diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 523a1b230..f25bdb431 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -5,6 +5,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +ELASTIC_AGENT_TARBALL_VERSION="8.7.1" DEFAULT_SALT_DIR=/opt/so/saltstack/default DOC_BASE_URL="https://docs.securityonion.net/en/2.4" diff --git a/salt/common/tools/sbin_jinja/so-import-pcap b/salt/common/tools/sbin_jinja/so-import-pcap index 8e2bc523d..b8a90421f 100755 --- a/salt/common/tools/sbin_jinja/so-import-pcap +++ b/salt/common/tools/sbin_jinja/so-import-pcap @@ -194,7 +194,6 @@ for PCAP in $INPUT_FILES; do status "- analyzing traffic with Zeek" zeek "${PCAP}" $HASH {% endif %} - status "- saving PCAP data spanning dates $START through $END" fi if [[ "$HASH_FILTERS" == "" ]]; then @@ -207,6 +206,7 @@ for PCAP in $INPUT_FILES; do START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}') END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}') + status "- found PCAP data spanning dates $START through $END" # compare $START to $START_OLDEST START_COMPARE=$(date -d $START +%s) @@ -286,4 +286,4 @@ if [[ $json -eq 1 ]]; then }''' fi -exit $RESULT \ No newline at end of file +exit $RESULT diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml index e14a7aa5b..8c858c711 100644 --- a/salt/elasticfleet/defaults.yaml +++ b/salt/elasticfleet/defaults.yaml @@ -11,6 +11,7 @@ elasticfleet: excluded: - broker - capture_loss + - cluster - ecat_arp_info - known_hosts - known_services diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers index 4910ceda1..704f1537a 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers @@ -8,15 +8,21 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} +. /usr/sbin/so-common . /usr/sbin/so-elastic-fleet-common for i in {1..30} do ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key') FLEETHOST=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default' | jq -r '.item.host_urls[]' | paste -sd ',') -if [[ $FLEETHOST ]] && [[ $ENROLLMENTOKEN ]]; then break; else sleep 10; fi +if [[ $FLEETHOST ]] && [[ $ENROLLMENTOKEN ]] && [[ $ELASTICVERSION ]]; then break; else sleep 10; fi done -if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]]; then printf "\nFleet Host URL or Enrollment Token empty - exiting..." && exit; fi + +if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]]; then + printf "\nFleet Host URL, Enrollment Token or Elastic Version empty - exiting..." + printf "\nFleet Host: $FLEETHOST, Enrollment Token: $ENROLLMENTOKEN\n" + exit +fi OSARCH=( "linux-x86_64" "windows-x86_64" "darwin-x86_64" "darwin-aarch64" ) @@ -25,7 +31,7 @@ rm -rf /nsm/elastic-agent-workspace mkdir -p /nsm/elastic-agent-workspace printf "\n### Extracting outer tarball and then each individual tarball/zip\n" -tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-{{ GLOBALS.so_version }}.tar.gz -C /nsm/elastic-agent-workspace/ +tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz -C /nsm/elastic-agent-workspace/ unzip -q /nsm/elastic-agent-workspace/elastic-agent-*.zip -d /nsm/elastic-agent-workspace/ for archive in /nsm/elastic-agent-workspace/*.tar.gz do diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 10cc347d1..d27f291eb 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -111,22 +111,208 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-osquery-manager: + so-logs-system.auth: index_sorting: False index_template: index_patterns: - - ".logs-osquery*" + - "logs-system.auth*" template: settings: index: number_of_replicas: 0 + composed_of: + - "event-mappings" + - "logs-system.auth@package" + - "logs-system.auth@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-system.syslog: + index_sorting: False + index_template: + index_patterns: + - "logs-system.syslog*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "event-mappings" + - "logs-system.syslog@package" + - "logs-system.syslog@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-system.system: + index_sorting: False + index_template: + index_patterns: + - "logs-system.system*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "event-mappings" + - "logs-system.system@package" + - "logs-system.system@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-system.application: + index_sorting: False + index_template: + index_patterns: + - "logs-system.application*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "event-mappings" + - "logs-system.application@package" + - "logs-system.application@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-system.security: + index_sorting: False + index_template: + index_patterns: + - "logs-system.security*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "event-mappings" + - "logs-system.security@package" + - "logs-system.security@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-windows.forwarded: + index_sorting: False + index_template: + index_patterns: + - "logs-windows.forwarded*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-windows.forwarded@package" + - "logs-windows.forwarded@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-windows.powershell: + index_sorting: False + index_template: + index_patterns: + - "logs-windows.powershell-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-windows.powershell@package" + - "logs-windows.powershell@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-windows.powershell_operational: + index_sorting: False + index_template: + index_patterns: + - "logs-windows.powershell_operational-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-windows.powershell_operational@package" + - "logs-windows.powershell_operational@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-windows.sysmon_operational: + index_sorting: False + index_template: + index_patterns: + - "logs-windows.sysmon_operational-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-windows.sysmon_operational@package" + - "logs-windows.sysmon_operational@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-osquery-manager-actions: + index_sorting: False + index_template: + index_patterns: + - ".logs-osquery_manager.actions*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-osquery_manager.actions" priority: 501 _meta: package: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.apm_server: + so-logs-osquery-manager-action.responses: + index_sorting: False + index_template: + index_patterns: + - ".logs-osquery_manager.action.responses*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-osquery_manager.action.responses" + priority: 501 + _meta: + package: + name: elastic_agent + managed_by: security_onion + managed: true + so-logs-elastic_agent.apm_server: index_sorting: False index_template: index_patterns: @@ -152,7 +338,7 @@ elasticsearch: - "logs-elastic_agent.apm_server@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false @@ -180,7 +366,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.auditbeat: + so-logs-elastic_agent.auditbeat: index_sorting: False index_template: index_patterns: @@ -206,7 +392,7 @@ elasticsearch: - "logs-elastic_agent.auditbeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false @@ -234,7 +420,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.cloudbeat: + so-logs-elastic_agent.cloudbeat: index_sorting: False index_template: index_patterns: @@ -260,7 +446,7 @@ elasticsearch: - "logs-elastic_agent.cloudbeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 policy: phases: hot: @@ -285,7 +471,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.endpoint_security: + so-logs-elastic_agent.endpoint_security: index_sorting: False index_template: index_patterns: @@ -300,18 +486,13 @@ elasticsearch: sort: field: "@timestamp" order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true composed_of: + - "event-mappings" - "logs-elastic_agent.endpoint_security@package" - "logs-elastic_agent.endpoint_security@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false @@ -339,7 +520,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.filebeat: + so-logs-elastic_agent.filebeat: index_sorting: False index_template: index_patterns: @@ -354,18 +535,13 @@ elasticsearch: sort: field: "@timestamp" order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true composed_of: + - "event-mappings" - "logs-elastic_agent.filebeat@package" - "logs-elastic_agent.filebeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false @@ -393,7 +569,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.fleet_server: + so-logs-elastic_agent.fleet_server: index_sorting: False index_template: index_patterns: @@ -402,24 +578,16 @@ elasticsearch: settings: index: number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 sort: field: "@timestamp" order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true composed_of: + - "event-mappings" - "logs-elastic_agent.fleet_server@package" - "logs-elastic_agent.fleet_server@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false @@ -447,7 +615,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.heartbeat: + so-logs-elastic_agent.heartbeat: index_sorting: False index_template: index_patterns: @@ -473,7 +641,7 @@ elasticsearch: - "logs-elastic_agent.heartbeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 policy: phases: hot: @@ -498,7 +666,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent: + so-logs-elastic_agent: index_sorting: False index_template: index_patterns: @@ -520,11 +688,12 @@ elasticsearch: managed_by: security_onion managed: true composed_of: + - "event-mappings" - "logs-elastic_agent@package" - "logs-elastic_agent@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false @@ -552,7 +721,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.metricbeat: + so-logs-elastic_agent.metricbeat: index_sorting: False index_template: index_patterns: @@ -567,18 +736,13 @@ elasticsearch: sort: field: "@timestamp" order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true composed_of: + - "event-mappings" - "logs-elastic_agent.metricbeat@package" - "logs-elastic_agent.metricbeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false @@ -606,7 +770,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.osquerybeat: + so-logs-elastic_agent.osquerybeat: index_sorting: False index_template: index_patterns: @@ -621,18 +785,13 @@ elasticsearch: sort: field: "@timestamp" order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true composed_of: + - "event-mappings" - "logs-elastic_agent.osquerybeat@package" - "logs-elastic_agent.osquerybeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false @@ -660,7 +819,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.packetbeat: + so-logs-elastic_agent.packetbeat: index_sorting: False index_template: index_patterns: @@ -686,7 +845,7 @@ elasticsearch: - "logs-elastic_agent.packetbeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false diff --git a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 new file mode 100644 index 000000000..cf36bc798 --- /dev/null +++ b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 @@ -0,0 +1,94 @@ +{ + "version": 3, + "_meta": { + "managed_by": "fleet", + "managed": true + }, + "description": "Final pipeline for processing all incoming Fleet Agent documents. \n", + "processors": [ + { + "date": { + "description": "Add time when event was ingested (and remove sub-seconds to improve storage efficiency)", + "tag": "truncate-subseconds-event-ingested", + "field": "_ingest.timestamp", + "target_field": "event.ingested", + "formats": [ + "ISO8601" + ], + "output_format": "date_time_no_millis", + "ignore_failure": true + } + }, + { + "remove": { + "description": "Remove any pre-existing untrusted values.", + "field": [ + "event.agent_id_status", + "_security" + ], + "ignore_missing": true + } + }, + { + "set_security_user": { + "field": "_security", + "properties": [ + "authentication_type", + "username", + "realm", + "api_key" + ] + } + }, + { + "script": { + "description": "Add event.agent_id_status based on the API key metadata and the agent.id contained in the event.\n", + "tag": "agent-id-status", + "source": "boolean is_user_trusted(def ctx, def users) {\n if (ctx?._security?.username == null) {\n return false;\n }\n\n def user = null;\n for (def item : users) {\n if (item?.username == ctx._security.username) {\n user = item;\n break;\n }\n }\n\n if (user == null || user?.realm == null || ctx?._security?.realm?.name == null) {\n return false;\n }\n\n if (ctx._security.realm.name != user.realm) {\n return false;\n }\n\n return true;\n}\n\nString verified(def ctx, def params) {\n // No agent.id field to validate.\n if (ctx?.agent?.id == null) {\n return \"missing\";\n }\n\n // Check auth metadata from API key.\n if (ctx?._security?.authentication_type == null\n // Agents only use API keys.\n || ctx._security.authentication_type != 'API_KEY'\n // Verify the API key owner before trusting any metadata it contains.\n || !is_user_trusted(ctx, params.trusted_users)\n // Verify the API key has metadata indicating the assigned agent ID.\n || ctx?._security?.api_key?.metadata?.agent_id == null) {\n return \"auth_metadata_missing\";\n }\n\n // The API key can only be used represent the agent.id it was issued to.\n if (ctx._security.api_key.metadata.agent_id != ctx.agent.id) {\n // Potential masquerade attempt.\n return \"mismatch\";\n }\n\n return \"verified\";\n}\n\nif (ctx?.event == null) {\n ctx.event = [:];\n}\n\nctx.event.agent_id_status = verified(ctx, params);", + "params": { + "trusted_users": [ + { + "username": "elastic/fleet-server", + "realm": "_service_account" + }, + { + "username": "cloud-internal-agent-server", + "realm": "found" + }, + { + "username": "elastic", + "realm": "reserved" + } + ] + } + } + }, + { + "remove": { + "field": "_security", + "ignore_missing": true + } + }, + { "set": { "ignore_failure": true, "field": "event.module", "value": "elastic_agent" } }, + { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } }, + { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" }}, + { "remove": { "field": [ "module_temp" ], "ignore_missing": true, "ignore_failure": true } } + ], + "on_failure": [ + { + "remove": { + "field": "_security", + "ignore_missing": true, + "ignore_failure": true + } + }, + { + "append": { + "field": "error.message", + "value": [ + "failed in Fleet agent final_pipeline: {{ _ingest.on_failure_message }}" + ] + } + } + ] +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json index 9fd8c928f..919763caa 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json @@ -1,505 +1,329 @@ -{ - "template": { - "settings": { - "analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.apm_server-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json index 9fd8c928f..175ad4431 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json @@ -1,505 +1,329 @@ -{ - "template": { - "settings": { - "analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.auditbeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json index c4874ed3c..a96480471 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json @@ -1,510 +1,339 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.cloudbeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "decision_id", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + }, + "message": { + "type": "match_only_text" + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + } + }, + "result": { + "type": "object" + }, + "input": { + "type": "object" + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "decision_id": { + "type": "text" + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } } } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json index 36978b0d8..5f16d18de 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json @@ -1,505 +1,329 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.endpoint_security-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json index 36978b0d8..f5b1ab12a 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json @@ -1,505 +1,329 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.filebeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json index 36978b0d8..a61d9f7a9 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json @@ -1,505 +1,329 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.fleet_server-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json index f353ac542..d7e244dc2 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json @@ -1,505 +1,329 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.heartbeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "message": { + "type": "text" + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } } } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "message": { - "type": "text" - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json index 36978b0d8..7b0c81283 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json @@ -1,505 +1,329 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.metricbeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json index 36978b0d8..2a6780e69 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json @@ -1,505 +1,329 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.osquerybeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json index 9e593d3f8..973427be1 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json @@ -1,498 +1,322 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.packetbeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "message": { + "type": "text" } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "message": { - "type": "text" + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json index 7df3309b1..57dc73c66 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json @@ -1,505 +1,382 @@ -{ - "template": { - "settings": { - "analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version", + "component.id", + "component.type", + "component.binary", + "component.state", + "component.old_state", + "unit.id", + "unit.type", + "unit.state", + "unit.old_state" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + }, + "message": { + "type": "text" + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + } + }, + "component": { + "properties": { + "binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "wildcard" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "unit": { + "properties": { + "old_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "wildcard" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } } } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.action.responses.json b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.action.responses.json new file mode 100644 index 000000000..afe990c92 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.action.responses.json @@ -0,0 +1,91 @@ +{"template": { + "mappings": { + "properties": { + "completed_at": { + "type": "date" + }, + "action_response": { + "properties": { + "osquery": { + "properties": { + "count": { + "type": "long" + } + } + } + } + }, + "@timestamp": { + "type": "date" + }, + "agent_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "action_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "count": { + "type": "long" + }, + "started_at": { + "type": "date" + }, + "action_input_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "error": { + "type": "text", + "fields": { + "keyword": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", + "type": "date" + } + } + }, + "action_data": { + "properties": { + "saved_query_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "ecs_mapping": { + "type": "object", + "enabled": false + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.actions.json b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.actions.json new file mode 100644 index 000000000..44296af13 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.actions.json @@ -0,0 +1,110 @@ +{"template": { + "mappings": { + "properties": { + "pack_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "metadata": { + "type": "object", + "enabled": false + }, + "data": { + "properties": { + "query": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pack_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "input_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "pack_prebuilt": { + "type": "boolean" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "queries": { + "properties": { + "action_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "saved_query_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "saved_query_prebuilt": { + "type": "boolean" + }, + "query": { + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "ecs_mapping": { + "type": "object", + "enabled": false + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "agents": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agents": { + "ignore_above": 1024, + "type": "keyword" + }, + "@timestamp": { + "type": "date" + }, + "action_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "expiration": { + "type": "date" + }, + "event": { + "properties": { + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", + "type": "date" + } + } + }, + "agent_ids": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json new file mode 100644 index 000000000..05741a4f0 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json @@ -0,0 +1,952 @@ + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-system.application-1.6.4", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.code", + "event.original", + "error.message", + "message", + "winlog.api", + "winlog.activity_id", + "winlog.computer_name", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.Company", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + "winlog.event_data.Group", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + "winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonId", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MajorVersion", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + "winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewTime", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + "winlog.event_data.OldSchemeGuid", + "winlog.event_data.OldTime", + "winlog.event_data.OriginalFileName", + "winlog.event_data.Path", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Reason", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.ServiceName", + "winlog.event_data.ServiceVersion", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + "winlog.event_data.ShutdownReason", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + "winlog.event_data.Signed", + "winlog.event_data.StartTime", + "winlog.event_data.State", + "winlog.event_data.Status", + "winlog.event_data.StopTime", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.UserSid", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + "winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", + "winlog.event_id", + "winlog.keywords", + "winlog.channel", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + "winlog.task", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + "winlog.user.type" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + }, + { + "winlog.user_data": { + "path_match": "winlog.user_data.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "winlog": { + "properties": { + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "module": { + "type": "constant_keyword", + "value": "system" + }, + "dataset": { + "type": "constant_keyword", + "value": "system.application" + } + } + }, + "error": { + "properties": { + "message": { + "type": "match_only_text" + } + } + }, + "message": { + "type": "match_only_text" + } + } + } + }, + "_meta": { + "package": { + "name": "system" + }, + "managed_by": "fleet", + "managed": true + } + } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json new file mode 100644 index 000000000..51e707850 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json @@ -0,0 +1,530 @@ +{ + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-system.auth-1.6.4", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.os.full", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "ecs.version", + "error.message", + "group.id", + "group.name", + "message", + "process.name", + "related.hosts", + "related.user", + "source.as.organization.name", + "source.geo.city_name", + "source.geo.continent_name", + "source.geo.country_iso_code", + "source.geo.country_name", + "source.geo.region_iso_code", + "source.geo.region_name", + "user.effective.name", + "user.id", + "user.name", + "system.auth.ssh.method", + "system.auth.ssh.signature", + "system.auth.ssh.event", + "system.auth.sudo.error", + "system.auth.sudo.tty", + "system.auth.sudo.pwd", + "system.auth.sudo.user", + "system.auth.sudo.command", + "system.auth.useradd.home", + "system.auth.useradd.shell", + "version" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + } + } + }, + "source": { + "properties": { + "geo": { + "properties": { + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "port": { + "type": "long" + }, + "ip": { + "type": "ip" + } + } + }, + "error": { + "properties": { + "message": { + "type": "match_only_text" + } + } + }, + "message": { + "type": "match_only_text" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "@timestamp": { + "type": "date" + }, + "system": { + "properties": { + "auth": { + "properties": { + "ssh": { + "properties": { + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_ip": { + "type": "ip" + }, + "signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "event": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sudo": { + "properties": { + "tty": { + "ignore_above": 1024, + "type": "keyword" + }, + "error": { + "ignore_above": 1024, + "type": "keyword" + }, + "pwd": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "useradd": { + "properties": { + "shell": { + "ignore_above": 1024, + "type": "keyword" + }, + "home": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword", + "value": "logs" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "system" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "system.auth" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "effective": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "system" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json new file mode 100644 index 000000000..a74cd4a70 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json @@ -0,0 +1,1840 @@ + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-system.security-1.6.4", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "tags", + "input.type", + "ecs.version", + "group.domain", + "group.id", + "group.name", + "log.file.path", + "log.level", + "message", + "process.args", + "process.command_line", + "process.entity_id", + "process.executable", + "process.name", + "process.parent.executable", + "process.parent.name", + "process.title", + "related.hash", + "related.hosts", + "related.user", + "service.name", + "service.type", + "source.domain", + "user.domain", + "user.id", + "user.name", + "user.effective.domain", + "user.effective.id", + "user.effective.name", + "user.target.group.domain", + "user.target.group.id", + "user.target.group.name", + "user.target.name", + "user.target.domain", + "user.target.id", + "user.changes.name", + "winlog.logon.type", + "winlog.logon.id", + "winlog.logon.failure.reason", + "winlog.logon.failure.status", + "winlog.logon.failure.sub_status", + "winlog.api", + "winlog.activity_id", + "winlog.channel", + "winlog.computer_name", + "winlog.computerObject.domain", + "winlog.computerObject.id", + "winlog.computerObject.name", + "winlog.event_data.AccessGranted", + "winlog.event_data.AccessList", + "winlog.event_data.AccessListDescription", + "winlog.event_data.AccessMask", + "winlog.event_data.AccessMaskDescription", + "winlog.event_data.AccessRemoved", + "winlog.event_data.AccountDomain", + "winlog.event_data.AccountExpires", + "winlog.event_data.AccountName", + "winlog.event_data.AllowedToDelegateTo", + "winlog.event_data.AuditPolicyChanges", + "winlog.event_data.AuditPolicyChangesDescription", + "winlog.event_data.AuditSourceName", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.CallerProcessId", + "winlog.event_data.CallerProcessName", + "winlog.event_data.Category", + "winlog.event_data.CategoryId", + "winlog.event_data.ClientAddress", + "winlog.event_data.ClientName", + "winlog.event_data.CommandLine", + "winlog.event_data.Company", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CrashOnAuditFailValue", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DisplayName", + "winlog.event_data.DomainBehaviorVersion", + "winlog.event_data.DomainName", + "winlog.event_data.DomainPolicyChanged", + "winlog.event_data.DomainSid", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.Dummy", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.EventSourceId", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FailureReason", + "winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + "winlog.event_data.Group", + "winlog.event_data.GroupTypeChange", + "winlog.event_data.HandleId", + "winlog.event_data.HomeDirectory", + "winlog.event_data.HomePath", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + "winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KerberosPolicyChange", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonHours", + "winlog.event_data.LogonId", + "winlog.event_data.LogonID", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MachineAccountQuota", + "winlog.event_data.MajorVersion", + "winlog.event_data.MandatoryLabel", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + "winlog.event_data.MixedDomainMode", + "winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewSd", + "winlog.event_data.NewSdDacl0", + "winlog.event_data.NewSdDacl1", + "winlog.event_data.NewSdDacl2", + "winlog.event_data.NewSdSacl0", + "winlog.event_data.NewSdSacl1", + "winlog.event_data.NewSdSacl2", + "winlog.event_data.NewTargetUserName", + "winlog.event_data.NewTime", + "winlog.event_data.NewUACList", + "winlog.event_data.NewUacValue", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + "winlog.event_data.ObjectName", + "winlog.event_data.ObjectServer", + "winlog.event_data.ObjectType", + "winlog.event_data.OemInformation", + "winlog.event_data.OldSchemeGuid", + "winlog.event_data.OldSd", + "winlog.event_data.OldSdDacl0", + "winlog.event_data.OldSdDacl1", + "winlog.event_data.OldSdDacl2", + "winlog.event_data.OldSdSacl0", + "winlog.event_data.OldSdSacl1", + "winlog.event_data.OldSdSacl2", + "winlog.event_data.OldTargetUserName", + "winlog.event_data.OldTime", + "winlog.event_data.OldUacValue", + "winlog.event_data.OriginalFileName", + "winlog.event_data.PackageName", + "winlog.event_data.PasswordLastSet", + "winlog.event_data.PasswordHistoryLength", + "winlog.event_data.Path", + "winlog.event_data.ParentProcessName", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreAuthType", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrimaryGroupId", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.ProfilePath", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Reason", + "winlog.event_data.ResourceAttributes", + "winlog.event_data.SamAccountName", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptPath", + "winlog.event_data.SidHistory", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.Service", + "winlog.event_data.ServiceAccount", + "winlog.event_data.ServiceFileName", + "winlog.event_data.ServiceName", + "winlog.event_data.ServiceSid", + "winlog.event_data.ServiceStartType", + "winlog.event_data.ServiceType", + "winlog.event_data.ServiceVersion", + "winlog.event_data.SessionName", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + "winlog.event_data.ShutdownReason", + "winlog.event_data.SidFilteringEnabled", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + "winlog.event_data.Signed", + "winlog.event_data.StartTime", + "winlog.event_data.State", + "winlog.event_data.Status", + "winlog.event_data.StatusDescription", + "winlog.event_data.StopTime", + "winlog.event_data.SubCategory", + "winlog.event_data.SubCategoryGuid", + "winlog.event_data.SubcategoryGuid", + "winlog.event_data.SubCategoryId", + "winlog.event_data.SubcategoryId", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.SubStatus", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetSid", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TdoAttributes", + "winlog.event_data.TdoDirection", + "winlog.event_data.TdoType", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TicketEncryptionType", + "winlog.event_data.TicketEncryptionTypeDescription", + "winlog.event_data.TicketOptions", + "winlog.event_data.TicketOptionsDescription", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.UserAccountControl", + "winlog.event_data.UserParameters", + "winlog.event_data.UserPrincipalName", + "winlog.event_data.UserSid", + "winlog.event_data.UserWorkstations", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + "winlog.event_data.WorkstationName", + "winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", + "winlog.event_id", + "winlog.keywords", + "winlog.level", + "winlog.outcome", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + "winlog.task", + "winlog.time_created", + "winlog.trustAttribute", + "winlog.trustDirection", + "winlog.trustType", + "winlog.user_data.BackupPath", + "winlog.user_data.Channel", + "winlog.user_data.SubjectDomainName", + "winlog.user_data.SubjectLogonId", + "winlog.user_data.SubjectUserName", + "winlog.user_data.SubjectUserSid", + "winlog.user_data.xml_name", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + "winlog.user.type" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "winlog": { + "properties": { + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "logon": { + "properties": { + "failure": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonHours": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketOptions": { + "ignore_above": 1024, + "type": "keyword" + }, + "AllowedToDelegateTo": { + "ignore_above": 1024, + "type": "keyword" + }, + "TdoAttributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessMask": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "ResourceAttributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "SessionName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PasswordHistoryLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSd": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "PackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "SidHistory": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "WorkstationName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "CrashOnAuditFailValue": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "HandleId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessListDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "MachineAccountQuota": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldUacValue": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserParameters": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubCategoryId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewUacValue": { + "ignore_above": 1024, + "type": "keyword" + }, + "CallerProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProfilePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainPolicyChanged": { + "ignore_above": 1024, + "type": "keyword" + }, + "CategoryId": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreAuthType": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccountDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewUACList": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubcategoryGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "SidFilteringEnabled": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuditPolicyChanges": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventSourceId": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrimaryGroupId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "PasswordLastSet": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "GroupTypeChange": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessList": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + }, + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketEncryptionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketOptionsDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectServer": { + "ignore_above": 1024, + "type": "keyword" + }, + "HomePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserWorkstations": { + "ignore_above": 1024, + "type": "keyword" + }, + "SamAccountName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuditSourceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubCategoryGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuditPolicyChangesDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessMaskDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccountName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketEncryptionTypeDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceAccount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "KerberosPolicyChange": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "MandatoryLabel": { + "ignore_above": 1024, + "type": "keyword" + }, + "HomeDirectory": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccountExpires": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceStartType": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserPrincipalName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdSacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "Dummy": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdSacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdSacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdSacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdSacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdSacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSd": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientName": { + "ignore_above": 1024, + "type": "keyword" + }, + "StatusDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdDacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdDacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdDacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainBehaviorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessGranted": { + "ignore_above": 1024, + "type": "keyword" + }, + "ParentProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubcategoryId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessRemoved": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "MixedDomainMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdDacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdDacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "Category": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdDacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "CallerProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TdoType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DisplayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "Service": { + "ignore_above": 1024, + "type": "keyword" + }, + "TdoDirection": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "CommandLine": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserAccountControl": { + "ignore_above": 1024, + "type": "keyword" + }, + "OemInformation": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubCategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonID": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_created": { + "ignore_above": 1024, + "type": "keyword" + }, + "trustDirection": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "trustAttribute": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "computerObject": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_data": { + "properties": { + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BackupPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "Channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "xml_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "trustType": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "port": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + } + } + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword", + "value": "logs" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "system" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "system.security" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "changes": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "system" + }, + "managed_by": "fleet", + "managed": true + } + } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json new file mode 100644 index 000000000..30576a635 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json @@ -0,0 +1,327 @@ +{ + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-system.syslog-1.6.4", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.os.full", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "ecs.version", + "message", + "process.name" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword", + "value": "logs" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "system" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "system.syslog" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "type": "match_only_text" + } + } + } + }, + "_meta": { + "package": { + "name": "system" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json new file mode 100644 index 000000000..068e6846b --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json @@ -0,0 +1,986 @@ +{ + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-system.system-1.6.4", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.original", + "event.outcome", + "event.provider", + "event.type", + "error.message", + "message", + "winlog.api", + "winlog.activity_id", + "winlog.computer_name", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.Company", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + "winlog.event_data.Group", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + "winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonId", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MajorVersion", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + "winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewTime", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + "winlog.event_data.OldSchemeGuid", + "winlog.event_data.OldTime", + "winlog.event_data.OriginalFileName", + "winlog.event_data.Path", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Reason", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.ServiceName", + "winlog.event_data.ServiceVersion", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + "winlog.event_data.ShutdownReason", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + "winlog.event_data.Signed", + "winlog.event_data.StartTime", + "winlog.event_data.State", + "winlog.event_data.Status", + "winlog.event_data.StopTime", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.UserSid", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + "winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", + "winlog.event_id", + "winlog.keywords", + "winlog.channel", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + "winlog.task", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + "winlog.user.type" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + }, + { + "winlog.user_data": { + "path_match": "winlog.user_data.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "winlog": { + "properties": { + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "system" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "system.system" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "message": { + "type": "match_only_text" + } + } + }, + "message": { + "type": "match_only_text" + } + } + } + }, + "_meta": { + "package": { + "name": "system" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json new file mode 100644 index 000000000..967641107 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json @@ -0,0 +1,2544 @@ + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-windows.forwarded-1.20.1", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "analysis": { + "analyzer": { + "powershell_script_analyzer": { + "pattern": "[\\W&&[^-]]+", + "type": "pattern" + } + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "tags", + "input.type", + "destination.domain", + "destination.user.domain", + "destination.user.id", + "destination.user.name", + "dns.answers.class", + "dns.answers.data", + "dns.answers.name", + "dns.answers.type", + "dns.header_flags", + "dns.id", + "dns.op_code", + "dns.question.class", + "dns.question.name", + "dns.question.registered_domain", + "dns.question.subdomain", + "dns.question.top_level_domain", + "dns.question.type", + "dns.response_code", + "dns.type", + "ecs.version", + "file.code_signature.status", + "file.code_signature.subject_name", + "file.directory", + "file.extension", + "file.hash.md5", + "file.hash.sha1", + "file.hash.sha256", + "file.hash.sha512", + "file.name", + "file.path", + "file.pe.architecture", + "file.pe.company", + "file.pe.description", + "file.pe.file_version", + "file.pe.imphash", + "file.pe.original_file_name", + "file.pe.product", + "group.domain", + "group.id", + "group.name", + "log.file.path", + "log.level", + "message", + "network.community_id", + "network.direction", + "network.protocol", + "network.transport", + "network.type", + "process.args", + "process.command_line", + "process.entity_id", + "process.executable", + "process.hash.md5", + "process.hash.sha1", + "process.hash.sha256", + "process.hash.sha512", + "process.name", + "process.parent.args", + "process.parent.command_line", + "process.parent.entity_id", + "process.parent.executable", + "process.parent.hash.md5", + "process.parent.hash.sha1", + "process.parent.hash.sha256", + "process.parent.hash.sha512", + "process.parent.name", + "process.parent.pe.architecture", + "process.parent.pe.company", + "process.parent.pe.description", + "process.parent.pe.file_version", + "process.parent.pe.imphash", + "process.parent.pe.original_file_name", + "process.parent.pe.product", + "process.parent.title", + "process.pe.architecture", + "process.pe.company", + "process.pe.description", + "process.pe.file_version", + "process.pe.imphash", + "process.pe.original_file_name", + "process.pe.product", + "process.title", + "process.working_directory", + "registry.data.strings", + "registry.data.type", + "registry.hive", + "registry.key", + "registry.path", + "registry.value", + "related.hash", + "related.hosts", + "related.user", + "rule.name", + "service.name", + "service.type", + "source.domain", + "source.user.domain", + "source.user.id", + "source.user.name", + "user.domain", + "user.id", + "user.name", + "user.target.group.domain", + "user.target.group.id", + "user.target.group.name", + "user.target.name", + "sysmon.dns.status", + "winlog.logon.type", + "winlog.logon.id", + "winlog.logon.failure.reason", + "winlog.logon.failure.status", + "winlog.logon.failure.sub_status", + "winlog.api", + "winlog.activity_id", + "winlog.computer_name", + "winlog.level", + "winlog.outcome", + "winlog.trustAttribute", + "winlog.trustDirection", + "winlog.trustType", + "winlog.computerObject.domain", + "winlog.computerObject.id", + "winlog.computerObject.name", + "winlog.event_data.AccessGranted", + "winlog.event_data.AccessMask", + "winlog.event_data.AccessMaskDescription", + "winlog.event_data.AccessRemoved", + "winlog.event_data.AccountDomain", + "winlog.event_data.AccountExpires", + "winlog.event_data.AccountName", + "winlog.event_data.AllowedToDelegateTo", + "winlog.event_data.AuditPolicyChanges", + "winlog.event_data.AuditPolicyChangesDescription", + "winlog.event_data.AuditSourceName", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.CallerProcessId", + "winlog.event_data.CallerProcessName", + "winlog.event_data.Category", + "winlog.event_data.CategoryId", + "winlog.event_data.ClientAddress", + "winlog.event_data.ClientInfo", + "winlog.event_data.ClientName", + "winlog.event_data.CommandLine", + "winlog.event_data.Company", + "winlog.event_data.ComputerAccountChange", + "winlog.event_data.Configuration", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CrashOnAuditFailValue", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DisplayName", + "winlog.event_data.DnsHostName", + "winlog.event_data.DomainBehaviorVersion", + "winlog.event_data.DomainName", + "winlog.event_data.DomainPolicyChanged", + "winlog.event_data.DomainSid", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.Dummy", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.EventSourceId", + "winlog.event_data.EventType", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FailureReason", + "winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + "winlog.event_data.Group", + "winlog.event_data.GroupTypeChange", + "winlog.event_data.HandleId", + "winlog.event_data.HomeDirectory", + "winlog.event_data.HomePath", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + "winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KerberosPolicyChange", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonHours", + "winlog.event_data.LogonId", + "winlog.event_data.LogonID", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MachineAccountQuota", + "winlog.event_data.MajorVersion", + "winlog.event_data.MandatoryLabel", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + "winlog.event_data.MixedDomainMode", + "winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewSd", + "winlog.event_data.NewSdDacl0", + "winlog.event_data.NewSdDacl1", + "winlog.event_data.NewSdDacl2", + "winlog.event_data.NewSdSacl0", + "winlog.event_data.NewSdSacl1", + "winlog.event_data.NewSdSacl2", + "winlog.event_data.NewTargetUserName", + "winlog.event_data.NewTime", + "winlog.event_data.NewUACList", + "winlog.event_data.NewUacValue", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + "winlog.event_data.ObjectName", + "winlog.event_data.ObjectServer", + "winlog.event_data.ObjectType", + "winlog.event_data.OemInformation", + "winlog.event_data.OldSchemeGuid", + "winlog.event_data.OldSd", + "winlog.event_data.OldSdDacl0", + "winlog.event_data.OldSdDacl1", + "winlog.event_data.OldSdDacl2", + "winlog.event_data.OldSdSacl0", + "winlog.event_data.OldSdSacl1", + "winlog.event_data.OldSdSacl2", + "winlog.event_data.OldTargetUserName", + "winlog.event_data.OldTime", + "winlog.event_data.OldUacValue", + "winlog.event_data.OriginalFileName", + "winlog.event_data.PackageName", + "winlog.event_data.PasswordLastSet", + "winlog.event_data.PasswordHistoryLength", + "winlog.event_data.Path", + "winlog.event_data.ParentProcessName", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreAuthType", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrimaryGroupId", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.ProfilePath", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Reason", + "winlog.event_data.SamAccountName", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptPath", + "winlog.event_data.Session", + "winlog.event_data.SidHistory", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.Service", + "winlog.event_data.ServiceAccount", + "winlog.event_data.ServiceFileName", + "winlog.event_data.ServiceName", + "winlog.event_data.ServicePrincipalNames", + "winlog.event_data.ServiceSid", + "winlog.event_data.ServiceStartType", + "winlog.event_data.ServiceType", + "winlog.event_data.ServiceVersion", + "winlog.event_data.SessionName", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + "winlog.event_data.ShutdownReason", + "winlog.event_data.SidFilteringEnabled", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + "winlog.event_data.Signed", + "winlog.event_data.StartTime", + "winlog.event_data.State", + "winlog.event_data.Status", + "winlog.event_data.StatusDescription", + "winlog.event_data.StopTime", + "winlog.event_data.SubCategory", + "winlog.event_data.SubCategoryGuid", + "winlog.event_data.SubcategoryGuid", + "winlog.event_data.SubCategoryId", + "winlog.event_data.SubcategoryId", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.SubStatus", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetSid", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TdoAttributes", + "winlog.event_data.TdoDirection", + "winlog.event_data.TdoType", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TicketEncryptionType", + "winlog.event_data.TicketEncryptionTypeDescription", + "winlog.event_data.TicketOptions", + "winlog.event_data.TicketOptionsDescription", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.UserAccountControl", + "winlog.event_data.UserParameters", + "winlog.event_data.UserPrincipalName", + "winlog.event_data.UserSid", + "winlog.event_data.UserWorkstations", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + "winlog.event_data.WorkstationName", + "winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", + "winlog.event_id", + "winlog.keywords", + "winlog.channel", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + "winlog.task", + "winlog.user_data.BackupPath", + "winlog.user_data.Channel", + "winlog.user_data.SubjectDomainName", + "winlog.user_data.SubjectLogonId", + "winlog.user_data.SubjectUserName", + "winlog.user_data.SubjectUserSid", + "winlog.user_data.xml_name", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + "winlog.user.type", + "powershell.id", + "powershell.pipeline_id", + "powershell.runspace_id", + "powershell.command.path", + "powershell.command.name", + "powershell.command.type", + "powershell.command.value", + "powershell.connected_user.domain", + "powershell.connected_user.name", + "powershell.engine.version", + "powershell.engine.previous_state", + "powershell.engine.new_state", + "powershell.file.script_block_id", + "powershell.file.script_block_text", + "powershell.process.executable_version", + "powershell.provider.new_state", + "powershell.provider.name" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sysmon": { + "properties": { + "file": { + "properties": { + "archived": { + "type": "boolean" + }, + "is_executable": { + "type": "boolean" + } + } + }, + "dns": { + "properties": { + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "port": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "rule": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "port": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "network": { + "properties": { + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "valid": { + "type": "boolean" + }, + "trusted": { + "type": "boolean" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "powershell": { + "properties": { + "sequence": { + "type": "long" + }, + "total": { + "type": "long" + }, + "connected_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "executable_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "script_block_text": { + "search_analyzer": "powershell_script_analyzer", + "analyzer": "powershell_script_analyzer", + "type": "text" + }, + "script_block_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "engine": { + "properties": { + "previous_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "runspace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pipeline_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "type": "text" + } + } + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "windows" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "windows.forwarded" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "properties": { + "strings": { + "ignore_above": 1024, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "start": { + "type": "date" + }, + "pid": { + "type": "long" + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "pe": { + "properties": { + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "pid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "winlog": { + "properties": { + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "logon": { + "properties": { + "failure": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Configuration": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonHours": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketOptions": { + "ignore_above": 1024, + "type": "keyword" + }, + "AllowedToDelegateTo": { + "ignore_above": 1024, + "type": "keyword" + }, + "TdoAttributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessMask": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "SessionName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PasswordHistoryLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSd": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "PackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "SidHistory": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "WorkstationName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "CrashOnAuditFailValue": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "HandleId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DnsHostName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "MachineAccountQuota": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldUacValue": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserParameters": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubCategoryId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewUacValue": { + "ignore_above": 1024, + "type": "keyword" + }, + "CallerProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProfilePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ComputerAccountChange": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainPolicyChanged": { + "ignore_above": 1024, + "type": "keyword" + }, + "CategoryId": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreAuthType": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccountDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewUACList": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubcategoryGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "SidFilteringEnabled": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuditPolicyChanges": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventSourceId": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrimaryGroupId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "PasswordLastSet": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "GroupTypeChange": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + }, + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketEncryptionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketOptionsDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectServer": { + "ignore_above": 1024, + "type": "keyword" + }, + "HomePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserWorkstations": { + "ignore_above": 1024, + "type": "keyword" + }, + "SamAccountName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuditSourceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubCategoryGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuditPolicyChangesDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessMaskDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccountName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketEncryptionTypeDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceAccount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServicePrincipalNames": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "KerberosPolicyChange": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "MandatoryLabel": { + "ignore_above": 1024, + "type": "keyword" + }, + "HomeDirectory": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccountExpires": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceStartType": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserPrincipalName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdSacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "Dummy": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdSacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdSacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdSacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventType": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdSacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdSacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSd": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientName": { + "ignore_above": 1024, + "type": "keyword" + }, + "StatusDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdDacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdDacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdDacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainBehaviorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessGranted": { + "ignore_above": 1024, + "type": "keyword" + }, + "ParentProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubcategoryId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessRemoved": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "MixedDomainMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdDacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdDacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "Category": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdDacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "CallerProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TdoType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DisplayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "Service": { + "ignore_above": 