLink: elasticsearch.html
refresh_interval:
description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
global: True
advanced: True
helpLink: elasticsearch.html
number_of_shards:
description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
global: True
advanced: True
helpLink: elasticsearch.html
sort:
field:
description: The field to sort by. Must set index_sorting to True.
global: True
advanced: True
helpLink: elasticsearch.html
order:
description: The order to sort by. Must set index_sorting to True.
global: True
advanced: True
helpLink: elasticsearch.html
mappings:
_meta:
package:
name:
description: Meta settings for the mapping.
global: True
advanced: True
helpLink: elasticsearch.html
managed_by:
description: Meta settings for the mapping.
global: True
advanced: True
helpLink: elasticsearch.html
managed:
description: Meta settings for the mapping.
forcedType: bool
global: True
advanced: True
helpLink: elasticsearch.html
composed_of:
description: The index template is composed of these component templates.
forcedType: "[]string"
global: True
advanced: True
helpLink: elasticsearch.html
priority:
description: The priority of the index template.
forcedType: int
global: True
advanced: True
helpLink: elasticsearch.html
data_stream:
hidden:
description: Hide the data stream.
forcedType: bool
global: True
advanced: True
helpLink: elasticsearch.html
allow_custom_routing:
description: Allow custom routing for the data stream.
forcedType: bool
global: True
advanced: True
helpLink: elasticsearch.html
policy:
phases:
hot:
min_age:
description: Minimum age of index. This determines when the index should be moved to the hot tier.
global: True
advanced: True
helpLink: elasticsearch.html
actions:
set_priority:
priority:
description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
forcedType: int
global: True
advanced: True
helpLink: elasticsearch.html
rollover:
max_age:
description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
global: True
advanced: True
helpLink: elasticsearch.html
max_primary_shard_size:
description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
global: True
advanced: True
helpLink: elasticsearch.html
warm:
min_age:
description: Minimum age of index. This determines when the index should be moved to the hot tier.
global: True
advanced: True
helpLink: elasticsearch.html
actions:
set_priority:
priority:
description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
forcedType: int
global: True
advanced: True
helpLink: elasticsearch.html
rollover:
max_age:
description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
global: True
advanced: True
helpLink: elasticsearch.html
max_primary_shard_size:
description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
global: True
advanced: True
helpLink: elasticsearch.html
cold: cold:
min_age: min_age:
description: Minimum age of index. This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. description: Minimum age of index. This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed.
global: True global: True
advanced: True
helpLink: elasticsearch.html helpLink: elasticsearch.html
actions: actions:
set_priority: set_priority:
@@ -171,26 +283,31 @@ elasticsearch:
description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
forcedType: int forcedType: int
global: True global: True
advanced: True
helpLink: elasticsearch.html helpLink: elasticsearch.html
delete: delete:
min_age: min_age:
description: Minimum age of index. This determines when the index should be deleted. description: Minimum age of index. This determines when the index should be deleted.
global: True global: True
advanced: True
helpLink: elasticsearch.html helpLink: elasticsearch.html
_meta: _meta:
package: package:
name: name:
description: Meta settings for the mapping. description: Meta settings for the mapping.
global: True global: True
advanced: True
helpLink: elasticsearch.html helpLink: elasticsearch.html
managed_by: managed_by:
description: Meta settings for the mapping. description: Meta settings for the mapping.
global: True global: True
advanced: True
helpLink: elasticsearch.html helpLink: elasticsearch.html
managed: managed:
description: Meta settings for the mapping. description: Meta settings for the mapping.
forcedType: bool forcedType: bool
global: True global: True
advanced: True
helpLink: elasticsearch.html helpLink: elasticsearch.html
so-logs-system_x_auth: *indexSettings so-logs-system_x_auth: *indexSettings
so-logs-system_x_syslog: *indexSettings so-logs-system_x_syslog: *indexSettings
@@ -201,6 +318,8 @@ elasticsearch:
so-logs-windows_x_powershell: *indexSettings so-logs-windows_x_powershell: *indexSettings
so-logs-windows_x_powershell_operational: *indexSettings so-logs-windows_x_powershell_operational: *indexSettings
so-logs-windows_x_sysmon_operational: *indexSettings so-logs-windows_x_sysmon_operational: *indexSettings
so-logs-apache_x_access: *indexSettings
so-logs-apache_x_error: *indexSettings
so-logs-auditd_x_log: *indexSettings so-logs-auditd_x_log: *indexSettings
so-logs-aws_x_cloudtrail: *indexSettings so-logs-aws_x_cloudtrail: *indexSettings
so-logs-aws_x_cloudwatch_logs: *indexSettings so-logs-aws_x_cloudwatch_logs: *indexSettings
@@ -343,3 +462,19 @@ elasticsearch:
so-strelka: *indexSettings so-strelka: *indexSettings
so-syslog: *indexSettings so-syslog: *indexSettings
so-zeek: *indexSettings so-zeek: *indexSettings
so_roles:
so-manager: &soroleSettings
config:
node:
roles:
description: List of Elasticsearch roles that the node should have. Blank assumes all roles
forcedType: "[]string"
global: False
advanced: True
helpLink: elasticsearch.html
so-managersearch: *soroleSettings
so-standalone: *soroleSettings
so-searchnode: *soroleSettings
so-heavynode: *soroleSettings
so-eval: *soroleSettings
so-import: *soroleSettings

