Merge pull request #13117 from Security-Onion-Solutions/fix/items_and_lists

Add templates for .items and .lists indices

salt/elasticsearch/defaults.yaml

@@ -170,6 +170,78 @@ elasticsearch:
               set_priority:
                 priority: 50
             min_age: 30d
+    so-items:
+      index_sorting: false
+      index_template:
+        composed_of:
+        - so-items-mappings
+        index_patterns:
+        - .items-default-**
+        priority: 500
+        template:
+          mappings:
+            date_detection: false
+          settings:
+            index:
+              lifecycle:
+                name: so-items-logs
+                rollover_alias: ".items-default"
+              routing:
+                allocation:
+                  include:
+                    _tier_preference: "data_content"
+              mapping:
+                total_fields:
+                  limit: 10000
+              number_of_replicas: 0
+              number_of_shards: 1
+              refresh_interval: 30s
+              sort:
+                field: '@timestamp'
+                order: desc
+      policy:
+        phases:
+          hot:
+            actions:
+              rollover:
+                max_size: 50gb
+            min_age: 0ms
+    so-lists:
+      index_sorting: false
+      index_template:
+        composed_of:
+        - so-lists-mappings
+        index_patterns:
+        - .lists-default-**
+        priority: 500
+        template:
+          mappings:
+            date_detection: false
+          settings:
+            index:
+              lifecycle:
+                name: so-lists-logs
+                rollover_alias: ".lists-default"
+              routing:
+                allocation:
+                  include:
+                    _tier_preference: "data_content"
+              mapping:
+                total_fields:
+                  limit: 10000
+              number_of_replicas: 0
+              number_of_shards: 1
+              refresh_interval: 30s
+              sort:
+                field: '@timestamp'
+                order: desc
+      policy:
+        phases:
+          hot:
+            actions:
+              rollover:
+                max_size: 50gb
+            min_age: 0ms
     so-case:
       index_sorting: false
       index_template:

salt/elasticsearch/templates/component/elastic-agent/so-items-mappings.json

@@ -0,0 +1,112 @@
+{
+  "template": {
+    "mappings": {
+      "dynamic": "strict",
+      "properties": {
+        "binary": {
+          "type": "binary"
+        },
+        "boolean": {
+          "type": "boolean"
+        },
+        "byte": {
+          "type": "byte"
+        },
+        "created_at": {
+          "type": "date"
+        },
+        "created_by": {
+          "type": "keyword"
+        },
+        "date": {
+          "type": "date"
+        },
+        "date_nanos": {
+          "type": "date_nanos"
+        },
+        "date_range": {
+          "type": "date_range"
+        },
+        "deserializer": {
+          "type": "keyword"
+        },
+        "double": {
+          "type": "double"
+        },
+        "double_range": {
+          "type": "double_range"
+        },
+        "float": {
+          "type": "float"
+        },
+        "float_range": {
+          "type": "float_range"
+        },
+        "geo_point": {
+          "type": "geo_point"
+        },
+        "geo_shape": {
+          "type": "geo_shape"
+        },
+        "half_float": {
+          "type": "half_float"
+        },
+        "integer": {
+          "type": "integer"
+        },
+        "integer_range": {
+          "type": "integer_range"
+        },
+        "ip": {
+          "type": "ip"
+        },
+        "ip_range": {
+          "type": "ip_range"
+        },
+        "keyword": {
+          "type": "keyword"
+        },
+        "list_id": {
+          "type": "keyword"
+        },
+        "long": {
+          "type": "long"
+        },
+        "long_range": {
+          "type": "long_range"
+        },
+        "meta": {
+          "type": "object",
+          "enabled": false
+        },
+        "serializer": {
+          "type": "keyword"
+        },
+        "shape": {
+          "type": "shape"
+        },
+        "short": {
+          "type": "short"
+        },
+        "text": {
+          "type": "text"
+        },
+        "tie_breaker_id": {
+          "type": "keyword"
+        },
+        "updated_at": {
+          "type": "date"
+        },
+        "updated_by": {
+          "type": "keyword"
+        }
+      }
+    },
+    "aliases": {}
+  },
+  "version": 2,
+    "_meta": {
+      "managed": true,
+      "description": "default mappings for the .items index template installed by Kibana/Security"
+    }
+}

salt/elasticsearch/templates/component/elastic-agent/so-lists-mappings.json

@@ -0,0 +1,55 @@
+{
+  "template": {
+  "mappings": {
+    "dynamic": "strict",
+    "properties": {
+      "created_at": {
+        "type": "date"
+      },
+      "created_by": {
+        "type": "keyword"
+      },
+      "description": {
+        "type": "keyword"
+      },
+      "deserializer": {
+        "type": "keyword"
+      },
+      "immutable": {
+        "type": "boolean"
+      },
+      "meta": {
+        "type": "object",
+        "enabled": false
+      },
+      "name": {
+        "type": "keyword"
+      },
+      "serializer": {
+        "type": "keyword"
+      },
+      "tie_breaker_id": {
+        "type": "keyword"
+      },
+      "type": {
+        "type": "keyword"
+      },
+      "updated_at": {
+        "type": "date"
+      },
+      "updated_by": {
+        "type": "keyword"
+      },
+      "version": {
+        "type": "keyword"
+      }
+    }
+  },
+    "aliases": {}
+  },
+  "version": 2,
+    "_meta": {
+      "managed": true,
+      "description": "default mappings for the .lists index template installed by Kibana/Security"
+    }
+}