Merge remote-tracking branch 'origin/2.4/dev' into 2.4/heavynode

This commit is contained in:
m0duspwnens
2023-06-14 10:40:22 -04:00
40 changed files with 15797 additions and 5505 deletions


@@ -5,6 +5,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
ELASTIC_AGENT_TARBALL_VERSION="8.7.1"
DEFAULT_SALT_DIR=/opt/so/saltstack/default
DOC_BASE_URL="https://docs.securityonion.net/en/2.4"


@@ -194,7 +194,6 @@ for PCAP in $INPUT_FILES; do
status "- analyzing traffic with Zeek"
zeek "${PCAP}" $HASH
{% endif %}
status "- saving PCAP data spanning dates $START through $END"
fi
if [[ "$HASH_FILTERS" == "" ]]; then
@@ -207,6 +206,7 @@ for PCAP in $INPUT_FILES; do
START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}')
END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}')
status "- found PCAP data spanning dates $START through $END"
# compare $START to $START_OLDEST
START_COMPARE=$(date -d $START +%s)
@@ -286,4 +286,4 @@ if [[ $json -eq 1 ]]; then
}'''
fi
exit $RESULT
exit $RESULT
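Review bot: In the second hunk, the status line that reports `$START` and `$END` is emitted before anything confirms that the two `pcapinfo` command substitutions above it produced a value; on an unreadable or non-PCAP input both are empty, the message prints blank dates, and the unquoted `date -d $START` on the following line is then run with no date argument at all. A guard such as `[[ -n "$START" && -n "$END" ]] || { status "- unable to read packet timestamps from ${PCAP}"; continue; }` placed before the status line makes that failure explicit, and quoting `"$START"` in the `date` call is worth doing at the same time. Which of the hunk's lines the commit adds is not recoverable from the rendered view, and the enclosing `for PCAP in $INPUT_FILES` loop starts and ends outside the hunk.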


@@ -11,6 +11,7 @@ elasticfleet:
excluded:
- broker
- capture_loss
- cluster
- ecat_arp_info
- known_hosts
- known_services


@@ -8,15 +8,21 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
. /usr/sbin/so-common
. /usr/sbin/so-elastic-fleet-common
for i in {1..30}
do
ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key')
FLEETHOST=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default' | jq -r '.item.host_urls[]' | paste -sd ',')
if [[ $FLEETHOST ]] && [[ $ENROLLMENTOKEN ]]; then break; else sleep 10; fi
if [[ $FLEETHOST ]] && [[ $ENROLLMENTOKEN ]] && [[ $ELASTICVERSION ]]; then break; else sleep 10; fi
done
if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]]; then printf "\nFleet Host URL or Enrollment Token empty - exiting..." && exit; fi
if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]]; then
printf "\nFleet Host URL, Enrollment Token or Elastic Version empty - exiting..."
printf "\nFleet Host: $FLEETHOST, Enrollment Token: $ENROLLMENTOKEN\n"
exit
fi
OSARCH=( "linux-x86_64" "windows-x86_64" "darwin-x86_64" "darwin-aarch64" )
@@ -25,7 +31,7 @@ rm -rf /nsm/elastic-agent-workspace
mkdir -p /nsm/elastic-agent-workspace
printf "\n### Extracting outer tarball and then each individual tarball/zip\n"
tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-{{ GLOBALS.so_version }}.tar.gz -C /nsm/elastic-agent-workspace/
tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz -C /nsm/elastic-agent-workspace/
unzip -q /nsm/elastic-agent-workspace/elastic-agent-*.zip -d /nsm/elastic-agent-workspace/
for archive in /nsm/elastic-agent-workspace/*.tar.gz
do
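Review bot: The new failure branch in the first hunk prints the Fleet enrollment token in clear text (`printf "\nFleet Host: $FLEETHOST, Enrollment Token: $ENROLLMENTOKEN\n"`), so the credential lands in whatever captures this script's stdout (salt job output, log files); report only whether it is set. The same branch's condition still tests just `FLEETHOST` and `ENROLLMENTOKEN` although its message now names the Elastic version and the retry loop's break condition was extended to require `ELASTICVERSION`, and it leaves with a bare `exit`, so a caller sees status 0 for a failure. `ELASTICVERSION` is not assigned anywhere in the hunk; presumably it comes from one of the sourced `so-*-common` files, which is worth confirming. Both printf calls also pass expanded variables as the format string; give them `%s` arguments instead, and send diagnostics to stderr.
```shell
if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]] || [[ -z $ELASTICVERSION ]]; then
  printf '\nFleet Host URL, Enrollment Token or Elastic Version empty - exiting...\n' >&2
  # Report presence only: the enrollment token is a credential and must not reach logs.
  printf 'Fleet Host: %s, Enrollment Token set: %s, Elastic Version: %s\n' \
    "$FLEETHOST" "$([[ -n $ENROLLMENTOKEN ]] && echo yes || echo no)" "$ELASTICVERSION" >&2
  exit 1
fi
```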


@@ -111,22 +111,208 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
logs-osquery-manager:
so-logs-system.auth:
index_sorting: False
index_template:
index_patterns:
- ".logs-osquery*"
- "logs-system.auth*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "event-mappings"
- "logs-system.auth@package"
- "logs-system.auth@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-system.syslog:
index_sorting: False
index_template:
index_patterns:
- "logs-system.syslog*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "event-mappings"
- "logs-system.syslog@package"
- "logs-system.syslog@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-system.system:
index_sorting: False
index_template:
index_patterns:
- "logs-system.system*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "event-mappings"
- "logs-system.system@package"
- "logs-system.system@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-system.application:
index_sorting: False
index_template:
index_patterns:
- "logs-system.application*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "event-mappings"
- "logs-system.application@package"
- "logs-system.application@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-system.security:
index_sorting: False
index_template:
index_patterns:
- "logs-system.security*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "event-mappings"
- "logs-system.security@package"
- "logs-system.security@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-windows.forwarded:
index_sorting: False
index_template:
index_patterns:
- "logs-windows.forwarded*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-windows.forwarded@package"
- "logs-windows.forwarded@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-windows.powershell:
index_sorting: False
index_template:
index_patterns:
- "logs-windows.powershell-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-windows.powershell@package"
- "logs-windows.powershell@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-windows.powershell_operational:
index_sorting: False
index_template:
index_patterns:
- "logs-windows.powershell_operational-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-windows.powershell_operational@package"
- "logs-windows.powershell_operational@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-windows.sysmon_operational:
index_sorting: False
index_template:
index_patterns:
- "logs-windows.sysmon_operational-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-windows.sysmon_operational@package"
- "logs-windows.sysmon_operational@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-osquery-manager-actions:
index_sorting: False
index_template:
index_patterns:
- ".logs-osquery_manager.actions*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-osquery_manager.actions"
priority: 501
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
logs-elastic_agent.apm_server:
so-logs-osquery-manager-action.responses:
index_sorting: False
index_template:
index_patterns:
- ".logs-osquery_manager.action.responses*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-osquery_manager.action.responses"
priority: 501
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.apm_server:
index_sorting: False
index_template:
index_patterns:
@@ -152,7 +338,7 @@ elasticsearch:
- "logs-elastic_agent.apm_server@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
@@ -180,7 +366,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
logs-elastic_agent.auditbeat:
so-logs-elastic_agent.auditbeat:
index_sorting: False
index_template:
index_patterns:
@@ -206,7 +392,7 @@ elasticsearch:
- "logs-elastic_agent.auditbeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
@@ -234,7 +420,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
logs-elastic_agent.cloudbeat:
so-logs-elastic_agent.cloudbeat:
index_sorting: False
index_template:
index_patterns:
@@ -260,7 +446,7 @@ elasticsearch:
- "logs-elastic_agent.cloudbeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
priority: 501
policy:
phases:
hot:
@@ -285,7 +471,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
logs-elastic_agent.endpoint_security:
so-logs-elastic_agent.endpoint_security:
index_sorting: False
index_template:
index_patterns:
@@ -300,18 +486,13 @@ elasticsearch:
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
composed_of:
- "event-mappings"
- "logs-elastic_agent.endpoint_security@package"
- "logs-elastic_agent.endpoint_security@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
@@ -339,7 +520,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
logs-elastic_agent.filebeat:
so-logs-elastic_agent.filebeat:
index_sorting: False
index_template:
index_patterns:
@@ -354,18 +535,13 @@ elasticsearch:
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
composed_of:
- "event-mappings"
- "logs-elastic_agent.filebeat@package"
- "logs-elastic_agent.filebeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
@@ -393,7 +569,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
logs-elastic_agent.fleet_server:
so-logs-elastic_agent.fleet_server:
index_sorting: False
index_template:
index_patterns:
@@ -402,24 +578,16 @@ elasticsearch:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
composed_of:
- "event-mappings"
- "logs-elastic_agent.fleet_server@package"
- "logs-elastic_agent.fleet_server@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
@@ -447,7 +615,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
logs-elastic_agent.heartbeat:
so-logs-elastic_agent.heartbeat:
index_sorting: False
index_template:
index_patterns:
@@ -473,7 +641,7 @@ elasticsearch:
- "logs-elastic_agent.heartbeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
priority: 501
policy:
phases:
hot:
@@ -498,7 +666,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
logs-elastic_agent:
so-logs-elastic_agent:
index_sorting: False
index_template:
index_patterns:
@@ -520,11 +688,12 @@ elasticsearch:
managed_by: security_onion
managed: true
composed_of:
- "event-mappings"
- "logs-elastic_agent@package"
- "logs-elastic_agent@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
@@ -552,7 +721,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
logs-elastic_agent.metricbeat:
so-logs-elastic_agent.metricbeat:
index_sorting: False
index_template:
index_patterns:
@@ -567,18 +736,13 @@ elasticsearch:
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
composed_of:
- "event-mappings"
- "logs-elastic_agent.metricbeat@package"
- "logs-elastic_agent.metricbeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
@@ -606,7 +770,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
logs-elastic_agent.osquerybeat:
so-logs-elastic_agent.osquerybeat:
index_sorting: False
index_template:
index_patterns:
@@ -621,18 +785,13 @@ elasticsearch:
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
composed_of:
- "event-mappings"
- "logs-elastic_agent.osquerybeat@package"
- "logs-elastic_agent.osquerybeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
@@ -660,7 +819,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
logs-elastic_agent.packetbeat:
so-logs-elastic_agent.packetbeat:
index_sorting: False
index_template:
index_patterns:
@@ -686,7 +845,7 @@ elasticsearch:
- "logs-elastic_agent.packetbeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
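Review bot: In the first hunk the four new `so-logs-windows.*` templates (forwarded, powershell, powershell_operational, sysmon_operational) list only the `@package`, `@custom` and `so-fleet_*` component templates in `composed_of`, while every new `so-logs-system.*` template and the renamed `so-logs-elastic_agent.*` templates also include `"event-mappings"` first. If that omission is deliberate it deserves a one-line comment on the first windows entry, e.g. `# event-mappings intentionally omitted: <reason>`; if not, the windows templates will index with different field mappings than the rest of the SO-managed streams. The windows `index_patterns` also use a `-*` suffix (`logs-windows.powershell-*`) where the system ones use a bare `*`, which is worth unifying unless the trailing dash is meant to exclude something. The enclosing `elasticsearch:` mapping starts before the hunk.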


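--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,94 @@
+{
+"version": 3,
+"_meta": {
+"managed_by": "fleet",
+"managed": true
+},
+"description": "Final pipeline for processing all incoming Fleet Agent documents. \n",
+"processors": [
+{
+"date": {
+"description": "Add time when event was ingested (and remove sub-seconds to improve storage efficiency)",
+"tag": "truncate-subseconds-event-ingested",
+"field": "_ingest.timestamp",
+"target_field": "event.ingested",
+"formats": [
+"ISO8601"
+],
+"output_format": "date_time_no_millis",
+"ignore_failure": true
+}
+},
+{
+"remove": {
+"description": "Remove any pre-existing untrusted values.",
+"field": [
+"event.agent_id_status",
+"_security"
+],
+"ignore_missing": true
+}
+},
+{
+"set_security_user": {
+"field": "_security",
+"properties": [
+"authentication_type",
+"username",
+"realm",
+"api_key"
+]
+}
+},
+{
+"script": {
+"description": "Add event.agent_id_status based on the API key metadata and the agent.id contained in the event.\n",
+"tag": "agent-id-status",
+"source": "boolean is_user_trusted(def ctx, def users) {\n if (ctx?._security?.username == null) {\n return false;\n }\n\n def user = null;\n for (def item : users) {\n if (item?.username == ctx._security.username) {\n user = item;\n break;\n }\n }\n\n if (user == null || user?.realm == null || ctx?._security?.realm?.name == null) {\n return false;\n }\n\n if (ctx._security.realm.name != user.realm) {\n return false;\n }\n\n return true;\n}\n\nString verified(def ctx, def params) {\n // No agent.id field to validate.\n if (ctx?.agent?.id == null) {\n return \"missing\";\n }\n\n // Check auth metadata from API key.\n if (ctx?._security?.authentication_type == null\n // Agents only use API keys.\n || ctx._security.authentication_type != 'API_KEY'\n // Verify the API key owner before trusting any metadata it contains.\n || !is_user_trusted(ctx, params.trusted_users)\n // Verify the API key has metadata indicating the assigned agent ID.\n || ctx?._security?.api_key?.metadata?.agent_id == null) {\n return \"auth_metadata_missing\";\n }\n\n // The API key can only be used represent the agent.id it was issued to.\n if (ctx._security.api_key.metadata.agent_id != ctx.agent.id) {\n // Potential masquerade attempt.\n return \"mismatch\";\n }\n\n return \"verified\";\n}\n\nif (ctx?.event == null) {\n ctx.event = [:];\n}\n\nctx.event.agent_id_status = verified(ctx, params);",
+"params": {
+"trusted_users": [
+{
+"username": "elastic/fleet-server",
+"realm": "_service_account"
+},
+{
+"username": "cloud-internal-agent-server",
+"realm": "found"
+},
+{
+"username": "elastic",
+"realm": "reserved"
+}
+]
+}
+}
+},
+{
+"remove": {
+"field": "_security",
+"ignore_missing": true
+}
+},
+{ "set": { "ignore_failure": true, "field": "event.module", "value": "elastic_agent" } },
+{ "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } },
+{ "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" }},
+{ "remove": { "field": [ "module_temp" ], "ignore_missing": true, "ignore_failure": true } }
+],
+"on_failure": [
+{
+"remove": {
+"field": "_security",
+"ignore_missing": true,
+"ignore_failure": true
+}
+},
+{
+"append": {
+"field": "error.message",
+"value": [
+"failed in Fleet agent final_pipeline: {{ _ingest.on_failure_message }}"
+]
+}
+}
+]
+}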
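Review bot: Nothing in this new file records that it is a locally customised copy of Fleet's final pipeline: the only lines that differ from the stock pipeline appear to be the four compact processors near the end of `processors` (set `event.module`, split `event.dataset`, set from `module_temp`, remove `module_temp`), yet `_meta` still declares `"managed_by": "fleet"` and `"managed": true`, so a later Fleet setup run may presumably treat the pipeline as its own and reinstall it, silently dropping those additions — worth verifying against an upgrade. Since JSON carries no comments, the place to note this is the `description` string, e.g. `"description": "Final pipeline for processing all incoming Fleet Agent documents. Security Onion addition: derive event.module from event.dataset (last four processors).\n"`. As a point of style, those four processors are collapsed onto single lines while the rest of the file is fully expanded; formatting them like the others keeps diffs readable.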


@@ -1,505 +1,329 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.apm_server-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
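Review bot: The new template pins `"default_pipeline": "logs-elastic_agent.apm_server-1.7.0"` to a specific integration package version, and the next file section does the same for auditbeat with `logs-elastic_agent.auditbeat-1.7.0`. Ingest pipeline names installed by Fleet carry the package version, so after an integration upgrade this SO-managed template will presumably keep routing documents to the old pipeline name; if that pipeline no longer exists, indexing into the stream fails outright. Either the version needs to be bumped in step with the agent/package version this commit also pins elsewhere, or the `default_pipeline` setting should be left to the Fleet-installed component template if that is what supplies it — the right choice is not visible from this page, so a note in `_meta` such as `"so_note": "default_pipeline version must track the installed elastic_agent package"` would at least make the coupling explicit. The old-side removal of the `es_security_analyzer` sub-fields is the commit's own change and is not re-raised here; the auditbeat section ends outside this view.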


@@ -1,505 +1,329 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.auditbeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
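Review bot: The new template pins `"default_pipeline": "logs-elastic_agent.auditbeat-1.7.0"` to one integration package version, and nothing in the file records where that value comes from; if the elastic_agent package on the grid is later upgraded and the 1.7.0 pipeline goes away, documents routed to this data stream would fail to index until someone regenerates the template. Since JSON has no comment syntax, I would record the provenance in the template's `_meta` block, for example a constructed entry like `"so_note": "exported from Fleet 8.7.x; regenerate when the elastic_agent package is upgraded"`, or derive the version from the same place the Fleet setup scripts take it. The new side also drops the `es_security_analyzer` definition and every `.security` multi-field the old template carried (e.g. under `host.name` and `elastic_agent.id`); a saved search or detection rule that still references one of those subfields would silently match nothing rather than error, so it is worth confirming none depend on them before this lands. The same two points apply to the cloudbeat (`@@ -1,510 +1,339 @@`) and endpoint_security (`@@ -1,505 +1,329 @@`) sections below; the filebeat section runs past the end of this view.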


@@ -1,510 +1,339 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.cloudbeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"decision_id",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
"properties": {
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
},
"message": {
"type": "match_only_text"
},
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
},
"result": {
"type": "object"
},
"input": {
"type": "object"
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"decision_id": {
"type": "text"
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}


@@ -1,505 +1,329 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.endpoint_security-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}


@@ -1,505 +1,329 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.filebeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
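Review bot: The new template pins `"default_pipeline": "logs-elastic_agent.filebeat-1.7.0"` in its index settings, so any write to this data stream is rejected by Elasticsearch if that exact pipeline is not present — which is what happens once Fleet installs a different elastic_agent package version and drops the old pipeline — and nothing in the change verifies the pipeline exists before the template is applied. The setup step that loads these templates should check the pipeline (or derive the pipeline name from the installed package version) rather than relying on a version string baked into a JSON file, and the file's provenance (which package version it was exported from) should be recorded next to it since JSON has no comment syntax. Reading the 329-line side as the new version, it also drops the `.security` multi-fields backed by `es_security_analyzer` and removes `host.domain` from `query.default_field`, so free-text queries and any saved searches or dashboards that referenced those subfields will silently stop matching; that is worth calling out in the commit description. The same points apply to the fleet_server, heartbeat and metricbeat template sections that follow.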


@@ -1,505 +1,329 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.fleet_server-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}


@@ -1,505 +1,329 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.heartbeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"message": {
"type": "text"
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"message": {
"type": "text"
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}


@@ -1,505 +1,329 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.metricbeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
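Review bot: The new template pins `"default_pipeline": "logs-elastic_agent.metricbeat-1.7.0"`, which ties this index template to one exact elastic_agent package version; if the pipeline installed by Fleet carries a different version suffix, every write to the data stream is rejected with a missing-pipeline error, so the suffix should be confirmed against the package actually installed, or the template loader should check the pipeline exists before applying it. The rewritten `index.query.default_field` list also drops `host.domain`, which the old list carried and which the new mapping still defines under `host`, so free-text queries silently stop matching on that field. Removing the `es_security_analyzer` and the per-field `.security` text subfields takes away the lowercased/trimmed matching those subfields provided on these agent-log indices; if that is intentional it is worth a line in the commit description, since other templates in the tree may still rely on the `.security` subfield convention. The same three points apply to the `logs-elastic_agent.osquerybeat-1.7.0` and `logs-elastic_agent.packetbeat-1.7.0` sections below, and the `logs-elastic_agent-1.7.0` section that follows appears to share the pattern but ends outside this view.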


@@ -1,505 +1,329 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.osquerybeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}


@@ -1,498 +1,322 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent.packetbeat-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"message": {
"type": "text"
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"message": {
"type": "text"
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}


@@ -1,505 +1,382 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-elastic_agent-1.7.0",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version",
"component.id",
"component.type",
"component.binary",
"component.state",
"component.old_state",
"unit.id",
"unit.type",
"unit.state",
"unit.old_state"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
"properties": {
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
},
"message": {
"type": "text"
},
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
},
"component": {
"properties": {
"binary": {
"ignore_above": 1024,
"type": "keyword"
},
"old_state": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "wildcard"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"unit": {
"properties": {
"old_state": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "wildcard"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}


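--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,91 @@
+{"template": {
+"mappings": {
+"properties": {
+"completed_at": {
+"type": "date"
+},
+"action_response": {
+"properties": {
+"osquery": {
+"properties": {
+"count": {
+"type": "long"
+}
+}
+}
+}
+},
+"@timestamp": {
+"type": "date"
+},
+"agent_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"action_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"count": {
+"type": "long"
+},
+"started_at": {
+"type": "date"
+},
+"action_input_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"error": {
+"type": "text",
+"fields": {
+"keyword": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"event": {
+"properties": {
+"agent_id_status": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ingested": {
+"format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis",
+"type": "date"
+}
+}
+},
+"action_data": {
+"properties": {
+"saved_query_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"query": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"version": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ecs_mapping": {
+"type": "object",
+"enabled": false
+},
+"platform": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+}
+}
+}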


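--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,110 @@
+{"template": {
+"mappings": {
+"properties": {
+"pack_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"metadata": {
+"type": "object",
+"enabled": false
+},
+"data": {
+"properties": {
+"query": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"pack_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"input_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"pack_prebuilt": {
+"type": "boolean"
+},
+"type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"queries": {
+"properties": {
+"action_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"saved_query_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"saved_query_prebuilt": {
+"type": "boolean"
+},
+"query": {
+"type": "text"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"version": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ecs_mapping": {
+"type": "object",
+"enabled": false
+},
+"platform": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"agents": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"agents": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"@timestamp": {
+"type": "date"
+},
+"action_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"user_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"expiration": {
+"type": "date"
+},
+"event": {
+"properties": {
+"agent_id_status": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ingested": {
+"format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis",
+"type": "date"
+}
+}
+},
+"agent_ids": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+}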


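--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,12 @@
+{
+"template": {
+"settings": {}
+},
+"_meta": {
+"package": {
+"name": "elastic_agent"
+},
+"managed_by": "fleet",
+"managed": true
+}
+}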


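--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,952 @@
+{"template": {
+"settings": {
+"index": {
+"lifecycle": {
+"name": "logs"
+},
+"codec": "best_compression",
+"default_pipeline": "logs-system.application-1.6.4",
+"mapping": {
+"total_fields": {
+"limit": "10000"
+}
+},
+"query": {
+"default_field": [
+"cloud.account.id",
+"cloud.availability_zone",
+"cloud.instance.id",
+"cloud.instance.name",
+"cloud.machine.type",
+"cloud.provider",
+"cloud.region",
+"cloud.project.id",
+"cloud.image.id",
+"container.id",
+"container.image.name",
+"container.name",
+"host.architecture",
+"host.hostname",
+"host.id",
+"host.mac",
+"host.name",
+"host.os.family",
+"host.os.kernel",
+"host.os.name",
+"host.os.platform",
+"host.os.version",
+"host.os.build",
+"host.os.codename",
+"host.type",
+"event.code",
+"event.original",
+"error.message",
+"message",
+"winlog.api",
+"winlog.activity_id",
+"winlog.computer_name",
+"winlog.event_data.AuthenticationPackageName",
+"winlog.event_data.Binary",
+"winlog.event_data.BitlockerUserInputTime",
+"winlog.event_data.BootMode",
+"winlog.event_data.BootType",
+"winlog.event_data.BuildVersion",
+"winlog.event_data.Company",
+"winlog.event_data.CorruptionActionState",
+"winlog.event_data.CreationUtcTime",
+"winlog.event_data.Description",
+"winlog.event_data.Detail",
+"winlog.event_data.DeviceName",
+"winlog.event_data.DeviceNameLength",
+"winlog.event_data.DeviceTime",
+"winlog.event_data.DeviceVersionMajor",
+"winlog.event_data.DeviceVersionMinor",
+"winlog.event_data.DriveName",
+"winlog.event_data.DriverName",
+"winlog.event_data.DriverNameLength",
+"winlog.event_data.DwordVal",
+"winlog.event_data.EntryCount",
+"winlog.event_data.ExtraInfo",
+"winlog.event_data.FailureName",
+"winlog.event_data.FailureNameLength",
+"winlog.event_data.FileVersion",
+"winlog.event_data.FinalStatus",
+"winlog.event_data.Group",
+"winlog.event_data.IdleImplementation",
+"winlog.event_data.IdleStateCount",
+"winlog.event_data.ImpersonationLevel",
+"winlog.event_data.IntegrityLevel",
+"winlog.event_data.IpAddress",
+"winlog.event_data.IpPort",
+"winlog.event_data.KeyLength",
+"winlog.event_data.LastBootGood",
+"winlog.event_data.LastShutdownGood",
+"winlog.event_data.LmPackageName",
+"winlog.event_data.LogonGuid",
+"winlog.event_data.LogonId",
+"winlog.event_data.LogonProcessName",
+"winlog.event_data.LogonType",
+"winlog.event_data.MajorVersion",
+"winlog.event_data.MaximumPerformancePercent",
+"winlog.event_data.MemberName",
+"winlog.event_data.MemberSid",
+"winlog.event_data.MinimumPerformancePercent",
+"winlog.event_data.MinimumThrottlePercent",
+"winlog.event_data.MinorVersion",
+"winlog.event_data.NewProcessId",
+"winlog.event_data.NewProcessName",
+"winlog.event_data.NewSchemeGuid",
+"winlog.event_data.NewTime",
+"winlog.event_data.NominalFrequency",
+"winlog.event_data.Number",
+"winlog.event_data.OldSchemeGuid",
+"winlog.event_data.OldTime",
+"winlog.event_data.OriginalFileName",
+"winlog.event_data.Path",
+"winlog.event_data.PerformanceImplementation",
+"winlog.event_data.PreviousCreationUtcTime",
+"winlog.event_data.PreviousTime",
+"winlog.event_data.PrivilegeList",
+"winlog.event_data.ProcessId",
+"winlog.event_data.ProcessName",
+"winlog.event_data.ProcessPath",
+"winlog.event_data.ProcessPid",
+"winlog.event_data.Product",
+"winlog.event_data.PuaCount",
+"winlog.event_data.PuaPolicyId",
+"winlog.event_data.QfeVersion",
+"winlog.event_data.Reason",
+"winlog.event_data.SchemaVersion",
+"winlog.event_data.ScriptBlockText",
+"winlog.event_data.ServiceName",
+"winlog.event_data.ServiceVersion",
+"winlog.event_data.ShutdownActionType",
+"winlog.event_data.ShutdownEventCode",
+"winlog.event_data.ShutdownReason",
+"winlog.event_data.Signature",
+"winlog.event_data.SignatureStatus",
+"winlog.event_data.Signed",
+"winlog.event_data.StartTime",
+"winlog.event_data.State",
+"winlog.event_data.Status",
+"winlog.event_data.StopTime",
+"winlog.event_data.SubjectDomainName",
+"winlog.event_data.SubjectLogonId",
+"winlog.event_data.SubjectUserName",
+"winlog.event_data.SubjectUserSid",
+"winlog.event_data.TSId",
+"winlog.event_data.TargetDomainName",
+"winlog.event_data.TargetInfo",
+"winlog.event_data.TargetLogonGuid",
+"winlog.event_data.TargetLogonId",
+"winlog.event_data.TargetServerName",
+"winlog.event_data.TargetUserName",
+"winlog.event_data.TargetUserSid",
+"winlog.event_data.TerminalSessionId",
+"winlog.event_data.TokenElevationType",
+"winlog.event_data.TransmittedServices",
+"winlog.event_data.UserSid",
+"winlog.event_data.Version",
+"winlog.event_data.Workstation",
+"winlog.event_data.param1",
+"winlog.event_data.param2",
+"winlog.event_data.param3",
+"winlog.event_data.param4",
+"winlog.event_data.param5",
+"winlog.event_data.param6",
+"winlog.event_data.param7",
+"winlog.event_data.param8",
+"winlog.event_id",
+"winlog.keywords",
+"winlog.channel",
+"winlog.record_id",
+"winlog.related_activity_id",
+"winlog.opcode",
+"winlog.provider_guid",
+"winlog.provider_name",
+"winlog.task",
+"winlog.user.identifier",
+"winlog.user.name",
+"winlog.user.domain",
+"winlog.user.type"
+]
+}
+}
+},
+"mappings": {
+"dynamic_templates": [
+{
+"container.labels": {
+"path_match": "container.labels.*",
+"mapping": {
+"type": "keyword"
+},
+"match_mapping_type": "string"
+}
+},
+{
+"winlog.user_data": {
+"path_match": "winlog.user_data.*",
+"mapping": {
+"type": "keyword"
+},
+"match_mapping_type": "string"
+}
+}
+],
+"properties": {
+"cloud": {
+"properties": {
+"availability_zone": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"image": {
+"properties": {
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"instance": {
+"properties": {
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"provider": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"machine": {
+"properties": {
+"type": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"project": {
+"properties": {
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"region": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"account": {
+"properties": {
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+},
+"container": {
+"properties": {
+"image": {
+"properties": {
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"@timestamp": {
+"type": "date"
+},
+"winlog": {
+"properties": {
+"related_activity_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"computer_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"process": {
+"properties": {
+"pid": {
+"type": "long"
+},
+"thread": {
+"properties": {
+"id": {
+"type": "long"
+}
+}
+}
+}
+},
+"keywords": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"channel": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"event_data": {
+"properties": {
+"SignatureStatus": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"DeviceTime": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ProcessName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"LogonGuid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"OriginalFileName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"BootMode": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Product": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"TargetLogonGuid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"FileVersion": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"StopTime": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Status": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"CorruptionActionState": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"KeyLength": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"PreviousCreationUtcTime": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"TargetInfo": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ServiceVersion": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"SubjectUserSid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"PerformanceImplementation": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"TargetUserSid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Group": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Description": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ShutdownActionType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"DwordVal": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ProcessPid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"DeviceVersionMajor": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ScriptBlockText": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"TransmittedServices": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"MaximumPerformancePercent": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"NewTime": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"FinalStatus": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"IdleStateCount": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"MajorVersion": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Path": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"SchemaVersion": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"TokenElevationType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"MinorVersion": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"SubjectLogonId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"IdleImplementation": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ProcessPath": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"QfeVersion": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"DeviceVersionMinor": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"OldTime": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"IpAddress": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"DeviceName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Company": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"PuaPolicyId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"IntegrityLevel": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"LastShutdownGood": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"IpPort": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"DriverNameLength": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"LmPackageName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"UserSid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"LastBootGood": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"PuaCount": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Version": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Signed": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"StartTime": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ShutdownEventCode": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"NewProcessName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"FailureNameLength": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ServiceName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"PreviousTime": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"State": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"BootType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Binary": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ImpersonationLevel": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"MemberName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"TargetUserName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Detail": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"TerminalSessionId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"MemberSid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"DriverName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"DeviceNameLength": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"OldSchemeGuid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"CreationUtcTime": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Reason": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ShutdownReason": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"TargetServerName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Number": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"BuildVersion": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"SubjectDomainName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"MinimumPerformancePercent": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"LogonId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"LogonProcessName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"TSId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"TargetDomainName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"PrivilegeList": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"param7": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"param8": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"param5": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"param6": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"DriveName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"NewProcessId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"LogonType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ExtraInfo": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"param3": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"param4": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"param1": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"param2": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"TargetLogonId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Workstation": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"SubjectUserName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"FailureName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"NewSchemeGuid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Signature": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"MinimumThrottlePercent": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ProcessId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"EntryCount": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"BitlockerUserInputTime": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"AuthenticationPackageName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"NominalFrequency": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"opcode": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"version": {
+"type": "long"
+},
+"record_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"event_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"task": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"provider_guid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"activity_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"api": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"provider_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"user": {
+"properties": {
+"identifier": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"domain": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"type": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+},
+"data_stream": {
+"properties": {
+"namespace": {
+"type": "constant_keyword"
+},
+"type": {
+"type": "constant_keyword"
+},
+"dataset": {
+"type": "constant_keyword"
+}
+}
+},
+"host": {
+"properties": {
+"hostname": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"os": {
+"properties": {
+"build": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"kernel": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"codename": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"name": {
+"ignore_above": 1024,
+"type": "keyword",
+"fields": {
+"text": {
+"type": "text"
+}
+}
+},
+"family": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"version": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"platform": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"domain": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ip": {
+"type": "ip"
+},
+"containerized": {
+"type": "boolean"
+},
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"mac": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"architecture": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"event": {
+"properties": {
+"ingested": {
+"type": "date"
+},
+"code": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"original": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"created": {
+"type": "date"
+},
+"module": {
+"type": "constant_keyword",
+"value": "system"
+},
+"dataset": {
+"type": "constant_keyword",
+"value": "system.application"
+}
+}
+},
+"error": {
+"properties": {
+"message": {
+"type": "match_only_text"
+}
+}
+},
+"message": {
+"type": "match_only_text"
+}
+}
+}
+},
+"_meta": {
+"package": {
+"name": "system"
+},
+"managed_by": "fleet",
+"managed": true
+}
+}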


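--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,12 @@
+{
+"template": {
+"settings": {}
+},
+"_meta": {
+"package": {
+"name": "elastic_agent"
+},
+"managed_by": "fleet",
+"managed": true
+}
+}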


@@ -0,0 +1,530 @@
{
"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-system.auth-1.6.4",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.os.full",
"host.type",
"event.action",
"event.category",
"event.code",
"event.kind",
"event.outcome",
"event.provider",
"event.type",
"ecs.version",
"error.message",
"group.id",
"group.name",
"message",
"process.name",
"related.hosts",
"related.user",
"source.as.organization.name",
"source.geo.city_name",
"source.geo.continent_name",
"source.geo.country_iso_code",
"source.geo.country_name",
"source.geo.region_iso_code",
"source.geo.region_name",
"user.effective.name",
"user.id",
"user.name",
"system.auth.ssh.method",
"system.auth.ssh.signature",
"system.auth.ssh.event",
"system.auth.sudo.error",
"system.auth.sudo.tty",
"system.auth.sudo.pwd",
"system.auth.sudo.user",
"system.auth.sudo.command",
"system.auth.useradd.home",
"system.auth.useradd.shell",
"version"
]
}
}
},
"mappings": {
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"process": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"pid": {
"type": "long"
}
}
},
"source": {
"properties": {
"geo": {
"properties": {
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"port": {
"type": "long"
},
"ip": {
"type": "ip"
}
}
},
"error": {
"properties": {
"message": {
"type": "match_only_text"
}
}
},
"message": {
"type": "match_only_text"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"@timestamp": {
"type": "date"
},
"system": {
"properties": {
"auth": {
"properties": {
"ssh": {
"properties": {
"method": {
"ignore_above": 1024,
"type": "keyword"
},
"dropped_ip": {
"type": "ip"
},
"signature": {
"ignore_above": 1024,
"type": "keyword"
},
"event": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"sudo": {
"properties": {
"tty": {
"ignore_above": 1024,
"type": "keyword"
},
"error": {
"ignore_above": 1024,
"type": "keyword"
},
"pwd": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
},
"command": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"useradd": {
"properties": {
"shell": {
"ignore_above": 1024,
"type": "keyword"
},
"home": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"related": {
"properties": {
"hosts": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword",
"value": "logs"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"sequence": {
"type": "long"
},
"ingested": {
"type": "date"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"type": "constant_keyword",
"value": "system"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"dataset": {
"type": "constant_keyword",
"value": "system.auth"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user": {
"properties": {
"effective": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"group": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
},
"_meta": {
"package": {
"name": "system"
},
"managed_by": "fleet",
"managed": true
}
}


@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}


@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}


@@ -0,0 +1,327 @@
{
"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-system.syslog-1.6.4",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.os.full",
"host.type",
"event.action",
"event.category",
"event.code",
"event.kind",
"event.outcome",
"event.provider",
"event.type",
"ecs.version",
"message",
"process.name"
]
}
}
},
"mappings": {
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"process": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"pid": {
"type": "long"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword",
"value": "logs"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"sequence": {
"type": "long"
},
"ingested": {
"type": "date"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"type": "constant_keyword",
"value": "system"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"dataset": {
"type": "constant_keyword",
"value": "system.syslog"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"message": {
"type": "match_only_text"
}
}
}
},
"_meta": {
"package": {
"name": "system"
},
"managed_by": "fleet",
"managed": true
}
}


@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}


@@ -0,0 +1,986 @@
{
"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-system.system-1.6.4",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"event.action",
"event.category",
"event.code",
"event.kind",
"event.original",
"event.outcome",
"event.provider",
"event.type",
"error.message",
"message",
"winlog.api",
"winlog.activity_id",
"winlog.computer_name",
"winlog.event_data.AuthenticationPackageName",
"winlog.event_data.Binary",
"winlog.event_data.BitlockerUserInputTime",
"winlog.event_data.BootMode",
"winlog.event_data.BootType",
"winlog.event_data.BuildVersion",
"winlog.event_data.Company",
"winlog.event_data.CorruptionActionState",
"winlog.event_data.CreationUtcTime",
"winlog.event_data.Description",
"winlog.event_data.Detail",
"winlog.event_data.DeviceName",
"winlog.event_data.DeviceNameLength",
"winlog.event_data.DeviceTime",
"winlog.event_data.DeviceVersionMajor",
"winlog.event_data.DeviceVersionMinor",
"winlog.event_data.DriveName",
"winlog.event_data.DriverName",
"winlog.event_data.DriverNameLength",
"winlog.event_data.DwordVal",
"winlog.event_data.EntryCount",
"winlog.event_data.ExtraInfo",
"winlog.event_data.FailureName",
"winlog.event_data.FailureNameLength",
"winlog.event_data.FileVersion",
"winlog.event_data.FinalStatus",
"winlog.event_data.Group",
"winlog.event_data.IdleImplementation",
"winlog.event_data.IdleStateCount",
"winlog.event_data.ImpersonationLevel",
"winlog.event_data.IntegrityLevel",
"winlog.event_data.IpAddress",
"winlog.event_data.IpPort",
"winlog.event_data.KeyLength",
"winlog.event_data.LastBootGood",
"winlog.event_data.LastShutdownGood",
"winlog.event_data.LmPackageName",
"winlog.event_data.LogonGuid",
"winlog.event_data.LogonId",
"winlog.event_data.LogonProcessName",
"winlog.event_data.LogonType",
"winlog.event_data.MajorVersion",
"winlog.event_data.MaximumPerformancePercent",
"winlog.event_data.MemberName",
"winlog.event_data.MemberSid",
"winlog.event_data.MinimumPerformancePercent",
"winlog.event_data.MinimumThrottlePercent",
"winlog.event_data.MinorVersion",
"winlog.event_data.NewProcessId",
"winlog.event_data.NewProcessName",
"winlog.event_data.NewSchemeGuid",
"winlog.event_data.NewTime",
"winlog.event_data.NominalFrequency",
"winlog.event_data.Number",
"winlog.event_data.OldSchemeGuid",
"winlog.event_data.OldTime",
"winlog.event_data.OriginalFileName",
"winlog.event_data.Path",
"winlog.event_data.PerformanceImplementation",
"winlog.event_data.PreviousCreationUtcTime",
"winlog.event_data.PreviousTime",
"winlog.event_data.PrivilegeList",
"winlog.event_data.ProcessId",
"winlog.event_data.ProcessName",
"winlog.event_data.ProcessPath",
"winlog.event_data.ProcessPid",
"winlog.event_data.Product",
"winlog.event_data.PuaCount",
"winlog.event_data.PuaPolicyId",
"winlog.event_data.QfeVersion",
"winlog.event_data.Reason",
"winlog.event_data.SchemaVersion",
"winlog.event_data.ScriptBlockText",
"winlog.event_data.ServiceName",
"winlog.event_data.ServiceVersion",
"winlog.event_data.ShutdownActionType",
"winlog.event_data.ShutdownEventCode",
"winlog.event_data.ShutdownReason",
"winlog.event_data.Signature",
"winlog.event_data.SignatureStatus",
"winlog.event_data.Signed",
"winlog.event_data.StartTime",
"winlog.event_data.State",
"winlog.event_data.Status",
"winlog.event_data.StopTime",
"winlog.event_data.SubjectDomainName",
"winlog.event_data.SubjectLogonId",
"winlog.event_data.SubjectUserName",
"winlog.event_data.SubjectUserSid",
"winlog.event_data.TSId",
"winlog.event_data.TargetDomainName",
"winlog.event_data.TargetInfo",
"winlog.event_data.TargetLogonGuid",
"winlog.event_data.TargetLogonId",
"winlog.event_data.TargetServerName",
"winlog.event_data.TargetUserName",
"winlog.event_data.TargetUserSid",
"winlog.event_data.TerminalSessionId",
"winlog.event_data.TokenElevationType",
"winlog.event_data.TransmittedServices",
"winlog.event_data.UserSid",
"winlog.event_data.Version",
"winlog.event_data.Workstation",
"winlog.event_data.param1",
"winlog.event_data.param2",
"winlog.event_data.param3",
"winlog.event_data.param4",
"winlog.event_data.param5",
"winlog.event_data.param6",
"winlog.event_data.param7",
"winlog.event_data.param8",
"winlog.event_id",
"winlog.keywords",
"winlog.channel",
"winlog.record_id",
"winlog.related_activity_id",
"winlog.opcode",
"winlog.provider_guid",
"winlog.provider_name",
"winlog.task",
"winlog.user.identifier",
"winlog.user.name",
"winlog.user.domain",
"winlog.user.type"
]
}
}
},
"mappings": {
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
{
"winlog.user_data": {
"path_match": "winlog.user_data.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"winlog": {
"properties": {
"related_activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"computer_name": {
"ignore_above": 1024,
"type": "keyword"
},
"process": {
"properties": {
"pid": {
"type": "long"
},
"thread": {
"properties": {
"id": {
"type": "long"
}
}
}
}
},
"keywords": {
"ignore_above": 1024,
"type": "keyword"
},
"channel": {
"ignore_above": 1024,
"type": "keyword"
},
"event_data": {
"properties": {
"SignatureStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceTime": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"OriginalFileName": {
"ignore_above": 1024,
"type": "keyword"
},
"BootMode": {
"ignore_above": 1024,
"type": "keyword"
},
"Product": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetLogonGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"FileVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"StopTime": {
"ignore_above": 1024,
"type": "keyword"
},
"Status": {
"ignore_above": 1024,
"type": "keyword"
},
"CorruptionActionState": {
"ignore_above": 1024,
"type": "keyword"
},
"KeyLength": {
"ignore_above": 1024,
"type": "keyword"
},
"PreviousCreationUtcTime": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetInfo": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"PerformanceImplementation": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"Group": {
"ignore_above": 1024,
"type": "keyword"
},
"Description": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownActionType": {
"ignore_above": 1024,
"type": "keyword"
},
"DwordVal": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessPid": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceVersionMajor": {
"ignore_above": 1024,
"type": "keyword"
},
"ScriptBlockText": {
"ignore_above": 1024,
"type": "keyword"
},
"TransmittedServices": {
"ignore_above": 1024,
"type": "keyword"
},
"MaximumPerformancePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"NewTime": {
"ignore_above": 1024,
"type": "keyword"
},
"FinalStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"IdleStateCount": {
"ignore_above": 1024,
"type": "keyword"
},
"MajorVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"Path": {
"ignore_above": 1024,
"type": "keyword"
},
"SchemaVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"TokenElevationType": {
"ignore_above": 1024,
"type": "keyword"
},
"MinorVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectLogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"IdleImplementation": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessPath": {
"ignore_above": 1024,
"type": "keyword"
},
"QfeVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceVersionMinor": {
"ignore_above": 1024,
"type": "keyword"
},
"OldTime": {
"ignore_above": 1024,
"type": "keyword"
},
"IpAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceName": {
"ignore_above": 1024,
"type": "keyword"
},
"Company": {
"ignore_above": 1024,
"type": "keyword"
},
"PuaPolicyId": {
"ignore_above": 1024,
"type": "keyword"
},
"IntegrityLevel": {
"ignore_above": 1024,
"type": "keyword"
},
"LastShutdownGood": {
"ignore_above": 1024,
"type": "keyword"
},
"IpPort": {
"ignore_above": 1024,
"type": "keyword"
},
"DriverNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"LmPackageName": {
"ignore_above": 1024,
"type": "keyword"
},
"UserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"LastBootGood": {
"ignore_above": 1024,
"type": "keyword"
},
"PuaCount": {
"ignore_above": 1024,
"type": "keyword"
},
"Version": {
"ignore_above": 1024,
"type": "keyword"
},
"Signed": {
"ignore_above": 1024,
"type": "keyword"
},
"StartTime": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownEventCode": {
"ignore_above": 1024,
"type": "keyword"
},
"NewProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"FailureNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceName": {
"ignore_above": 1024,
"type": "keyword"
},
"PreviousTime": {
"ignore_above": 1024,
"type": "keyword"
},
"State": {
"ignore_above": 1024,
"type": "keyword"
},
"BootType": {
"ignore_above": 1024,
"type": "keyword"
},
"Binary": {
"ignore_above": 1024,
"type": "keyword"
},
"ImpersonationLevel": {
"ignore_above": 1024,
"type": "keyword"
},
"MemberName": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"Detail": {
"ignore_above": 1024,
"type": "keyword"
},
"TerminalSessionId": {
"ignore_above": 1024,
"type": "keyword"
},
"MemberSid": {
"ignore_above": 1024,
"type": "keyword"
},
"DriverName": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"OldSchemeGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"CreationUtcTime": {
"ignore_above": 1024,
"type": "keyword"
},
"Reason": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownReason": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetServerName": {
"ignore_above": 1024,
"type": "keyword"
},
"Number": {
"ignore_above": 1024,
"type": "keyword"
},
"BuildVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectDomainName": {
"ignore_above": 1024,
"type": "keyword"
},
"MinimumPerformancePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"TSId": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetDomainName": {
"ignore_above": 1024,
"type": "keyword"
},
"PrivilegeList": {
"ignore_above": 1024,
"type": "keyword"
},
"param7": {
"ignore_above": 1024,
"type": "keyword"
},
"param8": {
"ignore_above": 1024,
"type": "keyword"
},
"param5": {
"ignore_above": 1024,
"type": "keyword"
},
"param6": {
"ignore_above": 1024,
"type": "keyword"
},
"DriveName": {
"ignore_above": 1024,
"type": "keyword"
},
"NewProcessId": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonType": {
"ignore_above": 1024,
"type": "keyword"
},
"ExtraInfo": {
"ignore_above": 1024,
"type": "keyword"
},
"param3": {
"ignore_above": 1024,
"type": "keyword"
},
"param4": {
"ignore_above": 1024,
"type": "keyword"
},
"param1": {
"ignore_above": 1024,
"type": "keyword"
},
"param2": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetLogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"Workstation": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"FailureName": {
"ignore_above": 1024,
"type": "keyword"
},
"NewSchemeGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"Signature": {
"ignore_above": 1024,
"type": "keyword"
},
"MinimumThrottlePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessId": {
"ignore_above": 1024,
"type": "keyword"
},
"EntryCount": {
"ignore_above": 1024,
"type": "keyword"
},
"BitlockerUserInputTime": {
"ignore_above": 1024,
"type": "keyword"
},
"AuthenticationPackageName": {
"ignore_above": 1024,
"type": "keyword"
},
"NominalFrequency": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"opcode": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"type": "long"
},
"record_id": {
"ignore_above": 1024,
"type": "keyword"
},
"event_id": {
"ignore_above": 1024,
"type": "keyword"
},
"task": {
"ignore_above": 1024,
"type": "keyword"
},
"provider_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"api": {
"ignore_above": 1024,
"type": "keyword"
},
"provider_name": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"original": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"type": "constant_keyword",
"value": "system"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"sequence": {
"type": "long"
},
"ingested": {
"type": "date"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"dataset": {
"type": "constant_keyword",
"value": "system.system"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"error": {
"properties": {
"message": {
"type": "match_only_text"
}
}
},
"message": {
"type": "match_only_text"
}
}
}
},
"_meta": {
"package": {
"name": "system"
},
"managed_by": "fleet",
"managed": true
}
}


@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}


@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}


@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}


@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}


@@ -42,7 +42,7 @@ if [ ! -f /opt/so/state/espipelines.txt ]; then
cd ${ELASTICSEARCH_INGEST_PIPELINES}
echo "Loading pipelines..."
for i in *; do echo $i; RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -k -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done
for i in .[a-z]* *; do echo $i; RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -k -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done
echo
cd - >/dev/null
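Review bot: The new `.[a-z]*` glob on the `for` line is expanded without `nullglob`, so when the pipelines directory holds no dot-prefixed file the loop iterates the literal string `.[a-z]*`, issuing a PUT to `_ingest/pipeline/.[a-z]*` with a `-d@` file that does not exist; the warning is hidden by `2>/dev/null` and the error response Elasticsearch most likely returns would set RETURN_CODE=1 even though every real pipeline loaded. A guard at the start of the loop body, `[[ -f "$i" ]] || continue;`, or `shopt -s nullglob` before the loop avoids this. Since the line is being rewritten anyway, quoting the expansions (`.../_ingest/pipeline/"$i"` and `-d@"$i"`) keeps pipeline names with unusual characters intact. The enclosing `if [ ! -f /opt/so/state/espipelines.txt ]` block starts and ends outside the hunk.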


@@ -976,14 +976,14 @@ detect_os() {
download_elastic_agent_artifacts() {
if [[ $is_iso ]]; then
logCmd "tar -xf /nsm/elastic-fleet/artifacts/beats/elastic-agent_SO-$SOVERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/"
logCmd "tar -xf /nsm/elastic-fleet/artifacts/beats/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/"
else
logCmd "mkdir -p /nsm/elastic-fleet/artifacts/beats/elastic-agent/"
retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz" "" ""
retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.md5 --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.md5" "" ""
retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" "" ""
retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5 --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" "" ""
SOURCEHASH=$(md5sum /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz | awk '{ print $1 }')
HASH=$(cat /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.md5)
SOURCEHASH=$(md5sum /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz | awk '{ print $1 }')
HASH=$(cat /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5)
if [[ "$HASH" == "$SOURCEHASH" ]]; then
info "Elastic Agent source hash is good."
@@ -992,7 +992,7 @@ download_elastic_agent_artifacts() {
fail_setup
fi
logCmd "tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/"
logCmd "tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/"
fi
}
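Review bot: The hash comparison that gates the final `tar -xf` still trusts an `.md5` fetched from the same origin and over the same channel as the tarball, so it catches a truncated or corrupted download but not a substituted artifact; now that the version is pinned in so-common as `ELASTIC_AGENT_TARBALL_VERSION`, pinning the expected digest beside it (or verifying a detached signature) would turn this into an authenticity check. Every path in the function is built from `$ELASTIC_AGENT_TARBALL_VERSION` without confirming it is set, so if so-common was not sourced the names collapse to `elastic-agent_SO-.tar.gz` and the failure surfaces only as a 404 from the retry loop; a first line of `: "${ELASTIC_AGENT_TARBALL_VERSION:?not set; source so-common first}"` fails fast with a clear message. The `is_iso` branch extracts the bundled tarball with no hash comparison at all, which may be intentional for offline media but deserves a one-line comment saying so.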


@@ -218,4 +218,4 @@ patch_pillar_file="$local_salt_dir/pillar/patch/soc_patch.sls"
export patch_pillar_file
adv_patch_pillar_file="$local_salt_dir/pillar/patch/adv_patch.sls"
export adv_patch_pillar_file
export adv_patch_pillar_file