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

329
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json
View File

@@ -1,329 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.apm_server-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

329
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json
View File

@@ -1,329 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.auditbeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

339
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json
View File

@@ -1,339 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.cloudbeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"decision_id",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"message": {
"type": "match_only_text"
},
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"result": {
"type": "object"
},
"input": {
"type": "object"
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"decision_id": {
"type": "text"
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

329
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json
View File

@@ -1,329 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.endpoint_security-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

329
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json
View File

@@ -1,329 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.filebeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

329
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json
View File

@@ -1,329 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.fleet_server-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

329
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json
View File

@@ -1,329 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.heartbeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"message": {
"type": "text"
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

329
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json
View File

@@ -1,329 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.metricbeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

329
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json
View File

@@ -1,329 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.osquerybeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

322
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json
View File

@@ -1,322 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.packetbeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

2
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json
View File

@@ -5,7 +5,7 @@
"name": "logs" "name": "logs"
}, },
"codec": "best_compression", "codec": "best_compression",
"default_pipeline": "logs-elastic_agent-1.7.0", "default_pipeline": "logs-elastic_agent-1.13.1",
"mapping": { "mapping": {
"total_fields": { "total_fields": {
"limit": "10000" "limit": "10000"

12
salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

952
salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json
View File

@@ -1,952 +0,0 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-system.application-1.6.4",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"event.code",
"event.original",
"error.message",
"message",
"winlog.api",
"winlog.activity_id",
"winlog.computer_name",
"winlog.event_data.AuthenticationPackageName",
"winlog.event_data.Binary",
"winlog.event_data.BitlockerUserInputTime",
"winlog.event_data.BootMode",
"winlog.event_data.BootType",
"winlog.event_data.BuildVersion",
"winlog.event_data.Company",
"winlog.event_data.CorruptionActionState",
"winlog.event_data.CreationUtcTime",
"winlog.event_data.Description",
"winlog.event_data.Detail",
"winlog.event_data.DeviceName",
"winlog.event_data.DeviceNameLength",
"winlog.event_data.DeviceTime",
"winlog.event_data.DeviceVersionMajor",
"winlog.event_data.DeviceVersionMinor",
"winlog.event_data.DriveName",
"winlog.event_data.DriverName",
"winlog.event_data.DriverNameLength",
"winlog.event_data.DwordVal",
"winlog.event_data.EntryCount",
"winlog.event_data.ExtraInfo",
"winlog.event_data.FailureName",
"winlog.event_data.FailureNameLength",
"winlog.event_data.FileVersion",
"winlog.event_data.FinalStatus",
"winlog.event_data.Group",
"winlog.event_data.IdleImplementation",
"winlog.event_data.IdleStateCount",
"winlog.event_data.ImpersonationLevel",
"winlog.event_data.IntegrityLevel",
"winlog.event_data.IpAddress",
"winlog.event_data.IpPort",
"winlog.event_data.KeyLength",
"winlog.event_data.LastBootGood",
"winlog.event_data.LastShutdownGood",
"winlog.event_data.LmPackageName",
"winlog.event_data.LogonGuid",
"winlog.event_data.LogonId",
"winlog.event_data.LogonProcessName",
"winlog.event_data.LogonType",
"winlog.event_data.MajorVersion",
"winlog.event_data.MaximumPerformancePercent",
"winlog.event_data.MemberName",
"winlog.event_data.MemberSid",
"winlog.event_data.MinimumPerformancePercent",
"winlog.event_data.MinimumThrottlePercent",
"winlog.event_data.MinorVersion",
"winlog.event_data.NewProcessId",
"winlog.event_data.NewProcessName",