1024, + "type": "keyword" + }, + "TdoDirection": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "CommandLine": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserAccountControl": { + "ignore_above": 1024, + "type": "keyword" + }, + "OemInformation": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubCategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonID": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Session": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_created": { + "type": "date" + }, + "trustDirection": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trustAttribute": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "computerObject": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_data": { + "properties": { + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BackupPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "Channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "xml_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "trustType": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "answers": { + "properties": { + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + } + } + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dataset": { + "properties": { + "name": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "windows" + }, + "managed_by": "fleet", + "managed": true + } + } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json new file mode 100644 index 000000000..ad0ff857e --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json @@ -0,0 +1,1335 @@ + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-windows.powershell-1.20.1", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "analysis": { + "analyzer": { + "powershell_script_analyzer": { + "pattern": "[\\W&&[^-]]+", + "type": "pattern" + } + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "tags", + "input.type", + "destination.user.domain", + "destination.user.id", + "destination.user.name", + "ecs.version", + "file.directory", + "file.extension", + "file.name", + "file.path", + "log.level", + "message", + "process.args", + "process.command_line", + "process.entity_id", + "process.executable", + "process.name", + "process.title", + "related.hash", + "related.hosts", + "related.user", + "source.user.domain", + "source.user.id", + "source.user.name", + "user.domain", + "user.id", + "user.name", + "powershell.id", + "powershell.pipeline_id", + "powershell.runspace_id", + "powershell.command.path", + "powershell.command.name", + "powershell.command.type", + "powershell.command.value", + "powershell.connected_user.domain", + "powershell.connected_user.name", + "powershell.engine.version", + "powershell.engine.previous_state", + "powershell.engine.new_state", + "powershell.file.script_block_id", + "powershell.file.script_block_text", + "powershell.process.executable_version", + "powershell.provider.new_state", + "powershell.provider.name", + "winlog.api", + "winlog.activity_id", + "winlog.computer_name", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.Company", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + "winlog.event_data.Group", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + "winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonId", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MajorVersion", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + "winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewTime", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + "winlog.event_data.OldSchemeGuid", + "winlog.event_data.OldTime", + "winlog.event_data.OriginalFileName", + "winlog.event_data.Path", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Reason", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.ServiceName", + "winlog.event_data.ServiceVersion", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + "winlog.event_data.ShutdownReason", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + "winlog.event_data.Signed", + "winlog.event_data.StartTime", + "winlog.event_data.State", + "winlog.event_data.Status", + "winlog.event_data.StopTime", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.UserSid", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + "winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", + "winlog.event_id", + "winlog.keywords", + "winlog.channel", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + "winlog.task", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + "winlog.user.type" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + }, + { + "winlog.user_data": { + "path_match": "winlog.user_data.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "pid": { + "type": "long" + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + } + } + }, + "winlog": { + "properties": { + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "source": { + "properties": { + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "powershell": { + "properties": { + "sequence": { + "type": "long" + }, + "total": { + "type": "long" + }, + "connected_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "executable_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "script_block_text": { + "search_analyzer": "powershell_script_analyzer", + "analyzer": "powershell_script_analyzer", + "type": "text" + }, + "script_block_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "engine": { + "properties": { + "previous_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "runspace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pipeline_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "type": "text" + } + } + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "windows" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "windows.powershell" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dataset": { + "properties": { + "name": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "windows" + }, + "managed_by": "fleet", + "managed": true + } + } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json new file mode 100644 index 000000000..b5cc588c9 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json @@ -0,0 +1,1334 @@ + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-windows.powershell_operational-1.20.1", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "analysis": { + "analyzer": { + "powershell_script_analyzer": { + "pattern": "[\\W&&[^-]]+", + "type": "pattern" + } + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "tags", + "input.type", + "destination.user.domain", + "destination.user.id", + "destination.user.name", + "ecs.version", + "file.directory", + "file.extension", + "file.name", + "file.path", + "log.level", + "message", + "process.args", + "process.command_line", + "process.entity_id", + "process.executable", + "process.name", + "process.title", + "related.hash", + "related.hosts", + "related.user", + "source.user.domain", + "source.user.id", + "source.user.name", + "user.domain", + "user.id", + "user.name", + "powershell.id", + "powershell.pipeline_id", + "powershell.runspace_id", + "powershell.command.path", + "powershell.command.name", + "powershell.command.type", + "powershell.command.value", + "powershell.connected_user.domain", + "powershell.connected_user.name", + "powershell.engine.version", + "powershell.engine.previous_state", + "powershell.engine.new_state", + "powershell.file.script_block_id", + "powershell.file.script_block_text", + "powershell.process.executable_version", + "powershell.provider.new_state", + "powershell.provider.name", + "winlog.api", + "winlog.activity_id", + "winlog.computer_name", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.Company", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + "winlog.event_data.Group", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + "winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonId", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MajorVersion", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + "winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewTime", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + "winlog.event_data.OldSchemeGuid", + "winlog.event_data.OldTime", + "winlog.event_data.OriginalFileName", + "winlog.event_data.Path", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Reason", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.ServiceName", + "winlog.event_data.ServiceVersion", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + "winlog.event_data.ShutdownReason", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + "winlog.event_data.Signed", + "winlog.event_data.StartTime", + "winlog.event_data.State", + "winlog.event_data.Status", + "winlog.event_data.StopTime", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.UserSid", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + "winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", + "winlog.event_id", + "winlog.keywords", + "winlog.channel", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + "winlog.task", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + "winlog.user.type" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + }, + { + "winlog.user_data": { + "path_match": "winlog.user_data.