Merge pull request #14331 from Security-Onion-Solutions/reyesj2-patch-2

osquery v1.15.0 index templates updates
2025-12-06 09:12:45 +01:00 · 2025-03-04 13:17:28 -06:00
parent 0ff4fc101b 124bf266b5
commit 966503d875
4 changed files with 90 additions and 11 deletions
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -2659,7 +2659,7 @@ elasticsearch:
              set_priority:
                priority: 50
            min_age: 30d
-    so-logs-osquery-manager-action_x_responses:
+    so-logs-osquery_manager_x_action_x_responses:
      index_sorting: false
      index_template:
        _meta:
@@ -2667,17 +2667,51 @@ elasticsearch:
          managed_by: security_onion
          package:
            name: elastic_agent
        data_stream:
          allow_custom_routing: false
          hidden: false
        composed_of:
-        - logs-osquery_manager.action.responses
+        - logs-osquery_manager.action.responses@package
-        ignore_missing_component_templates: []
+        - logs-osquery_manager.action.responses@custom
        - so-fleet_integrations.ip_mappings-1
        - so-fleet_globals-1
        - so-fleet_agent_id_verification-1
        ignore_missing_component_templates:
        - logs-osquery_manager.action.responses@custom
        index_patterns:
-        - .logs-osquery_manager.action.responses*
+        - logs-osquery_manager.action.responses*
        priority: 501
        template:
          settings:
            index:
              lifecycle:
                name: so-logs-osquery_manager.action.responses-logs
              number_of_replicas: 0
-    so-logs-osquery-manager-actions:
+      policy:
        phases:
          cold:
            actions:
              set_priority:
                priority: 0
            min_age: 60d
          delete:
            actions:
              delete: {}
            min_age: 365d
          hot:
            actions:
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
              set_priority:
                priority: 100
            min_age: 0ms
          warm:
            actions:
              set_priority:
                priority: 50
            min_age: 30d
    so-logs-osquery_manager_x_result:
      index_sorting: false
      index_template:
        _meta:
@@ -2685,16 +2719,50 @@ elasticsearch:
          managed_by: security_onion
          package:
            name: elastic_agent
        data_stream:
          allow_custom_routing: false
          hidden: false
        composed_of:
-        - logs-osquery_manager.actions
+        - logs-osquery_manager.result@package
-        ignore_missing_component_templates: []
+        - logs-osquery_manager.result@custom
        - so-fleet_integrations.ip_mappings-1
        - so-fleet_globals-1
        - so-fleet_agent_id_verification-1
        ignore_missing_component_templates:
        - logs-osquery_manager.result@custom
        index_patterns:
-        - .logs-osquery_manager.actions*
+        - logs-osquery_manager.result*
        priority: 501
        template:
          settings:
            index:
              lifecycle:
                name: so-logs-osquery_manager.result-logs
              number_of_replicas: 0
      policy:
        phases:
          cold:
            actions:
              set_priority:
                priority: 0
            min_age: 60d
          delete:
            actions:
              delete: {}
            min_age: 365d
          hot:
            actions:
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
              set_priority:
                priority: 100
            min_age: 0ms
          warm:
            actions:
              set_priority:
                priority: 50
            min_age: 30d
    so-logs-soc:
      close: 30
      delete: 365
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -368,8 +368,8 @@ elasticsearch:
    so-logs-detections_x_alerts: *indexSettings
    so-logs-http_endpoint_x_generic: *indexSettings
    so-logs-httpjson_x_generic: *indexSettings
-    so-logs-osquery-manager-actions: *indexSettings
+    so-logs-osquery_manager_x_action_x_responses: *indexSettings
-    so-logs-osquery-manager-action_x_responses: *indexSettings
+    so-logs-osquery_manager_x_result: *indexSettings
    so-logs-elastic_agent_x_apm_server: *indexSettings
    so-logs-elastic_agent_x_auditbeat: *indexSettings
    so-logs-elastic_agent_x_cloudbeat: *indexSettings
--- a/salt/elasticsearch/templates/component/elastic-agent/logs@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs@custom.json
@@ -0,0 +1,9 @@
 {
  "template": {
    "settings": {
      "index": {
        "number_of_replicas": "0"
      }
    }
  }
 }
--- a/salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json
@@ -1,7 +1,9 @@
 {
  "template": {
    "settings": {
-      "number_of_replicas": 0
+      "index": {
        "number_of_replicas": "0"
      }
    }
  }
 }