"winlog.event_data.NewSchemeGuid",
"winlog.event_data.NewTime",
"winlog.event_data.NominalFrequency",
"winlog.event_data.Number",
"winlog.event_data.OldSchemeGuid",
"winlog.event_data.OldTime",
"winlog.event_data.OriginalFileName",
"winlog.event_data.Path",
"winlog.event_data.PerformanceImplementation",
"winlog.event_data.PreviousCreationUtcTime",
"winlog.event_data.PreviousTime",
"winlog.event_data.PrivilegeList",
"winlog.event_data.ProcessId",
"winlog.event_data.ProcessName",
"winlog.event_data.ProcessPath",
"winlog.event_data.ProcessPid",
"winlog.event_data.Product",
"winlog.event_data.PuaCount",
"winlog.event_data.PuaPolicyId",
"winlog.event_data.QfeVersion",
"winlog.event_data.Reason",
"winlog.event_data.SchemaVersion",
"winlog.event_data.ScriptBlockText",
"winlog.event_data.ServiceName",
"winlog.event_data.ServiceVersion",
"winlog.event_data.ShutdownActionType",
"winlog.event_data.ShutdownEventCode",
"winlog.event_data.ShutdownReason",
"winlog.event_data.Signature",
"winlog.event_data.SignatureStatus",
"winlog.event_data.Signed",
"winlog.event_data.StartTime",
"winlog.event_data.State",
"winlog.event_data.Status",
"winlog.event_data.StopTime",
"winlog.event_data.SubjectDomainName",
"winlog.event_data.SubjectLogonId",
"winlog.event_data.SubjectUserName",
"winlog.event_data.SubjectUserSid",
"winlog.event_data.TSId",
"winlog.event_data.TargetDomainName",
"winlog.event_data.TargetInfo",
"winlog.event_data.TargetLogonGuid",
"winlog.event_data.TargetLogonId",
"winlog.event_data.TargetServerName",
"winlog.event_data.TargetUserName",
"winlog.event_data.TargetUserSid",
"winlog.event_data.TerminalSessionId",
"winlog.event_data.TokenElevationType",
"winlog.event_data.TransmittedServices",
"winlog.event_data.UserSid",
"winlog.event_data.Version",
"winlog.event_data.Workstation",
"winlog.event_data.param1",
"winlog.event_data.param2",
"winlog.event_data.param3",
"winlog.event_data.param4",
"winlog.event_data.param5",
"winlog.event_data.param6",
"winlog.event_data.param7",
"winlog.event_data.param8",
"winlog.event_id",
"winlog.keywords",
"winlog.channel",
"winlog.record_id",
"winlog.related_activity_id",
"winlog.opcode",
"winlog.provider_guid",
"winlog.provider_name",
"winlog.task",
"winlog.user.identifier",
"winlog.user.name",
"winlog.user.domain",
"winlog.user.type"
]
}
}
},
"mappings": {
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
{
"winlog.user_data": {
"path_match": "winlog.user_data.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"winlog": {
"properties": {
"related_activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"computer_name": {
"ignore_above": 1024,
"type": "keyword"
},
"process": {
"properties": {
"pid": {
"type": "long"
},
"thread": {
"properties": {
"id": {
"type": "long"
}
}
}
}
},
"keywords": {
"ignore_above": 1024,
"type": "keyword"
},
"channel": {
"ignore_above": 1024,
"type": "keyword"
},
"event_data": {
"properties": {
"SignatureStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceTime": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"OriginalFileName": {
"ignore_above": 1024,
"type": "keyword"
},
"BootMode": {
"ignore_above": 1024,
"type": "keyword"
},
"Product": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetLogonGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"FileVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"StopTime": {
"ignore_above": 1024,
"type": "keyword"
},
"Status": {
"ignore_above": 1024,
"type": "keyword"
},
"CorruptionActionState": {
"ignore_above": 1024,
"type": "keyword"
},
"KeyLength": {
"ignore_above": 1024,
"type": "keyword"
},
"PreviousCreationUtcTime": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetInfo": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"PerformanceImplementation": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"Group": {
"ignore_above": 1024,
"type": "keyword"
},
"Description": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownActionType": {
"ignore_above": 1024,
"type": "keyword"
},
"DwordVal": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessPid": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceVersionMajor": {
"ignore_above": 1024,
"type": "keyword"
},
"ScriptBlockText": {
"ignore_above": 1024,
"type": "keyword"
},
"TransmittedServices": {
"ignore_above": 1024,
"type": "keyword"
},
"MaximumPerformancePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"NewTime": {
"ignore_above": 1024,
"type": "keyword"
},
"FinalStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"IdleStateCount": {
"ignore_above": 1024,
"type": "keyword"
},
"MajorVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"Path": {
"ignore_above": 1024,
"type": "keyword"
},
"SchemaVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"TokenElevationType": {
"ignore_above": 1024,
"type": "keyword"
},
"MinorVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectLogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"IdleImplementation": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessPath": {