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "pid": { + "type": "long" + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + } + } + }, + "winlog": { + "properties": { + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "source": { + "properties": { + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "powershell": { + "properties": { + "sequence": { + "type": "long" + }, + "total": { + "type": "long" + }, + "connected_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "executable_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "script_block_text": { + "analyzer": "powershell_script_analyzer", + "type": "text" + }, + "script_block_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "engine": { + "properties": { + "previous_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "runspace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pipeline_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "type": "text" + } + } + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "windows" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "windows.powershell_operational" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dataset": { + "properties": { + "name": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "windows" + }, + "managed_by": "fleet", + "managed": true + } + } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json new file mode 100644 index 000000000..451eaf7aa --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json @@ -0,0 +1,1752 @@ + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-windows.sysmon_operational-1.20.1", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "tags", + "input.type", + "destination.domain", + "dns.answers.class", + "dns.answers.data", + "dns.answers.name", + "dns.answers.type", + "dns.header_flags", + "dns.id", + "dns.op_code", + "dns.question.class", + "dns.question.name", + "dns.question.registered_domain", + "dns.question.subdomain", + "dns.question.top_level_domain", + "dns.question.type", + "dns.response_code", + "dns.type", + "ecs.version", + "error.code", + "error.message", + "file.code_signature.status", + "file.code_signature.subject_name", + "file.directory", + "file.extension", + "file.hash.md5", + "file.hash.sha1", + "file.hash.sha256", + "file.hash.sha512", + "file.name", + "file.path", + "file.pe.architecture", + "file.pe.company", + "file.pe.description", + "file.pe.file_version", + "file.pe.imphash", + "file.pe.original_file_name", + "file.pe.product", + "group.domain", + "group.id", + "group.name", + "log.level", + "message", + "network.community_id", + "network.direction", + "network.protocol", + "network.transport", + "network.type", + "process.args", + "process.command_line", + "process.entity_id", + "process.executable", + "process.hash.md5", + "process.hash.sha1", + "process.hash.sha256", + "process.hash.sha512", + "process.name", + "process.parent.args", + "process.parent.command_line", + "process.parent.entity_id", + "process.parent.executable", + "process.parent.name", + "process.pe.architecture", + "process.pe.company", + "process.pe.description", + "process.pe.file_version", + "process.pe.imphash", + "process.pe.original_file_name", + "process.pe.product", + "process.title", + "process.working_directory", + "registry.data.strings", + "registry.data.type", + "registry.hive", + "registry.key", + "registry.path", + "registry.value", + "related.hash", + "related.hosts", + "related.user", + "rule.name", + "service.name", + "service.type", + "source.domain", + "user.domain", + "user.id", + "user.name", + "user.target.group.domain", + "user.target.group.id", + "user.target.group.name", + "user.target.name", + "sysmon.dns.status", + "winlog.api", + "winlog.activity_id", + "winlog.computer_name", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.CallTrace", + "winlog.event_data.ClientInfo", + "winlog.event_data.Company", + "winlog.event_data.Configuration", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.EventType", + "winlog.event_data.EventNamespace", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + "winlog.event_data.GrantedAccess", + "winlog.event_data.Group", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + "winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonId", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MajorVersion", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + "winlog.event_data.Name", + "winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewThreadId", + "winlog.event_data.NewTime", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + "winlog.event_data.OldSchemeGuid", + "winlog.event_data.OldTime", + "winlog.event_data.Operation", + "winlog.event_data.OriginalFileName", + "winlog.event_data.Path", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Query", + "winlog.event_data.Reason", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.ServiceName", + "winlog.event_data.ServiceVersion", + "winlog.event_data.Session", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + "winlog.event_data.ShutdownReason", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + "winlog.event_data.Signed", + "winlog.event_data.StartAddress", + "winlog.event_data.StartFunction", + "winlog.event_data.StartModule", + "winlog.event_data.StartTime", + "winlog.event_data.State", + "winlog.event_data.Status", + "winlog.event_data.StopTime", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetImage", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetProcessGUID", + "winlog.event_data.TargetProcessId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.Type", + "winlog.event_data.UserSid", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + "winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", + "winlog.event_id", + "winlog.keywords", + "winlog.channel", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + "winlog.task", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + "winlog.user.type" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + }, + { + "winlog.user_data": { + "path_match": "winlog.user_data.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sysmon": { + "properties": { + "file": { + "properties": { + "archived": { + "type": "boolean" + }, + "is_executable": { + "type": "boolean" + } + } + }, + "dns": { + "properties": { + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "port": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + } + } + }, + "rule": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "port": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "type": "match_only_text" + } + } + }, + "network": { + "properties": { + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "valid": { + "type": "boolean" + }, + "trusted": { + "type": "boolean" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "windows" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "windows.sysmon_operational" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "properties": { + "strings": { + "ignore_above": 1024, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "pid": { + "type": "long" + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + } + } + }, + "pe": { + "properties": { + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "pid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "winlog": { + "properties": { + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Configuration": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Query": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "CallTrace": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "GrantedAccess": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewThreadId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "Type": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventType": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Name": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetProcessGUID": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartFunction": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetImage": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventNamespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartModule": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + }, + "Session": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "answers": { + "properties": { + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + } + } + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dataset": { + "properties": { + "name": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "windows" + }, + "managed_by": "fleet", + "managed": true + } + } diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines b/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines index 7fdc6ff7b..350ac97c5 100755 --- a/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines @@ -42,7 +42,7 @@ if [ ! -f /opt/so/state/espipelines.txt ]; then cd ${ELASTICSEARCH_INGEST_PIPELINES} echo "Loading pipelines..." - for i in *; do echo $i; RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -k -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done + for i in .[a-z]* *; do echo $i; RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -k -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done echo cd - >/dev/null diff --git a/setup/so-functions b/setup/so-functions index a9d5b434e..1b15bb140 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -976,14 +976,14 @@ detect_os() { download_elastic_agent_artifacts() { if [[ $is_iso ]]; then - logCmd "tar -xf /nsm/elastic-fleet/artifacts/beats/elastic-agent_SO-$SOVERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" + logCmd "tar -xf /nsm/elastic-fleet/artifacts/beats/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" else logCmd "mkdir -p /nsm/elastic-fleet/artifacts/beats/elastic-agent/" - retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz" "" "" - retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.md5 --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.md5" "" "" + retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" "" "" + retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5 --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" "" "" - SOURCEHASH=$(md5sum /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz | awk '{ print $1 }') - HASH=$(cat /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.md5) + SOURCEHASH=$(md5sum /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz | awk '{ print $1 }') + HASH=$(cat /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5) if [[ "$HASH" == "$SOURCEHASH" ]]; then info "Elastic Agent source hash is good." @@ -992,7 +992,7 @@ download_elastic_agent_artifacts() { fail_setup fi - logCmd "tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" + logCmd "tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" fi } diff --git a/setup/so-variables b/setup/so-variables index 2c7cb3dba..7c5e51c6c 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -218,4 +218,4 @@ patch_pillar_file="$local_salt_dir/pillar/patch/soc_patch.sls" export patch_pillar_file adv_patch_pillar_file="$local_salt_dir/pillar/patch/adv_patch.sls" -export adv_patch_pillar_file +export adv_patch_pillar_file \ No newline at end of file