From ad5a424c0397a546ec3f7d7af4893f053e99dc9b Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 9 Jun 2023 18:32:50 +0000 Subject: [PATCH 01/24] Update templates for integrations --- salt/elasticsearch/defaults.yaml | 135 ++++++++++++++++++++++++++++--- 1 file changed, 122 insertions(+), 13 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 10cc347d1..50e06c340 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
@@ -111,11 +111,120 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-osquery-manager: + so-logs-system.application: index_sorting: False index_template: index_patterns: - - ".logs-osquery*" + - "logs-system.application*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-system.application@package" + - "logs-system.application@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-system.security: + index_sorting: False + index_template: + index_patterns: + - "logs-system.security*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-system.security@package" + - "logs-system.security@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-windows.forwarded: + index_sorting: False + index_template: + index_patterns: + - "logs-windows.forwarded*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-windows.forwarded@package" + - "logs-windows.forwarded@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-windows.powershell: + index_sorting: False + index_template: + index_patterns: + - "logs-windows.powershell-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-windows.powershell@package" + - "logs-windows.powershell@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-windows.powershell_operational: + index_sorting: False + index_template: + index_patterns: + - "logs-windows.powershell_operational-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - 
"logs-windows.powershell_operational@package" + - "logs-windows.powershell_operational@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-windows.sysmon_operational: + index_sorting: False + index_template: + index_patterns: + - "logs-windows.sysmon_operational-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-windows.sysmon_operational@package" + - "logs-windows.sysmon_operational@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + + so-logs-osquery-manager: + index_sorting: False + index_template: + index_patterns: + - "logs-osquery*" template: settings: index: @@ -126,7 +235,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.apm_server: + so-logs-elastic_agent.apm_server: index_sorting: False index_template: index_patterns: @@ -180,7 +289,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.auditbeat: + so-logs-elastic_agent.auditbeat: index_sorting: False index_template: index_patterns: @@ -234,7 +343,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.cloudbeat: + so-logs-elastic_agent.cloudbeat: index_sorting: False index_template: index_patterns: @@ -285,7 +394,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.endpoint_security: + so-logs-elastic_agent.endpoint_security: index_sorting: False index_template: index_patterns: @@ -339,7 +448,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.filebeat: + so-logs-elastic_agent.filebeat: index_sorting: False index_template: index_patterns: 
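Review bot: The new index_patterns are inconsistent about the `-` before the wildcard: `logs-system.application*`, `logs-system.security*` and `logs-windows.forwarded*` omit it while `logs-windows.powershell-*`, `logs-windows.powershell_operational-*` and `logs-windows.sysmon_operational-*` include it, and because every new template is at `priority: 501`, a dash-less pattern also matches any sibling dataset that shares the prefix (exactly why `logs-windows.powershell*` could not be used next to `powershell_operational`), which Elasticsearch refuses when two templates of equal priority overlap. Terminate every dataset the same way, e.g. `- "logs-system.application-*"`, `- "logs-system.security-*"`, `- "logs-windows.forwarded-*"`; the same applies to the `logs-system.auth*` and `logs-system.syslog*` patterns added in PATCH 03/24. Within the same blocks `index_sorting: False` is capitalised while `hidden: false` and `allow_custom_routing: false` are not; PyYAML reads both as booleans, but `index_sorting: false` keeps the file on a single spelling. The `so-logs-osquery-manager` block whose `template: settings: index:` lines close this hunk continues outside it.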
@@ -393,7 +502,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.fleet_server: + so-logs-elastic_agent.fleet_server: index_sorting: False index_template: index_patterns: @@ -447,7 +556,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.heartbeat: + so-logs-elastic_agent.heartbeat: index_sorting: False index_template: index_patterns: @@ -498,7 +607,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent: + so-logs-elastic_agent: index_sorting: False index_template: index_patterns: @@ -552,7 +661,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.metricbeat: + so-logs-elastic_agent.metricbeat: index_sorting: False index_template: index_patterns: @@ -606,7 +715,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.osquerybeat: + so-logs-elastic_agent.osquerybeat: index_sorting: False index_template: index_patterns: @@ -660,7 +769,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.packetbeat: + so-logs-elastic_agent.packetbeat: index_sorting: False index_template: index_patterns: From 998c85e3f8cdaa818e66c6d4420fffd82cda9615 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 12 Jun 2023 09:31:19 -0400 Subject: [PATCH 02/24] Update defaults.yaml --- salt/elasticfleet/defaults.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml index e14a7aa5b..8c858c711 100644 --- a/salt/elasticfleet/defaults.yaml +++ b/salt/elasticfleet/defaults.yaml @@ -11,6 +11,7 @@ elasticfleet: excluded: - broker - capture_loss + - cluster - ecat_arp_info - known_hosts - known_services From 42f5ad993963609c56bf7f31de2c8161126399cd Mon Sep 17 00:00:00 2001 
From: Wes Date: Mon, 12 Jun 2023 14:23:24 +0000 Subject: [PATCH 03/24] Add templates for system.auth and systen.syslog --- salt/elasticsearch/defaults.yaml | 37 +++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 50e06c340..880289541 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -111,6 +111,42 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true + so-logs-system.auth: + index_sorting: False + index_template: + index_patterns: + - "logs-system.auth*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-system.auth@package" + - "logs-system.auth@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-system.syslog: + index_sorting: False + index_template: + index_patterns: + - "logs-system.syslog*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-system.syslog@package" + - "logs-system.syslog@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false so-logs-system.application: index_sorting: False index_template: @@ -219,7 +255,6 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-osquery-manager: index_sorting: False index_template: From 120891589689edf726d47251f8c4decb48e9a364 Mon Sep 17 00:00:00 2001 
From: Wes Date: Mon, 12 Jun 2023 14:24:59 +0000 Subject: [PATCH 04/24] Remove Elastic Agent package templates --- ...logs-elastic_agent.apm_server@package.json | 505 ----------------- .../logs-elastic_agent.auditbeat@package.json | 505 ----------------- .../logs-elastic_agent.cloudbeat@package.json | 510 ------------------ ...astic_agent.endpoint_security@package.json | 505 ----------------- .../logs-elastic_agent.filebeat@package.json | 505 ----------------- ...gs-elastic_agent.fleet_server@package.json | 505 ----------------- .../logs-elastic_agent.heartbeat@package.json | 505 ----------------- ...logs-elastic_agent.metricbeat@package.json | 505 ----------------- ...ogs-elastic_agent.osquerybeat@package.json | 505 ----------------- ...logs-elastic_agent.packetbeat@package.json | 498 ----------------- .../logs-elastic_agent@package.json | 505 ----------------- 11 files changed, 5553 deletions(-) delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json deleted file mode 100644 index 9fd8c928f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json +++ /dev/null 
@@ -1,505 +0,0 @@ -{ - "template": { - "settings": { - "analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, 
- "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 
1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} 
-} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json deleted file mode 100644 index 9fd8c928f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json +++ /dev/null 
@@ -1,505 +0,0 @@ -{ - "template": { - "settings": { - "analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, 
- "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 
1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} 
-} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json deleted file mode 100644 index c4874ed3c..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json +++ /dev/null 
@@ -1,510 +0,0 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, 
-"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": 
"keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": 
{ - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json deleted file mode 100644 index 36978b0d8..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json +++ /dev/null 
@@ -1,505 +0,0 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, 
- "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 
1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} 
-} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json deleted file mode 100644 index 36978b0d8..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json +++ /dev/null 
@@ -1,505 +0,0 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, 
- "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 
1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} 
-} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json deleted file mode 100644 index 36978b0d8..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json +++ /dev/null 
@@ -1,505 +0,0 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, 
- "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 
1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} 
-} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json deleted file mode 100644 index f353ac542..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json +++ /dev/null 
@@ -1,505 +0,0 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, 
- "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 
1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} 
-} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "message": { - "type": "text" - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json deleted file mode 100644 index 36978b0d8..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json +++ /dev/null 
@@ -1,505 +0,0 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, 
- "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 
1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} 
-} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json deleted file mode 100644 index 36978b0d8..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json +++ /dev/null 
@@ -1,505 +0,0 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, 
- "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 
1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} 
-} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json deleted file mode 100644 index 9e593d3f8..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json +++ /dev/null 
@@ -1,498 +0,0 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, 
- "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 
1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} 
-} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json deleted file mode 100644 index 7df3309b1..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json +++ /dev/null 
@@ -1,505 +0,0 @@ -{ - "template": { - "settings": { - "analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, 
- "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 
1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} 
-} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} From 57268ba93408e57b2f6b22cd54b19bc74b252a71 Mon Sep 17 00:00:00 2001 From: Wes Date: Mon, 12 Jun 2023 14:29:45 +0000 Subject: [PATCH 05/24] Change priority of templates --- salt/elasticsearch/defaults.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 880289541..588bf7cf2 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
@@ -509,7 +509,7 @@ elasticsearch:
 - "logs-elastic_agent.filebeat@custom"
 - "so-fleet_globals-1"
 - "so-fleet_agent_id_verification-1"
- priority: 200
+ priority: 501
 data_stream:
 hidden: false
 allow_custom_routing: false
@@ -563,7 +563,7 @@ elasticsearch:
 - "logs-elastic_agent.fleet_server@custom"
 - "so-fleet_globals-1"
 - "so-fleet_agent_id_verification-1"
- priority: 200
+ priority: 501
 data_stream:
 hidden: false
 allow_custom_routing: false
@@ -776,7 +776,7 @@ elasticsearch:
 - "logs-elastic_agent.osquerybeat@custom"
 - "so-fleet_globals-1"
 - "so-fleet_agent_id_verification-1"
- priority: 200
+ priority: 501
 data_stream:
 hidden: false
 allow_custom_routing: false
@@ -830,7 +830,7 @@ elasticsearch:
 - "logs-elastic_agent.packetbeat@custom"
 - "so-fleet_globals-1"
 - "so-fleet_agent_id_verification-1"
- priority: 200
+ priority: 501
 data_stream:
 hidden: false
 allow_custom_routing: false
From d0a6881c2cce16de27ad5c1912ea1519ee32b46a Mon Sep 17 00:00:00 2001
From: Wes
Date: Tue, 13 Jun 2023 13:35:46 +0000
Subject: [PATCH 06/24] Add event mappings and remove meta information for now
---
 salt/elasticsearch/defaults.yaml | 46 +++++++++----------------------
 1 file changed, 12 insertions(+), 34 deletions(-)
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 588bf7cf2..4f4f5a295 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -296,7 +296,7 @@ elasticsearch:
 - "logs-elastic_agent.apm_server@custom"
 - "so-fleet_globals-1"
 - "so-fleet_agent_id_verification-1"
- priority: 200
+ priority: 501
 data_stream:
 hidden: false
 allow_custom_routing: false
@@ -350,7 +350,7 @@ elasticsearch:
 - "logs-elastic_agent.auditbeat@custom"
 - "so-fleet_globals-1"
 - "so-fleet_agent_id_verification-1"
- priority: 200
+ priority: 501
 data_stream:
 hidden: false
 allow_custom_routing: false
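Review bot: `priority: 501` is an unexplained magic number, repeated verbatim in this hunk and in the -563, -776 and -830 hunks of this patch, the -296 and -350 hunks of the next one, and again in that patch's -404, -617, -664 and -711 hunks, with nothing recording why 501 was chosen. The replaced value, 200, appears to be the priority Fleet itself assigns to the index templates it installs for integrations, so the intent is presumably that the Security Onion definition outranks the Fleet-installed one for the same pattern; that should be written down at the first occurrence, e.g. `priority: 501  # must exceed the Fleet-installed template's priority (200) so this definition is the one applied`. Because the value has to move in lockstep across every template, defining it once (a Salt pillar or Jinja default) would be safer than hand-editing eleven copies. Each enclosing template definition starts outside its hunk.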
@@ -404,7 +404,7 @@ elasticsearch: - "logs-elastic_agent.cloudbeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 policy: phases: hot: @@ -455,7 +455,7 @@ elasticsearch: - "logs-elastic_agent.endpoint_security@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false @@ -498,13 +498,8 @@ elasticsearch: sort: field: "@timestamp" order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true composed_of: + - "event-mappings" - "logs-elastic_agent.filebeat@package" - "logs-elastic_agent.filebeat@custom" - "so-fleet_globals-1" @@ -546,19 +541,11 @@ elasticsearch: settings: index: number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 sort: field: "@timestamp" order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true composed_of: + - "event-mappings" - "logs-elastic_agent.fleet_server@package" - "logs-elastic_agent.fleet_server@custom" - "so-fleet_globals-1" @@ -617,7 +604,7 @@ elasticsearch: - "logs-elastic_agent.heartbeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 policy: phases: hot: @@ -664,11 +651,12 @@ elasticsearch: managed_by: security_onion managed: true composed_of: + - "event-mappings" - "logs-elastic_agent@package" - "logs-elastic_agent@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false 
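Review bot: The new `- "event-mappings"` entry is placed first in `composed_of` (here in `@@ -498` and `@@ -546`, and likewise in `@@ -664`, `@@ -711` and `@@ -765` on the next line), which makes it the lowest-precedence component: Elasticsearch merges `composed_of` templates in order and later entries override earlier ones on conflicting keys, so any field `event-mappings` defines that the `@package` template also defines is taken from the package. If `event-mappings` is meant to add Security Onion's own field definitions on top of the package mappings it belongs after the `@package`/`@custom` entries; if it is meant as a base layer the current position is right, and a one-line comment stating which (`# base layer: package templates below override it on conflict`) would settle it. Separately, `@@ -664` keeps the `mappings._meta` block (`managed_by: security_onion`, `managed: true`) as context while `@@ -498`, `@@ -546`, `@@ -711` and `@@ -765` remove the same block, which reads as inconsistent with the commit's "remove meta information" and is probably an oversight. The `mapping.total_fields.limit: 5000` dropped in `@@ -546` is presumably superseded by the `"limit": "10000"` the `@package` component templates added later in this series carry; if so that is worth a sentence in the commit message. Every entry these hunks touch starts and ends outside the hunk.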
@@ -711,18 +699,13 @@ elasticsearch: sort: field: "@timestamp" order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true composed_of: + - "event-mappings" - "logs-elastic_agent.metricbeat@package" - "logs-elastic_agent.metricbeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false @@ -765,13 +748,8 @@ elasticsearch: sort: field: "@timestamp" order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true composed_of: + - "event-mappings" - "logs-elastic_agent.osquerybeat@package" - "logs-elastic_agent.osquerybeat@custom" - "so-fleet_globals-1" From 38ab426470ad5bd316df3d93b62d62fd7ae7ed0b Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 13 Jun 2023 13:36:26 +0000 Subject: [PATCH 07/24] Add final Fleet pipeline --- .../files/ingest/.fleet_final_pipeline-1 | 94 +++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 diff --git a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 new file mode 100644 index 000000000..cf36bc798 --- /dev/null +++ b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 
@@ -0,0 +1,94 @@
+{
+ "version": 3,
+ "_meta": {
+ "managed_by": "fleet",
+ "managed": true
+ },
+ "description": "Final pipeline for processing all incoming Fleet Agent documents. \n",
+ "processors": [
+ {
+ "date": {
+ "description": "Add time when event was ingested (and remove sub-seconds to improve storage efficiency)",
+ "tag": "truncate-subseconds-event-ingested",
+ "field": "_ingest.timestamp",
+ "target_field": "event.ingested",
+ "formats": [
+ "ISO8601"
+ ],
+ "output_format": "date_time_no_millis",
+ "ignore_failure": true
+ }
+ },
+ {
+ "remove": {
+ "description": "Remove any pre-existing untrusted values.",
+ "field": [
+ "event.agent_id_status",
+ "_security"
+ ],
+ "ignore_missing": true
+ }
+ },
+ {
+ "set_security_user": {
+ "field": "_security",
+ "properties": [
+ "authentication_type",
+ "username",
+ "realm",
+ "api_key"
+ ]
+ }
+ },
+ {
+ "script": {
+ "description": "Add event.agent_id_status based on the API key metadata and the agent.id contained in the event.\n",
+ "tag": "agent-id-status",
+ "source": "boolean is_user_trusted(def ctx, def users) {\n if (ctx?._security?.username == null) {\n return false;\n }\n\n def user = null;\n for (def item : users) {\n if (item?.username == ctx._security.username) {\n user = item;\n break;\n }\n }\n\n if (user == null || user?.realm == null || ctx?._security?.realm?.name == null) {\n return false;\n }\n\n if (ctx._security.realm.name != user.realm) {\n return false;\n }\n\n return true;\n}\n\nString verified(def ctx, def params) {\n // No agent.id field to validate.\n if (ctx?.agent?.id == null) {\n return \"missing\";\n }\n\n // Check auth metadata from API key.\n if (ctx?._security?.authentication_type == null\n // Agents only use API keys.\n || ctx._security.authentication_type != 'API_KEY'\n // Verify the API key owner before trusting any metadata it contains.\n || !is_user_trusted(ctx, params.trusted_users)\n // Verify the API key has metadata indicating the assigned agent ID.\n || ctx?._security?.api_key?.metadata?.agent_id == null) {\n return \"auth_metadata_missing\";\n }\n\n // The API key can only be used represent the agent.id it was issued to.\n if (ctx._security.api_key.metadata.agent_id != ctx.agent.id) {\n // Potential masquerade attempt.\n return \"mismatch\";\n }\n\n return \"verified\";\n}\n\nif (ctx?.event == null) {\n ctx.event = [:];\n}\n\nctx.event.agent_id_status = verified(ctx, params);",
+ "params": {
+ "trusted_users": [
+ {
+ "username": "elastic/fleet-server",
+ "realm": "_service_account"
+ },
+ {
+ "username": "cloud-internal-agent-server",
+ "realm": "found"
+ },
+ {
+ "username": "elastic",
+ "realm": "reserved"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "remove": {
+ "field": "_security",
+ "ignore_missing": true
+ }
+ },
+ { "set": { "ignore_failure": true, "field": "event.module", "value": "elastic_agent" } },
+ { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } },
+ { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" }},
+ { "remove": { "field": [ "module_temp" ], "ignore_missing": true, "ignore_failure": true } }
+ ],
+ "on_failure": [
+ {
+ "remove": {
+ "field": "_security",
+ "ignore_missing": true,
+ "ignore_failure": true
+ }
+ },
+ {
+ "append": {
+ "field": "error.message",
+ "value": [
+ "failed in Fleet agent final_pipeline: {{ _ingest.on_failure_message }}"
+ ]
+ }
+ }
+ ]
+}
From 73812b11a321c808bbfa13e1ad7ec37e236dce3b Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 13 Jun 2023 13:37:56 +0000 Subject: [PATCH 08/24] Allow ingest node pipelines that start with a period --- salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines b/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines
index 7fdc6ff7b..350ac97c5 100755
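Review bot: This file installs a locally modified `.fleet_final_pipeline-1` under the same name and `"version": 3` that Fleet manages itself, and the four Security Onion additions at the end of `processors` (the `set`/`split`/`set`/`remove` sequence that derives `event.module` from `event.dataset`) are not marked as local. Kibana's Fleet setup decides whether to (re)install this pipeline from its version field, so if the release in use ships the same version the customisation survives, but a Kibana upgrade carrying a newer version would replace the whole pipeline and the `event.module` processors would disappear silently; a comment at the top of the file naming the upstream version this was copied from and listing the local additions, plus a `"description"` on each of the four added processors mirroring the upstream style, would make that drift visible when it happens. The `trusted_users` list also keeps `cloud-internal-agent-server` in realm `found`, an Elastic Cloud identity that cannot exist on a self-hosted cluster; it is harmless since no local user can sit in that realm, but a comment saying it is retained only to stay identical to upstream would stop the next reader from treating it as a Security Onion trust decision.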
--- a/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines @@ -42,7 +42,7 @@ if [ ! -f /opt/so/state/espipelines.txt ]; then cd ${ELASTICSEARCH_INGEST_PIPELINES} echo "Loading pipelines..." - for i in *; do echo $i; RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -k -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done + for i in .[a-z]* *; do echo $i; RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -k -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done echo cd - >/dev/null From 2aa954cb0a5397c30702a0d0d157d2755b6a3a6b Mon Sep 17 00:00:00 2001 
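Review bot: The new glob `.[a-z]* *` is evaluated with bash's default globbing, so on a deployment whose pipeline directory contains no dot-file the literal `.[a-z]*` is iterated as a filename and the loop issues a `PUT _ingest/pipeline/.[a-z]*` with `-d@.[a-z]*`, which curl cannot read; the resulting error response then flips `RETURN_CODE` to 1 and the whole load is reported as failed. Guarding with a file test inside the loop, `for i in .[a-z]* *; do [ -f "$i" ] || continue; ...`, or enabling `shopt -s nullglob` before the loop, keeps the run clean in that case. The pattern also only picks up dot-files whose second character is a lowercase letter, which matches `.fleet_final_pipeline-1` today but would silently skip a future `.Foo` or `._bar`; `.[!.]*` is the usual idiom if the intent is "every dot-file". The rewritten line still carries the pre-existing `curl -k` and `2>/dev/null`, so TLS verification is off and curl's own errors are hidden; that is not introduced here but is worth a follow-up. The enclosing `if [ ! -f /opt/so/state/espipelines.txt ]` block starts and ends outside the hunk.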
From: Wes Date: Tue, 13 Jun 2023 15:25:23 +0000 Subject: [PATCH 09/24] Add component templates --- ...logs-elastic_agent.apm_server@package.json | 337 +++++++++++++++ .../logs-elastic_agent.auditbeat@package.json | 337 +++++++++++++++ .../logs-elastic_agent.cloudbeat@package.json | 347 ++++++++++++++++ ...astic_agent.endpoint_security@package.json | 337 +++++++++++++++ .../logs-elastic_agent.filebeat@package.json | 337 +++++++++++++++ ...gs-elastic_agent.fleet_server@package.json | 337 +++++++++++++++ .../logs-elastic_agent.heartbeat@package.json | 337 +++++++++++++++ ...logs-elastic_agent.metricbeat@package.json | 337 +++++++++++++++ ...ogs-elastic_agent.osquerybeat@package.json | 337 +++++++++++++++ ...logs-elastic_agent.packetbeat@package.json | 330 +++++++++++++++ .../logs-elastic_agent@package.json | 390 ++++++++++++++++++ 11 files changed, 3763 insertions(+) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json create mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json new file mode 100644 index 000000000..b26b7fcd4 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json 
@@ -0,0 +1,337 @@ +{ + "component_templates": [ + { + "name": "logs-elastic_agent.apm_server@package", + "component_template": { + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.apm_server-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } + } + } + ] +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json new file mode 100644 index 000000000..2bb67d287 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json 
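Review bot: `"default_pipeline": "logs-elastic_agent.apm_server-1.7.0"` pins this component template to a Fleet ingest pipeline whose name carries the integration package version, and the same pinning appears in every other file of this commit (`auditbeat`, `cloudbeat`, `endpoint_security`, `filebeat`, and presumably the remaining `@package` files not visible here). If the elastic_agent package on the target cluster is a different version, or the pipeline has not been installed at all, indexing into the matching data stream fails outright with a pipeline-not-found error rather than degrading, so the version ought to be templated from whatever installs the package or at least recorded in a header comment as a value that must be kept in step. The files also keep `"_meta": { "managed_by": "fleet", "managed": true }` and the exact Fleet template names, which tells Fleet these are its own assets; if Fleet later installs or upgrades the package it will overwrite them, and any local divergence from upstream (none is visible in this file, which appears to be a verbatim export) would be lost without notice.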
@@ -0,0 +1,337 @@ +{ + "component_templates": [ + { + "name": "logs-elastic_agent.auditbeat@package", + "component_template": { + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.auditbeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } + } + } + ] +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json new file mode 100644 index 000000000..10ac8dfef --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json 
@@ -0,0 +1,347 @@ +{ + "component_templates": [ + { + "name": "logs-elastic_agent.cloudbeat@package", + "component_template": { + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.cloudbeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "decision_id", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "message": { + "type": "match_only_text" + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "result": { + "type": "object" + }, + "input": { + "type": "object" + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "decision_id": { + "type": "text" + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } + } + } + ] +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json new file mode 100644 index 000000000..fee2bb3ab --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json 
@@ -0,0 +1,337 @@ +{ + "component_templates": [ + { + "name": "logs-elastic_agent.endpoint_security@package", + "component_template": { + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.endpoint_security-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 
1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } + } + } + ] +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json new file mode 100644 index 000000000..c03976ec2 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json 
@@ -0,0 +1,337 @@ +{ + "component_templates": [ + { + "name": "logs-elastic_agent.filebeat@package", + "component_template": { + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.filebeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } + } + } + ] +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json new file mode 100644 index 000000000..378225a50 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json 
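Review bot: `"default_pipeline": "logs-elastic_agent.filebeat-1.7.0"` pins this component template to one exact package version of the ingest pipeline, so if that pipeline is not installed (or Fleet upgrades the elastic_agent package and renames it) every write to the matching data stream is rejected rather than degrading gracefully. The same pinned-version pattern appears in the fleet_server, heartbeat, metricbeat, osquerybeat and packetbeat hunks that follow. Because JSON cannot carry a comment, the Salt state that ships these files (or a sibling README) should record which elastic_agent package version they were exported from and that they must be regenerated on upgrade. The `_meta` block also keeps `"managed_by": "fleet", "managed": true`, while defaults.yaml marks its templates `managed_by: security_onion`; it is worth confirming which side is authoritative, since a Fleet package install and a Salt re-apply could otherwise overwrite each other's copy.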
@@ -0,0 +1,337 @@ +{ + "component_templates": [ + { + "name": "logs-elastic_agent.fleet_server@package", + "component_template": { + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.fleet_server-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } + } + } + ] +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json new file mode 100644 index 000000000..523305d3e --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json 
@@ -0,0 +1,337 @@ +{ + "component_templates": [ + { + "name": "logs-elastic_agent.heartbeat@package", + "component_template": { + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.heartbeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "message": { + "type": "text" + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } + } + } + ] +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json new file mode 100644 index 000000000..65ab6d0ff --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json 
@@ -0,0 +1,337 @@ +{ + "component_templates": [ + { + "name": "logs-elastic_agent.metricbeat@package", + "component_template": { + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.metricbeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } + } + } + ] +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json new file mode 100644 index 000000000..6c59b3b53 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json 
@@ -0,0 +1,337 @@ +{ + "component_templates": [ + { + "name": "logs-elastic_agent.osquerybeat@package", + "component_template": { + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.osquerybeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } + } + } + ] +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json new file mode 100644 index 000000000..fe8c6ede4 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json 
@@ -0,0 +1,330 @@ +{ + "component_templates": [ + { + "name": "logs-elastic_agent.packetbeat@package", + "component_template": { + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.packetbeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } + } + } + ] +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json new file mode 100644 index 000000000..c3eb4bc18 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json 
@@ -0,0 +1,390 @@ +{ + "component_templates": [ + { + "name": "logs-elastic_agent@package", + "component_template": { + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version", + "component.id", + "component.type", + "component.binary", + "component.state", + "component.old_state", + "unit.id", + "unit.type", + "unit.state", + "unit.old_state" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "message": { + "type": "text" + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "component": { + "properties": { + "binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "wildcard" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "unit": { + "properties": { + "old_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "wildcard" + }, + "state": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } + } + } + ] +} From a265c06e31015bba689fc324273152a402566f17 Mon Sep 17 00:00:00 2001 
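Review bot: `"default_pipeline": "logs-elastic_agent-1.7.0"` in the index settings of this new component template hard-codes a versioned ingest pipeline that nothing in this patch installs; Elasticsearch rejects every indexing request into a backing index whose default pipeline does not exist, so the elastic_agent log stream would stop rather than degrade, and the pipeline should be provisioned alongside the template (or the setting dropped), with a comment in the loader naming that dependency. The file is also the `GET _component_template` response envelope (`component_templates[].name` / `component_template`) rather than a `PUT _component_template` body; patch 11/24 later in this series strips that wrapper, so presumably only this intermediate state is wrong.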
From: Wes Date: Tue, 13 Jun 2023 15:47:25 +0000 Subject: [PATCH 10/24] Add other component templates --- ...gs-elastic_agent.system.application@package.json | 13 +++++++++++++ .../logs-elastic_agent.system.security@package.json | 13 +++++++++++++ ...ogs-elastic_agent.windows.forwarded@package.json | 13 +++++++++++++ ...gs-elastic_agent.windows.powershell@package.json | 13 +++++++++++++ ...gent.windows.powershell_operational@package.json | 13 +++++++++++++ ...ic_agent.windows.sysmon_operational@package.json | 13 +++++++++++++ 6 files changed, 78 insertions(+) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.system.application@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.system.security@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.forwarded@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.powershell@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.powershell_operational@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.sysmon_operational@package.json diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.system.application@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.system.application@package.json new file mode 100644 index 000000000..e8c05d8f3 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.system.application@package.json 
@@ -0,0 +1,13 @@
+{
+ "error": {
+ "root_cause": [
+ {
+ "type": "resource_not_found_exception",
+ "reason": "component template matching [logs-elastic_agent.system.application@package] not found"
+ }
+ ],
+ "type": "resource_not_found_exception",
+ "reason": "component template matching [logs-elastic_agent.system.application@package] not found"
+ },
+ "status": 404
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.system.security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.system.security@package.json
new file mode 100644
index 000000000..1387777ff
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.system.security@package.json
@@ -0,0 +1,13 @@
+{
+ "error": {
+ "root_cause": [
+ {
+ "type": "resource_not_found_exception",
+ "reason": "component template matching [logs-elastic_agent.system.security@package] not found"
+ }
+ ],
+ "type": "resource_not_found_exception",
+ "reason": "component template matching [logs-elastic_agent.system.security@package] not found"
+ },
+ "status": 404
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.forwarded@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.forwarded@package.json
new file mode 100644
index 000000000..e8503bc11
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.forwarded@package.json
@@ -0,0 +1,13 @@
+{
+ "error": {
+ "root_cause": [
+ {
+ "type": "resource_not_found_exception",
+ "reason": "component template matching [logs-elastic_agent.windows.forwarded@package] not found"
+ }
+ ],
+ "type": "resource_not_found_exception",
+ "reason": "component template matching [logs-elastic_agent.windows.forwarded@package] not found"
+ },
+ "status": 404
+}
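Review bot: The six new `logs-elastic_agent.*@package.json` files in this patch are Elasticsearch 404 error responses (`"type": "resource_not_found_exception"`, `"status": 404`) rather than component templates, so whatever captured them wrote the response body without checking the HTTP status. If the provisioning code PUTs every file under `templates/component/elastic-agent/` unconditionally, a body without a `template` key should be rejected, and the matching `composed_of` entries in defaults.yaml would then point at component templates that were never created, so the index templates fail to install and the corresponding Windows/system logs are not indexed. Patch 11/24 later in this series deletes these files again and adds `logs-system.*` / `logs-windows.*` files in their place; the capture step should fail on a non-2xx status so an error body cannot be committed as a template again. The same point applies to the system.security, windows.forwarded, windows.powershell, windows.powershell_operational and windows.sysmon_operational hunks.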
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.powershell@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.powershell@package.json
new file mode 100644
index 000000000..8bd354491
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.powershell@package.json
@@ -0,0 +1,13 @@
+{
+ "error": {
+ "root_cause": [
+ {
+ "type": "resource_not_found_exception",
+ "reason": "component template matching [logs-elastic_agent.windows.powershell@package] not found"
+ }
+ ],
+ "type": "resource_not_found_exception",
+ "reason": "component template matching [logs-elastic_agent.windows.powershell@package] not found"
+ },
+ "status": 404
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.powershell_operational@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.powershell_operational@package.json
new file mode 100644
index 000000000..36fa15103
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.powershell_operational@package.json
@@ -0,0 +1,13 @@
+{
+ "error": {
+ "root_cause": [
+ {
+ "type": "resource_not_found_exception",
+ "reason": "component template matching [logs-elastic_agent.windows.powershell_operational@package] not found"
+ }
+ ],
+ "type": "resource_not_found_exception",
+ "reason": "component template matching [logs-elastic_agent.windows.powershell_operational@package] not found"
+ },
+ "status": 404
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.sysmon_operational@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.sysmon_operational@package.json
new file mode 100644
index 000000000..7f7e5e492
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.sysmon_operational@package.json
@@ -0,0 +1,13 @@
+{
+ "error": {
+ "root_cause": [
+ {
+ "type": "resource_not_found_exception",
+ "reason": "component template matching [logs-elastic_agent.windows.sysmon_operational@package] not found"
+ }
+ ],
+ "type": "resource_not_found_exception",
+ "reason": "component template matching [logs-elastic_agent.windows.sysmon_operational@package] not found"
+ },
+ "status": 404
+}
From e43b7607bbd558478c7823f3259441122731d54a Mon Sep 17 00:00:00 2001
From: Wes Date: Tue, 13 Jun 2023 17:04:03 +0000 Subject: [PATCH 11/24] Add more component templates --- ...logs-elastic_agent.apm_server@package.json | 10 +- .../logs-elastic_agent.auditbeat@package.json | 10 +- .../logs-elastic_agent.cloudbeat@package.json | 10 +- ...astic_agent.endpoint_security@package.json | 10 +- .../logs-elastic_agent.filebeat@package.json | 10 +- ...gs-elastic_agent.fleet_server@package.json | 10 +- .../logs-elastic_agent.heartbeat@package.json | 10 +- ...logs-elastic_agent.metricbeat@package.json | 10 +- ...ogs-elastic_agent.osquerybeat@package.json | 10 +- ...logs-elastic_agent.packetbeat@package.json | 10 +- ...stic_agent.system.application@package.json | 13 - ...elastic_agent.system.security@package.json | 13 - ...astic_agent.windows.forwarded@package.json | 13 - ...stic_agent.windows.powershell@package.json | 13 - ...indows.powershell_operational@package.json | 13 - ...nt.windows.sysmon_operational@package.json | 13 - .../logs-elastic_agent@package.json | 10 +- .../logs-system.application@package.json | 952 ++++++ .../logs-system.auth@package.json | 530 ++++ .../logs-system.security@package.json | 1840 ++++++++++++ .../logs-windows.forwarded@package.json | 2544 +++++++++++++++++ .../logs-windows.powershell@package.json | 1335 +++++++++ ...indows.powershell_operational@package.json | 1334 +++++++++ ...gs-windows.sysmon_operational@package.json | 1752 ++++++++++++ 24 files changed, 10298 insertions(+), 177 deletions(-) delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.system.application@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.system.security@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.forwarded@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.powershell@package.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.powershell_operational@package.json
delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.sysmon_operational@package.json
create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json
create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json
create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json
create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json
create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json
create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json
create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json
index b26b7fcd4..919763caa 100644
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json
@@ -1,9 +1,4 @@
-{
- "component_templates": [
- {
- "name": "logs-elastic_agent.apm_server@package",
- "component_template": {
- "template": {
+ {"template": {
 "settings": {
 "index": {
 "lifecycle": {
@@ -332,6 +327,3 @@
 "managed": true
 }
 }
- }
- ]
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json
index 2bb67d287..175ad4431 100644
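Review bot: The rewritten first line ` {"template": {` carries a leading space and packs two opening braces onto one line while the rest of the file keeps the pretty-printed two-space layout of the original API dump, so the reshaped files now mix styles; `{` on its own line followed by `  "template": {` at the body's indent keeps each file consistent and diff-friendly. Dropping the `name` key means the loader presumably derives the component template name from the filename now — that contract deserves a comment at the loader, since renaming a file would silently change the template name that the `composed_of` lists in defaults.yaml refer to. The same reshaping appears in the auditbeat, cloudbeat, endpoint_security, filebeat, fleet_server, heartbeat, metricbeat, osquerybeat, packetbeat and logs-elastic_agent@package hunks.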
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json
@@ -1,9 +1,4 @@
-{
- "component_templates": [
- {
- "name": "logs-elastic_agent.auditbeat@package",
- "component_template": {
- "template": {
+ {"template": {
 "settings": {
 "index": {
 "lifecycle": {
@@ -332,6 +327,3 @@
 "managed": true
 }
 }
- }
- ]
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json
index 10ac8dfef..a96480471 100644
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json
@@ -1,9 +1,4 @@
-{
- "component_templates": [
- {
- "name": "logs-elastic_agent.cloudbeat@package",
- "component_template": {
- "template": {
+ {"template": {
 "settings": {
 "index": {
 "lifecycle": {
@@ -342,6 +337,3 @@
 "managed": true
 }
 }
- }
- ]
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json
index fee2bb3ab..5f16d18de 100644
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json
@@ -1,9 +1,4 @@
-{
- "component_templates": [
- {
- "name": "logs-elastic_agent.endpoint_security@package",
- "component_template": {
- "template": {
+ {"template": {
 "settings": {
 "index": {
 "lifecycle": {
@@ -332,6 +327,3 @@
 "managed": true
 }
 }
- }
- ]
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json
index c03976ec2..f5b1ab12a 100644
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json
@@ -1,9 +1,4 @@
-{
- "component_templates": [
- {
- "name": "logs-elastic_agent.filebeat@package",
- "component_template": {
- "template": {
+ {"template": {
 "settings": {
 "index": {
 "lifecycle": {
@@ -332,6 +327,3 @@
 "managed": true
 }
 }
- }
- ]
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json
index 378225a50..a61d9f7a9 100644
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json
@@ -1,9 +1,4 @@
-{
- "component_templates": [
- {
- "name": "logs-elastic_agent.fleet_server@package",
- "component_template": {
- "template": {
+ {"template": {
 "settings": {
 "index": {
 "lifecycle": {
@@ -332,6 +327,3 @@
 "managed": true
 }
 }
- }
- ]
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json
index 523305d3e..d7e244dc2 100644
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json
@@ -1,9 +1,4 @@
-{
- "component_templates": [
- {
- "name": "logs-elastic_agent.heartbeat@package",
- "component_template": {
- "template": {
+ {"template": {
 "settings": {
 "index": {
 "lifecycle": {
@@ -332,6 +327,3 @@
 "managed": true
 }
 }
- }
- ]
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json
index 65ab6d0ff..7b0c81283 100644
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json
@@ -1,9 +1,4 @@
-{
- "component_templates": [
- {
- "name": "logs-elastic_agent.metricbeat@package",
- "component_template": {
- "template": {
+ {"template": {
 "settings": {
 "index": {
 "lifecycle": {
@@ -332,6 +327,3 @@
 "managed": true
 }
 }
- }
- ]
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json
index 6c59b3b53..2a6780e69 100644
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json
@@ -1,9 +1,4 @@
-{
- "component_templates": [
- {
- "name": "logs-elastic_agent.osquerybeat@package",
- "component_template": {
- "template": {
+ {"template": {
 "settings": {
 "index": {
 "lifecycle": {
@@ -332,6 +327,3 @@
 "managed": true
 }
 }
- }
- ]
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json
index fe8c6ede4..973427be1 100644
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json
@@ -1,9 +1,4 @@
-{
- "component_templates": [
- {
- "name": "logs-elastic_agent.packetbeat@package",
- "component_template": {
- "template": {
+ {"template": {
 "settings": {
 "index": {
 "lifecycle": {
@@ -325,6 +320,3 @@
 "managed": true
 }
 }
- }
- ]
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.system.application@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.system.application@package.json
deleted file mode 100644
index e8c05d8f3..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.system.application@package.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "error": {
- "root_cause": [
- {
- "type": "resource_not_found_exception",
- "reason": "component template matching [logs-elastic_agent.system.application@package] not found"
- }
- ],
- "type": "resource_not_found_exception",
- "reason": "component template matching [logs-elastic_agent.system.application@package] not found"
- },
- "status": 404
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.system.security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.system.security@package.json
deleted file mode 100644
index 1387777ff..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.system.security@package.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "error": {
- "root_cause": [
- {
- "type": "resource_not_found_exception",
- "reason": "component template matching [logs-elastic_agent.system.security@package] not found"
- }
- ],
- "type": "resource_not_found_exception",
- "reason": "component template matching [logs-elastic_agent.system.security@package] not found"
- },
- "status": 404
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.forwarded@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.forwarded@package.json
deleted file mode 100644
index e8503bc11..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.forwarded@package.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "error": {
- "root_cause": [
- {
- "type": "resource_not_found_exception",
- "reason": "component template matching [logs-elastic_agent.windows.forwarded@package] not found"
- }
- ],
- "type": "resource_not_found_exception",
- "reason": "component template matching [logs-elastic_agent.windows.forwarded@package] not found"
- },
- "status": 404
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.powershell@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.powershell@package.json
deleted file mode 100644
index 8bd354491..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.powershell@package.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "error": {
- "root_cause": [
- {
- "type": "resource_not_found_exception",
- "reason": "component template matching [logs-elastic_agent.windows.powershell@package] not found"
- }
- ],
- "type": "resource_not_found_exception",
- "reason": "component template matching [logs-elastic_agent.windows.powershell@package] not found"
- },
- "status": 404
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.powershell_operational@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.powershell_operational@package.json
deleted file mode 100644
index 36fa15103..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.powershell_operational@package.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "error": {
- "root_cause": [
- {
- "type": "resource_not_found_exception",
- "reason": "component template matching [logs-elastic_agent.windows.powershell_operational@package] not found"
- }
- ],
- "type": "resource_not_found_exception",
- "reason": "component template matching [logs-elastic_agent.windows.powershell_operational@package] not found"
- },
- "status": 404
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.sysmon_operational@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.sysmon_operational@package.json
deleted file mode 100644
index 7f7e5e492..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.windows.sysmon_operational@package.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "error": {
- "root_cause": [
- {
- "type": "resource_not_found_exception",
- "reason": "component template matching [logs-elastic_agent.windows.sysmon_operational@package] not found"
- }
- ],
- "type": "resource_not_found_exception",
- "reason": "component template matching [logs-elastic_agent.windows.sysmon_operational@package] not found"
- },
- "status": 404
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json
index c3eb4bc18..57dc73c66 100644
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json
@@ -1,9 +1,4 @@
-{
- "component_templates": [
- {
- "name": "logs-elastic_agent@package",
- "component_template": {
- "template": {
+ {"template": {
 "settings": {
 "index": {
 "lifecycle": {
@@ -385,6 +380,3 @@
 "managed": true
 }
 }
- }
- ]
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json
new file mode 100644
index 000000000..05741a4f0
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json
@@ -0,0 +1,952 @@ + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-system.application-1.6.4", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.code", + "event.original", + "error.message", + "message", + "winlog.api", + "winlog.activity_id", + "winlog.computer_name", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.Company", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + "winlog.event_data.Group", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + 
"winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonId", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MajorVersion", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + "winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewTime", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + "winlog.event_data.OldSchemeGuid", + "winlog.event_data.OldTime", + "winlog.event_data.OriginalFileName", + "winlog.event_data.Path", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Reason", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.ServiceName", + "winlog.event_data.ServiceVersion", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + "winlog.event_data.ShutdownReason", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + "winlog.event_data.Signed", + "winlog.event_data.StartTime", + "winlog.event_data.State", + "winlog.event_data.Status", + 
"winlog.event_data.StopTime", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.UserSid", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + "winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", + "winlog.event_id", + "winlog.keywords", + "winlog.channel", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + "winlog.task", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + "winlog.user.type" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + }, + { + "winlog.user_data": { + "path_match": "winlog.user_data.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "winlog": { + "properties": { + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 
1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "module": { + "type": "constant_keyword", + "value": "system" + }, + "dataset": { + "type": "constant_keyword", + "value": "system.application" + } + } + }, + "error": { + "properties": { + "message": { + "type": "match_only_text" + } + } + }, + "message": { + "type": "match_only_text" + } + } + } + }, + "_meta": { + "package": { + "name": "system" + }, + "managed_by": "fleet", + "managed": true + } + } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json new file mode 100644 index 000000000..51e707850 --- /dev/null 
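Review bot: `"default_pipeline": "logs-system.application-1.6.4"` pins the ingest pipeline of one specific version of the `system` integration inside a file that is now delivered from the Salt tree; Elasticsearch fails indexing for every document written to the data stream when that pipeline id does not exist, so the suffix has to be kept in step with whatever installs the pipeline. Nothing in this hunk installs or checks for the pipeline, so either template the version from the same variable the pipeline install uses, or record the coupling where these files are consumed, e.g. `# *@package.json default_pipeline must match the installed system integration version (currently 1.6.4)`. The `_meta` block at the end still reads `"managed_by": "fleet"`, `"managed": true`; if Fleet also has this package installed, Fleet and Salt would presumably both write a template named `logs-system.application@package`, so the owning side should be stated somewhere. The same pinned pipeline and `_meta` appear in `logs-system.auth@package.json` (`logs-system.auth-1.6.4`) and `logs-system.security@package.json` (`logs-system.security-1.6.4`).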
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json 
@@ -0,0 +1,530 @@ +{ + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-system.auth-1.6.4", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.os.full", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "ecs.version", + "error.message", + "group.id", + "group.name", + "message", + "process.name", + "related.hosts", + "related.user", + "source.as.organization.name", + "source.geo.city_name", + "source.geo.continent_name", + "source.geo.country_iso_code", + "source.geo.country_name", + "source.geo.region_iso_code", + "source.geo.region_name", + "user.effective.name", + "user.id", + "user.name", + "system.auth.ssh.method", + "system.auth.ssh.signature", + "system.auth.ssh.event", + "system.auth.sudo.error", + "system.auth.sudo.tty", + "system.auth.sudo.pwd", + "system.auth.sudo.user", + "system.auth.sudo.command", + "system.auth.useradd.home", + "system.auth.useradd.shell", + "version" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + } + } + }, + "source": { + "properties": { + "geo": { + "properties": { + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "port": { + "type": "long" + }, + "ip": { + "type": "ip" + } + } + }, + "error": { + "properties": { + "message": { + "type": "match_only_text" + } + } + }, + "message": { + "type": "match_only_text" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + } + } + }, + "@timestamp": { + "type": "date" + }, + "system": { + "properties": { + "auth": { + "properties": { + "ssh": { + "properties": { + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_ip": { + "type": "ip" + }, + "signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "event": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sudo": { + "properties": { + "tty": { + "ignore_above": 1024, + "type": "keyword" + }, + "error": { + "ignore_above": 1024, + "type": "keyword" + }, + "pwd": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "useradd": { + "properties": { + "shell": { + "ignore_above": 1024, + "type": "keyword" + }, + "home": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword", + "value": "logs" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "system" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "system.auth" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "effective": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "system" + }, + "managed_by": "fleet", + "managed": true + } +} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json new file mode 100644 index 000000000..a74cd4a70 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json 
@@ -0,0 +1,1840 @@ + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-system.security-1.6.4", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "tags", + "input.type", + "ecs.version", + "group.domain", + "group.id", + "group.name", + "log.file.path", + "log.level", + "message", + "process.args", + "process.command_line", + "process.entity_id", + "process.executable", + "process.name", + "process.parent.executable", + "process.parent.name", + "process.title", + "related.hash", + "related.hosts", + "related.user", + "service.name", + "service.type", + "source.domain", + "user.domain", + "user.id", + "user.name", + "user.effective.domain", + "user.effective.id", + "user.effective.name", + "user.target.group.domain", + "user.target.group.id", + "user.target.group.name", + "user.target.name", + "user.target.domain", + "user.target.id", + "user.changes.name", + "winlog.logon.type", + "winlog.logon.id", + "winlog.logon.failure.reason", + "winlog.logon.failure.status", + "winlog.logon.failure.sub_status", + "winlog.api", + "winlog.activity_id", + "winlog.channel", + "winlog.computer_name", + "winlog.computerObject.domain", + "winlog.computerObject.id", + "winlog.computerObject.name", + 
"winlog.event_data.AccessGranted", + "winlog.event_data.AccessList", + "winlog.event_data.AccessListDescription", + "winlog.event_data.AccessMask", + "winlog.event_data.AccessMaskDescription", + "winlog.event_data.AccessRemoved", + "winlog.event_data.AccountDomain", + "winlog.event_data.AccountExpires", + "winlog.event_data.AccountName", + "winlog.event_data.AllowedToDelegateTo", + "winlog.event_data.AuditPolicyChanges", + "winlog.event_data.AuditPolicyChangesDescription", + "winlog.event_data.AuditSourceName", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.CallerProcessId", + "winlog.event_data.CallerProcessName", + "winlog.event_data.Category", + "winlog.event_data.CategoryId", + "winlog.event_data.ClientAddress", + "winlog.event_data.ClientName", + "winlog.event_data.CommandLine", + "winlog.event_data.Company", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CrashOnAuditFailValue", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DisplayName", + "winlog.event_data.DomainBehaviorVersion", + "winlog.event_data.DomainName", + "winlog.event_data.DomainPolicyChanged", + "winlog.event_data.DomainSid", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.Dummy", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.EventSourceId", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FailureReason", + 
"winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + "winlog.event_data.Group", + "winlog.event_data.GroupTypeChange", + "winlog.event_data.HandleId", + "winlog.event_data.HomeDirectory", + "winlog.event_data.HomePath", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + "winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KerberosPolicyChange", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonHours", + "winlog.event_data.LogonId", + "winlog.event_data.LogonID", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MachineAccountQuota", + "winlog.event_data.MajorVersion", + "winlog.event_data.MandatoryLabel", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + "winlog.event_data.MixedDomainMode", + "winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewSd", + "winlog.event_data.NewSdDacl0", + "winlog.event_data.NewSdDacl1", + "winlog.event_data.NewSdDacl2", + "winlog.event_data.NewSdSacl0", + "winlog.event_data.NewSdSacl1", + "winlog.event_data.NewSdSacl2", + "winlog.event_data.NewTargetUserName", + "winlog.event_data.NewTime", + "winlog.event_data.NewUACList", + "winlog.event_data.NewUacValue", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + "winlog.event_data.ObjectName", + "winlog.event_data.ObjectServer", + "winlog.event_data.ObjectType", + "winlog.event_data.OemInformation", + "winlog.event_data.OldSchemeGuid", + 
"winlog.event_data.OldSd", + "winlog.event_data.OldSdDacl0", + "winlog.event_data.OldSdDacl1", + "winlog.event_data.OldSdDacl2", + "winlog.event_data.OldSdSacl0", + "winlog.event_data.OldSdSacl1", + "winlog.event_data.OldSdSacl2", + "winlog.event_data.OldTargetUserName", + "winlog.event_data.OldTime", + "winlog.event_data.OldUacValue", + "winlog.event_data.OriginalFileName", + "winlog.event_data.PackageName", + "winlog.event_data.PasswordLastSet", + "winlog.event_data.PasswordHistoryLength", + "winlog.event_data.Path", + "winlog.event_data.ParentProcessName", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreAuthType", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrimaryGroupId", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.ProfilePath", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Reason", + "winlog.event_data.ResourceAttributes", + "winlog.event_data.SamAccountName", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptPath", + "winlog.event_data.SidHistory", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.Service", + "winlog.event_data.ServiceAccount", + "winlog.event_data.ServiceFileName", + "winlog.event_data.ServiceName", + "winlog.event_data.ServiceSid", + "winlog.event_data.ServiceStartType", + "winlog.event_data.ServiceType", + "winlog.event_data.ServiceVersion", + "winlog.event_data.SessionName", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + "winlog.event_data.ShutdownReason", + "winlog.event_data.SidFilteringEnabled", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + "winlog.event_data.Signed", + "winlog.event_data.StartTime", + 
"winlog.event_data.State", + "winlog.event_data.Status", + "winlog.event_data.StatusDescription", + "winlog.event_data.StopTime", + "winlog.event_data.SubCategory", + "winlog.event_data.SubCategoryGuid", + "winlog.event_data.SubcategoryGuid", + "winlog.event_data.SubCategoryId", + "winlog.event_data.SubcategoryId", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.SubStatus", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetSid", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TdoAttributes", + "winlog.event_data.TdoDirection", + "winlog.event_data.TdoType", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TicketEncryptionType", + "winlog.event_data.TicketEncryptionTypeDescription", + "winlog.event_data.TicketOptions", + "winlog.event_data.TicketOptionsDescription", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.UserAccountControl", + "winlog.event_data.UserParameters", + "winlog.event_data.UserPrincipalName", + "winlog.event_data.UserSid", + "winlog.event_data.UserWorkstations", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + "winlog.event_data.WorkstationName", + "winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", + "winlog.event_id", + "winlog.keywords", + "winlog.level", + "winlog.outcome", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + 
"winlog.task", + "winlog.time_created", + "winlog.trustAttribute", + "winlog.trustDirection", + "winlog.trustType", + "winlog.user_data.BackupPath", + "winlog.user_data.Channel", + "winlog.user_data.SubjectDomainName", + "winlog.user_data.SubjectLogonId", + "winlog.user_data.SubjectUserName", + "winlog.user_data.SubjectUserSid", + "winlog.user_data.xml_name", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + "winlog.user.type" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "winlog": { + "properties": { + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "logon": { + "properties": { + "failure": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonHours": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketOptions": { + "ignore_above": 1024, + "type": "keyword" + }, + "AllowedToDelegateTo": { + "ignore_above": 1024, + "type": "keyword" + }, + "TdoAttributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessMask": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "ResourceAttributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "SessionName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PasswordHistoryLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSd": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "PackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "SidHistory": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "WorkstationName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "CrashOnAuditFailValue": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "HandleId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessListDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "MachineAccountQuota": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldUacValue": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserParameters": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "SubCategoryId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewUacValue": { + "ignore_above": 1024, + "type": "keyword" + }, + "CallerProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProfilePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainPolicyChanged": { + "ignore_above": 1024, + "type": "keyword" + }, + "CategoryId": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreAuthType": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccountDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewUACList": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubcategoryGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "SidFilteringEnabled": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuditPolicyChanges": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventSourceId": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrimaryGroupId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "PasswordLastSet": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "GroupTypeChange": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessList": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + }, + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketEncryptionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketOptionsDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectServer": { + "ignore_above": 1024, + "type": "keyword" + }, + "HomePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserWorkstations": { + "ignore_above": 1024, + "type": "keyword" + }, + "SamAccountName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuditSourceName": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "SubCategoryGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuditPolicyChangesDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessMaskDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccountName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketEncryptionTypeDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceAccount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "KerberosPolicyChange": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "MandatoryLabel": { + "ignore_above": 1024, + "type": "keyword" + }, + "HomeDirectory": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccountExpires": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceStartType": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"UserPrincipalName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdSacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "Dummy": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdSacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdSacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdSacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdSacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdSacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSd": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientName": { + "ignore_above": 1024, + "type": "keyword" + }, + "StatusDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdDacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdDacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdDacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainBehaviorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessGranted": { + "ignore_above": 1024, + "type": "keyword" + }, + "ParentProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubcategoryId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessRemoved": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "MixedDomainMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdDacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdDacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "Category": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdDacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "CallerProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TdoType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DisplayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "Service": { + "ignore_above": 1024, + "type": "keyword" + }, + "TdoDirection": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "CommandLine": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserAccountControl": { + "ignore_above": 1024, + "type": "keyword" + }, + "OemInformation": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubCategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonID": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_created": { + "ignore_above": 1024, + "type": "keyword" + }, + "trustDirection": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "trustAttribute": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "computerObject": { + "properties": { 
+ "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_data": { + "properties": { + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BackupPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "Channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "xml_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "trustType": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "port": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + } + } + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword", + "value": "logs" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "system" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "system.security" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "changes": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "system" + }, + "managed_by": "fleet", + "managed": true + } + } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json new file mode 100644 index 000000000..967641107 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json 
@@ -0,0 +1,2544 @@ + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-windows.forwarded-1.20.1", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "analysis": { + "analyzer": { + "powershell_script_analyzer": { + "pattern": "[\\W&&[^-]]+", + "type": "pattern" + } + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "tags", + "input.type", + "destination.domain", + "destination.user.domain", + "destination.user.id", + "destination.user.name", + "dns.answers.class", + "dns.answers.data", + "dns.answers.name", + "dns.answers.type", + "dns.header_flags", + "dns.id", + "dns.op_code", + "dns.question.class", + "dns.question.name", + "dns.question.registered_domain", + "dns.question.subdomain", + "dns.question.top_level_domain", + "dns.question.type", + "dns.response_code", + "dns.type", + "ecs.version", + "file.code_signature.status", + "file.code_signature.subject_name", + "file.directory", + "file.extension", + "file.hash.md5", + "file.hash.sha1", + "file.hash.sha256", + "file.hash.sha512", + "file.name", + "file.path", + "file.pe.architecture", + "file.pe.company", + "file.pe.description", + "file.pe.file_version", + "file.pe.imphash", + "file.pe.original_file_name", + "file.pe.product", + "group.domain", + "group.id", + "group.name", + 
"log.file.path", + "log.level", + "message", + "network.community_id", + "network.direction", + "network.protocol", + "network.transport", + "network.type", + "process.args", + "process.command_line", + "process.entity_id", + "process.executable", + "process.hash.md5", + "process.hash.sha1", + "process.hash.sha256", + "process.hash.sha512", + "process.name", + "process.parent.args", + "process.parent.command_line", + "process.parent.entity_id", + "process.parent.executable", + "process.parent.hash.md5", + "process.parent.hash.sha1", + "process.parent.hash.sha256", + "process.parent.hash.sha512", + "process.parent.name", + "process.parent.pe.architecture", + "process.parent.pe.company", + "process.parent.pe.description", + "process.parent.pe.file_version", + "process.parent.pe.imphash", + "process.parent.pe.original_file_name", + "process.parent.pe.product", + "process.parent.title", + "process.pe.architecture", + "process.pe.company", + "process.pe.description", + "process.pe.file_version", + "process.pe.imphash", + "process.pe.original_file_name", + "process.pe.product", + "process.title", + "process.working_directory", + "registry.data.strings", + "registry.data.type", + "registry.hive", + "registry.key", + "registry.path", + "registry.value", + "related.hash", + "related.hosts", + "related.user", + "rule.name", + "service.name", + "service.type", + "source.domain", + "source.user.domain", + "source.user.id", + "source.user.name", + "user.domain", + "user.id", + "user.name", + "user.target.group.domain", + "user.target.group.id", + "user.target.group.name", + "user.target.name", + "sysmon.dns.status", + "winlog.logon.type", + "winlog.logon.id", + "winlog.logon.failure.reason", + "winlog.logon.failure.status", + "winlog.logon.failure.sub_status", + "winlog.api", + "winlog.activity_id", + "winlog.computer_name", + "winlog.level", + "winlog.outcome", + "winlog.trustAttribute", + "winlog.trustDirection", + "winlog.trustType", + "winlog.computerObject.domain", + 
"winlog.computerObject.id", + "winlog.computerObject.name", + "winlog.event_data.AccessGranted", + "winlog.event_data.AccessMask", + "winlog.event_data.AccessMaskDescription", + "winlog.event_data.AccessRemoved", + "winlog.event_data.AccountDomain", + "winlog.event_data.AccountExpires", + "winlog.event_data.AccountName", + "winlog.event_data.AllowedToDelegateTo", + "winlog.event_data.AuditPolicyChanges", + "winlog.event_data.AuditPolicyChangesDescription", + "winlog.event_data.AuditSourceName", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.CallerProcessId", + "winlog.event_data.CallerProcessName", + "winlog.event_data.Category", + "winlog.event_data.CategoryId", + "winlog.event_data.ClientAddress", + "winlog.event_data.ClientInfo", + "winlog.event_data.ClientName", + "winlog.event_data.CommandLine", + "winlog.event_data.Company", + "winlog.event_data.ComputerAccountChange", + "winlog.event_data.Configuration", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CrashOnAuditFailValue", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DisplayName", + "winlog.event_data.DnsHostName", + "winlog.event_data.DomainBehaviorVersion", + "winlog.event_data.DomainName", + "winlog.event_data.DomainPolicyChanged", + "winlog.event_data.DomainSid", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.Dummy", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.EventSourceId", + 
"winlog.event_data.EventType", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FailureReason", + "winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + "winlog.event_data.Group", + "winlog.event_data.GroupTypeChange", + "winlog.event_data.HandleId", + "winlog.event_data.HomeDirectory", + "winlog.event_data.HomePath", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + "winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KerberosPolicyChange", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonHours", + "winlog.event_data.LogonId", + "winlog.event_data.LogonID", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MachineAccountQuota", + "winlog.event_data.MajorVersion", + "winlog.event_data.MandatoryLabel", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + "winlog.event_data.MixedDomainMode", + "winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewSd", + "winlog.event_data.NewSdDacl0", + "winlog.event_data.NewSdDacl1", + "winlog.event_data.NewSdDacl2", + "winlog.event_data.NewSdSacl0", + "winlog.event_data.NewSdSacl1", + "winlog.event_data.NewSdSacl2", + "winlog.event_data.NewTargetUserName", + "winlog.event_data.NewTime", + "winlog.event_data.NewUACList", + "winlog.event_data.NewUacValue", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + 
"winlog.event_data.ObjectName", + "winlog.event_data.ObjectServer", + "winlog.event_data.ObjectType", + "winlog.event_data.OemInformation", + "winlog.event_data.OldSchemeGuid", + "winlog.event_data.OldSd", + "winlog.event_data.OldSdDacl0", + "winlog.event_data.OldSdDacl1", + "winlog.event_data.OldSdDacl2", + "winlog.event_data.OldSdSacl0", + "winlog.event_data.OldSdSacl1", + "winlog.event_data.OldSdSacl2", + "winlog.event_data.OldTargetUserName", + "winlog.event_data.OldTime", + "winlog.event_data.OldUacValue", + "winlog.event_data.OriginalFileName", + "winlog.event_data.PackageName", + "winlog.event_data.PasswordLastSet", + "winlog.event_data.PasswordHistoryLength", + "winlog.event_data.Path", + "winlog.event_data.ParentProcessName", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreAuthType", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrimaryGroupId", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.ProfilePath", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Reason", + "winlog.event_data.SamAccountName", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptPath", + "winlog.event_data.Session", + "winlog.event_data.SidHistory", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.Service", + "winlog.event_data.ServiceAccount", + "winlog.event_data.ServiceFileName", + "winlog.event_data.ServiceName", + "winlog.event_data.ServicePrincipalNames", + "winlog.event_data.ServiceSid", + "winlog.event_data.ServiceStartType", + "winlog.event_data.ServiceType", + "winlog.event_data.ServiceVersion", + "winlog.event_data.SessionName", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + 
"winlog.event_data.ShutdownReason", + "winlog.event_data.SidFilteringEnabled", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + "winlog.event_data.Signed", + "winlog.event_data.StartTime", + "winlog.event_data.State", + "winlog.event_data.Status", + "winlog.event_data.StatusDescription", + "winlog.event_data.StopTime", + "winlog.event_data.SubCategory", + "winlog.event_data.SubCategoryGuid", + "winlog.event_data.SubcategoryGuid", + "winlog.event_data.SubCategoryId", + "winlog.event_data.SubcategoryId", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.SubStatus", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetSid", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TdoAttributes", + "winlog.event_data.TdoDirection", + "winlog.event_data.TdoType", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TicketEncryptionType", + "winlog.event_data.TicketEncryptionTypeDescription", + "winlog.event_data.TicketOptions", + "winlog.event_data.TicketOptionsDescription", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.UserAccountControl", + "winlog.event_data.UserParameters", + "winlog.event_data.UserPrincipalName", + "winlog.event_data.UserSid", + "winlog.event_data.UserWorkstations", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + "winlog.event_data.WorkstationName", + "winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", 
+ "winlog.event_id", + "winlog.keywords", + "winlog.channel", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + "winlog.task", + "winlog.user_data.BackupPath", + "winlog.user_data.Channel", + "winlog.user_data.SubjectDomainName", + "winlog.user_data.SubjectLogonId", + "winlog.user_data.SubjectUserName", + "winlog.user_data.SubjectUserSid", + "winlog.user_data.xml_name", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + "winlog.user.type", + "powershell.id", + "powershell.pipeline_id", + "powershell.runspace_id", + "powershell.command.path", + "powershell.command.name", + "powershell.command.type", + "powershell.command.value", + "powershell.connected_user.domain", + "powershell.connected_user.name", + "powershell.engine.version", + "powershell.engine.previous_state", + "powershell.engine.new_state", + "powershell.file.script_block_id", + "powershell.file.script_block_text", + "powershell.process.executable_version", + "powershell.provider.new_state", + "powershell.provider.name" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sysmon": { + "properties": { + "file": { + "properties": { + "archived": { + "type": "boolean" + }, + "is_executable": { + "type": "boolean" + } + } + }, + "dns": { + "properties": { + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "port": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "rule": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "port": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "network": { + "properties": { + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + 
"id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "valid": { + "type": "boolean" + }, + "trusted": { + "type": "boolean" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 
1024, + "type": "keyword" + } + } + }, + "powershell": { + "properties": { + "sequence": { + "type": "long" + }, + "total": { + "type": "long" + }, + "connected_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "executable_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "script_block_text": { + "search_analyzer": "powershell_script_analyzer", + "analyzer": "powershell_script_analyzer", + "type": "text" + }, + "script_block_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "engine": { + "properties": { + "previous_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "runspace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pipeline_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "type": "text" + } + } + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "windows" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "windows.forwarded" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "properties": { + "strings": { + "ignore_above": 1024, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": 
{ + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "start": { + "type": "date" + }, + "pid": { + "type": "long" + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "pe": { + "properties": { + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 
1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "pid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "winlog": { + "properties": { + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "logon": { + "properties": { + "failure": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + 
"ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Configuration": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonHours": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketOptions": { + "ignore_above": 1024, + "type": "keyword" + }, + "AllowedToDelegateTo": { + "ignore_above": 1024, + "type": "keyword" + }, + "TdoAttributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessMask": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "SessionName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PasswordHistoryLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSd": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "PackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "SidHistory": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "WorkstationName": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"SubStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "CrashOnAuditFailValue": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "HandleId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DnsHostName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "MachineAccountQuota": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldUacValue": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserParameters": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubCategoryId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewUacValue": { + "ignore_above": 1024, + "type": "keyword" + }, + "CallerProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"ProfilePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ComputerAccountChange": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainPolicyChanged": { + "ignore_above": 1024, + "type": "keyword" + }, + "CategoryId": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreAuthType": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccountDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewUACList": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubcategoryGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "SidFilteringEnabled": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuditPolicyChanges": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventSourceId": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "PrimaryGroupId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "PasswordLastSet": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "GroupTypeChange": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + }, + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketEncryptionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketOptionsDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectServer": { + "ignore_above": 1024, + "type": "keyword" + }, + "HomePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserWorkstations": { + "ignore_above": 1024, + "type": "keyword" + }, + "SamAccountName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuditSourceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubCategoryGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuditPolicyChangesDescription": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "AccessMaskDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccountName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketEncryptionTypeDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceAccount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServicePrincipalNames": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "KerberosPolicyChange": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "MandatoryLabel": { + "ignore_above": 1024, + "type": "keyword" + }, + "HomeDirectory": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccountExpires": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceStartType": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserPrincipalName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdSacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "Dummy": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"NewSdSacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdSacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdSacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventType": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdSacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdSacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSd": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientName": { + "ignore_above": 1024, + "type": "keyword" + }, + "StatusDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdDacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdDacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdDacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainBehaviorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessGranted": { + "ignore_above": 1024, + "type": "keyword" + }, + "ParentProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubcategoryId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessRemoved": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "MixedDomainMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientInfo": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdDacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdDacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "Category": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdDacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "CallerProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TdoType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DisplayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "Service": { + "ignore_above": 1024, + "type": "keyword" + }, + "TdoDirection": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "CommandLine": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserAccountControl": { + "ignore_above": 1024, + "type": "keyword" + }, + "OemInformation": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubCategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonID": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Session": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_created": { + "type": "date" + }, + "trustDirection": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trustAttribute": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "computerObject": { + "properties": { + "domain": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_data": { + "properties": { + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BackupPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "Channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "xml_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "trustType": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "answers": { + "properties": { + "data": { + "ignore_above": 
1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + } + } + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dataset": { + "properties": { + "name": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "windows" + }, + "managed_by": "fleet", 
+ "managed": true + } + } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json new file mode 100644 index 000000000..ad0ff857e --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json 
@@ -0,0 +1,1335 @@ + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-windows.powershell-1.20.1", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "analysis": { + "analyzer": { + "powershell_script_analyzer": { + "pattern": "[\\W&&[^-]]+", + "type": "pattern" + } + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "tags", + "input.type", + "destination.user.domain", + "destination.user.id", + "destination.user.name", + "ecs.version", + "file.directory", + "file.extension", + "file.name", + "file.path", + "log.level", + "message", + "process.args", + "process.command_line", + "process.entity_id", + "process.executable", + "process.name", + "process.title", + "related.hash", + "related.hosts", + "related.user", + "source.user.domain", + "source.user.id", + "source.user.name", + "user.domain", + "user.id", + "user.name", + "powershell.id", + "powershell.pipeline_id", + "powershell.runspace_id", + "powershell.command.path", + "powershell.command.name", + "powershell.command.type", + "powershell.command.value", + "powershell.connected_user.domain", + "powershell.connected_user.name", + "powershell.engine.version", + "powershell.engine.previous_state", + "powershell.engine.new_state", + "powershell.file.script_block_id", + 
"powershell.file.script_block_text", + "powershell.process.executable_version", + "powershell.provider.new_state", + "powershell.provider.name", + "winlog.api", + "winlog.activity_id", + "winlog.computer_name", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.Company", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + "winlog.event_data.Group", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + "winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonId", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MajorVersion", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + 
"winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewTime", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + "winlog.event_data.OldSchemeGuid", + "winlog.event_data.OldTime", + "winlog.event_data.OriginalFileName", + "winlog.event_data.Path", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Reason", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.ServiceName", + "winlog.event_data.ServiceVersion", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + "winlog.event_data.ShutdownReason", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + "winlog.event_data.Signed", + "winlog.event_data.StartTime", + "winlog.event_data.State", + "winlog.event_data.Status", + "winlog.event_data.StopTime", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.UserSid", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + 
"winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", + "winlog.event_id", + "winlog.keywords", + "winlog.channel", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + "winlog.task", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + "winlog.user.type" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + }, + { + "winlog.user_data": { + "path_match": "winlog.user_data.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "pid": { + "type": "long" + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + } + } + }, + "winlog": { + "properties": { + "related_activity_id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 
1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 
1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "source": { + "properties": { + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 
1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "powershell": { + "properties": { + "sequence": { + "type": "long" + }, + "total": { + "type": "long" + }, + "connected_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + 
"executable_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "script_block_text": { + "search_analyzer": "powershell_script_analyzer", + "analyzer": "powershell_script_analyzer", + "type": "text" + }, + "script_block_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "engine": { + "properties": { + "previous_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "runspace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pipeline_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "type": "text" + } + } + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 
1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "windows" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "windows.powershell" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dataset": { + "properties": { + "name": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "windows" + }, + "managed_by": "fleet", + "managed": true + } + } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json new file mode 100644 index 000000000..b5cc588c9 --- /dev/null 
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json 
@@ -0,0 +1,1334 @@ + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-windows.powershell_operational-1.20.1", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "analysis": { + "analyzer": { + "powershell_script_analyzer": { + "pattern": "[\\W&&[^-]]+", + "type": "pattern" + } + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "tags", + "input.type", + "destination.user.domain", + "destination.user.id", + "destination.user.name", + "ecs.version", + "file.directory", + "file.extension", + "file.name", + "file.path", + "log.level", + "message", + "process.args", + "process.command_line", + "process.entity_id", + "process.executable", + "process.name", + "process.title", + "related.hash", + "related.hosts", + "related.user", + "source.user.domain", + "source.user.id", + "source.user.name", + "user.domain", + "user.id", + "user.name", + "powershell.id", + "powershell.pipeline_id", + "powershell.runspace_id", + "powershell.command.path", + "powershell.command.name", + "powershell.command.type", + "powershell.command.value", + "powershell.connected_user.domain", + "powershell.connected_user.name", + "powershell.engine.version", + "powershell.engine.previous_state", + "powershell.engine.new_state", + "powershell.file.script_block_id", + 
"powershell.file.script_block_text", + "powershell.process.executable_version", + "powershell.provider.new_state", + "powershell.provider.name", + "winlog.api", + "winlog.activity_id", + "winlog.computer_name", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.Company", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + "winlog.event_data.Group", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + "winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonId", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MajorVersion", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + 
"winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewTime", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + "winlog.event_data.OldSchemeGuid", + "winlog.event_data.OldTime", + "winlog.event_data.OriginalFileName", + "winlog.event_data.Path", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Reason", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.ServiceName", + "winlog.event_data.ServiceVersion", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + "winlog.event_data.ShutdownReason", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + "winlog.event_data.Signed", + "winlog.event_data.StartTime", + "winlog.event_data.State", + "winlog.event_data.Status", + "winlog.event_data.StopTime", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.UserSid", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + 
"winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", + "winlog.event_id", + "winlog.keywords", + "winlog.channel", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + "winlog.task", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + "winlog.user.type" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + }, + { + "winlog.user_data": { + "path_match": "winlog.user_data.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "pid": { + "type": "long" + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + } + } + }, + "winlog": { + "properties": { + "related_activity_id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 
1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 
1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "source": { + "properties": { + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 
1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "powershell": { + "properties": { + "sequence": { + "type": "long" + }, + "total": { + "type": "long" + }, + "connected_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + 
"executable_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "script_block_text": { + "analyzer": "powershell_script_analyzer", + "type": "text" + }, + "script_block_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "engine": { + "properties": { + "previous_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "runspace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pipeline_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "type": "text" + } + } + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "windows" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "windows.powershell_operational" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dataset": { + "properties": { + "name": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "windows" + }, + "managed_by": "fleet", + "managed": true + } + } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json new file mode 100644 index 000000000..451eaf7aa --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json 
@@ -0,0 +1,1752 @@ + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-windows.sysmon_operational-1.20.1", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "tags", + "input.type", + "destination.domain", + "dns.answers.class", + "dns.answers.data", + "dns.answers.name", + "dns.answers.type", + "dns.header_flags", + "dns.id", + "dns.op_code", + "dns.question.class", + "dns.question.name", + "dns.question.registered_domain", + "dns.question.subdomain", + "dns.question.top_level_domain", + "dns.question.type", + "dns.response_code", + "dns.type", + "ecs.version", + "error.code", + "error.message", + "file.code_signature.status", + "file.code_signature.subject_name", + "file.directory", + "file.extension", + "file.hash.md5", + "file.hash.sha1", + "file.hash.sha256", + "file.hash.sha512", + "file.name", + "file.path", + "file.pe.architecture", + "file.pe.company", + "file.pe.description", + "file.pe.file_version", + "file.pe.imphash", + "file.pe.original_file_name", + "file.pe.product", + "group.domain", + "group.id", + "group.name", + "log.level", + "message", + "network.community_id", + "network.direction", + "network.protocol", + "network.transport", + "network.type", + "process.args", + 
"process.command_line", + "process.entity_id", + "process.executable", + "process.hash.md5", + "process.hash.sha1", + "process.hash.sha256", + "process.hash.sha512", + "process.name", + "process.parent.args", + "process.parent.command_line", + "process.parent.entity_id", + "process.parent.executable", + "process.parent.name", + "process.pe.architecture", + "process.pe.company", + "process.pe.description", + "process.pe.file_version", + "process.pe.imphash", + "process.pe.original_file_name", + "process.pe.product", + "process.title", + "process.working_directory", + "registry.data.strings", + "registry.data.type", + "registry.hive", + "registry.key", + "registry.path", + "registry.value", + "related.hash", + "related.hosts", + "related.user", + "rule.name", + "service.name", + "service.type", + "source.domain", + "user.domain", + "user.id", + "user.name", + "user.target.group.domain", + "user.target.group.id", + "user.target.group.name", + "user.target.name", + "sysmon.dns.status", + "winlog.api", + "winlog.activity_id", + "winlog.computer_name", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.CallTrace", + "winlog.event_data.ClientInfo", + "winlog.event_data.Company", + "winlog.event_data.Configuration", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.EventType", + 
"winlog.event_data.EventNamespace", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + "winlog.event_data.GrantedAccess", + "winlog.event_data.Group", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + "winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonId", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MajorVersion", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + "winlog.event_data.Name", + "winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewThreadId", + "winlog.event_data.NewTime", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + "winlog.event_data.OldSchemeGuid", + "winlog.event_data.OldTime", + "winlog.event_data.Operation", + "winlog.event_data.OriginalFileName", + "winlog.event_data.Path", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Query", + 
"winlog.event_data.Reason", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.ServiceName", + "winlog.event_data.ServiceVersion", + "winlog.event_data.Session", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + "winlog.event_data.ShutdownReason", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + "winlog.event_data.Signed", + "winlog.event_data.StartAddress", + "winlog.event_data.StartFunction", + "winlog.event_data.StartModule", + "winlog.event_data.StartTime", + "winlog.event_data.State", + "winlog.event_data.Status", + "winlog.event_data.StopTime", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetImage", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetProcessGUID", + "winlog.event_data.TargetProcessId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.Type", + "winlog.event_data.UserSid", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + "winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", + "winlog.event_id", + "winlog.keywords", + "winlog.channel", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + "winlog.task", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + 
"winlog.user.type" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + }, + { + "winlog.user_data": { + "path_match": "winlog.user_data.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sysmon": { + "properties": { + "file": { + "properties": { + "archived": { + "type": "boolean" + }, + "is_executable": { + "type": "boolean" + } + } + }, + "dns": { + "properties": { + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "port": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + } + } + }, + "rule": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "port": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "type": "match_only_text" + } + } + }, + "network": { + "properties": { + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cloud": { + 
"properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "valid": { + "type": "boolean" + }, + "trusted": { + "type": "boolean" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "sha1": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "windows" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "windows.sysmon_operational" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "properties": { + "strings": { + "ignore_above": 1024, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "pid": { + "type": "long" + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + } + } + }, + "pe": { + "properties": { + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "pid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "winlog": { + "properties": { + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Configuration": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Query": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "CallTrace": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "GrantedAccess": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewThreadId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "Type": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventType": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "Name": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetProcessGUID": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartFunction": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Operation": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetImage": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventNamespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartModule": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + }, + "Session": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "answers": { + "properties": { + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + } + } + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dataset": { + "properties": { + "name": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword", + 
"fields": { + "text": { + "type": "match_only_text" + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "windows" + }, + "managed_by": "fleet", + "managed": true + } + } From fb8ad71b27d0848004c3da96d9f5e602b5e53aa9 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 13 Jun 2023 13:19:18 -0400 Subject: [PATCH 12/24] Set START and END variables earlier in so-import-pcap --- salt/common/tools/sbin_jinja/so-import-pcap | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/common/tools/sbin_jinja/so-import-pcap b/salt/common/tools/sbin_jinja/so-import-pcap index 8e2bc523d..4169d8769 100755 --- a/salt/common/tools/sbin_jinja/so-import-pcap +++ b/salt/common/tools/sbin_jinja/so-import-pcap @@ -194,6 +194,9 @@ for PCAP in $INPUT_FILES; do status "- analyzing traffic with Zeek" zeek "${PCAP}" $HASH {% endif %} + + START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}') + END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}') status "- saving PCAP data spanning dates $START through $END" fi @@ -205,9 +208,6 @@ for PCAP in $INPUT_FILES; do HASHES="${HASHES} ${HASH}" fi - START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}') - END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}') - # compare $START to $START_OLDEST START_COMPARE=$(date -d $START +%s) START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s) @@ -286,4 +286,4 @@ if [[ $json -eq 1 ]]; then }''' fi -exit $RESULT \ No newline at end of file +exit $RESULT From 1b90fd8581583ead67c4c8c0fcc64993a64a4409 Mon Sep 17 00:00:00 2001 
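Review bot: In the second so-import-pcap hunk, `START_COMPARE=$(date -d $START +%s)` on the shared path still reads `$START`, but this commit moves the START/END assignments into the new-import branch of the first hunk (the `fi` closing that branch is visible), so on the existing-import path the variables are empty or left over from the previous PCAP in the loop and `date -d` runs with no operand. Either keep one assignment on the shared path before the comparison or guard it, e.g. `[[ -n "$START" && -n "$END" ]] || { status "- unable to determine packet time span for ${PCAP}"; continue; }`. The enclosing `for PCAP in $INPUT_FILES` loop starts outside the hunk.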
From: Wes Date: Tue, 13 Jun 2023 18:21:45 +0000 Subject: [PATCH 13/24] Add custom component templates --- .../logs-system.application@custom.json | 12 ++++++++++++ .../elastic-agent/logs-system.auth@custom.json | 12 ++++++++++++ .../elastic-agent/logs-system.security@custom.json | 12 ++++++++++++ .../elastic-agent/logs-windows.forwarded@custom.json | 12 ++++++++++++ .../logs-windows.powershell@custom.json | 12 ++++++++++++ .../logs-windows.powershell_operational@custom.json | 12 ++++++++++++ .../logs-windows.sysmon_operational@custom.json | 12 ++++++++++++ 7 files changed, 84 insertions(+) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} 
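Review bot: `_meta.package.name` is `"elastic_agent"` in this logs-system.application@custom template, while the `@package` templates on this page carry the integration's own name (`"windows"`), and `"managed_by": "fleet"` with `"managed": true` labels a file that Security Onion writes as Fleet-owned. Fleet also creates empty `logs-<dataset>@custom` component templates as the user-override slot, so it is unclear which side is expected to win if both install one; a short note in the commit or a comment in the Salt state that installs these, stating which component owns `@custom`, would settle that. The same applies to the six identical `@custom` templates that follow in this commit.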
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json 
@@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} From 5547a1b7ab54d8ccd068cf7989bef020b58bb365 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 13 Jun 2023 18:23:50 +0000 Subject: [PATCH 14/24] Add event mappings --- salt/elasticsearch/defaults.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 4f4f5a295..54cae64a9 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -121,6 +121,7 @@ elasticsearch: index: number_of_replicas: 0 composed_of: + - "event-mappings" - "logs-system.auth@package" - "logs-system.auth@custom" - "so-fleet_globals-1" 
@@ -139,6 +140,7 @@ elasticsearch: index: number_of_replicas: 0 composed_of: + - "event-mappings" - "logs-system.syslog@package" - "logs-system.syslog@custom" - "so-fleet_globals-1" @@ -157,6 +159,7 @@ elasticsearch: index: number_of_replicas: 0 composed_of: + - "event-mappings" - "logs-system.application@package" - "logs-system.application@custom" - "so-fleet_globals-1" @@ -175,6 +178,7 @@ elasticsearch: index: number_of_replicas: 0 composed_of: + - "event-mappings" - "logs-system.security@package" - "logs-system.security@custom" - "so-fleet_globals-1" From 90b740a997313656c3ce9db5d5d743d05423e400 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 13 Jun 2023 15:11:13 -0400 Subject: [PATCH 15/24] ensure status line shows dates for new and existing imports --- salt/common/tools/sbin_jinja/so-import-pcap | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/common/tools/sbin_jinja/so-import-pcap b/salt/common/tools/sbin_jinja/so-import-pcap index 4169d8769..b8a90421f 100755 --- a/salt/common/tools/sbin_jinja/so-import-pcap +++ b/salt/common/tools/sbin_jinja/so-import-pcap @@ -194,10 +194,6 @@ for PCAP in $INPUT_FILES; do status "- analyzing traffic with Zeek" zeek "${PCAP}" $HASH {% endif %} - - START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}') - END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}') - status "- saving PCAP data spanning dates $START through $END" fi if [[ "$HASH_FILTERS" == "" ]]; then @@ -208,6 +204,10 @@ for PCAP in $INPUT_FILES; do HASHES="${HASHES} ${HASH}" fi + START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}') + END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}') + status "- found PCAP data spanning dates $START through $END" + # compare $START to $START_OLDEST START_COMPARE=$(date -d $START +%s) START_OLDEST_COMPARE=$(date -d $START_OLDEST +%s) From bd7644a5571384b4261914d1b01dcee3825a1719 Mon Sep 17 00:00:00 2001 
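Review bot: `event-mappings` is placed first in every `composed_of` list, and Elasticsearch merges component templates in list order with later entries taking precedence, so any `event.*` field the `@package` or `@custom` template also declares overrides what `event-mappings` says rather than the reverse. If Security Onion's event mappings are meant to win, the entry belongs after `logs-system.*@custom` (e.g. directly before `- "so-fleet_globals-1"`); if it is only meant to fill gaps, a one-line comment above it saying so would stop the next reader from moving it. Only the four system.* templates receive the entry here while the windows.* templates in the same file do not, which looks unintentional unless those carry their own event field mappings.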
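Review bot: The relocated `START`/`END` assignments take whatever `pcapinfo ... | awk '{print $4}'` yields with no check that it yielded anything, so a truncated or unreadable capture produces an empty value that the unquoted `date -d $START +%s` a few lines down either turns into a date-parse error or, once quoted, silently resolves to today's midnight — a plausible-looking status line and a wrong `START_OLDEST` comparison instead of a failure. Guard the values where they are produced: `if [[ -z "$START" || -z "$END" ]]; then status "- unable to read packet timestamps from ${PCAP}"; continue; fi` (or whatever the script's error path is), and quote them in `date -d "$START" +%s`. The enclosing `for PCAP in $INPUT_FILES` loop starts and ends outside this hunk.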
From: Wes Date: Tue, 13 Jun 2023 19:13:20 +0000 Subject: [PATCH 16/24] Add another template --- .../logs-system.syslog@custom.json | 12 + .../logs-system.syslog@package.json | 327 ++++++++++++++++++ 2 files changed, 339 insertions(+) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json new file mode 100644 index 000000000..30576a635 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json 
@@ -0,0 +1,327 @@ +{ + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-system.syslog-1.6.4", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.os.full", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "ecs.version", + "message", + "process.name" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } 
+ } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword", + "value": "logs" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + 
"type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "system" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "system.syslog" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "type": "match_only_text" + } + } + } + }, + "_meta": { + "package": { + "name": "system" + }, + "managed_by": "fleet", + "managed": true + } +} From 0d4f6b4fe6517006d1cb302f057adb99ccee0f57 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 13 Jun 2023 16:32:19 -0400 Subject: [PATCH 17/24] Change Elastic Fleet Tarball naming --- .../sbin_jinja/so-elastic-agent-gen-installers | 13 ++++++++++--- setup/so-functions | 12 ++++++------ setup/so-variables | 3 +++ 3 files changed, 19 insertions(+), 9 deletions(-) diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers index 4910ceda1..703784fce 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers 
@@ -12,11 +12,18 @@ for i in {1..30} do + ELASTICVERSION=$(so-elasticsearch-query / | jq -r .version.number) ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key') FLEETHOST=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default' | jq -r '.item.host_urls[]' | paste -sd ',') -if [[ $FLEETHOST ]] && [[ $ENROLLMENTOKEN ]]; then break; else sleep 10; fi +if [[ $FLEETHOST ]] && [[ $ENROLLMENTOKEN ]] && [[ $ELASTICVERSION ]]; then break; else sleep 10; fi done -if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]]; then printf "\nFleet Host URL or Enrollment Token empty - exiting..." && exit; fi + +if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]] || [[ -z $ELASTICVERSION ]] +then + printf "\nFleet Host URL, Enrollment Token or Elastic Version empty - exiting..." + printf "\nFleet Host: $FLEETHOST, Elastic Version: $ELASTICVERSION, Enrollment Token: $ENROLLMENTOKEN\n" + exit +fi OSARCH=( "linux-x86_64" "windows-x86_64" "darwin-x86_64" "darwin-aarch64" ) @@ -25,7 +32,7 @@ rm -rf /nsm/elastic-agent-workspace mkdir -p /nsm/elastic-agent-workspace printf "\n### Extracting outer tarball and then each individual tarball/zip\n" -tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-{{ GLOBALS.so_version }}.tar.gz -C /nsm/elastic-agent-workspace/ +tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTICVERSION.tar.gz -C /nsm/elastic-agent-workspace/ unzip -q /nsm/elastic-agent-workspace/elastic-agent-*.zip -d /nsm/elastic-agent-workspace/ for archive in /nsm/elastic-agent-workspace/*.tar.gz do diff --git a/setup/so-functions b/setup/so-functions index a9d5b434e..a71bb223f 100755 --- a/setup/so-functions +++ b/setup/so-functions 
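Review bot: The new failure branch prints the Fleet enrollment token in clear text (`Enrollment Token: $ENROLLMENTOKEN`); that value lets any host enroll into the `endpoints-initial` policy and this output typically ends up in a terminal log or Salt job return, so report presence rather than content: `printf "\nFleet Host: %s, Elastic Version: %s, Enrollment Token: %s\n" "$FLEETHOST" "$ELASTICVERSION" "${ENROLLMENTOKEN:+<set>}"`. The branch then ends in a bare `exit`, so the script returns 0 after building nothing and a caller cannot tell the installers are missing; use `exit 1`. Note also that `jq -r .version.number` emits the literal string `null` when the query body is not what it expects, which satisfies `[[ $ELASTICVERSION ]]` and lets the loop break with a bogus version that only surfaces at the `tar -xf` below.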
@@ -976,14 +976,14 @@ detect_os() { download_elastic_agent_artifacts() { if [[ $is_iso ]]; then - logCmd "tar -xf /nsm/elastic-fleet/artifacts/beats/elastic-agent_SO-$SOVERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" + logCmd "tar -xf /nsm/elastic-fleet/artifacts/beats/elastic-agent_SO-$elastic_agent_tarball_version.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" else logCmd "mkdir -p /nsm/elastic-fleet/artifacts/beats/elastic-agent/" - retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz" "" "" - retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.md5 --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.md5" "" "" + retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$elastic_agent_tarball_version.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz" "" "" + retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$elastic_agent_tarball_version.md5 --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.md5" "" "" - SOURCEHASH=$(md5sum /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz | awk '{ print $1 }') - HASH=$(cat /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.md5) + SOURCEHASH=$(md5sum /nsm/elastic-fleet/artifacts/elastic-agent_SO-$elastic_agent_tarball_version.tar.gz | awk '{ print $1 }') + HASH=$(cat /nsm/elastic-fleet/artifacts/elastic-agent_SO-$elastic_agent_tarball_version.md5) if [[ "$HASH" == "$SOURCEHASH" ]]; then info "Elastic Agent source hash is good." 
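Review bot: Both `curl` lines still write to `elastic-agent_SO-$SOVERSION.tar.gz` / `.md5` (`--output` was not updated) while `md5sum`, `cat` and the later `tar -xf` now read `elastic-agent_SO-$elastic_agent_tarball_version.*`, so on a non-ISO install the hash check runs against files that were never written and `fail_setup` fires — or, if a stale file by that name exists, it verifies the wrong artifact; the `--output` paths need the same variable. Separately, the expected digest is fetched from the same origin as the tarball, so this check catches a corrupted transfer but not a substituted one: a digest pinned in the repo (and SHA-256 rather than MD5) or a detached signature would give real supply-chain assurance. The later rework of this function in this series carries the same `$SOVERSION` output path forward.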
@@ -992,7 +992,7 @@ download_elastic_agent_artifacts() { fail_setup fi - logCmd "tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" + logCmd "tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$elastic_agent_tarball_version.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" fi } diff --git a/setup/so-variables b/setup/so-variables index 2c7cb3dba..82bef510f 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -219,3 +219,6 @@ export patch_pillar_file adv_patch_pillar_file="$local_salt_dir/pillar/patch/adv_patch.sls" export adv_patch_pillar_file + +elastic_agent_tarball_version="8.7.1" +export elastic_agent_tarball_version \ No newline at end of file From af003cc2a1e6b55489d83c8d1f934d684e4db44b Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 13 Jun 2023 20:43:39 +0000 Subject: [PATCH 18/24] Add osquery templates --- salt/elasticsearch/defaults.yaml | 23 +++- ...logs-osquery_manager.action.responses.json | 91 +++++++++++++++ .../logs-osquery_manager.actions.json | 110 ++++++++++++++++++ 3 files changed, 222 insertions(+), 2 deletions(-) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.action.responses.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.actions.json diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 54cae64a9..f388b6bd3 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
@@ -259,15 +259,34 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-osquery-manager: + so-logs-osquery-manager-actions: index_sorting: False index_template: index_patterns: - - "logs-osquery*" + - ".logs-osquery_manager.actions*" template: settings: index: number_of_replicas: 0 + composed_of: + - "logs-osquery_manager.actions" + priority: 501 + _meta: + package: + name: elastic_agent + managed_by: security_onion + managed: true + so-logs-osquery-manager-action.responses: + index_sorting: False + index_template: + index_patterns: + - ".logs-osquery_manager.action.responses*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-osquery_manager.action.responses" priority: 501 _meta: package: diff --git a/salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.action.responses.json b/salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.action.responses.json new file mode 100644 index 000000000..afe990c92 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.action.responses.json 
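Review bot: Neither new osquery template has a `data_stream:` block, unlike every other `so-logs-*` entry in this file, so an index template matching `.logs-osquery_manager.actions*` would create plain indices rather than the hidden data streams the osquery_manager integration appears to write its actions and responses to; if that is deliberate it deserves a comment, otherwise add `data_stream:` with `hidden: true` for these dot-prefixed system streams. The two templates also omit `so-fleet_globals-1` and `so-fleet_agent_id_verification-1` from `composed_of`, so whatever agent-id verification those components configure for the other Fleet streams presumably does not apply to the stream that records which user ran which live query — worth confirming, since that is the audit trail. The key `so-logs-osquery-manager-action.responses` also mixes a dot into a name whose siblings use hyphens throughout.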
@@ -0,0 +1,91 @@ +{"template": { + "mappings": { + "properties": { + "completed_at": { + "type": "date" + }, + "action_response": { + "properties": { + "osquery": { + "properties": { + "count": { + "type": "long" + } + } + } + } + }, + "@timestamp": { + "type": "date" + }, + "agent_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "action_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "count": { + "type": "long" + }, + "started_at": { + "type": "date" + }, + "action_input_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "error": { + "type": "text", + "fields": { + "keyword": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", + "type": "date" + } + } + }, + "action_data": { + "properties": { + "saved_query_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "ecs_mapping": { + "type": "object", + "enabled": false + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.actions.json b/salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.actions.json new file mode 100644 index 000000000..44296af13 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.actions.json 
@@ -0,0 +1,110 @@ +{"template": { + "mappings": { + "properties": { + "pack_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "metadata": { + "type": "object", + "enabled": false + }, + "data": { + "properties": { + "query": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pack_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "input_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "pack_prebuilt": { + "type": "boolean" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "queries": { + "properties": { + "action_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "saved_query_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "saved_query_prebuilt": { + "type": "boolean" + }, + "query": { + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "ecs_mapping": { + "type": "object", + "enabled": false + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "agents": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agents": { + "ignore_above": 1024, + "type": "keyword" + }, + "@timestamp": { + "type": "date" + }, + "action_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "expiration": { + "type": "date" + }, + "event": { + "properties": { + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", + "type": "date" + } + } + }, + "agent_ids": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } +} From 2ac0aba9169249589d086f158c6d82052a8aab7d Mon Sep 17 00:00:00 2001 
From: Wes Date: Tue, 13 Jun 2023 21:32:02 +0000 Subject: [PATCH 19/24] Add osquery files --- ...logs-osquery_manager.action.responses.json | 91 +++++++++++++++ .../logs-osquery_manager.actions.json | 110 ++++++++++++++++++ 2 files changed, 201 insertions(+) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.action.responses.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.actions.json diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.action.responses.json b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.action.responses.json new file mode 100644 index 000000000..afe990c92 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.action.responses.json 
@@ -0,0 +1,91 @@ +{"template": { + "mappings": { + "properties": { + "completed_at": { + "type": "date" + }, + "action_response": { + "properties": { + "osquery": { + "properties": { + "count": { + "type": "long" + } + } + } + } + }, + "@timestamp": { + "type": "date" + }, + "agent_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "action_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "count": { + "type": "long" + }, + "started_at": { + "type": "date" + }, + "action_input_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "error": { + "type": "text", + "fields": { + "keyword": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", + "type": "date" + } + } + }, + "action_data": { + "properties": { + "saved_query_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "ecs_mapping": { + "type": "object", + "enabled": false + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.actions.json b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.actions.json new file mode 100644 index 000000000..44296af13 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.actions.json 
@@ -0,0 +1,110 @@ +{"template": { + "mappings": { + "properties": { + "pack_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "metadata": { + "type": "object", + "enabled": false + }, + "data": { + "properties": { + "query": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pack_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "input_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "pack_prebuilt": { + "type": "boolean" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "queries": { + "properties": { + "action_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "saved_query_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "saved_query_prebuilt": { + "type": "boolean" + }, + "query": { + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "ecs_mapping": { + "type": "object", + "enabled": false + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "agents": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agents": { + "ignore_above": 1024, + "type": "keyword" + }, + "@timestamp": { + "type": "date" + }, + "action_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "expiration": { + "type": "date" + }, + "event": { + "properties": { + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", + "type": "date" + } + } + }, + "agent_ids": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } +} From 8cde05807cf80cfeb7c3018aab9537a220645250 Mon Sep 17 00:00:00 2001 
From: Wes Date: Tue, 13 Jun 2023 21:33:04 +0000 Subject: [PATCH 20/24] Remove elastic-agent dir --- ...logs-osquery_manager.action.responses.json | 91 --------------- .../logs-osquery_manager.actions.json | 110 ------------------ 2 files changed, 201 deletions(-) delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.action.responses.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.actions.json diff --git a/salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.action.responses.json b/salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.action.responses.json deleted file mode 100644 index afe990c92..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.action.responses.json +++ /dev/null 
@@ -1,91 +0,0 @@ -{"template": { - "mappings": { - "properties": { - "completed_at": { - "type": "date" - }, - "action_response": { - "properties": { - "osquery": { - "properties": { - "count": { - "type": "long" - } - } - } - } - }, - "@timestamp": { - "type": "date" - }, - "agent_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "action_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "count": { - "type": "long" - }, - "started_at": { - "type": "date" - }, - "action_input_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "error": { - "type": "text", - "fields": { - "keyword": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", - "type": "date" - } - } - }, - "action_data": { - "properties": { - "saved_query_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "ecs_mapping": { - "type": "object", - "enabled": false - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.actions.json b/salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.actions.json deleted file mode 100644 index 44296af13..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.actions.json +++ /dev/null 
@@ -1,110 +0,0 @@ -{"template": { - "mappings": { - "properties": { - "pack_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "metadata": { - "type": "object", - "enabled": false - }, - "data": { - "properties": { - "query": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pack_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "input_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "pack_prebuilt": { - "type": "boolean" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "queries": { - "properties": { - "action_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "saved_query_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "saved_query_prebuilt": { - "type": "boolean" - }, - "query": { - "type": "text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "ecs_mapping": { - "type": "object", - "enabled": false - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "agents": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agents": { - "ignore_above": 1024, - "type": "keyword" - }, - "@timestamp": { - "type": "date" - }, - "action_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "expiration": { - "type": "date" - }, - "event": { - "properties": { - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", - "type": "date" - } - } - }, - "agent_ids": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } -} From 9947f9def4e5d220616a48cf0ee6db1e86b096fd Mon Sep 17 00:00:00 2001 
From: Josh Brower Date: Wed, 14 Jun 2023 07:38:03 -0400 Subject: [PATCH 21/24] Rework tarball naming schema --- salt/common/tools/sbin/so-common | 1 + .../tools/sbin_jinja/so-elastic-agent-gen-installers | 9 ++++----- setup/so-functions | 12 ++++++------ setup/so-variables | 5 +---- 4 files changed, 12 insertions(+), 15 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 523a1b230..f25bdb431 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -5,6 +5,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +ELASTIC_AGENT_TARBALL_VERSION="8.7.1" DEFAULT_SALT_DIR=/opt/so/saltstack/default DOC_BASE_URL="https://docs.securityonion.net/en/2.4" diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers index 703784fce..704f1537a 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers 
@@ -8,20 +8,19 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} +. /usr/sbin/so-common . /usr/sbin/so-elastic-fleet-common for i in {1..30} do - ELASTICVERSION=$(so-elasticsearch-query / | jq -r .version.number) ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key') FLEETHOST=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default' | jq -r '.item.host_urls[]' | paste -sd ',') if [[ $FLEETHOST ]] && [[ $ENROLLMENTOKEN ]] && [[ $ELASTICVERSION ]]; then break; else sleep 10; fi done -if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]] || [[ -z $ELASTICVERSION ]] -then +if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]]; then printf "\nFleet Host URL, Enrollment Token or Elastic Version empty - exiting..." - printf "\nFleet Host: $FLEETHOST, Elastic Version: $ELASTICVERSION, Enrollment Token: $ENROLLMENTOKEN\n" + printf "\nFleet Host: $FLEETHOST, Enrollment Token: $ENROLLMENTOKEN\n" exit fi @@ -32,7 +31,7 @@ rm -rf /nsm/elastic-agent-workspace mkdir -p /nsm/elastic-agent-workspace printf "\n### Extracting outer tarball and then each individual tarball/zip\n" -tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTICVERSION.tar.gz -C /nsm/elastic-agent-workspace/ +tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz -C /nsm/elastic-agent-workspace/ unzip -q /nsm/elastic-agent-workspace/elastic-agent-*.zip -d /nsm/elastic-agent-workspace/ for archive in /nsm/elastic-agent-workspace/*.tar.gz do diff --git a/setup/so-functions b/setup/so-functions index a71bb223f..ff012b151 100755 --- a/setup/so-functions +++ b/setup/so-functions 
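Review bot: The `ELASTICVERSION=` assignment is removed but the loop's break test still reads `&& [[ $ELASTICVERSION ]]`, so the condition can never be true and every run now sleeps through all 30 iterations (roughly five minutes) before falling through with whatever `FLEETHOST` and `ENROLLMENTOKEN` last held; drop the third test: `if [[ $FLEETHOST ]] && [[ $ENROLLMENTOKEN ]]; then break; else sleep 10; fi`. The error text still says "or Elastic Version", the branch still echoes the enrollment token in clear, and it still exits 0, so trim the message, redact the token (`${ENROLLMENTOKEN:+<set>}`) and use `exit 1`.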
@@ -976,14 +976,14 @@ detect_os() { download_elastic_agent_artifacts() { if [[ $is_iso ]]; then - logCmd "tar -xf /nsm/elastic-fleet/artifacts/beats/elastic-agent_SO-$elastic_agent_tarball_version.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" + logCmd "tar -xf /nsm/elastic-fleet/artifacts/beats/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" else logCmd "mkdir -p /nsm/elastic-fleet/artifacts/beats/elastic-agent/" - retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$elastic_agent_tarball_version.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz" "" "" - retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$elastic_agent_tarball_version.md5 --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.md5" "" "" + retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz" "" "" + retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5 --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.md5" "" "" - SOURCEHASH=$(md5sum /nsm/elastic-fleet/artifacts/elastic-agent_SO-$elastic_agent_tarball_version.tar.gz | awk '{ print $1 }') - HASH=$(cat /nsm/elastic-fleet/artifacts/elastic-agent_SO-$elastic_agent_tarball_version.md5) + SOURCEHASH=$(md5sum /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz | awk '{ print $1 }') + HASH=$(cat /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5) if [[ "$HASH" == "$SOURCEHASH" ]]; then 
info "Elastic Agent source hash is good." @@ -992,7 +992,7 @@ download_elastic_agent_artifacts() { fail_setup fi - logCmd "tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$elastic_agent_tarball_version.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" + logCmd "tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" fi } diff --git a/setup/so-variables b/setup/so-variables index 82bef510f..7c5e51c6c 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -218,7 +218,4 @@ patch_pillar_file="$local_salt_dir/pillar/patch/soc_patch.sls" export patch_pillar_file adv_patch_pillar_file="$local_salt_dir/pillar/patch/adv_patch.sls" -export adv_patch_pillar_file - -elastic_agent_tarball_version="8.7.1" -export elastic_agent_tarball_version \ No newline at end of file +export adv_patch_pillar_file \ No newline at end of file From fedfbe9fec9299eed18ecda722c127ebc876d282 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 14 Jun 2023 08:52:56 -0400 Subject: [PATCH 22/24] Fix tarball output name --- setup/so-functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index ff012b151..1b15bb140 100755 --- a/setup/so-functions +++ b/setup/so-functions 
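Review bot: download_elastic_agent_artifacts now expands `$ELASTIC_AGENT_TARBALL_VERSION`, while the so-variables hunk in this same patch drops the exported `elastic_agent_tarball_version`; as far as this diff shows, the new variable is defined only in salt/common/tools/sbin/so-common, and nothing here shows the setup scripts sourcing that file. If it is not in scope at setup time, every path and URL in the function silently degrades to `elastic-agent_SO-.tar.gz`, and the failure only surfaces as a curl 404 after the retries. A guard at the top of the function, `[[ -n "$ELASTIC_AGENT_TARBALL_VERSION" ]] || fail_setup`, would make the misconfiguration explicit (fail_setup is already used in the next hunk for the hash mismatch case). The function's closing brace lies in the following hunk.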
@@ -979,8 +979,8 @@ download_elastic_agent_artifacts() { logCmd "tar -xf /nsm/elastic-fleet/artifacts/beats/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" else logCmd "mkdir -p /nsm/elastic-fleet/artifacts/beats/elastic-agent/" - retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz" "" "" - retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5 --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.md5" "" "" + retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" "" "" + retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5 --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" "" "" SOURCEHASH=$(md5sum /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz | awk '{ print $1 }') HASH=$(cat /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5) From c2ac60b82e8ace2678ada23b33c1643458ef3b8a Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 14 Jun 2023 13:28:00 +0000 Subject: [PATCH 23/24] Add system.system template and add event-mappings --- salt/elasticsearch/defaults.yaml | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index f388b6bd3..d27f291eb 100644 
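Review bot: The two rewritten curl lines fetch the tarball and its .md5 from the same origin over the same channel, so the comparison on the following context lines only detects a corrupted transfer, not a substituted artifact; anyone able to serve a different tarball can serve a matching digest next to it. A stronger check would pin the expected digest in the repository beside ELASTIC_AGENT_TARBALL_VERSION (or verify a signature over the bundle) and use SHA-256 rather than MD5, which is no longer collision-resistant. The `cat` of the .md5 file on the context line also assumes the file holds a bare digest; if it is in md5sum's "digest  filename" format the string comparison would always fail, which is worth confirming against the published file. download_elastic_agent_artifacts starts and ends outside this hunk.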
--- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -149,6 +149,25 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false + so-logs-system.system: + index_sorting: False + index_template: + index_patterns: + - "logs-system.system*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "event-mappings" + - "logs-system.system@package" + - "logs-system.system@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false so-logs-system.application: index_sorting: False index_template: @@ -467,13 +486,8 @@ elasticsearch: sort: field: "@timestamp" order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true composed_of: + - "event-mappings" - "logs-elastic_agent.endpoint_security@package" - "logs-elastic_agent.endpoint_security@custom" - "so-fleet_globals-1" From 48331ce35b69dec0ec4213886c485e53d990a8b6 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 14 Jun 2023 13:29:11 +0000 Subject: [PATCH 24/24] Add system.system component templates --- .../logs-system.system@custom.json | 12 + .../logs-system.system@package.json | 986 ++++++++++++++++++ 2 files changed, 998 insertions(+) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json 
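Review bot: Both hunks add `"event-mappings"` to a composed_of list, but no component template by that name is created anywhere in the series visible on this page (the final patch only adds the logs-system.system@custom and @package templates). Elasticsearch rejects an index template whose composed_of names a component template that does not exist, so unless "event-mappings" is provisioned before so-logs-system.system and the endpoint_security template are applied, both template loads fail; the ordering in Security Onion's template loader is not visible here, so this should be confirmed. As a point of style, the new stanza mixes `index_sorting: False` with `hidden: false`; it matches the neighbouring entries, but lowercase `false` throughout would keep yamllint's truthy rule quiet.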
@@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json new file mode 100644 index 000000000..068e6846b --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json 
@@ -0,0 +1,986 @@ +{ + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-system.system-1.6.4", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.original", + "event.outcome", + "event.provider", + "event.type", + "error.message", + "message", + "winlog.api", + "winlog.activity_id", + "winlog.computer_name", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.Company", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + 
"winlog.event_data.Group", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + "winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonId", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MajorVersion", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + "winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewTime", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + "winlog.event_data.OldSchemeGuid", + "winlog.event_data.OldTime", + "winlog.event_data.OriginalFileName", + "winlog.event_data.Path", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Reason", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.ServiceName", + "winlog.event_data.ServiceVersion", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + "winlog.event_data.ShutdownReason", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + 
"winlog.event_data.Signed", + "winlog.event_data.StartTime", + "winlog.event_data.State", + "winlog.event_data.Status", + "winlog.event_data.StopTime", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.UserSid", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + "winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", + "winlog.event_id", + "winlog.keywords", + "winlog.channel", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + "winlog.task", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + "winlog.user.type" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + }, + { + "winlog.user_data": { + "path_match": "winlog.user_data.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "winlog": { + "properties": { + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { 
+ "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "system" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "system.system" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + 
"properties": { + "message": { + "type": "match_only_text" + } + } + }, + "message": { + "type": "match_only_text" + } + } + } + }, + "_meta": { + "package": { + "name": "system" + }, + "managed_by": "fleet", + "managed": true + } +}