"ignore_above": 1024,
"type": "keyword"
},
"QfeVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceVersionMinor": {
"ignore_above": 1024,
"type": "keyword"
},
"OldTime": {
"ignore_above": 1024,
"type": "keyword"
},
"IpAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceName": {
"ignore_above": 1024,
"type": "keyword"
},
"Company": {
"ignore_above": 1024,
"type": "keyword"
},
"PuaPolicyId": {
"ignore_above": 1024,
"type": "keyword"
},
"IntegrityLevel": {
"ignore_above": 1024,
"type": "keyword"
},
"LastShutdownGood": {
"ignore_above": 1024,
"type": "keyword"
},
"IpPort": {
"ignore_above": 1024,
"type": "keyword"
},
"DriverNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"LmPackageName": {
"ignore_above": 1024,
"type": "keyword"
},
"UserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"LastBootGood": {
"ignore_above": 1024,
"type": "keyword"
},
"PuaCount": {
"ignore_above": 1024,
"type": "keyword"
},
"Version": {
"ignore_above": 1024,
"type": "keyword"
},
"Signed": {
"ignore_above": 1024,
"type": "keyword"
},
"StartTime": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownEventCode": {
"ignore_above": 1024,
"type": "keyword"
},
"NewProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"FailureNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceName": {
"ignore_above": 1024,
"type": "keyword"
},
"PreviousTime": {
"ignore_above": 1024,
"type": "keyword"
},
"State": {
"ignore_above": 1024,
"type": "keyword"
},
"BootType": {
"ignore_above": 1024,
"type": "keyword"
},
"Binary": {
"ignore_above": 1024,
"type": "keyword"
},
"ImpersonationLevel": {
"ignore_above": 1024,
"type": "keyword"
},
"MemberName": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"Detail": {
"ignore_above": 1024,
"type": "keyword"
},
"TerminalSessionId": {
"ignore_above": 1024,
"type": "keyword"
},
"MemberSid": {
"ignore_above": 1024,
"type": "keyword"
},
"DriverName": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"OldSchemeGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"CreationUtcTime": {
"ignore_above": 1024,
"type": "keyword"
},
"Reason": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownReason": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetServerName": {
"ignore_above": 1024,
"type": "keyword"
},
"Number": {
"ignore_above": 1024,
"type": "keyword"
},
"BuildVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectDomainName": {
"ignore_above": 1024,
"type": "keyword"
},
"MinimumPerformancePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"TSId": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetDomainName": {
"ignore_above": 1024,
"type": "keyword"
},
"PrivilegeList": {
"ignore_above": 1024,
"type": "keyword"
},
"param7": {
"ignore_above": 1024,
"type": "keyword"
},
"param8": {
"ignore_above": 1024,
"type": "keyword"
},
"param5": {
"ignore_above": 1024,
"type": "keyword"
},
"param6": {
"ignore_above": 1024,
"type": "keyword"
},
"DriveName": {
"ignore_above": 1024,
"type": "keyword"
},
"NewProcessId": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonType": {
"ignore_above": 1024,
"type": "keyword"
},
"ExtraInfo": {
"ignore_above": 1024,
"type": "keyword"
},
"param3": {
"ignore_above": 1024,
"type": "keyword"
},
"param4": {
"ignore_above": 1024,
"type": "keyword"
},
"param1": {
"ignore_above": 1024,
"type": "keyword"
},
"param2": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetLogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"Workstation": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"FailureName": {
"ignore_above": 1024,
"type": "keyword"
},
"NewSchemeGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"Signature": {
"ignore_above": 1024,
"type": "keyword"
},
"MinimumThrottlePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessId": {
"ignore_above": 1024,
"type": "keyword"
},
"EntryCount": {
"ignore_above": 1024,
"type": "keyword"
},
"BitlockerUserInputTime": {
"ignore_above": 1024,
"type": "keyword"
},
"AuthenticationPackageName": {
"ignore_above": 1024,
"type": "keyword"
},
"NominalFrequency": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"opcode": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"type": "long"
},
"record_id": {
"ignore_above": 1024,
"type": "keyword"
},
"event_id": {
"ignore_above": 1024,
"type": "keyword"
},
"task": {
"ignore_above": 1024,
"type": "keyword"
},
"provider_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"api": {
"ignore_above": 1024,
"type": "keyword"
},
"provider_name": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"ingested": {
"type": "date"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"original": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"module": {
"type": "constant_keyword",
"value": "system"
},
"dataset": {
"type": "constant_keyword",
"value": "system.application"
}
}
},
"error": {
"properties": {
"message": {
"type": "match_only_text"
}
}
},
"message": {
"type": "match_only_text"
}
}
}
},
"_meta": {
"package": {
"name": "system"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

530
salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json
View File

@@ -1,530 +0,0 @@
{
"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-system.auth-1.6.4",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.os.full",
"host.type",
"event.action",
"event.category",
"event.code",
"event.kind",
"event.outcome",
"event.provider",
"event.type",
"ecs.version",
"error.message",
"group.id",
"group.name",
"message",
"process.name",
"related.hosts",
"related.user",
"source.as.organization.name",
"source.geo.city_name",
"source.geo.continent_name",
"source.geo.country_iso_code",
"source.geo.country_name",
"source.geo.region_iso_code",
"source.geo.region_name",
"user.effective.name",
"user.id",
"user.name",
"system.auth.ssh.method",
"system.auth.ssh.signature",
"system.auth.ssh.event",
"system.auth.sudo.error",
"system.auth.sudo.tty",
"system.auth.sudo.pwd",
"system.auth.sudo.user",
"system.auth.sudo.command",
"system.auth.useradd.home",
"system.auth.useradd.shell",
"version"
]
}
}
},
"mappings": {
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"process": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"pid": {
"type": "long"
}
}
},
"source": {
"properties": {
"geo": {
"properties": {
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"port": {
"type": "long"
},
"ip": {
"type": "ip"
}
}
},
"error": {
"properties": {
"message": {
"type": "match_only_text"
}
}
},
"message": {
"type": "match_only_text"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"@timestamp": {
"type": "date"
},
"system": {
"properties": {
"auth": {
"properties": {
"ssh": {
"properties": {
"method": {
"ignore_above": 1024,
"type": "keyword"
},
"dropped_ip": {
"type": "ip"
},
"signature": {
"ignore_above": 1024,
"type": "keyword"
},
"event": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"sudo": {
"properties": {
"tty": {
"ignore_above": 1024,
"type": "keyword"
},
"error": {
"ignore_above": 1024,
"type": "keyword"
},
"pwd": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
},
"command": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"useradd": {
"properties": {
"shell": {
"ignore_above": 1024,
"type": "keyword"
},
"home": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"related": {
"properties": {
"hosts": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword",
"value": "logs"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"sequence": {
"type": "long"
},
"ingested": {
"type": "date"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"type": "constant_keyword",
"value": "system"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"dataset": {
"type": "constant_keyword",
"value": "system.auth"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user": {
"properties": {
"effective": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"group": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
},
"_meta": {
"package": {
"name": "system"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

1840
salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json
View File

File diff suppressed because it is too large Load Diff

12
salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

327
salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json
View File

@@ -1,327 +0,0 @@
{
"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-system.syslog-1.6.4",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.os.full",
"host.type",
"event.action",
"event.category",
"event.code",
"event.kind",
"event.outcome",
"event.provider",
"event.type",
"ecs.version",
"message",
"process.name"
]
}
}
},
"mappings": {
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"process": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"pid": {
"type": "long"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword",
"value": "logs"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"sequence": {
"type": "long"
},
"ingested": {
"type": "date"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"type": "constant_keyword",
"value": "system"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"dataset": {
"type": "constant_keyword",
"value": "system.syslog"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"message": {
"type": "match_only_text"
}
}
}
},
"_meta": {
"package": {
"name": "system"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

986
salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json
View File

@@ -1,986 +0,0 @@
{
"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-system.system-1.6.4",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"event.action",
"event.category",
"event.code",
"event.kind",
"event.original",
"event.outcome",
"event.provider",
"event.type",
"error.message",
"message",
"winlog.api",
"winlog.activity_id",
"winlog.computer_name",
"winlog.event_data.AuthenticationPackageName",
"winlog.event_data.Binary",
"winlog.event_data.BitlockerUserInputTime",
"winlog.event_data.BootMode",
"winlog.event_data.BootType",
"winlog.event_data.BuildVersion",
"winlog.event_data.Company",
"winlog.event_data.CorruptionActionState",
"winlog.event_data.CreationUtcTime",
"winlog.event_data.Description",
"winlog.event_data.Detail",
"winlog.event_data.DeviceName",
"winlog.event_data.DeviceNameLength",
"winlog.event_data.DeviceTime",
"winlog.event_data.DeviceVersionMajor",
"winlog.event_data.DeviceVersionMinor",
"winlog.event_data.DriveName",
"winlog.event_data.DriverName",
"winlog.event_data.DriverNameLength",
"winlog.event_data.DwordVal",
"winlog.event_data.EntryCount",
"winlog.event_data.ExtraInfo",
"winlog.event_data.FailureName",
"winlog.event_data.FailureNameLength",
"winlog.event_data.FileVersion",
"winlog.event_data.FinalStatus",
"winlog.event_data.Group",
"winlog.event_data.IdleImplementation",
"winlog.event_data.IdleStateCount",
"winlog.event_data.ImpersonationLevel",
"winlog.event_data.IntegrityLevel",
"winlog.event_data.IpAddress",
"winlog.event_data.IpPort",
"winlog.event_data.KeyLength",
"winlog.event_data.LastBootGood",
"winlog.event_data.LastShutdownGood",
"winlog.event_data.LmPackageName",
"winlog.event_data.LogonGuid",
"winlog.event_data.LogonId",
"winlog.event_data.LogonProcessName",
"winlog.event_data.LogonType",
"winlog.event_data.MajorVersion",
"winlog.event_data.MaximumPerformancePercent",
"winlog.event_data.MemberName",
"winlog.event_data.MemberSid",
"winlog.event_data.MinimumPerformancePercent",
"winlog.event_data.MinimumThrottlePercent",
"winlog.event_data.MinorVersion",
"winlog.event_data.NewProcessId",
"winlog.event_data.NewProcessName",
"winlog.event_data.NewSchemeGuid",
"winlog.event_data.NewTime",
"winlog.event_data.NominalFrequency",
"winlog.event_data.Number",
"winlog.event_data.OldSchemeGuid",
"winlog.event_data.OldTime",
"winlog.event_data.OriginalFileName",
"winlog.event_data.Path",
"winlog.event_data.PerformanceImplementation",
"winlog.event_data.PreviousCreationUtcTime",
"winlog.event_data.PreviousTime",
"winlog.event_data.PrivilegeList",
"winlog.event_data.ProcessId",
"winlog.event_data.ProcessName",
"winlog.event_data.ProcessPath",
"winlog.event_data.ProcessPid",
"winlog.event_data.Product",
"winlog.event_data.PuaCount",
"winlog.event_data.PuaPolicyId",
"winlog.event_data.QfeVersion",
"winlog.event_data.Reason",
"winlog.event_data.SchemaVersion",
"winlog.event_data.ScriptBlockText",
"winlog.event_data.ServiceName",
"winlog.event_data.ServiceVersion",
"winlog.event_data.ShutdownActionType",
"winlog.event_data.ShutdownEventCode",
"winlog.event_data.ShutdownReason",
"winlog.event_data.Signature",
"winlog.event_data.SignatureStatus",
"winlog.event_data.Signed",
"winlog.event_data.StartTime",
"winlog.event_data.State",
"winlog.event_data.Status",
"winlog.event_data.StopTime",
"winlog.event_data.SubjectDomainName",
"winlog.event_data.SubjectLogonId",
"winlog.event_data.SubjectUserName",
"winlog.event_data.SubjectUserSid",
"winlog.event_data.TSId",
"winlog.event_data.TargetDomainName",
"winlog.event_data.TargetInfo",
"winlog.event_data.TargetLogonGuid",
"winlog.event_data.TargetLogonId",
"winlog.event_data.TargetServerName",
"winlog.event_data.TargetUserName",
"winlog.event_data.TargetUserSid",
"winlog.event_data.TerminalSessionId",
"winlog.event_data.TokenElevationType",
"winlog.event_data.TransmittedServices",
"winlog.event_data.UserSid",
"winlog.event_data.Version",
"winlog.event_data.Workstation",
"winlog.event_data.param1",
"winlog.event_data.param2",
"winlog.event_data.param3",
"winlog.event_data.param4",
"winlog.event_data.param5",
"winlog.event_data.param6",
"winlog.event_data.param7",
"winlog.event_data.param8",
"winlog.event_id",
"winlog.keywords",
"winlog.channel",
"winlog.record_id",
"winlog.related_activity_id",
"winlog.opcode",
"winlog.provider_guid",
"winlog.provider_name",
"winlog.task",
"winlog.user.identifier",
"winlog.user.name",
"winlog.user.domain",
"winlog.user.type"
]
}
}
},
"mappings": {
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
{
"winlog.user_data": {
"path_match": "winlog.user_data.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"winlog": {
"properties": {
"related_activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"computer_name": {
"ignore_above": 1024,
"type": "keyword"
},
"process": {
"properties": {
"pid": {
"type": "long"
},
"thread": {
"properties": {
"id": {
"type": "long"
}
}
}
}
},
"keywords": {
"ignore_above": 1024,
"type": "keyword"
},
"channel": {
"ignore_above": 1024,
"type": "keyword"
},
"event_data": {
"properties": {
"SignatureStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceTime": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"OriginalFileName": {
"ignore_above": 1024,
"type": "keyword"
},
"BootMode": {
"ignore_above": 1024,
"type": "keyword"
},
"Product": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetLogonGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"FileVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"StopTime": {
"ignore_above": 1024,
"type": "keyword"
},
"Status": {
"ignore_above": 1024,
"type": "keyword"
},
"CorruptionActionState": {
"ignore_above": 1024,
"type": "keyword"
},
"KeyLength": {
"ignore_above": 1024,
"type": "keyword"
},
"PreviousCreationUtcTime": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetInfo": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"PerformanceImplementation": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"Group": {
"ignore_above": 1024,
"type": "keyword"
},
"Description": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownActionType": {
"ignore_above": 1024,
"type": "keyword"
},
"DwordVal": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessPid": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceVersionMajor": {
"ignore_above": 1024,
"type": "keyword"
},
"ScriptBlockText": {
"ignore_above": 1024,
"type": "keyword"
},
"TransmittedServices": {
"ignore_above": 1024,
"type": "keyword"
},
"MaximumPerformancePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"NewTime": {
"ignore_above": 1024,
"type": "keyword"
},
"FinalStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"IdleStateCount": {
"ignore_above": 1024,
"type": "keyword"
},
"MajorVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"Path": {
"ignore_above": 1024,
"type": "keyword"
},
"SchemaVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"TokenElevationType": {
"ignore_above": 1024,
"type": "keyword"
},
"MinorVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectLogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"IdleImplementation": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessPath": {
"ignore_above": 1024,
"type": "keyword"
},
"QfeVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceVersionMinor": {
"ignore_above": 1024,
"type": "keyword"
},
"OldTime": {
"ignore_above": 1024,
"type": "keyword"
},
"IpAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceName": {
"ignore_above": 1024,
"type": "keyword"
},
"Company": {
"ignore_above": 1024,
"type": "keyword"
},
"PuaPolicyId": {
"ignore_above": 1024,
"type": "keyword"
},
"IntegrityLevel": {
"ignore_above": 1024,
"type": "keyword"
},
"LastShutdownGood": {
"ignore_above": 1024,
"type": "keyword"
},
"IpPort": {
"ignore_above": 1024,
"type": "keyword"
},
"DriverNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"LmPackageName": {
"ignore_above": 1024,
"type": "keyword"
},
"UserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"LastBootGood": {
"ignore_above": 1024,
"type": "keyword"
},
"PuaCount": {
"ignore_above": 1024,
"type": "keyword"
},
"Version": {
"ignore_above": 1024,
"type": "keyword"
},
"Signed": {
"ignore_above": 1024,
"type": "keyword"
},
"StartTime": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownEventCode": {
"ignore_above": 1024,
"type": "keyword"
},
"NewProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"FailureNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceName": {
"ignore_above": 1024,
"type": "keyword"
},
"PreviousTime": {
"ignore_above": 1024,
"type": "keyword"
},
"State": {
"ignore_above": 1024,
"type": "keyword"
},
"BootType": {
"ignore_above": 1024,
"type": "keyword"
},
"Binary": {
"ignore_above": 1024,
"type": "keyword"
},
"ImpersonationLevel": {
"ignore_above": 1024,
"type": "keyword"
},
"MemberName": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"Detail": {
"ignore_above": 1024,
"type": "keyword"
},
"TerminalSessionId": {
"ignore_above": 1024,
"type": "keyword"
},
"MemberSid": {
"ignore_above": 1024,
"type": "keyword"
},
"DriverName": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"OldSchemeGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"CreationUtcTime": {
"ignore_above": 1024,
"type": "keyword"
},
"Reason": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownReason": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetServerName": {
"ignore_above": 1024,
"type": "keyword"
},
"Number": {
"ignore_above": 1024,
"type": "keyword"
},
"BuildVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectDomainName": {
"ignore_above": 1024,
"type": "keyword"
},
"MinimumPerformancePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"TSId": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetDomainName": {
"ignore_above": 1024,
"type": "keyword"
},
"PrivilegeList": {
"ignore_above": 1024,
"type": "keyword"
},
"param7": {
"ignore_above": 1024,
"type": "keyword"
},
"param8": {
"ignore_above": 1024,
"type": "keyword"
},
"param5": {
"ignore_above": 1024,
"type": "keyword"
},
"param6": {
"ignore_above": 1024,
"type": "keyword"
},
"DriveName": {
"ignore_above": 1024,
"type": "keyword"
},
"NewProcessId": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonType": {
"ignore_above": 1024,
"type": "keyword"
},
"ExtraInfo": {
"ignore_above": 1024,
"type": "keyword"
},
"param3": {
"ignore_above": 1024,
"type": "keyword"
},
"param4": {
"ignore_above": 1024,
"type": "keyword"
},
"param1": {
"ignore_above": 1024,
"type": "keyword"
},
"param2": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetLogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"Workstation": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"FailureName": {
"ignore_above": 1024,
"type": "keyword"
},
"NewSchemeGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"Signature": {
"ignore_above": 1024,
"type": "keyword"
},
"MinimumThrottlePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessId": {
"ignore_above": 1024,
"type": "keyword"
},
"EntryCount": {
"ignore_above": 1024,
"type": "keyword"
},
"BitlockerUserInputTime": {
"ignore_above": 1024,
"type": "keyword"
},
"AuthenticationPackageName": {
"ignore_above": 1024,
"type": "keyword"
},
"NominalFrequency": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"opcode": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"type": "long"
},
"record_id": {
"ignore_above": 1024,
"type": "keyword"
},
"event_id": {
"ignore_above": 1024,
"type": "keyword"
},
"task": {
"ignore_above": 1024,
"type": "keyword"
},
"provider_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"api": {
"ignore_above": 1024,
"type": "keyword"
},
"provider_name": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"original": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"type": "constant_keyword",
"value": "system"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"sequence": {
"type": "long"
},
"ingested": {
"type": "date"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"dataset": {
"type": "constant_keyword",
"value": "system.system"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"error": {
"properties": {
"message": {
"type": "match_only_text"
}
}
},
"message": {
"type": "match_only_text"
}
}
}
},
"_meta": {
"package": {
"name": "system"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

2544
salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json
View File

File diff suppressed because it is too large Load Diff

12
salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

1335
salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json
View File

File diff suppressed because it is too large Load Diff

12
salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

1334
salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json
View File

File diff suppressed because it is too large Load Diff

12
salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json
View File

@@ -1,12 +0,0 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

1752
salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json
View File

File diff suppressed because it is too large Load Diff

Some files were not shown because too many files have changed in this diff Show More