diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md new file mode 100644 index 000000000..e4c0bf2be --- /dev/null +++ b/DOWNLOAD_AND_VERIFY_ISO.md 
@@ -0,0 +1,52 @@ +### 2.4.2-20230531 ISO image built on 2023/05/31 + + + +### Download and Verify + +2.4.2-20230531 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.2-20230531.iso + +MD5: EB861EFB7F7DA6FB418075B4C452E4EB +SHA1: 479A72DBB0633CB23608122F7200A24E2C3C3128 +SHA256: B69C1AE4C576BBBC37F4B87C2A8379903421E65B2C4F24C90FABB0EAD6F0471B + +Signature for ISO image: +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.2-20230531.iso.sig + +Signing key: +https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS + +For example, here are the steps you can use on most Linux distributions to download and verify our Security Onion ISO image. + +Download and import the signing key: +``` +wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS -O - | gpg --import - +``` + +Download the signature file for the ISO: +``` +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.2-20230531.iso.sig +``` + +Download the ISO image: +``` +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.2-20230531.iso +``` + +Verify the downloaded ISO image using the signature file: +``` +gpg --verify securityonion-2.4.2-20230531.iso.sig securityonion-2.4.2-20230531.iso +``` + +The output should show "Good signature" and the Primary key fingerprint should match what's shown below: +``` +gpg: Signature made Wed 31 May 2023 05:01:41 PM EDT using RSA key ID FE507013 +gpg: Good signature from "Security Onion Solutions, LLC " +gpg: WARNING: This key is not certified with a trusted signature! +gpg: There is no indication that the signature belongs to the owner. +Primary key fingerprint: C804 A93D 36BE 0C73 3EA1 9644 7C10 60B7 FE50 7013 +``` + +Once you've verified the ISO image, you're ready to proceed to our Installation guide: +https://docs.securityonion.net/en/2.4/installation.html 
diff --git a/README.md b/README.md index fc302d2a8..72f2d34fe 100644 --- a/README.md +++ b/README.md @@ -1,20 +1,26 @@ -## Security Onion 2.4 Beta 3 +## Security Onion 2.4 Release Candidate 1 (RC1) -Security Onion 2.4 Beta 3 is here! +Security Onion 2.4 Release Candidate 1 (RC1) is here! ## Screenshots Alerts -![Alerts](./assets/images/screenshots/alerts.png) +![Alerts](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/39_alerts.png) Dashboards -![Dashboards](./assets/images/screenshots/dashboards.png) +![Dashboards](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/40_dashboards.png) Hunt -![Hunt](./assets/images/screenshots/hunt.png) +![Hunt](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/41_hunt.png) -Cases -![Cases](./assets/images/screenshots/cases-comments.png) +PCAP +![PCAP](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/42_pcap.png) + +Grid +![Grid](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/46_grid.png) + +Config +![Config](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/50_config.png) ### Release Notes diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md deleted file mode 100644 index 53a229349..000000000 --- a/VERIFY_ISO.md +++ /dev/null @@ -1 +0,0 @@ -### An ISO will be available starting in RC1. diff --git a/pillar/top.sls b/pillar/top.sls index 7a36dcc53..75117e35f 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -52,6 +52,8 @@ base: - influxdb.adv_influxdb - elasticsearch.soc_elasticsearch - elasticsearch.adv_elasticsearch + - elasticfleet.soc_elasticfleet + - elasticfleet.adv_elasticfleet - elastalert.soc_elastalert - elastalert.adv_elastalert - backup.soc_backup 
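Review bot: The new `ELASTIC_AGENT_TARBALL_VERSION="8.7.1"` pin carries no comment saying what consumes it or what it has to stay in step with, unlike the named constants around it; a one-liner such as `# Elastic Agent tarball version; presumably must match the Elastic stack version rolled out by the elasticfleet state` would save the next maintainer a grep. The code that downloads or unpacks a tarball from this version string is not in this hunk, so it is worth confirming there that the artifact is checked against a checksum or signature rather than trusted on version alone.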
@@ -91,6 +93,8 @@ base: - kratos.soc_kratos - elasticsearch.soc_elasticsearch - elasticsearch.adv_elasticsearch + - elasticfleet.soc_elasticfleet + - elasticfleet.adv_elasticfleet - elastalert.soc_elastalert - elastalert.adv_elastalert - manager.soc_manager @@ -149,6 +153,8 @@ base: - influxdb.adv_influxdb - elasticsearch.soc_elasticsearch - elasticsearch.adv_elasticsearch + - elasticfleet.soc_elasticfleet + - elasticfleet.adv_elasticfleet - elastalert.soc_elastalert - elastalert.adv_elastalert - manager.soc_manager @@ -244,6 +250,8 @@ base: - kratos.soc_kratos - elasticsearch.soc_elasticsearch - elasticsearch.adv_elasticsearch + - elasticfleet.soc_elasticfleet + - elasticfleet.adv_elasticfleet - elastalert.soc_elastalert - elastalert.adv_elastalert - manager.soc_manager @@ -283,6 +291,8 @@ base: - logstash.nodes - logstash.soc_logstash - logstash.adv_logstash + - elasticfleet.soc_elasticfleet + - elasticfleet.adv_elasticfleet - minions.{{ grains.id }} - minions.adv_{{ grains.id }} diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index ddb85f654..f25bdb431 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -5,6 +5,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +ELASTIC_AGENT_TARBALL_VERSION="8.7.1" DEFAULT_SALT_DIR=/opt/so/saltstack/default DOC_BASE_URL="https://docs.securityonion.net/en/2.4" 
@@ -160,41 +161,6 @@ disable_fastestmirror() { sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf } -elastic_fleet_integration_create() { - - JSON_STRING=$1 - - curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" -} - -elastic_fleet_policy_create() { - - NAME=$1 - DESC=$2 - FLEETSERVER=$3 - TIMEOUT=$4 - - JSON_STRING=$( jq -n \ - --arg NAME "$NAME" \ - --arg DESC "$DESC" \ - --arg TIMEOUT $TIMEOUT \ - --arg FLEETSERVER "$FLEETSERVER" \ - '{"name": $NAME,"id":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":$TIMEOUT,"has_fleet_server":$FLEETSERVER}' - ) - # Create Fleet Policy - curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/agent_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" - -} - -elastic_fleet_policy_update() { - - POLICYID=$1 - JSON_STRING=$2 - - curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/$POLICYID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" -} - - elastic_license() { read -r -d '' message <<- EOM diff --git a/salt/common/tools/sbin_jinja/so-import-evtx b/salt/common/tools/sbin_jinja/so-import-evtx index edb0a08a8..fec7223b8 100755 --- a/salt/common/tools/sbin_jinja/so-import-evtx +++ b/salt/common/tools/sbin_jinja/so-import-evtx 
@@ -14,19 +14,56 @@ {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} INDEX_DATE=$(date +'%Y.%m.%d') -RUNID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1) LOG_FILE=/nsm/import/evtx-import.log . /usr/sbin/so-common function usage { cat << EOF -Usage: $0 [evtx-file-2] [evtx-file-*] +Usage: $0 [options] [evtx-file-2] [evtx-file-*] Imports one or more evtx files into Security Onion. The evtx files will be analyzed and made available for review in the Security Onion toolset. + +Options: + --json Outputs summary in JSON format. Implies --quiet. + --quiet Silences progress information to stdout. EOF } +quiet=0 +json=0 +INPUT_FILES= +while [[ $# -gt 0 ]]; do + param=$1 + shift + case "$param" in + --json) + json=1 + quiet=1 + ;; + --quiet) + quiet=1 + ;; + -*) + echo "Encountered unexpected parameter: $param" + usage + exit 1 + ;; + *) + if [[ "$INPUT_FILES" != "" ]]; then + INPUT_FILES="$INPUT_FILES $param" + else + INPUT_FILES="$param" + fi + ;; + esac +done + +function status { + msg=$1 + [[ $quiet -eq 1 ]] && return + echo "$msg" +} function evtx2es() { EVTX=$1 @@ -42,31 +79,30 @@ function evtx2es() { } # if no parameters supplied, display usage -if [ $# -eq 0 ]; then +if [ "$INPUT_FILES" == "" ]; then usage exit 1 fi # ensure this is a Manager node -require_manager +require_manager @> /dev/null # verify that all parameters are files -for i in "$@"; do +for i in $INPUT_FILES; do if ! [ -f "$i" ]; then - usage echo "\"$i\" is not a valid file!" exit 2 fi done -# track if we have any valid or invalid evtx -INVALID_EVTXS="no" -VALID_EVTXS="no" - # track oldest start and newest end so that we can generate the Kibana search hyperlink at the end START_OLDEST="2050-12-31" END_NEWEST="1971-01-01" +INVALID_EVTXS_COUNT=0 +VALID_EVTXS_COUNT=0 +SKIPPED_EVTXS_COUNT=0 + touch /nsm/import/evtx-start_oldest touch /nsm/import/evtx-end_newest 
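Review bot: Collecting the file arguments into the space-separated string `INPUT_FILES` undoes the quoting the original `"$@"` loops relied on, so a path containing whitespace is split into several non-existent files and a glob character in a path is expanded, even though the comment `# paths must be quoted in case they include spaces` survives lower in the file. Use a bash array instead and change the emptiness test and both `for … in $INPUT_FILES` loops (the `for i` loop in the next hunk and the `for EVTX` loop in the one after it) to iterate over `"${INPUT_FILES[@]}"`. The same construction is repeated in so-import-pcap (hunks `@@ -15,12 +15,51 @@`, `@@ -84,7 +123,7 @@` and `@@ -96,31 +135,30 @@`) and needs the same fix. Separately, `status` leaves `msg` as a global and prints it with `echo`, which treats a message beginning with `-` as options; `local msg=$1` and `printf '%s\n' "$msg"` are the safer form.
```shell
INPUT_FILES=()
# … unchanged: while/case header and the --json, --quiet and -* arms …
    *)
      INPUT_FILES+=("$param")
      ;;
# … unchanged: esac, done, status(), evtx2es() …
if [ "${#INPUT_FILES[@]}" -eq 0 ]; then
# … unchanged: usage / exit 1 / require_manager …
for i in "${INPUT_FILES[@]}"; do
```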
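Review bot: `require_manager @> /dev/null` does not silence the check: `@>` is not a redirection operator, so bash passes a literal `@` as the first argument to require_manager and redirects only stdout, leaving stderr untouched. The intent is presumably `require_manager &> /dev/null` (or `> /dev/null 2>&1`). require_manager is defined in so-common, outside this hunk, so whether the stray argument alters its behaviour cannot be confirmed from here.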
@@ -74,27 +110,39 @@ echo $START_OLDEST > /nsm/import/evtx-start_oldest echo $END_NEWEST > /nsm/import/evtx-end_newest # paths must be quoted in case they include spaces -for EVTX in "$@"; do +for EVTX in $INPUT_FILES; do EVTX=$(/usr/bin/realpath "$EVTX") - echo "Processing Import: ${EVTX}" + status "Processing Import: ${EVTX}" # generate a unique hash to assist with dedupe checks HASH=$(md5sum "${EVTX}" | awk '{ print $1 }') HASH_DIR=/nsm/import/${HASH} - echo "- assigning unique identifier to import: $HASH" + status "- assigning unique identifier to import: $HASH" + + if [[ "$HASH_FILTERS" == "" ]]; then + HASH_FILTERS="import.id:${HASH}" + HASHES="${HASH}" + else + HASH_FILTERS="$HASH_FILTERS%20OR%20import.id:${HASH}" + HASHES="${HASHES} ${HASH}" + fi if [ -d $HASH_DIR ]; then - echo "- this EVTX has already been imported; skipping" - INVALID_EVTXS="yes" + status "- this EVTX has already been imported; skipping" + SKIPPED_EVTXS_COUNT=$((SKIPPED_EVTXS_COUNT + 1)) else - VALID_EVTXS="yes" - EVTX_DIR=$HASH_DIR/evtx mkdir -p $EVTX_DIR # import evtx and write them to import ingest pipeline - echo "- importing logs to Elasticsearch..." + status "- importing logs to Elasticsearch..." evtx2es "${EVTX}" $HASH + if [[ $? -ne 0 ]]; then + INVALID_EVTXS_COUNT=$((INVALID_EVTXS_COUNT + 1)) + status "- WARNING: This evtx file may not have fully imported successfully" + else + VALID_EVTXS_COUNT=$((VALID_EVTXS_COUNT + 1)) + fi # compare $START to $START_OLDEST START=$(cat /nsm/import/evtx-start_oldest) 
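Review bot: `HASH_FILTERS` and `HASHES` are tested with `[[ "$HASH_FILTERS" == "" ]]` before anything visible in the script assigns them, so unless an unseen part of the file resets them a value inherited from the caller's environment would be silently prepended to the dashboard URL and to the JSON `hash` list. Initialise them alongside the new counters in the previous hunk, `HASH_FILTERS=` and `HASHES=`. The same pattern appears in so-import-pcap (hunk `@@ -131,33 +169,44 @@`). Style: `evtx2es "${EVTX}" $HASH` followed by `if [[ $? -ne 0 ]]` reads more directly as `if ! evtx2es "${EVTX}" "$HASH"; then`; evtx2es itself is defined outside this hunk.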
@@ -118,38 +166,60 @@ for EVTX in "$@"; do fi # end of valid evtx - echo + status done # end of for-loop processing evtx files -# remove temp files -echo "Cleaning up:" -for TEMP_EVTX in ${TEMP_EVTXS[@]}; do - echo "- removing temporary evtx $TEMP_EVTX" - rm -f $TEMP_EVTX -done - # output final messages -if [ "$INVALID_EVTXS" = "yes" ]; then - echo - echo "Please note! One or more evtx was invalid! You can scroll up to see which ones were invalid." +if [[ $INVALID_EVTXS_COUNT -gt 0 ]]; then + status + status "Please note! One or more evtx was invalid! You can scroll up to see which ones were invalid." fi START_OLDEST_FORMATTED=`date +%Y-%m-%d --date="$START_OLDEST"` START_OLDEST_SLASH=$(echo $START_OLDEST_FORMATTED | sed -e 's/-/%2F/g') END_NEWEST_SLASH=$(echo $END_NEWEST | sed -e 's/-/%2F/g') -if [ "$VALID_EVTXS" = "yes" ]; then -cat << EOF +if [[ $VALID_EVTXS_COUNT -gt 0 ]] || [[ $SKIPPED_EVTXS_COUNT -gt 0 ]]; then + URL="https://{{ URLBASE }}/#/dashboards?q=$HASH_FILTERS%20%7C%20groupby%20-sankey%20event.dataset%20event.category%2a%20%7C%20groupby%20-pie%20event.category%20%7C%20groupby%20-bar%20event.module%20%7C%20groupby%20event.dataset%20%7C%20groupby%20event.module%20%7C%20groupby%20event.category%20%7C%20groupby%20observer.name%20%7C%20groupby%20source.ip%20%7C%20groupby%20destination.ip%20%7C%20groupby%20destination.port&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC" -Import complete! - -You can use the following hyperlink to view data in the time range of your import. 
You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser: -https://{{ URLBASE }}/#/dashboards?q=import.id:${RUNID}%20%7C%20groupby%20-sankey%20event.dataset%20event.category%2a%20%7C%20groupby%20-pie%20event.category%20%7C%20groupby%20-bar%20event.module%20%7C%20groupby%20event.dataset%20%7C%20groupby%20event.module%20%7C%20groupby%20event.category%20%7C%20groupby%20observer.name%20%7C%20groupby%20source.ip%20%7C%20groupby%20destination.ip%20%7C%20groupby%20destination.port&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC - -or you can manually set your Time Range to be (in UTC): -From: $START_OLDEST_FORMATTED To: $END_NEWEST - -Please note that it may take 30 seconds or more for events to appear in Security Onion Console. -EOF + status "Import complete!" + status + status "Use the following hyperlink to view the imported data. Triple-click to quickly highlight the entire hyperlink and then copy it into a browser:" + status + status "$URL" + status + status "or, manually set the Time Range to be (in UTC):" + status + status "From: $START_OLDEST_FORMATTED To: $END_NEWEST" + status + status "Note: It can take 30 seconds or more for events to appear in Security Onion Console." + RESULT=0 +else + START_OLDEST= + END_NEWEST= + URL= + RESULT=1 fi + +if [[ $json -eq 1 ]]; then + jq -n \ + --arg success_count "$VALID_EVTXS_COUNT" \ + --arg fail_count "$INVALID_EVTXS_COUNT" \ + --arg skipped_count "$SKIPPED_EVTXS_COUNT" \ + --arg begin_date "$START_OLDEST" \ + --arg end_date "$END_NEWEST" \ + --arg url "$URL" \ + --arg hashes "$HASHES" \ + '''{ + success_count: $success_count, + fail_count: $fail_count, + skipped_count: $skipped_count, + begin_date: $begin_date, + end_date: $end_date, + url: $url, + hash: ($hashes / " ") + }''' +fi + +exit $RESULT \ No newline at end of file 
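Review bot: The summary passes the counters with `--arg`, so `success_count`, `fail_count` and `skipped_count` come out as JSON strings (`"0"`) rather than numbers even though they are always integers initialised to 0; `--argjson success_count "$VALID_EVTXS_COUNT" \` (and likewise for the other two) gives consumers a proper number. The filter is wrapped in `'''{ … }'''`, which bash parses as two empty strings glued around one single-quoted string — it works, but it reads as a triple-quote that bash does not have; a plain `'{ … }'` is clearer. Both points apply equally to the so-import-pcap hunk `@@ -179,37 +228,62 @@`. The file also loses its trailing newline (`\ No newline at end of file`).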
diff --git a/salt/common/tools/sbin_jinja/so-import-pcap b/salt/common/tools/sbin_jinja/so-import-pcap index d443e9f07..b8a90421f 100755 --- a/salt/common/tools/sbin_jinja/so-import-pcap +++ b/salt/common/tools/sbin_jinja/so-import-pcap @@ -15,12 +15,51 @@ function usage { cat << EOF -Usage: $0 [pcap-file-2] [pcap-file-N] +Usage: $0 [options] [pcap-file-2] [pcap-file-N] Imports one or more PCAP files onto a sensor node. The PCAP traffic will be analyzed and made available for review in the Security Onion toolset. + +Options: + --json Outputs summary in JSON format. Implies --quiet. + --quiet Silences progress information to stdout. EOF } +quiet=0 +json=0 +INPUT_FILES= +while [[ $# -gt 0 ]]; do + param=$1 + shift + case "$param" in + --json) + json=1 + quiet=1 + ;; + --quiet) + quiet=1 + ;; + -*) + echo "Encountered unexpected parameter: $param" + usage + exit 1 + ;; + *) + if [[ "$INPUT_FILES" != "" ]]; then + INPUT_FILES="$INPUT_FILES $param" + else + INPUT_FILES="$param" + fi + ;; + esac +done + +function status { + msg=$1 + [[ $quiet -eq 1 ]] && return + echo "$msg" +} + function pcapinfo() { PCAP=$1 ARGS=$2 @@ -84,7 +123,7 @@ function zeek() { } # if no parameters supplied, display usage -if [ $# -eq 0 ]; then +if [ "$INPUT_FILES" == "" ]; then usage exit 1 fi 
@@ -96,31 +135,30 @@ if [ ! -d /opt/so/conf/suricata ]; then fi # verify that all parameters are files -for i in "$@"; do +for i in $INPUT_FILES; do if ! [ -f "$i" ]; then - usage echo "\"$i\" is not a valid file!" exit 2 fi done -# track if we have any valid or invalid pcaps -INVALID_PCAPS="no" -VALID_PCAPS="no" - # track oldest start and newest end so that we can generate the Kibana search hyperlink at the end START_OLDEST="2050-12-31" END_NEWEST="1971-01-01" +INVALID_PCAPS_COUNT=0 +VALID_PCAPS_COUNT=0 +SKIPPED_PCAPS_COUNT=0 + # paths must be quoted in case they include spaces -for PCAP in "$@"; do +for PCAP in $INPUT_FILES; do PCAP=$(/usr/bin/realpath "$PCAP") - echo "Processing Import: ${PCAP}" - echo "- verifying file" + status "Processing Import: ${PCAP}" + status "- verifying file" if ! pcapinfo "${PCAP}" > /dev/null 2>&1; then # try to fix pcap and then process the fixed pcap directly PCAP_FIXED=`mktemp /tmp/so-import-pcap-XXXXXXXXXX.pcap` - echo "- attempting to recover corrupted PCAP file" + status "- attempting to recover corrupted PCAP file" pcapfix "${PCAP}" "${PCAP_FIXED}" # Make fixed file world readable since the Suricata docker container will runas a non-root user chmod a+r "${PCAP_FIXED}" 
@@ -131,33 +169,44 @@ for PCAP in "$@"; do # generate a unique hash to assist with dedupe checks HASH=$(md5sum "${PCAP}" | awk '{ print $1 }') HASH_DIR=/nsm/import/${HASH} - echo "- assigning unique identifier to import: $HASH" + status "- assigning unique identifier to import: $HASH" - if [ -d $HASH_DIR ]; then - echo "- this PCAP has already been imported; skipping" - INVALID_PCAPS="yes" - elif pcapinfo "${PCAP}" |egrep -q "Last packet time: 1970-01-01|Last packet time: n/a"; then - echo "- this PCAP file is invalid; skipping" - INVALID_PCAPS="yes" + pcap_data=$(pcapinfo "${PCAP}") + if ! echo "$pcap_data" | grep -q "First packet time:" || echo "$pcap_data" |egrep -q "Last packet time: 1970-01-01|Last packet time: n/a"; then + status "- this PCAP file is invalid; skipping" + INVALID_PCAPS_COUNT=$((INVALID_PCAPS_COUNT + 1)) else - VALID_PCAPS="yes" + if [ -d $HASH_DIR ]; then + status "- this PCAP has already been imported; skipping" + SKIPPED_PCAPS_COUNT=$((SKIPPED_PCAPS_COUNT + 1)) + else + VALID_PCAPS_COUNT=$((VALID_PCAPS_COUNT + 1)) - PCAP_DIR=$HASH_DIR/pcap - mkdir -p $PCAP_DIR + PCAP_DIR=$HASH_DIR/pcap + mkdir -p $PCAP_DIR - # generate IDS alerts and write them to standard pipeline - echo "- analyzing traffic with Suricata" - suricata "${PCAP}" $HASH - {% if salt['pillar.get']('global:mdengine') == 'ZEEK' %} - # generate Zeek logs and write them to a unique subdirectory in /nsm/import/zeek/ - # since each run writes to a unique subdirectory, there is no need for a lock file - echo "- analyzing traffic with Zeek" - zeek "${PCAP}" $HASH - {% endif %} + # generate IDS alerts and write them to standard pipeline + status "- analyzing traffic with Suricata" + suricata "${PCAP}" $HASH + {% if salt['pillar.get']('global:mdengine') == 'ZEEK' %} + # generate Zeek logs and write them to a unique subdirectory in /nsm/import/zeek/ + # since each run writes to a unique subdirectory, there is no need for a lock file + status "- analyzing traffic with Zeek" + zeek "${PCAP}" 
$HASH + {% endif %} + fi + + if [[ "$HASH_FILTERS" == "" ]]; then + HASH_FILTERS="import.id:${HASH}" + HASHES="${HASH}" + else + HASH_FILTERS="$HASH_FILTERS%20OR%20import.id:${HASH}" + HASHES="${HASHES} ${HASH}" + fi START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}') END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}') - echo "- saving PCAP data spanning dates $START through $END" + status "- found PCAP data spanning dates $START through $END" # compare $START to $START_OLDEST START_COMPARE=$(date -d $START +%s) 
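Review bot: `VALID_PCAPS_COUNT` is incremented before `suricata` and `zeek` run and neither call's exit status is checked, so a failed analysis is still reported as a success in the JSON summary and via `exit $RESULT`, whereas the evtx script at least inspects `$?` after `evtx2es`. Move the increment after the analysis block and count a non-zero return from either function as a failure, as sketched below. Both functions are defined earlier in the file, outside this hunk, so whether they propagate the underlying tool's exit code cannot be confirmed here. Minor: `egrep` is deprecated in favour of `grep -E`.
```shell
      # … unchanged: PCAP_DIR creation …
      analysis_ok=1
      # generate IDS alerts and write them to standard pipeline
      status "- analyzing traffic with Suricata"
      suricata "${PCAP}" $HASH || analysis_ok=0
      {% if salt['pillar.get']('global:mdengine') == 'ZEEK' %}
      status "- analyzing traffic with Zeek"
      zeek "${PCAP}" $HASH || analysis_ok=0
      {% endif %}
      if [[ $analysis_ok -eq 1 ]]; then
        VALID_PCAPS_COUNT=$((VALID_PCAPS_COUNT + 1))
      else
        INVALID_PCAPS_COUNT=$((INVALID_PCAPS_COUNT + 1))
        status "- WARNING: analysis of this PCAP did not complete successfully"
      fi
```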
@@ -179,37 +228,62 @@ for PCAP in "$@"; do fi # end of valid pcap - echo + status done # end of for-loop processing pcap files # remove temp files -echo "Cleaning up:" for TEMP_PCAP in ${TEMP_PCAPS[@]}; do - echo "- removing temporary pcap $TEMP_PCAP" + status "- removing temporary pcap $TEMP_PCAP" rm -f $TEMP_PCAP done # output final messages -if [ "$INVALID_PCAPS" = "yes" ]; then - echo - echo "Please note! One or more pcaps was invalid! You can scroll up to see which ones were invalid." +if [[ $INVALID_PCAPS_COUNT -gt 0 ]]; then + status + status "WARNING: One or more pcaps was invalid. Scroll up to see which ones were invalid." fi START_OLDEST_SLASH=$(echo $START_OLDEST | sed -e 's/-/%2F/g') END_NEWEST_SLASH=$(echo $END_NEWEST | sed -e 's/-/%2F/g') +if [[ $VALID_PCAPS_COUNT -gt 0 ]] || [[ $SKIPPED_PCAPS_COUNT -gt 0 ]]; then + URL="https://{{ URLBASE }}/#/dashboards?q=$HASH_FILTERS%20%7C%20groupby%20-sankey%20event.dataset%20event.category%2a%20%7C%20groupby%20-pie%20event.category%20%7C%20groupby%20-bar%20event.module%20%7C%20groupby%20event.dataset%20%7C%20groupby%20event.module%20%7C%20groupby%20event.category%20%7C%20groupby%20observer.name%20%7C%20groupby%20source.ip%20%7C%20groupby%20destination.ip%20%7C%20groupby%20destination.port&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC" -if [ "$VALID_PCAPS" = "yes" ]; then -cat << EOF - -Import complete! - -You can use the following hyperlink to view data in the time range of your import. 
You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser: -https://{{ URLBASE }}/#/dashboards?q=import.id:${HASH}%20%7C%20groupby%20-sankey%20event.dataset%20event.category%2a%20%7C%20groupby%20-pie%20event.category%20%7C%20groupby%20-bar%20event.module%20%7C%20groupby%20event.dataset%20%7C%20groupby%20event.module%20%7C%20groupby%20event.category%20%7C%20groupby%20observer.name%20%7C%20groupby%20source.ip%20%7C%20groupby%20destination.ip%20%7C%20groupby%20destination.port&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC - -or you can manually set your Time Range to be (in UTC): -From: $START_OLDEST To: $END_NEWEST - -Please note that it may take 30 seconds or more for events to appear in Security Onion Console. -EOF + status "Import complete!" + status + status "Use the following hyperlink to view the imported data. Triple-click to quickly highlight the entire hyperlink and then copy it into a browser:" + status "$URL" + status + status "or, manually set the Time Range to be (in UTC):" + status "From: $START_OLDEST To: $END_NEWEST" + status + status "Note: It can take 30 seconds or more for events to appear in Security Onion Console." + RESULT=0 +else + START_OLDEST= + END_NEWEST= + URL= + RESULT=1 fi + +if [[ $json -eq 1 ]]; then + jq -n \ + --arg success_count "$VALID_PCAPS_COUNT" \ + --arg fail_count "$INVALID_PCAPS_COUNT" \ + --arg skipped_count "$SKIPPED_PCAPS_COUNT" \ + --arg begin_date "$START_OLDEST" \ + --arg end_date "$END_NEWEST" \ + --arg url "$URL" \ + --arg hashes "$HASHES" \ + '''{ + success_count: $success_count, + fail_count: $fail_count, + skipped_count: $skipped_count, + begin_date: $begin_date, + end_date: $end_date, + url: $url, + hash: ($hashes / " ") + }''' +fi + +exit $RESULT 
diff --git a/salt/curator/files/action/logs-elastic_agent-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-default-close.yaml index ef03e4ba2..03c1ea81d 100644 --- a/salt/curator/files/action/logs-elastic_agent-default-close.yaml +++ b/salt/curator/files/action/logs-elastic_agent-default-close.yaml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml index 1157f94b2..2d7e897cf 100644 --- a/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml +++ b/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml index 6bc2026b9..0fd1d6129 100644 --- a/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml +++ b/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml index a4e38cd8e..cedf64eeb 100644 --- a/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml +++ b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml 
@@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml index 9243d8cfb..e25b7f2b8 100644 --- a/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml +++ b/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/logs-import-so-close.yml b/salt/curator/files/action/logs-import-so-close.yml index 52ddb5eb5..e2d28fd06 100644 --- a/salt/curator/files/action/logs-import-so-close.yml +++ b/salt/curator/files/action/logs-import-so-close.yml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/logs-strelka-so-close.yml b/salt/curator/files/action/logs-strelka-so-close.yml index a5b31785f..c4b57995d 100644 --- a/salt/curator/files/action/logs-strelka-so-close.yml +++ b/salt/curator/files/action/logs-strelka-so-close.yml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/logs-suricata-so-close.yml b/salt/curator/files/action/logs-suricata-so-close.yml index a25be9f3d..c99a85285 100644 --- a/salt/curator/files/action/logs-suricata-so-close.yml +++ b/salt/curator/files/action/logs-suricata-so-close.yml 
@@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/logs-syslog-so-close.yml b/salt/curator/files/action/logs-syslog-so-close.yml index b9baf3c1a..3ccf7834b 100644 --- a/salt/curator/files/action/logs-syslog-so-close.yml +++ b/salt/curator/files/action/logs-syslog-so-close.yml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/logs-system-application-default-close.yaml b/salt/curator/files/action/logs-system-application-default-close.yaml index 76d01ecb4..4a04ebbb7 100644 --- a/salt/curator/files/action/logs-system-application-default-close.yaml +++ b/salt/curator/files/action/logs-system-application-default-close.yaml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/logs-system-auth-default-close.yaml b/salt/curator/files/action/logs-system-auth-default-close.yaml index af9843b35..287997e87 100644 --- a/salt/curator/files/action/logs-system-auth-default-close.yaml +++ b/salt/curator/files/action/logs-system-auth-default-close.yaml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/logs-system-security-default-close.yaml b/salt/curator/files/action/logs-system-security-default-close.yaml index 9a8cab35c..2506ca357 100644 --- a/salt/curator/files/action/logs-system-security-default-close.yaml +++ b/salt/curator/files/action/logs-system-security-default-close.yaml 
@@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/logs-system-syslog-default-close.yaml b/salt/curator/files/action/logs-system-syslog-default-close.yaml index 3c9482b40..8da3afd45 100644 --- a/salt/curator/files/action/logs-system-syslog-default-close.yaml +++ b/salt/curator/files/action/logs-system-syslog-default-close.yaml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/logs-system-system-default-close.yaml b/salt/curator/files/action/logs-system-system-default-close.yaml index 284d6e219..401125e08 100644 --- a/salt/curator/files/action/logs-system-system-default-close.yaml +++ b/salt/curator/files/action/logs-system-system-default-close.yaml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/logs-windows-powershell-default-close.yaml b/salt/curator/files/action/logs-windows-powershell-default-close.yaml index 7c3cebab3..8f878f4c9 100644 --- a/salt/curator/files/action/logs-windows-powershell-default-close.yaml +++ b/salt/curator/files/action/logs-windows-powershell-default-close.yaml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml b/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml index ae98b8939..8cd9c99f3 100644 
--- a/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml +++ b/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/logs-zeek-so-close.yml b/salt/curator/files/action/logs-zeek-so-close.yml index f8ad13ca0..020c89cbc 100644 --- a/salt/curator/files/action/logs-zeek-so-close.yml +++ b/salt/curator/files/action/logs-zeek-so-close.yml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/so-beats-close.yml b/salt/curator/files/action/so-beats-close.yml index 27985a50d..88c7ce91a 100644 --- a/salt/curator/files/action/so-beats-close.yml +++ b/salt/curator/files/action/so-beats-close.yml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/so-elasticsearch-close.yml b/salt/curator/files/action/so-elasticsearch-close.yml index 11e0b1e7b..e4d8824bd 100644 --- a/salt/curator/files/action/so-elasticsearch-close.yml +++ b/salt/curator/files/action/so-elasticsearch-close.yml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/so-firewall-close.yml b/salt/curator/files/action/so-firewall-close.yml index 9b2a619ef..18d30737d 100644 --- a/salt/curator/files/action/so-firewall-close.yml +++ b/salt/curator/files/action/so-firewall-close.yml 
@@ -13,7 +13,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/so-ids-close.yml b/salt/curator/files/action/so-ids-close.yml index 25b2650ab..359e0a4cc 100644 --- a/salt/curator/files/action/so-ids-close.yml +++ b/salt/curator/files/action/so-ids-close.yml @@ -13,7 +13,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/so-import-close.yml b/salt/curator/files/action/so-import-close.yml index 017c5f08e..7a60b9343 100644 --- a/salt/curator/files/action/so-import-close.yml +++ b/salt/curator/files/action/so-import-close.yml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/so-kibana-close.yml b/salt/curator/files/action/so-kibana-close.yml index 72a234d98..7c29ed294 100644 --- a/salt/curator/files/action/so-kibana-close.yml +++ b/salt/curator/files/action/so-kibana-close.yml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/so-kratos-close.yml b/salt/curator/files/action/so-kratos-close.yml index 7b99a508e..d5fc3385c 100644 --- a/salt/curator/files/action/so-kratos-close.yml +++ b/salt/curator/files/action/so-kratos-close.yml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern 
diff --git a/salt/curator/files/action/so-logstash-close.yml b/salt/curator/files/action/so-logstash-close.yml index bbd52c706..34402d95c 100644 --- a/salt/curator/files/action/so-logstash-close.yml +++ b/salt/curator/files/action/so-logstash-close.yml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/so-netflow-close.yml b/salt/curator/files/action/so-netflow-close.yml index 587d749d4..359d6f1f1 100644 --- a/salt/curator/files/action/so-netflow-close.yml +++ b/salt/curator/files/action/so-netflow-close.yml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/so-osquery-close.yml b/salt/curator/files/action/so-osquery-close.yml index d8bc54579..59b6a92b2 100644 --- a/salt/curator/files/action/so-osquery-close.yml +++ b/salt/curator/files/action/so-osquery-close.yml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/so-ossec-close.yml b/salt/curator/files/action/so-ossec-close.yml index 4de77abb1..ac0691ad8 100644 --- a/salt/curator/files/action/so-ossec-close.yml +++ b/salt/curator/files/action/so-ossec-close.yml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/so-redis-close.yml b/salt/curator/files/action/so-redis-close.yml index 36c1b9744..f7c5ef4c6 100644 --- a/salt/curator/files/action/so-redis-close.yml +++ b/salt/curator/files/action/so-redis-close.yml 
@@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/so-strelka-close.yml b/salt/curator/files/action/so-strelka-close.yml index e168e44fa..9d908d6d2 100644 --- a/salt/curator/files/action/so-strelka-close.yml +++ b/salt/curator/files/action/so-strelka-close.yml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/so-syslog-close.yml b/salt/curator/files/action/so-syslog-close.yml index 8fcf46f52..e5a58e437 100644 --- a/salt/curator/files/action/so-syslog-close.yml +++ b/salt/curator/files/action/so-syslog-close.yml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/so-zeek-close.yml b/salt/curator/files/action/so-zeek-close.yml index 950f3e6b2..1e9ea59e4 100644 --- a/salt/curator/files/action/so-zeek-close.yml +++ b/salt/curator/files/action/so-zeek-close.yml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/tools/sbin_jinja/so-curator-cluster-delete-delete b/salt/curator/tools/sbin_jinja/so-curator-cluster-delete-delete index d6049ffb8..e0c5144bc 100755 --- a/salt/curator/tools/sbin_jinja/so-curator-cluster-delete-delete +++ b/salt/curator/tools/sbin_jinja/so-curator-cluster-delete-delete 
@@ -10,44 +10,58 @@
 {%- set RETENTION = salt['pillar.get']('elasticsearch:retention', ELASTICDEFAULTS.elasticsearch.retention, merge=true) -%}
 LOG="/opt/so/log/curator/so-curator-cluster-delete.log"
-LOG_SIZE_LIMIT=$(/usr/sbin/so-elasticsearch-cluster-space-total {{ RETENTION.retention_pct}})
+ALERT_LOG="/opt/so/log/curator/alert.log"
+LOG_SIZE_LIMIT_GB=$(/usr/sbin/so-elasticsearch-cluster-space-total {{ RETENTION.retention_pct}})
+LOG_SIZE_LIMIT=$(( "$LOG_SIZE_LIMIT_GB" * 1000 * 1000 * 1000 ))
+ITERATION=0
+MAX_ITERATIONS=10
 overlimit() {
- [[ $(/usr/sbin/so-elasticsearch-cluster-space-used) -gt "${LOG_SIZE_LIMIT}" ]]
+ [[ $(/usr/sbin/so-elasticsearch-cluster-space-used) -gt ${LOG_SIZE_LIMIT} ]]
 }
-# Check to see if Elasticsearch indices using more disk space than LOG_SIZE_LIMIT
-# Closed indices will be deleted first. If we are able to bring disk space under LOG_SIZE_LIMIT, we will break out of the loop.
-while overlimit; do
+###########################
+# Check for 2 conditions: #
+###########################
+# 1. Check if Elasticsearch indices are using more disk space than LOG_SIZE_LIMIT
+# 2. Check if the maximum number of iterations - MAX_ITERATIONS - has been exceeded. If so, exit.
+# Closed indices will be deleted first. If we are able to bring disk space under LOG_SIZE_LIMIT, or the number of iterations has exceeded the maximum allowed number of iterations, we will break out of the loop.
+
+while overlimit && [[ $ITERATION -lt $MAX_ITERATIONS ]]; do
+ # If we can't query Elasticsearch, then immediately return false.
 /usr/sbin/so-elasticsearch-query _cat/indices?h=index,status > /dev/null 2>&1
 [ $? -eq 1 ] && echo "$(date) - Could not query Elasticsearch."
>> ${LOG} && exit
+ # We iterate through the closed and open indices
- CLOSED_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep 'close$' | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3)
- OPEN_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep 'open$' | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3)
- for INDEX in ${CLOSED_INDICES} ${OPEN_INDICES}; do
- # Now that we've sorted the indices from oldest to newest, we need to check each index to see if it is assigned as the current write index for a data stream
+ CLOSED_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep 'close$' | awk '{print $1}' | grep -vE "playbook|so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3)
+ OPEN_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep 'open$' | awk '{print $1}' | grep -vE "playbook|so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3)
+
+ for INDEX in ${CLOSED_INDICES} ${OPEN_INDICES}; do
+ # Now that we've sorted the indices from oldest to newest, we need to check each index to see if it is assigned as the current write index for a data stream
 # To do so, we need to identify to which data stream this index is associated
 # We extract the data stream name using the pattern below
 DATASTREAM_PATTERN="logs-[a-zA-Z_.]+-[a-zA-Z_.]+"
 DATASTREAM=$(echo "${INDEX}" | grep -oE "$DATASTREAM_PATTERN")
 # We look up the data stream, and determine the write index.
If there is only one backing index, we delete the entire data stream
- BACKING_INDICES=$(/usr/sbin/so-elasticsearch-query _data_stream/${DATASTREAM} | jq -r '.data_streams[0].indices | length')
- if [ "$BACKING_INDICES" -gt 1 ]; then
+ BACKING_INDICES=$(/usr/sbin/so-elasticsearch-query _data_stream/${DATASTREAM} | jq -r '.data_streams[0].indices | length')
+ if [ "$BACKING_INDICES" -gt 1 ]; then
 CURRENT_WRITE_INDEX=$(/usr/sbin/so-elasticsearch-query _data_stream/$DATASTREAM | jq -r .data_streams[0].indices[-1].index_name)
- # We make sure we are not trying to delete a write index
+ # We make sure we are not trying to delete a write index
 if [ "${INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then
 # This should not be a write index, so we should be allowed to delete it
- printf "\n$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Deleting ${INDEX} index...\n" >> ${LOG}
+ printf "\n$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT_GB} GB) - Deleting ${INDEX} index...\n" >> ${LOG}
 /usr/sbin/so-elasticsearch-query ${INDEX} -XDELETE >> ${LOG} 2>&1
 fi
- else
- # We delete the entire data stream, since there is only one backing index
- printf "\n$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Deleting ${DATASTREAM} data stream...\n" >> ${LOG}
- /usr/sbin/so-elasticsearch-query _data_stream/${DATASTREAM} -XDELETE >> ${LOG} 2>&1
- fi
- if ! overlimit; then
+ fi
+ if ! overlimit ; then
 exit
 fi
+ ((ITERATION++))
 done
+ if [[ $ITERATION -ge $MAX_ITERATIONS ]]; then
+ alert_id=$(uuidgen)
+ printf "\n$(date) -> Maximum iteration limit reached ($MAX_ITERATIONS). Unable to bring disk below threshold. Writing alert ($alert_id) to ${ALERT_LOG}\n" >> ${LOG}
+ printf "\n$(date),$alert_id,Maximum iteration limit reached ($MAX_ITERATIONS). Unable to bring disk below threshold.\n" >> ${ALERT_LOG}
+ fi
 done
diff --git a/salt/elastalert/defaults.yaml b/salt/elastalert/defaults.yaml
index c073e4ee6..a01c80952 100644
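Review bot: `((ITERATION++))` sits inside the `for INDEX` loop, so ITERATION counts indices examined rather than passes of the outer `while` that the new header comment describes; with ten or more candidate indices a single sweep exhausts MAX_ITERATIONS, the "Maximum iteration limit reached" alert is written to alert.log, and the while condition ends the run even though a second pass might have freed an index that was still the write index during the first. Moving the increment to just after the inner loop's `done`, as `ITERATION=$((ITERATION + 1))` placed before the `if [[ $ITERATION -ge $MAX_ITERATIONS ]]` check, makes the counter match the comment. The arithmetic form also matters on its own: `((ITERATION++))` returns non-zero on the first increment (the expression's value is 0), which would abort the script if the part of the file above this hunk enables `set -e`. The header comment should also say that a data stream with a single backing index is now left untouched, since the branch that used to delete it is gone and the skipped index leaves no trace in the log.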
--- a/salt/elastalert/defaults.yaml
+++ b/salt/elastalert/defaults.yaml
@@ -13,7 +13,6 @@ elastalert:
 es_port: 9200
 es_conn_timeout: 55
 max_query_size: 5000
- eql: true
 use_ssl: true
 verify_certs: false
 writeback_index: elastalert
diff --git a/salt/elastalert/files/modules/so/playbook-es.py b/salt/elastalert/files/modules/so/playbook-es.py
index 680c81d53..3b38fcf57 100644
--- a/salt/elastalert/files/modules/so/playbook-es.py
+++ b/salt/elastalert/files/modules/so/playbook-es.py
@@ -31,7 +31,7 @@ class PlaybookESAlerter(Alerter):
 creds = (self.rule['es_username'], self.rule['es_password'])
 payload = {"rule": { "name": self.rule['play_title'],"case_template": self.rule['play_id'],"uuid": self.rule['play_id'],"category": self.rule['rule.category']},"event":{ "severity": self.rule['event.severity'],"module": self.rule['event.module'],"dataset": self.rule['event.dataset'],"severity_label": self.rule['sigma_level']},"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"event_data": match, "@timestamp": timestamp}
- url = f"{self.rule['es_hosts']}/so-playbook-alerts-{today}/_doc/"
+ url = f"https://{self.rule['es_host']}:{self.rule['es_port']}/logs-playbook.alerts-so/_doc/"
 requests.post(url, data=json.dumps(payload), headers=headers, verify=False, auth=creds)
 def get_info(self):
diff --git a/salt/elastalert/map.jinja b/salt/elastalert/map.jinja
index 7cec262d0..cc395d8ee 100644
--- a/salt/elastalert/map.jinja
+++ b/salt/elastalert/map.jinja
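Review bot: the alert URL is now fixed to `https://{self.rule['es_host']}:{self.rule['es_port']}/...`, yet the `requests.post` on the next line still passes `verify=False` together with the `so_elastic_user` basic-auth `creds`, so the scheme change authenticates nothing and the credentials are sent to whatever answers on that host and port. Pointing `verify=` at the grid's CA bundle, `verify="<path to grid CA bundle>"` (placeholder), closes that; if the `verify_certs` setting in defaults.yaml above is meant to govern this alerter too, read it from `self.rule` rather than hard-coding either value. The enclosing method's body begins before this hunk.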
@@ -8,7 +8,7 @@ {% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %} -{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_hosts': 'https://' + GLOBALS.manager + ':' + ELASTALERTDEFAULTS.elastalert.config.es_port|string}) %} +{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_host': GLOBALS.manager}) %} {% do ELASTALERTDEFAULTS.elastalert.config.update({'es_username': pillar.elasticsearch.auth.users.so_elastic_user.user}) %} {% do ELASTALERTDEFAULTS.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %} diff --git a/salt/elasticfleet/config.sls b/salt/elasticfleet/config.sls index 29aa7eb30..cc3b0675f 100644 --- a/salt/elasticfleet/config.sls +++ b/salt/elasticfleet/config.sls @@ -4,6 +4,7 @@ # Elastic License 2.0. {% from 'allowed_states.map.jinja' import allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} {% if sls.split('.')[0] in allowed_states %} # Add EA Group @@ -51,6 +52,36 @@ eastatedir: - group: 939 - makedirs: True +{% if GLOBALS.role != "so-fleet" %} +eaintegrationsdir: + file.directory: + - name: /opt/so/conf/elastic-fleet/integrations + - user: 947 + - group: 939 + - makedirs: True + +eadynamicintegration: + file.recurse: + - name: /opt/so/conf/elastic-fleet/integrations + - source: salt://elasticfleet/files/integrations-dynamic + - user: 947 + - group: 939 + - template: jinja + +eaintegration: + file.recurse: + - name: /opt/so/conf/elastic-fleet/integrations + - source: salt://elasticfleet/files/integrations + - user: 947 + - group: 939 + +ea-integrations-load: + file.absent: + - name: /opt/so/state/eaintegrations.txt + - onchanges: + - file: eaintegration + - file: eadynamicintegration +{% endif %} {% else %} {{sls}}_state_not_allowed: diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml index d29e08f9a..8c858c711 100644 --- a/salt/elasticfleet/defaults.yaml +++ b/salt/elasticfleet/defaults.yaml 
@@ -6,3 +6,20 @@ elasticfleet: es_token: '' grid_enrollment: '' url: '' + logging: + zeek: + excluded: + - broker + - capture_loss + - cluster + - ecat_arp_info + - known_hosts + - known_services + - loaded_scripts + - ntp + - ocsp + - packet_filter + - reporter + - stats + - stderr + - stdout diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index e93ebd4db..f388cb1c7 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls @@ -62,6 +62,12 @@ so-elastic-fleet: {% endif %} {% endif %} +{% if GLOBALS.role != "so-fleet" %} +so-elastic-fleet-integrations: + cmd.run: + - name: /usr/sbin/so-elastic-fleet-integration-policy-load +{% endif %} + delete_so-elastic-fleet_so-status.disabled: file.uncomment: - name: /opt/so/conf/so-status/so-status.conf diff --git a/salt/elasticfleet/files/integrations/grid-nodes/import-zeek-logs.json b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json similarity index 84% rename from salt/elasticfleet/files/integrations/grid-nodes/import-zeek-logs.json rename to salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json index 75c0f02e2..feaebf60b 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes/import-zeek-logs.json +++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/import-zeek-logs.json @@ -1,3 +1,5 @@ +{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %} +{%- raw -%} { "package": { "name": "log", 
@@ -20,10 +22,11 @@ "data_stream.dataset": "import", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", - "custom": "exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"]\n" + "custom": "exclude_files: [\"{%- endraw -%}{{ ELASTICFLEETMERGED.logging.zeek.excluded | join('|') }}{%- raw -%}.log$\"]\n" } } } } } } +{%- endraw -%} diff --git a/salt/elasticfleet/files/integrations/grid-nodes/zeek-logs.json b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/zeek-logs.json similarity index 82% rename from salt/elasticfleet/files/integrations/grid-nodes/zeek-logs.json rename to salt/elasticfleet/files/integrations-dynamic/grid-nodes/zeek-logs.json index 03543b124..e2dd069ab 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes/zeek-logs.json +++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes/zeek-logs.json @@ -1,8 +1,11 @@ +{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %} +{%- raw -%} { "package": { "name": "log", "version": "" }, + "id": "zeek-logs", "name": "zeek-logs", "namespace": "so", "description": "Zeek logs", 
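Review bot: the rendered `exclude_files` pattern splices the operator-editable list straight into the JSON string, `{{ ELASTICFLEETMERGED.logging.zeek.excluded | join('|') }}`, and soc_elasticfleet.yaml later in this diff exposes that list as a free `[]string`; an entry containing a regex metacharacter, a double quote or a backslash alters the pattern or breaks the JSON the agent policy is built from. Escaping each entry before joining, `| map('regex_escape') | join('|')`, covers the metacharacter case, and a sentence in the soc description stating that entries are literal log names (no quotes or backslashes) covers the rest. The same line appears in the zeek-logs.json hunk that follows. Because both files now share one default list, imported-PCAP Zeek logs also skip known_hosts, known_services, ntp and reporter, which the previous import-zeek-logs.json pattern did not; that deserves a line in the description so operators know the two integrations are no longer tuned separately.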
@@ -20,10 +23,11 @@ "data_stream.dataset": "zeek", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", - "custom": "exclude_files: [\"broker|capture_loss|ecat_arp_info|known_hosts|known_services|loaded_scripts|ntp|packet_filter|reporter|stats|stderr|stdout.log$\"]\n" + "custom": "exclude_files: [\"{%- endraw -%}{{ ELASTICFLEETMERGED.logging.zeek.excluded | join('|') }}{%- raw -%}.log$\"]\n" } } } } } } +{%- endraw -%} diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml index e8bf03ad1..80b3a22b5 100644 --- a/salt/elasticfleet/soc_elasticfleet.yaml +++ b/salt/elasticfleet/soc_elasticfleet.yaml @@ -3,6 +3,12 @@ elasticfleet: description: You can enable or disable Elastic Fleet. advanced: True helpLink: elastic-fleet.html + logging: + zeek: + excluded: + description: This is a list of Zeek logs that are excluded from being shipped through the data processing pipeline. If you remove a log from this list, Elastic Agent will attempt to process it. If an ingest node pipeline is not available to process the logs, you may experience errors. + forcedType: "[]string" + helpLink: zeek.html config: server: endpoints_enrollment: diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-delete b/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-delete index 70b483424..d603f750f 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-delete 
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-delete
@@ -4,7 +4,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-. /usr/sbin/so-common
+. /usr/sbin/so-elastic-fleet-common
 POLICY_ID=$1
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-list b/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-list
index d81067a7e..6a51db6b6 100755
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-list
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-list
@@ -4,14 +4,12 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-. /usr/sbin/so-common
+. /usr/sbin/so-elastic-fleet-common
 # Let's snag a cookie from Kibana
 SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
-echo "Setting up default Security Onion package policies for Elastic Agent..."
-
 # List configured agent policies
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies" | jq
+curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies" | jq
 echo
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-view b/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-view
index 5e5b62de0..9b1e2ed65 100755
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-view
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-agent-policy-view
@@ -4,16 +4,14 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-. /usr/sbin/so-common
+. /usr/sbin/so-elastic-fleet-common
 POLICY_ID=$1
 # Let's snag a cookie from Kibana
-SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
-
-echo "Viewing agent policy $POLICY_ID"
+SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
 # View agent policy
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies/$POLICY_ID/full" | jq
+curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -H "kbn-xsrf: true" -L -X GET "localhost:5601/api/fleet/agent_policies/$POLICY_ID" | jq
 echo
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
new file mode 100755
index 000000000..e56ee7f0a
--- /dev/null
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
@@ -0,0 +1,79 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+DEFAULT_SALT_DIR=/opt/so/saltstack/default
+
+if [ -z $NOROOT ]; then
+ # Check for prerequisites
+ if [ "$(id -u)" -ne 0 ]; then
+ echo "This script must be run using sudo!"
+ exit 1
+ fi
+fi
+
+# Ensure /usr/sbin is in path
+if ! echo "$PATH" | grep -q "/usr/sbin"; then
+ export PATH="$PATH:/usr/sbin"
+fi
+
+# Define a banner to separate sections
+banner="========================================================================="
+
+elastic_fleet_integration_check() {
+
+ AGENT_POLICY=$1
+
+ JSON_STRING=$2
+
+ NAME=$(jq -r .name $JSON_STRING)
+
+ INTEGRATION_ID=$(/usr/sbin/so-elastic-fleet-agent-policy-view "$AGENT_POLICY" | jq -r '.item.package_policies[] | select(.name=="'"$NAME"'") | .id')
+
+}
+
+elastic_fleet_integration_create() {
+
+ JSON_STRING=$1
+
+ curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+}
+
+elastic_fleet_integration_update() {
+
+ UPDATE_ID=$1
+
+ JSON_STRING=$2
+
+ curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/package_policies/$UPDATE_ID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+}
+
+elastic_fleet_policy_create() {
+
+ NAME=$1
+ DESC=$2
+ FLEETSERVER=$3
+ TIMEOUT=$4
+
+ JSON_STRING=$( jq -n \
+ --arg NAME "$NAME" \
+ --arg DESC "$DESC" \
+ --arg TIMEOUT $TIMEOUT \
+ --arg FLEETSERVER "$FLEETSERVER" \
+ '{"name": $NAME,"id":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":$TIMEOUT,"has_fleet_server":$FLEETSERVER}'
+ )
+ # Create Fleet Policy
+ curl -K
/opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/agent_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+
+}
+
+elastic_fleet_policy_update() {
+
+ POLICYID=$1
+ JSON_STRING=$2
+
+ curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/$POLICYID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+}
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-data-streams-list b/salt/elasticfleet/tools/sbin/so-elastic-fleet-data-streams-list
index b3e35fdba..451c23f3d 100755
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-data-streams-list
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-data-streams-list
@@ -4,7 +4,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-. /usr/sbin/so-common
+. /usr/sbin/so-elastic-fleet-common
 # Let's snag a cookie from Kibana
 SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete
index ac600ab40..8bf50ecee 100755
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete
@@ -4,7 +4,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-. /usr/sbin/so-common
+. /usr/sbin/so-elastic-fleet-common
 POLICY_ID=$1
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-delete b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-delete
index ded8da808..d4155e821 100755
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-delete
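Review bot: `elastic_fleet_integration_check` hands its results back through the globals `NAME` and `INTEGRATION_ID`, and its `$JSON_STRING` is a file path (the create/update helpers receive curl `@file` data in the same-named variable), none of which the function states; a header comment such as `# Sets NAME (.name of the policy file in $2) and INTEGRATION_ID (empty when the agent policy has no integration of that name); $2 is a path, not @path` would spare the next caller that surprise. The `select(.name=="'"$NAME"'")` filter is built by splicing the shell value into the jq program; `jq -r --arg name "$NAME" '.item.package_policies[] | select(.name==$name) | .id'` keeps a name containing a quote or backslash from breaking the filter. In `elastic_fleet_policy_create`, `--arg TIMEOUT $TIMEOUT` and `--arg FLEETSERVER` turn `inactivity_timeout` and `has_fleet_server` into JSON strings; if the Fleet API validates those as number and boolean, `--argjson` is the form that preserves the types. `[ -z $NOROOT ]` should be `[ -z "$NOROOT" ]` so a value with spaces does not become a syntax error in the test.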
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-delete
@@ -4,7 +4,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-. /usr/sbin/so-common
+. /usr/sbin/so-elastic-fleet-common
 POLICY_ID=$1
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-list b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-list
index 9dffc613c..6696ede25 100755
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-list
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-list
@@ -4,14 +4,12 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-. /usr/sbin/so-common
+. /usr/sbin/so-elastic-fleet-common
 # Let's snag a cookie from Kibana
-SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
-
-echo "Setting up default Security Onion package policies for Elastic Agent..."
+SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
 # List configured package policies
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/package_policies" | jq
+curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' | jq
 echo
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
index a65e29244..771d923ef 100755
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
@@ -4,18 +4,46 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-. /usr/sbin/so-common
+. /usr/sbin/so-elastic-fleet-common
-# Initial Endpoints
-for INTEGRATION in /opt/so/saltstack/default/salt/elasticfleet/files/integrations/endpoints-initial/*.json
-do
- printf "\n\nInitial Endpoint Policy - Loading $INTEGRATION\n"
- elastic_fleet_integration_create "@$INTEGRATION"
-done
+RETURN_CODE=0
+
+if [ ! -f /opt/so/state/eaintegrations.txt ]; then
+ # Initial Endpoints
+ for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json
+ do
+ printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n"
+ elastic_fleet_integration_check "endpoints-initial" "$INTEGRATION"
+ if [ -n "$INTEGRATION_ID" ]; then
+ if [ "$NAME" != "elastic-defend-endpoints" ]; then
+ printf "\n\nIntegration $NAME exists - Updating integration\n"
+ elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
+ fi
+ else
+ printf "\n\nIntegration does not exist - Creating integration\n"
+ elastic_fleet_integration_create "@$INTEGRATION"
+ fi
+ done
+
+ # Grid Nodes
+ for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/grid-nodes/*.json
+ do
+ printf "\n\nGrid Nodes Policy - Loading $INTEGRATION\n"
+ elastic_fleet_integration_check "so-grid-nodes" "$INTEGRATION"
+ if [ -n "$INTEGRATION_ID" ]; then
+ printf "\n\nIntegration $NAME exists - Updating integration\n"
+ elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
+ else
+ printf "\n\nIntegration does not exist - Creating integration\n"
+ if [ "$NAME" != "elasticsearch-logs" ]; then
+ elastic_fleet_integration_create "@$INTEGRATION"
+ fi
+ fi
+ done
+ if [[ "$RETURN_CODE" != "1" ]]; then
+ touch /opt/so/state/eaintegrations.txt
+ fi
+else
+ exit $RETURN_CODE
+fi
-# Grid Nodes
-for INTEGRATION in /opt/so/saltstack/default/salt/elasticfleet/files/integrations/grid-nodes/*.json
-do
- printf "\n\nGrid Nodes Policy - Loading
$INTEGRATION\n"
- elastic_fleet_integration_create "@$INTEGRATION"
-done
\ No newline at end of file
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-restart b/salt/elasticfleet/tools/sbin/so-elastic-fleet-restart
index e3c38b409..7f7d9676c 100755
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-restart
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-restart
@@ -7,6 +7,6 @@
-. /usr/sbin/so-common
+. /usr/sbin/so-elastic-fleet-common
 /usr/sbin/so-restart elastic-fleet $1
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-start b/salt/elasticfleet/tools/sbin/so-elastic-fleet-start
index 5ae7d21a1..7350e6c57 100755
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-start
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-start
@@ -7,6 +7,6 @@
-. /usr/sbin/so-common
+. /usr/sbin/so-elastic-fleet-common
 /usr/sbin/so-start elastic-fleet $1
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-stop b/salt/elasticfleet/tools/sbin/so-elastic-fleet-stop
index f3fc3b923..29174c2ae 100755
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-stop
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-stop
@@ -7,6 +7,6 @@
-. /usr/sbin/so-common
+. /usr/sbin/so-elastic-fleet-common
 /usr/sbin/so-stop elastic-fleet $1
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
index 84a519d37..704f1537a 100755
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
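Review bot: `RETURN_CODE=0` is tested before `touch /opt/so/state/eaintegrations.txt`, but nothing in the hunk ever sets it to 1, so the state file is written — and, through the `onchanges` in config.sls earlier in this diff, the load is never retried — even when every create or update call failed, and the `else` branch's `exit $RETURN_CODE` is always `exit 0` for the same reason. Capturing the helper status, `elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION" || RETURN_CODE=1` and `elastic_fleet_integration_create "@$INTEGRATION" || RETURN_CODE=1`, gives the check something to act on; the helpers in so-elastic-fleet-common would also need `--fail` on their curl calls for an HTTP 4xx/5xx to surface as a non-zero status. The two exceptions, `elastic-defend-endpoints` never updated and `elasticsearch-logs` never created, are not obvious from the code and each deserves a one-line why-comment. The `*.json` globs are unguarded, so an empty directory runs the loop once on the literal pattern; `shopt -s nullglob` or a `[ -e "$INTEGRATION" ] || continue` at the top of each loop avoids that.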
@@ -9,16 +9,20 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} . /usr/sbin/so-common - -#FLEETHOST="https://{{ GLOBALS.manager_ip }}:8220" +. /usr/sbin/so-elastic-fleet-common for i in {1..30} do ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key') FLEETHOST=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default' | jq -r '.item.host_urls[]' | paste -sd ',') -if [[ $FLEETHOST ]] && [[ $ENROLLMENTOKEN ]]; then break; else sleep 10; fi +if [[ $FLEETHOST ]] && [[ $ENROLLMENTOKEN ]] && [[ $ELASTICVERSION ]]; then break; else sleep 10; fi done -if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]]; then printf "\nFleet Host URL or Enrollment Token empty - exiting..." && exit; fi + +if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]]; then + printf "\nFleet Host URL, Enrollment Token or Elastic Version empty - exiting..." + printf "\nFleet Host: $FLEETHOST, Enrollment Token: $ENROLLMENTOKEN\n" + exit +fi OSARCH=( "linux-x86_64" "windows-x86_64" "darwin-x86_64" "darwin-aarch64" ) @@ -27,7 +31,7 @@ rm -rf /nsm/elastic-agent-workspace mkdir -p /nsm/elastic-agent-workspace printf "\n### Extracting outer tarball and then each individual tarball/zip\n" -tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-{{ GLOBALS.so_version }}.tar.gz -C /nsm/elastic-agent-workspace/ +tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz -C /nsm/elastic-agent-workspace/ unzip -q /nsm/elastic-agent-workspace/elastic-agent-*.zip -d /nsm/elastic-agent-workspace/ for archive in /nsm/elastic-agent-workspace/*.tar.gz do diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup index c81d69282..94a42a70a 100755 
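Review bot: The post-loop guard does not test `ELASTICVERSION` even though the loop's new break condition and the new error text both name it, so after 30 attempts with an empty version the script falls through and builds installers anyway; the bare `exit` also carries no status, so a caller sees success. The failure branch prints `$ENROLLMENTOKEN` — a Fleet enrollment API key that lets any holder enroll an agent into the grid — into stdout/log output; print only whether it is set. `ELASTICVERSION` is presumably exported by the newly sourced so-elastic-fleet-common; confirm it is defined before the loop, since the script does not run with `set -u` and an undefined name is silently empty.
```shell
if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]] || [[ -z $ELASTICVERSION ]]; then
  printf "\nFleet Host URL, Enrollment Token or Elastic Version empty - exiting...\n"
  # Never echo the enrollment key itself; it is a credential.
  printf "\nFleet Host: %s, Enrollment Token set: %s, Elastic Version: %s\n" \
    "$FLEETHOST" "$([[ -n $ENROLLMENTOKEN ]] && echo yes || echo no)" "$ELASTICVERSION"
  exit 1
fi
```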
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup @@ -6,7 +6,7 @@ # this file except in compliance with the Elastic License 2.0. {% from 'vars/globals.map.jinja' import GLOBALS %} -. /usr/sbin/so-common +. /usr/sbin/so-elastic-fleet-common printf "\n### Create ES Token ###\n" ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/service_tokens" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq -r .value) @@ -47,7 +47,6 @@ fi curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/fleet_server_hosts" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" printf "\n\n" - ### Create Policies & Associated Integration Configuration ### # Manager Fleet Server Host @@ -72,7 +71,7 @@ so-elastic-fleet-integration-policy-load # Set Elastic Agent Artifact Registry URL JSON_STRING=$( jq -n \ --arg NAME "FleetServer_{{ GLOBALS.hostname }}" \ - --arg URL "http://{{ GLOBALS.url_base }}/artifacts/" \ + --arg URL "http://{{ GLOBALS.url_base }}:8443/artifacts/" \ '{"name":$NAME,"host":$URL,"is_default":true}' ) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 10cc347d1..d27f291eb 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
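Review bot: The artifact registry URL on the changed line is `http://{{ GLOBALS.url_base }}:8443/artifacts/` — a cleartext scheme on a port that conventionally serves TLS. If the manager's 8443 listener is TLS-only, agents will simply fail to reach the registry; if it genuinely speaks plain HTTP, agent binaries and upgrade packages are fetched without transport integrity, and the artifacts involved are the locally repackaged `elastic-agent_SO-*` tarballs built by so-elastic-agent-gen-installers rather than Elastic-signed releases, so there is no separate signature check to fall back on (inferred from the gen-installers hunk above; confirm). Either switch to `https://` with the grid CA trusted by the agents, or put a one-line comment above the `jq` call stating why plain http on 8443 is intended here.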
@@ -111,22 +111,208 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-osquery-manager: + so-logs-system.auth: index_sorting: False index_template: index_patterns: - - ".logs-osquery*" + - "logs-system.auth*" template: settings: index: number_of_replicas: 0 + composed_of: + - "event-mappings" + - "logs-system.auth@package" + - "logs-system.auth@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-system.syslog: + index_sorting: False + index_template: + index_patterns: + - "logs-system.syslog*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "event-mappings" + - "logs-system.syslog@package" + - "logs-system.syslog@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-system.system: + index_sorting: False + index_template: + index_patterns: + - "logs-system.system*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "event-mappings" + - "logs-system.system@package" + - "logs-system.system@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-system.application: + index_sorting: False + index_template: + index_patterns: + - "logs-system.application*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "event-mappings" + - "logs-system.application@package" + - "logs-system.application@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-system.security: + index_sorting: False + index_template: + index_patterns: + - "logs-system.security*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "event-mappings" + - 
"logs-system.security@package" + - "logs-system.security@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-windows.forwarded: + index_sorting: False + index_template: + index_patterns: + - "logs-windows.forwarded*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-windows.forwarded@package" + - "logs-windows.forwarded@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-windows.powershell: + index_sorting: False + index_template: + index_patterns: + - "logs-windows.powershell-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-windows.powershell@package" + - "logs-windows.powershell@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-windows.powershell_operational: + index_sorting: False + index_template: + index_patterns: + - "logs-windows.powershell_operational-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-windows.powershell_operational@package" + - "logs-windows.powershell_operational@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-windows.sysmon_operational: + index_sorting: False + index_template: + index_patterns: + - "logs-windows.sysmon_operational-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-windows.sysmon_operational@package" + - "logs-windows.sysmon_operational@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-osquery-manager-actions: + index_sorting: False + index_template: + 
index_patterns: + - ".logs-osquery_manager.actions*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-osquery_manager.actions" priority: 501 _meta: package: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.apm_server: + so-logs-osquery-manager-action.responses: + index_sorting: False + index_template: + index_patterns: + - ".logs-osquery_manager.action.responses*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-osquery_manager.action.responses" + priority: 501 + _meta: + package: + name: elastic_agent + managed_by: security_onion + managed: true + so-logs-elastic_agent.apm_server: index_sorting: False index_template: index_patterns: @@ -152,7 +338,7 @@ elasticsearch: - "logs-elastic_agent.apm_server@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false @@ -180,7 +366,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.auditbeat: + so-logs-elastic_agent.auditbeat: index_sorting: False index_template: index_patterns: @@ -206,7 +392,7 @@ elasticsearch: - "logs-elastic_agent.auditbeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false @@ -234,7 +420,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.cloudbeat: + so-logs-elastic_agent.cloudbeat: index_sorting: False index_template: index_patterns: @@ -260,7 +446,7 @@ elasticsearch: - "logs-elastic_agent.cloudbeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 policy: phases: hot: 
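Review bot: The new templates are not composed consistently: every `so-logs-windows.*` entry omits `event-mappings` while every `so-logs-system.*` entry includes it, and the two `so-logs-osquery-manager-*` entries carry neither `so-fleet_globals-1` nor `so-fleet_agent_id_verification-1` nor a `data_stream` stanza, so osquery action documents would not get whatever field definitions the agent-id verification component supplies (presumably `event.agent_id_status`; confirm against the component). `logs-osquery_manager.actions` and `logs-osquery_manager.action.responses` are also referenced without the `@package` suffix every other component uses, so check those component names actually exist or the template PUT will fail. The index patterns mix `logs-windows.forwarded*` with `logs-windows.powershell-*`; pick one form so the glob matches the same namespace shapes across the set.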
@@ -285,7 +471,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.endpoint_security: + so-logs-elastic_agent.endpoint_security: index_sorting: False index_template: index_patterns: @@ -300,18 +486,13 @@ elasticsearch: sort: field: "@timestamp" order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true composed_of: + - "event-mappings" - "logs-elastic_agent.endpoint_security@package" - "logs-elastic_agent.endpoint_security@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false @@ -339,7 +520,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.filebeat: + so-logs-elastic_agent.filebeat: index_sorting: False index_template: index_patterns: @@ -354,18 +535,13 @@ elasticsearch: sort: field: "@timestamp" order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true composed_of: + - "event-mappings" - "logs-elastic_agent.filebeat@package" - "logs-elastic_agent.filebeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false @@ -393,7 +569,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.fleet_server: + so-logs-elastic_agent.fleet_server: index_sorting: False index_template: index_patterns: 
@@ -402,24 +578,16 @@ elasticsearch: settings: index: number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 sort: field: "@timestamp" order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true composed_of: + - "event-mappings" - "logs-elastic_agent.fleet_server@package" - "logs-elastic_agent.fleet_server@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false @@ -447,7 +615,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.heartbeat: + so-logs-elastic_agent.heartbeat: index_sorting: False index_template: index_patterns: @@ -473,7 +641,7 @@ elasticsearch: - "logs-elastic_agent.heartbeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 policy: phases: hot: @@ -498,7 +666,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent: + so-logs-elastic_agent: index_sorting: False index_template: index_patterns: @@ -520,11 +688,12 @@ elasticsearch: managed_by: security_onion managed: true composed_of: + - "event-mappings" - "logs-elastic_agent@package" - "logs-elastic_agent@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false @@ -552,7 +721,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.metricbeat: + so-logs-elastic_agent.metricbeat: index_sorting: False index_template: index_patterns: 
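Review bot: The fleet_server template drops `index.mapping.total_fields.limit: 5000` without a replacement, so the effective limit is whatever `logs-elastic_agent.fleet_server@package` sets — the sibling apm_server package component later in this diff sets 10000, but if the fleet_server one does not, Elasticsearch's default of 1000 applies and documents exceeding it are rejected at ingest. If the package component is meant to own the limit now, a short comment on this template saying so would stop someone re-adding the setting here.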
@@ -567,18 +736,13 @@ elasticsearch: sort: field: "@timestamp" order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true composed_of: + - "event-mappings" - "logs-elastic_agent.metricbeat@package" - "logs-elastic_agent.metricbeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false @@ -606,7 +770,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.osquerybeat: + so-logs-elastic_agent.osquerybeat: index_sorting: False index_template: index_patterns: @@ -621,18 +785,13 @@ elasticsearch: sort: field: "@timestamp" order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true composed_of: + - "event-mappings" - "logs-elastic_agent.osquerybeat@package" - "logs-elastic_agent.osquerybeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false @@ -660,7 +819,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - logs-elastic_agent.packetbeat: + so-logs-elastic_agent.packetbeat: index_sorting: False index_template: index_patterns: @@ -686,7 +845,7 @@ elasticsearch: - "logs-elastic_agent.packetbeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" - priority: 200 + priority: 501 data_stream: hidden: false allow_custom_routing: false diff --git a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 new file mode 100644 index 000000000..cf36bc798 --- /dev/null +++ b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 
@@ -0,0 +1,94 @@ +{ + "version": 3, + "_meta": { + "managed_by": "fleet", + "managed": true + }, + "description": "Final pipeline for processing all incoming Fleet Agent documents. \n", + "processors": [ + { + "date": { + "description": "Add time when event was ingested (and remove sub-seconds to improve storage efficiency)", + "tag": "truncate-subseconds-event-ingested", + "field": "_ingest.timestamp", + "target_field": "event.ingested", + "formats": [ + "ISO8601" + ], + "output_format": "date_time_no_millis", + "ignore_failure": true + } + }, + { + "remove": { + "description": "Remove any pre-existing untrusted values.", + "field": [ + "event.agent_id_status", + "_security" + ], + "ignore_missing": true + } + }, + { + "set_security_user": { + "field": "_security", + "properties": [ + "authentication_type", + "username", + "realm", + "api_key" + ] + } + }, + { + "script": { + "description": "Add event.agent_id_status based on the API key metadata and the agent.id contained in the event.\n", + "tag": "agent-id-status", + "source": "boolean is_user_trusted(def ctx, def users) {\n if (ctx?._security?.username == null) {\n return false;\n }\n\n def user = null;\n for (def item : users) {\n if (item?.username == ctx._security.username) {\n user = item;\n break;\n }\n }\n\n if (user == null || user?.realm == null || ctx?._security?.realm?.name == null) {\n return false;\n }\n\n if (ctx._security.realm.name != user.realm) {\n return false;\n }\n\n return true;\n}\n\nString verified(def ctx, def params) {\n // No agent.id field to validate.\n if (ctx?.agent?.id == null) {\n return \"missing\";\n }\n\n // Check auth metadata from API key.\n if (ctx?._security?.authentication_type == null\n // Agents only use API keys.\n || ctx._security.authentication_type != 'API_KEY'\n // Verify the API key owner before trusting any metadata it contains.\n || !is_user_trusted(ctx, params.trusted_users)\n // Verify the API key has metadata indicating the assigned agent ID.\n || 
ctx?._security?.api_key?.metadata?.agent_id == null) {\n return \"auth_metadata_missing\";\n }\n\n // The API key can only be used represent the agent.id it was issued to.\n if (ctx._security.api_key.metadata.agent_id != ctx.agent.id) {\n // Potential masquerade attempt.\n return \"mismatch\";\n }\n\n return \"verified\";\n}\n\nif (ctx?.event == null) {\n ctx.event = [:];\n}\n\nctx.event.agent_id_status = verified(ctx, params);", + "params": { + "trusted_users": [ + { + "username": "elastic/fleet-server", + "realm": "_service_account" + }, + { + "username": "cloud-internal-agent-server", + "realm": "found" + }, + { + "username": "elastic", + "realm": "reserved" + } + ] + } + } + }, + { + "remove": { + "field": "_security", + "ignore_missing": true + } + }, + { "set": { "ignore_failure": true, "field": "event.module", "value": "elastic_agent" } }, + { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } }, + { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" }}, + { "remove": { "field": [ "module_temp" ], "ignore_missing": true, "ignore_failure": true } } + ], + "on_failure": [ + { + "remove": { + "field": "_security", + "ignore_missing": true, + "ignore_failure": true + } + }, + { + "append": { + "field": "error.message", + "value": [ + "failed in Fleet agent final_pipeline: {{ _ingest.on_failure_message }}" + ] + } + } + ] +} diff --git a/salt/elasticsearch/files/ingest/suricata.dhcp b/salt/elasticsearch/files/ingest/suricata.dhcp index 46eb9cde4..7e8e0187f 100644 --- a/salt/elasticsearch/files/ingest/suricata.dhcp +++ b/salt/elasticsearch/files/ingest/suricata.dhcp 
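Review bot: This is a locally managed copy of Fleet's own final pipeline — it keeps `"managed_by": "fleet"`, `"managed": true` and `"version": 3` — with four Security Onion processors (the `event.module` set/split/set/remove at the end) appended, and nothing records that divergence. Fleet reinstalls `.fleet_final_pipeline-1` when its bundled version is newer than the installed one (that is how upstream versions it; confirm for the Kibana release in use), so an Elastic upgrade can silently drop the SO processors, while the Salt state can just as easily re-apply this older copy over a newer upstream `agent_id_status` check. Either change the description to `"Final pipeline for processing all incoming Fleet Agent documents. Security Onion copy of Fleet v3 with event.module processors appended; re-sync on Elastic upgrade."` and track the upstream version in the Salt state, or move the SO processors into a separate pipeline invoked from the `@custom` component so the verification script stays upstream-owned. Separately, `trusted_users` includes `cloud-internal-agent-server` in realm `found`, an Elastic Cloud-only identity that cannot appear on an on-prem grid; removing it narrows the set of principals whose API keys can yield `verified` at no cost.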
@@ -1,6 +1,8 @@ { "description" : "suricata.dhcp", "processors" : [ + { "remove": { "field": "host.hostname", "ignore_failure": true } }, + { "remove": { "field": "host.mac", "ignore_failure": true } }, { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, { "rename": { "field": "message2.dhcp.assigned_ip", "target_field": "dhcp.assigned_ip", "ignore_missing": true } }, diff --git a/salt/elasticsearch/files/ingest/suricata.fileinfo b/salt/elasticsearch/files/ingest/suricata.fileinfo index fe9e4b109..4f6182139 100644 --- a/salt/elasticsearch/files/ingest/suricata.fileinfo +++ b/salt/elasticsearch/files/ingest/suricata.fileinfo @@ -1,7 +1,7 @@ { "description" : "suricata.fileinfo", "processors" : [ - { "set": { "field": "dataset", "value": "file" } }, + { "set": { "field": "event.dataset", "value": "file" } }, { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, { "rename": { "field": "message2.fileinfo.filename", "target_field": "file.name", "ignore_missing": true } }, 
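Review bot: The two new `remove` processors use `ignore_failure` where the rest of this pipeline uses `ignore_missing`; `ignore_failure` also masks non-missing errors, so prefer `{ "remove": { "field": ["host.hostname", "host.mac"], "ignore_missing": true } }`. Presumably the intent is to stop the shipper's own hostname/MAC being read as the DHCP client's (the client fields are mapped under `dhcp.*` below), but it also drops which sensor observed the lease, so confirm an `observer.*` field survives into `common`.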
@@ -13,7 +13,7 @@ { "rename": { "field": "message2.fileinfo.size", "target_field": "file.size", "ignore_missing": true } }, { "rename": { "field": "message2.fileinfo.state", "target_field": "file.state", "ignore_missing": true } }, { "rename": { "field": "message2.fileinfo.stored", "target_field": "file.saved", "ignore_missing": true } }, - { "rename": { "field": "message2.fileinfo.sha256", "target_field": "hash.sha256", "ignore_missing": true } }, + { "rename": { "field": "message2.fileinfo.sha256", "target_field": "hash.sha256", "ignore_missing": true } }, { "set": { "if": "ctx.network?.protocol != null", "field": "file.source", "value": "{{network.protocol}}" } }, { "pipeline": { "name": "common" } } ] diff --git a/salt/elasticsearch/files/ingest/suricata.flow b/salt/elasticsearch/files/ingest/suricata.flow index 47bec3a60..03fcc7277 100644 --- a/salt/elasticsearch/files/ingest/suricata.flow +++ b/salt/elasticsearch/files/ingest/suricata.flow 
@@ -1,12 +1,12 @@ { "description" : "suricata.flow", "processors" : [ - { "set": { "field": "dataset", "value": "conn" } }, - { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, + { "set": { "field": "event.dataset", "value": "conn" } }, + { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, { "rename": { "field": "message2.flow.state", "target_field": "connection.state", "ignore_missing": true } }, - { "rename": { "field": "message2.flow.bytes_toclient", "target_field": "server.ip_bytes", "ignore_missing": true } }, - { "rename": { "field": "message2.flow.bytes_toserver", "target_field": "client.ip_bytes", "ignore_missing": true } }, + { "rename": { "field": "message2.flow.bytes_toclient", "target_field": "server.ip_bytes", "ignore_missing": true } }, + { "rename": { "field": "message2.flow.bytes_toserver", "target_field": "client.ip_bytes", "ignore_missing": true } }, { "rename": { "field": "message2.flow.start", "target_field": "connection.start", "ignore_missing": true } }, { "rename": { "field": "message2.flow.end", "target_field": "connection.end", "ignore_missing": true } }, { "pipeline": { "name": "common" } } diff --git a/salt/elasticsearch/files/ingest/suricata.krb5 b/salt/elasticsearch/files/ingest/suricata.krb5 index 1e3039830..9f5a643db 100644 --- a/salt/elasticsearch/files/ingest/suricata.krb5 +++ b/salt/elasticsearch/files/ingest/suricata.krb5 
@@ -1,15 +1,15 @@ { "description" : "suricata.krb5", "processors" : [ - { "set": { "field": "dataset", "value": "kerberos" } }, - { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, - { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, - { "rename": { "field": "message2.krb5.msg_type", "target_field": "kerberos.request_type", "ignore_missing": true } }, - { "rename": { "field": "message2.krb5.cname", "target_field": "kerberos.client", "ignore_missing": true } }, - { "rename": { "field": "message2.krb5.realm", "target_field": "kerberos.realm", "ignore_missing": true } }, - { "rename": { "field": "message2.krb5.sname", "target_field": "kerberos.service", "ignore_missing": true } }, - { "rename": { "field": "message2.krb5.encryption", "target_field": "kerberos.ticket.cipher", "ignore_missing": true } }, - { "rename": { "field": "message2.krb.weak_encryption", "target_field": "kerberos.weak_encryption", "ignore_missing": true } }, + { "set": { "field": "event.dataset", "value": "kerberos" } }, + { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, + { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, + { "rename": { "field": "message2.krb5.msg_type", "target_field": "kerberos.request_type", "ignore_missing": true } }, + { "rename": { "field": "message2.krb5.cname", "target_field": "kerberos.client", "ignore_missing": true } }, + { "rename": { "field": "message2.krb5.realm", "target_field": "kerberos.realm", "ignore_missing": true } }, + { "rename": { "field": "message2.krb5.sname", "target_field": "kerberos.service", "ignore_missing": true } }, + { "rename": { "field": "message2.krb5.encryption", "target_field": "kerberos.ticket.cipher", "ignore_missing": true } }, + { "rename": { "field": "message2.krb.weak_encryption", "target_field": 
"kerberos.weak_encryption", "ignore_missing": true } }, { "pipeline": { "name": "common" } } ] -} \ No newline at end of file +} diff --git a/salt/elasticsearch/files/ingest/suricata.tls b/salt/elasticsearch/files/ingest/suricata.tls index 6fb0aa5ad..3d738c75e 100644 --- a/salt/elasticsearch/files/ingest/suricata.tls +++ b/salt/elasticsearch/files/ingest/suricata.tls @@ -1,7 +1,7 @@ { "description" : "suricata.tls", "processors" : [ - { "set": { "field": "dataset", "value": "ssl" } }, + { "set": { "field": "event.dataset", "value": "ssl" } }, { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, { "rename": { "field": "message2.tls.subject", "target_field": "ssl.certificate.subject", "ignore_missing": true } }, diff --git a/salt/elasticsearch/files/ingest/zeek.files b/salt/elasticsearch/files/ingest/zeek.files index 7ce7f9ed5..f95ff3d46 100644 --- a/salt/elasticsearch/files/ingest/zeek.files +++ b/salt/elasticsearch/files/ingest/zeek.files 
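Review bot: The final rename still reads `message2.krb.weak_encryption` while every other processor in this pipeline uses the `message2.krb5.` prefix; with `ignore_missing` the mismatch fails silently, so `kerberos.weak_encryption` is presumably never populated (Suricata's EVE output nests it under `krb5` with the fields above — confirm against a sample event). Change it to `{ "rename": { "field": "message2.krb5.weak_encryption", "target_field": "kerberos.weak_encryption", "ignore_missing": true } }`; weak Kerberos encryption is one of the few krb5 signals worth alerting on, so it should not be lost to a prefix typo.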
@@ -1,36 +1,35 @@ { "description" : "zeek.files", "processors" : [ - { "set": { "field": "event.dataset", "value": "file" } }, - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "set": { "field": "event.dataset", "value": "file" } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, { "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } }, - { "remove": { "field": "source", "ignore_missing": true } }, - { "rename": { "field": "message2.rx_hosts.0", "target_field": "destination.ip", "ignore_missing": true } }, - { "rename": { "field": "message2.tx_hosts.0", "target_field": "source.ip", "ignore_missing": true } }, - { "remove": { "field": "message2.rx_hosts", "ignore_missing": true } }, - { "remove": { "field": "message2.tx_hosts", "ignore_missing": true } }, + { "remove": { "field": "source", "ignore_missing": true } }, + { "rename": { "field": "message2.rx_hosts.0", "target_field": "destination.ip", "ignore_missing": true } }, + { "rename": { "field": "message2.tx_hosts.0", "target_field": "source.ip", "ignore_missing": true } }, + { "remove": { "field": "message2.rx_hosts", "ignore_missing": true } }, + { "remove": { "field": "message2.tx_hosts", "ignore_missing": true } }, { "rename": { "field": "message2.conn_uids", "target_field": "log.id.uid", "ignore_missing": true } }, - { "rename": { "field": "message2.source", "target_field": "file.source", "ignore_missing": true } }, - { "rename": { "field": "message2.depth", "target_field": "file.depth", "ignore_missing": true } }, + { "rename": { "field": "message2.source", "target_field": "file.source", "ignore_missing": true } }, + { "rename": { "field": "message2.depth", "target_field": "file.depth", "ignore_missing": true } }, { "rename": { "field": "message2.analyzers", 
"target_field": "file.analyzer", "ignore_missing": true } }, { "rename": { "field": "message2.mime_type", "target_field": "file.mime_type", "ignore_missing": true } }, - { "rename": { "field": "message2.filename", "target_field": "file.name", "ignore_missing": true } }, + { "rename": { "field": "message2.filename", "target_field": "file.name", "ignore_missing": true } }, { "rename": { "field": "message2.duration", "target_field": "event.duration", "ignore_missing": true } }, { "rename": { "field": "message2.local_orig", "target_field": "file.local_orig", "ignore_missing": true } }, - { "rename": { "field": "message2.is_orig", "target_field": "file.is_orig", "ignore_missing": true } }, + { "rename": { "field": "message2.is_orig", "target_field": "file.is_orig", "ignore_missing": true } }, { "rename": { "field": "message2.seen_bytes", "target_field": "file.bytes.seen", "ignore_missing": true } }, { "rename": { "field": "message2.total_bytes", "target_field": "file.bytes.total", "ignore_missing": true } }, - { "rename": { "field": "message2.missing_bytes", "target_field": "file.bytes.missing", "ignore_missing": true } }, - { "rename": { "field": "message2.overflow_bytes", "target_field": "file.bytes.overflow", "ignore_missing": true } }, + { "rename": { "field": "message2.missing_bytes", "target_field": "file.bytes.missing", "ignore_missing": true } }, + { "rename": { "field": "message2.overflow_bytes", "target_field": "file.bytes.overflow", "ignore_missing": true } }, { "rename": { "field": "message2.timedout", "target_field": "file.timed_out", "ignore_missing": true } }, { "rename": { "field": "message2.parent_fuid", "target_field": "log.id.parent_fuid", "ignore_missing": true } }, { "rename": { "field": "message2.md5", "target_field": "hash.md5", "ignore_missing": true } }, { "rename": { "field": "message2.sha1", "target_field": "hash.sha1", "ignore_missing": true } }, - { "rename": { "field": "message2.extracted", "target_field": "file.extracted.filename", 
"ignore_missing": true } }, + { "rename": { "field": "message2.extracted", "target_field": "file.extracted.filename", "ignore_missing": true } }, { "rename": { "field": "message2.extracted_cutoff", "target_field": "file.extracted.cutoff", "ignore_missing": true } }, - { "rename": { "field": "message2.extracted_size", "target_field": "file.extracted.size", "ignore_missing": true } }, - { "set": { "field": "dataset", "value": "file" } }, + { "rename": { "field": "message2.extracted_size", "target_field": "file.extracted.size", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json index 9fd8c928f..919763caa 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json 
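Review bot: `rx_hosts.0` and `tx_hosts.0` are promoted to `destination.ip`/`source.ip` and the arrays are then removed, so a files.log record with more than one receiver or sender loses every address after the first with no trace. Preserve the full lists before the two `remove` processors, e.g. `{ "set": { "field": "file.rx_hosts", "copy_from": "message2.rx_hosts", "ignore_empty_value": true } }` and the same for `tx_hosts`, so a multi-host transfer is not silently truncated. This behaviour is pre-existing; the hunk only touches whitespace and the duplicate `dataset` set around these lines.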
@@ -1,505 +1,329 @@ -{ - "template": { - "settings": { - "analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.apm_server-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - 
"mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", 
-"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, 
-"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + 
"properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 
1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" + "_meta": { + "package": { + 
"name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json index 9fd8c928f..175ad4431 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json 
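Review bot: The rebuilt `index.query.default_field` list on the new side drops `host.domain` even though `host.domain` is still mapped as a keyword further down in the same template, so unqualified free-text searches against this data stream will stop matching on that field; if that is intended it deserves a line in the commit message, otherwise put `"host.domain",` back next to `"host.hostname",`. The added `"default_pipeline": "logs-elastic_agent.apm_server-1.7.0"` pins a versioned ingest pipeline name, and Elasticsearch fails indexing requests whose default pipeline does not exist, so this template must be installed together with that exact pipeline and bumped in lock-step with it. Dropping the `es_security_analyzer` settings and every `.security` text subfield is applied consistently in this hunk, but any saved search, dashboard or detection that queried a `*.security` subfield on these fields will now silently return nothing, so a grep of the rule and dashboard content for `.security` is worth doing before merging.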
@@ -1,505 +1,329 @@ -{ - "template": { - "settings": { - "analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.auditbeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - 
"mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", 
-"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, 
-"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + 
"properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 
1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" + "_meta": { + "package": { + 
"name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json index c4874ed3c..a96480471 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json 
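Review bot: The new `dynamic_templates` entry for `container.labels.*` sits under a mapping whose root is `"dynamic": false`, and the old `"labels": { "type": "object" }` property under `container` is removed rather than carried over, so unless `container.labels` is mapped as an object with dynamic mapping enabled that template presumably never fires and label values end up in `_source` only, unindexed. If keyword-indexed labels are the goal, re-add `"labels": { "type": "object", "dynamic": true }` under `container.properties`; if they are not, the dynamic template is dead weight and can go. As in the other rebuilt templates, `host.domain` is still mapped but no longer listed in `index.query.default_field`, and the pinned `"default_pipeline": "logs-elastic_agent.auditbeat-1.7.0"` will reject writes until a pipeline of exactly that name exists.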
@@ -1,510 +1,339 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.cloudbeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "decision_id", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": 
"best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { 
- "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + }, + "message": { + "type": "match_only_text" + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + 
"type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + } + }, + "result": { + "type": "object" + }, + "input": { + "type": "object" + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "decision_id": { + "type": "text" + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + 
}, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } } } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": 
"constant_keyword" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json index 36978b0d8..5f16d18de 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json 
@@ -1,505 +1,329 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.endpoint_security-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": 
"best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { 
-"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": 
"keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + 
"build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" + "_meta": { + 
"package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json index 36978b0d8..f5b1ab12a 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json 
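Review bot: The new `index.default_pipeline` value `logs-elastic_agent.endpoint_security-1.7.0` pins an ingest pipeline by exact version, and the previous template set no default pipeline at all; if that pipeline is not present when the template is applied (or the installed elastic_agent integration is at a different version), Elasticsearch rejects each document at index time instead of indexing it unprocessed, so this change turns a version skew into a silent data gap for endpoint-security logs. If the Salt state renders this file, it appears safer to take the version from the same pillar value that tracks the installed integration, e.g. `"default_pipeline": "logs-elastic_agent.endpoint_security-{{ integration_version }}"`, or at least to note in the state that the template and the pipeline must be bumped together. Separately, `host.domain` was dropped from `index.query.default_field` although its keyword mapping is kept, so it no longer participates in default free-text searches — confirm that was intended rather than a copy from the upstream template.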
@@ -1,505 +1,329 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.filebeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - 
"mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", 
-"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, 
-"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + 
"properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 
1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" + "_meta": { + "package": { + 
"name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json index 36978b0d8..a61d9f7a9 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json 
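Review bot: `index.default_pipeline` here is hard-coded to `logs-elastic_agent.filebeat-1.7.0`, and the three templates in this change (endpoint_security, filebeat, fleet_server) each pin the same `1.7.0` independently even though their old versions were one identical blob (`index 36978b0d8..`), so a future integration upgrade has to be applied in three places or indexing into whichever data stream is missed fails with a missing-pipeline error. A single templated version string shared by the three files, or a comment in the applying Salt state listing them, would keep them in lockstep; as written there is nothing tying the pipeline version to the installed package. The `host.domain` removal from `default_field` (old side of this hunk lists it, new side does not) while the field is still mapped applies to this file as well.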
@@ -1,505 +1,329 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.fleet_server-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - 
"mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", 
-"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, 
-"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + 
"properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 
1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" + "_meta": { + "package": { + 
"name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json index f353ac542..d7e244dc2 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json 
@@ -1,505 +1,329 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.heartbeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - 
"mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", 
-"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, 
-"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + 
"properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 
1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "message": { + "type": "text" + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } } } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "message": { - "type": "text" - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } + "_meta": { + "package": { + 
"name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json index 36978b0d8..7b0c81283 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json 
@@ -1,505 +1,329 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.metricbeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - 
"mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", 
-"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, 
-"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + 
"properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 
1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" + "_meta": { + "package": { + 
"name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json index 36978b0d8..2a6780e69 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json 
@@ -1,505 +1,329 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.osquerybeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - 
"mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", 
-"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, 
-"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + 
"properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 
1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" + "_meta": { + "package": { + 
"name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json index 9e593d3f8..973427be1 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json 
@@ -1,498 +1,322 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent.packetbeat-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - 
"mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", 
-"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, 
-"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "agent": { + "properties": { + "build": { + 
"properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 
1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } + } + }, + "message": { + "type": "text" } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "message": { - "type": "text" + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - 
"managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json index 7df3309b1..57dc73c66 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json 
@@ -1,505 +1,382 @@ -{ - "template": { - "settings": { - "analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-elastic_agent-1.7.0", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "ecs.version", + "agent.build.original", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version", + "component.id", + "component.type", + "component.binary", + "component.state", + "component.old_state", + "unit.id", + "unit.type", + "unit.state", + "unit.old_state" + ] + } + } + }, + "mappings": { + "dynamic": false, + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - 
"path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + }, + "agent": { + "properties": { + "build": { + "properties": 
{ + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "snapshot": { + "type": "boolean" + } } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": 
"es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" + }, + "message": { + "type": "text" + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} + } + }, + "component": { + "properties": { + "binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "wildcard" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "unit": { + "properties": { + "old_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "wildcard" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } } } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": 
"keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} } } }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true } } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.action.responses.json b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.action.responses.json new file mode 100644 index 000000000..afe990c92 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.action.responses.json 
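Review bot: The new settings pin `"default_pipeline": "logs-elastic_agent-1.7.0"`, so every write to this data stream is routed to an ingest pipeline of exactly that name; if that pipeline is not loaded before documents arrive, Elasticsearch rejects them instead of indexing them raw, and the hard-coded version will silently diverge from the real pipeline name the next time the integration is upgraded. The same pinning appears in logs-system.application@package.json (`"default_pipeline": "logs-system.application-1.6.4"`). It would help to record, in the salt state that installs these templates or in the commit message, which integration version each pipeline name is taken from, so the two can be bumped together. Separately, the hunk drops the `es_security_analyzer` and every `fields.security` multi-field from this template; any saved search or dashboard that still targets a `*.security` sub-field on this data stream will now match nothing, so it is worth confirming none remain before merge.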
@@ -0,0 +1,91 @@
+{"template": {
+ "mappings": {
+ "properties": {
+ "completed_at": {
+ "type": "date"
+ },
+ "action_response": {
+ "properties": {
+ "osquery": {
+ "properties": {
+ "count": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ },
+ "@timestamp": {
+ "type": "date"
+ },
+ "agent_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "action_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "count": {
+ "type": "long"
+ },
+ "started_at": {
+ "type": "date"
+ },
+ "action_input_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "error": {
+ "type": "text",
+ "fields": {
+ "keyword": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "event": {
+ "properties": {
+ "agent_id_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ingested": {
+ "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis",
+ "type": "date"
+ }
+ }
+ },
+ "action_data": {
+ "properties": {
+ "saved_query_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "query": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ecs_mapping": {
+ "type": "object",
+ "enabled": false
+ },
+ "platform": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.actions.json b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.actions.json
new file mode 100644
index 000000000..44296af13
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.actions.json 
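Review bot: Neither this template nor logs-osquery_manager.actions.json in the next hunk sets `"dynamic"` on its mappings, whereas logs-elastic_agent@package.json in this same commit sets `"dynamic": false`; as written, any field in an action response that is not listed here is mapped automatically and counts toward the field limit. If that is deliberate because these files mirror the upstream osquery_manager integration, JSON offers no place for a comment, so the upstream integration version should be recorded in the commit message or in the salt state that loads them. Also note that `action_data.query` is mapped as `keyword` with `"ignore_above": 1024`, so osquery statements longer than 1024 characters stay in `_source` but are not searchable on that field, while the actions template maps `queries.query` as `text`; the two templates treat the same kind of value differently, which is worth confirming is intended.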
@@ -0,0 +1,110 @@
+{"template": {
+ "mappings": {
+ "properties": {
+ "pack_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "metadata": {
+ "type": "object",
+ "enabled": false
+ },
+ "data": {
+ "properties": {
+ "query": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "pack_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "input_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pack_prebuilt": {
+ "type": "boolean"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "queries": {
+ "properties": {
+ "action_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "saved_query_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "saved_query_prebuilt": {
+ "type": "boolean"
+ },
+ "query": {
+ "type": "text"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ecs_mapping": {
+ "type": "object",
+ "enabled": false
+ },
+ "platform": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agents": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "agents": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "@timestamp": {
+ "type": "date"
+ },
+ "action_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "expiration": {
+ "type": "date"
+ },
+ "event": {
+ "properties": {
+ "agent_id_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ingested": {
+ "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis",
+ "type": "date"
+ }
+ }
+ },
+ "agent_ids": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json
new file mode 100644
index 000000000..fe77af1db
--- /dev/null 
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json
@@ -0,0 +1,12 @@
+{
+ "template": {
+ "settings": {}
+ },
+ "_meta": {
+ "package": {
+ "name": "elastic_agent"
+ },
+ "managed_by": "fleet",
+ "managed": true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json
new file mode 100644
index 000000000..05741a4f0
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json 
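Review bot: `_meta.package.name` is `"elastic_agent"` here, but this is the @custom component template for the system.application data stream, and the matching logs-system.application@package.json in the next hunk declares `"name": "system"`. The identical blob (index fe77af1db) is also added as logs-system.auth@custom.json later in this diff, so the same mismatch appears there. The wrong owner is misleading to anyone auditing which integration a managed template belongs to and, if Fleet compares `_meta` when reconciling templates it marks `"managed": true`, could cause it to be attributed to the wrong package; `"name": "system"` looks like the intended value in both files.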
@@ -0,0 +1,952 @@ + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-system.application-1.6.4", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.code", + "event.original", + "error.message", + "message", + "winlog.api", + "winlog.activity_id", + "winlog.computer_name", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.Company", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + "winlog.event_data.Group", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + 
"winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonId", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MajorVersion", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + "winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewTime", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + "winlog.event_data.OldSchemeGuid", + "winlog.event_data.OldTime", + "winlog.event_data.OriginalFileName", + "winlog.event_data.Path", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Reason", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.ServiceName", + "winlog.event_data.ServiceVersion", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + "winlog.event_data.ShutdownReason", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + "winlog.event_data.Signed", + "winlog.event_data.StartTime", + "winlog.event_data.State", + "winlog.event_data.Status", + 
"winlog.event_data.StopTime", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.UserSid", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + "winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", + "winlog.event_id", + "winlog.keywords", + "winlog.channel", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + "winlog.task", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + "winlog.user.type" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + }, + { + "winlog.user_data": { + "path_match": "winlog.user_data.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "winlog": { + "properties": { + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 
1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "module": { + "type": "constant_keyword", + "value": "system" + }, + "dataset": { + "type": "constant_keyword", + "value": "system.application" + } + } + }, + "error": { + "properties": { + "message": { + "type": "match_only_text" + } + } + }, + "message": { + "type": "match_only_text" + } + } + } + }, + "_meta": { + "package": { + "name": "system" + }, + "managed_by": "fleet", + "managed": true + } + } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null 
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json
@@ -0,0 +1,12 @@
+{
+ "template": {
+ "settings": {}
+ },
+ "_meta": {
+ "package": {
+ "name": "elastic_agent"
+ },
+ "managed_by": "fleet",
+ "managed": true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json
new file mode 100644
index 000000000..51e707850
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json
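Review bot: `_meta.package.name` in this custom component template is `"elastic_agent"`, while the companion `logs-system.auth@package.json` added in the same commit declares `"name": "system"` for the same data stream; the identical blob (index fe77af1db) is reused for `logs-system.security@custom.json` later in this diff, which suggests the `_meta` block was copied from an elastic_agent template rather than written for these streams. If `_meta.package.name` is meant to attribute the template to its integration, both custom files should read `"name": "system"`; if the mismatch is deliberate, a short note in the Salt state that installs these files would stop a later reviewer from changing it. Since `@custom` component templates are the slot Fleet reserves for operator overrides, marking them `"managed": true` / `"managed_by": "fleet"` is also worth a second look, as it may signal to Fleet that it, not Salt, owns the content.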
@@ -0,0 +1,530 @@ +{ + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-system.auth-1.6.4", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.os.full", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "ecs.version", + "error.message", + "group.id", + "group.name", + "message", + "process.name", + "related.hosts", + "related.user", + "source.as.organization.name", + "source.geo.city_name", + "source.geo.continent_name", + "source.geo.country_iso_code", + "source.geo.country_name", + "source.geo.region_iso_code", + "source.geo.region_name", + "user.effective.name", + "user.id", + "user.name", + "system.auth.ssh.method", + "system.auth.ssh.signature", + "system.auth.ssh.event", + "system.auth.sudo.error", + "system.auth.sudo.tty", + "system.auth.sudo.pwd", + "system.auth.sudo.user", + "system.auth.sudo.command", + "system.auth.useradd.home", + "system.auth.useradd.shell", + "version" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + } + } + }, + "source": { + "properties": { + "geo": { + "properties": { + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "port": { + "type": "long" + }, + "ip": { + "type": "ip" + } + } + }, + "error": { + "properties": { + "message": { + "type": "match_only_text" + } + } + }, + "message": { + "type": "match_only_text" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + } + } + }, + "@timestamp": { + "type": "date" + }, + "system": { + "properties": { + "auth": { + "properties": { + "ssh": { + "properties": { + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_ip": { + "type": "ip" + }, + "signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "event": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sudo": { + "properties": { + "tty": { + "ignore_above": 1024, + "type": "keyword" + }, + "error": { + "ignore_above": 1024, + "type": "keyword" + }, + "pwd": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "useradd": { + "properties": { + "shell": { + "ignore_above": 1024, + "type": "keyword" + }, + "home": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword", + "value": "logs" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "system" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "system.auth" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "effective": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "system" + }, + "managed_by": "fleet", + "managed": true + } +} 
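Review bot: `default_pipeline` is hard-coded to `logs-system.auth-1.6.4` in the index settings at the top of this file, so every write to the data stream depends on an ingest pipeline of exactly that name existing; if that pipeline is installed by a different state or at another version, indexing fails outright rather than falling back. The same pinning appears in the security template (`"default_pipeline": "logs-system.security-1.6.4"`), whose hunk continues past this chunk. Consider templating the version string from the one place the pipeline is installed so the two cannot drift. Separately, `"managed_by": "fleet"` / `"managed": true` on a Salt-delivered file means both Salt and Fleet will consider themselves the owner of this template; if Fleet is expected to upgrade the integration later, a package install may overwrite what Salt put here, and that expectation is worth stating in the installing state. Note also that `system.auth.sudo.command` is a `keyword` with `ignore_above: 1024`, so sudo command lines longer than that are kept in `_source` but not indexed, which detection content that matches on this field should account for.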
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json
new file mode 100644
index 000000000..fe77af1db
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json
@@ -0,0 +1,12 @@
+{
+ "template": {
+ "settings": {}
+ },
+ "_meta": {
+ "package": {
+ "name": "elastic_agent"
+ },
+ "managed_by": "fleet",
+ "managed": true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json
new file mode 100644
index 000000000..a74cd4a70
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json
@@ -0,0 +1,1840 @@ + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-system.security-1.6.4", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "tags", + "input.type", + "ecs.version", + "group.domain", + "group.id", + "group.name", + "log.file.path", + "log.level", + "message", + "process.args", + "process.command_line", + "process.entity_id", + "process.executable", + "process.name", + "process.parent.executable", + "process.parent.name", + "process.title", + "related.hash", + "related.hosts", + "related.user", + "service.name", + "service.type", + "source.domain", + "user.domain", + "user.id", + "user.name", + "user.effective.domain", + "user.effective.id", + "user.effective.name", + "user.target.group.domain", + "user.target.group.id", + "user.target.group.name", + "user.target.name", + "user.target.domain", + "user.target.id", + "user.changes.name", + "winlog.logon.type", + "winlog.logon.id", + "winlog.logon.failure.reason", + "winlog.logon.failure.status", + "winlog.logon.failure.sub_status", + "winlog.api", + "winlog.activity_id", + "winlog.channel", + "winlog.computer_name", + "winlog.computerObject.domain", + "winlog.computerObject.id", + "winlog.computerObject.name", + 
"winlog.event_data.AccessGranted", + "winlog.event_data.AccessList", + "winlog.event_data.AccessListDescription", + "winlog.event_data.AccessMask", + "winlog.event_data.AccessMaskDescription", + "winlog.event_data.AccessRemoved", + "winlog.event_data.AccountDomain", + "winlog.event_data.AccountExpires", + "winlog.event_data.AccountName", + "winlog.event_data.AllowedToDelegateTo", + "winlog.event_data.AuditPolicyChanges", + "winlog.event_data.AuditPolicyChangesDescription", + "winlog.event_data.AuditSourceName", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.CallerProcessId", + "winlog.event_data.CallerProcessName", + "winlog.event_data.Category", + "winlog.event_data.CategoryId", + "winlog.event_data.ClientAddress", + "winlog.event_data.ClientName", + "winlog.event_data.CommandLine", + "winlog.event_data.Company", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CrashOnAuditFailValue", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DisplayName", + "winlog.event_data.DomainBehaviorVersion", + "winlog.event_data.DomainName", + "winlog.event_data.DomainPolicyChanged", + "winlog.event_data.DomainSid", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.Dummy", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.EventSourceId", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FailureReason", + 
"winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + "winlog.event_data.Group", + "winlog.event_data.GroupTypeChange", + "winlog.event_data.HandleId", + "winlog.event_data.HomeDirectory", + "winlog.event_data.HomePath", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + "winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KerberosPolicyChange", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonHours", + "winlog.event_data.LogonId", + "winlog.event_data.LogonID", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MachineAccountQuota", + "winlog.event_data.MajorVersion", + "winlog.event_data.MandatoryLabel", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + "winlog.event_data.MixedDomainMode", + "winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewSd", + "winlog.event_data.NewSdDacl0", + "winlog.event_data.NewSdDacl1", + "winlog.event_data.NewSdDacl2", + "winlog.event_data.NewSdSacl0", + "winlog.event_data.NewSdSacl1", + "winlog.event_data.NewSdSacl2", + "winlog.event_data.NewTargetUserName", + "winlog.event_data.NewTime", + "winlog.event_data.NewUACList", + "winlog.event_data.NewUacValue", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + "winlog.event_data.ObjectName", + "winlog.event_data.ObjectServer", + "winlog.event_data.ObjectType", + "winlog.event_data.OemInformation", + "winlog.event_data.OldSchemeGuid", + 
"winlog.event_data.OldSd", + "winlog.event_data.OldSdDacl0", + "winlog.event_data.OldSdDacl1", + "winlog.event_data.OldSdDacl2", + "winlog.event_data.OldSdSacl0", + "winlog.event_data.OldSdSacl1", + "winlog.event_data.OldSdSacl2", + "winlog.event_data.OldTargetUserName", + "winlog.event_data.OldTime", + "winlog.event_data.OldUacValue", + "winlog.event_data.OriginalFileName", + "winlog.event_data.PackageName", + "winlog.event_data.PasswordLastSet", + "winlog.event_data.PasswordHistoryLength", + "winlog.event_data.Path", + "winlog.event_data.ParentProcessName", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreAuthType", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrimaryGroupId", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.ProfilePath", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Reason", + "winlog.event_data.ResourceAttributes", + "winlog.event_data.SamAccountName", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptPath", + "winlog.event_data.SidHistory", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.Service", + "winlog.event_data.ServiceAccount", + "winlog.event_data.ServiceFileName", + "winlog.event_data.ServiceName", + "winlog.event_data.ServiceSid", + "winlog.event_data.ServiceStartType", + "winlog.event_data.ServiceType", + "winlog.event_data.ServiceVersion", + "winlog.event_data.SessionName", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + "winlog.event_data.ShutdownReason", + "winlog.event_data.SidFilteringEnabled", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + "winlog.event_data.Signed", + "winlog.event_data.StartTime", + 
"winlog.event_data.State", + "winlog.event_data.Status", + "winlog.event_data.StatusDescription", + "winlog.event_data.StopTime", + "winlog.event_data.SubCategory", + "winlog.event_data.SubCategoryGuid", + "winlog.event_data.SubcategoryGuid", + "winlog.event_data.SubCategoryId", + "winlog.event_data.SubcategoryId", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.SubStatus", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetSid", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TdoAttributes", + "winlog.event_data.TdoDirection", + "winlog.event_data.TdoType", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TicketEncryptionType", + "winlog.event_data.TicketEncryptionTypeDescription", + "winlog.event_data.TicketOptions", + "winlog.event_data.TicketOptionsDescription", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.UserAccountControl", + "winlog.event_data.UserParameters", + "winlog.event_data.UserPrincipalName", + "winlog.event_data.UserSid", + "winlog.event_data.UserWorkstations", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + "winlog.event_data.WorkstationName", + "winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", + "winlog.event_id", + "winlog.keywords", + "winlog.level", + "winlog.outcome", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + 
"winlog.task", + "winlog.time_created", + "winlog.trustAttribute", + "winlog.trustDirection", + "winlog.trustType", + "winlog.user_data.BackupPath", + "winlog.user_data.Channel", + "winlog.user_data.SubjectDomainName", + "winlog.user_data.SubjectLogonId", + "winlog.user_data.SubjectUserName", + "winlog.user_data.SubjectUserSid", + "winlog.user_data.xml_name", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + "winlog.user.type" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "winlog": { + "properties": { + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "logon": { + "properties": { + "failure": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonHours": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketOptions": { + "ignore_above": 1024, + "type": "keyword" + }, + "AllowedToDelegateTo": { + "ignore_above": 1024, + "type": "keyword" + }, + "TdoAttributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessMask": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "ResourceAttributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "SessionName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PasswordHistoryLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSd": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "PackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "SidHistory": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "WorkstationName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "CrashOnAuditFailValue": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "HandleId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessListDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "MachineAccountQuota": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldUacValue": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserParameters": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "SubCategoryId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewUacValue": { + "ignore_above": 1024, + "type": "keyword" + }, + "CallerProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProfilePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainPolicyChanged": { + "ignore_above": 1024, + "type": "keyword" + }, + "CategoryId": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreAuthType": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccountDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewUACList": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubcategoryGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "SidFilteringEnabled": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuditPolicyChanges": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventSourceId": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrimaryGroupId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "PasswordLastSet": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "GroupTypeChange": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessList": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + }, + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketEncryptionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketOptionsDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectServer": { + "ignore_above": 1024, + "type": "keyword" + }, + "HomePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserWorkstations": { + "ignore_above": 1024, + "type": "keyword" + }, + "SamAccountName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuditSourceName": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "SubCategoryGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuditPolicyChangesDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessMaskDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccountName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketEncryptionTypeDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceAccount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "KerberosPolicyChange": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "MandatoryLabel": { + "ignore_above": 1024, + "type": "keyword" + }, + "HomeDirectory": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccountExpires": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceStartType": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"UserPrincipalName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdSacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "Dummy": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdSacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdSacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdSacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdSacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdSacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSd": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientName": { + "ignore_above": 1024, + "type": "keyword" + }, + "StatusDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdDacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdDacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdDacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainBehaviorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessGranted": { + "ignore_above": 1024, + "type": "keyword" + }, + "ParentProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubcategoryId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessRemoved": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "MixedDomainMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdDacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdDacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "Category": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdDacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "CallerProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TdoType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DisplayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "Service": { + "ignore_above": 1024, + "type": "keyword" + }, + "TdoDirection": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "CommandLine": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserAccountControl": { + "ignore_above": 1024, + "type": "keyword" + }, + "OemInformation": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubCategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonID": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_created": { + "ignore_above": 1024, + "type": "keyword" + }, + "trustDirection": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "trustAttribute": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "computerObject": { + "properties": { 
+ "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_data": { + "properties": { + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BackupPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "Channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "xml_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "trustType": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "port": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + } + } + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword", + "value": "logs" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "system" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "system.security" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "changes": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "system" + }, + "managed_by": "fleet", + "managed": true + } + } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json new file mode 100644 index 000000000..30576a635 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json 
@@ -0,0 +1,327 @@ +{ + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-system.syslog-1.6.4", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.os.full", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "ecs.version", + "message", + "process.name" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } 
+ } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword", + "value": "logs" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + 
"type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "system" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "system.syslog" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "type": "match_only_text" + } + } + } + }, + "_meta": { + "package": { + "name": "system" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json new file mode 100644 index 000000000..068e6846b --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json 
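Review bot: The new `logs-system.syslog@package` template pins `"default_pipeline": "logs-system.syslog-1.6.4"` to one integration version, and Elasticsearch does not index documents whose default pipeline is missing, so if that pipeline is absent on the target or is superseded when the system integration is upgraded, syslog ingestion into this data stream fails outright rather than degrading to unprocessed events. Since the file is strict JSON and cannot carry a comment, consider either sourcing the pipeline name from a Salt pillar that is updated together with the integration, or adding a check in the Salt state that deploys these templates that the referenced pipeline exists before the template is applied. Separately, `_meta.package.name` is `system` here while the companion `logs-system.syslog@custom.json` in this same change carries `elastic_agent`; both are marked `"managed_by": "fleet"`, and I cannot tell from the diff whether Fleet also manages them on the deployed cluster, in which case the Salt-delivered copy and Fleet's own copy could drift after an integration upgrade. Aligning the `_meta` values with the Fleet-exported originals keeps future diffs against upstream clean.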
@@ -0,0 +1,986 @@ +{ + "template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-system.system-1.6.4", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.original", + "event.outcome", + "event.provider", + "event.type", + "error.message", + "message", + "winlog.api", + "winlog.activity_id", + "winlog.computer_name", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.Company", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + 
"winlog.event_data.Group", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + "winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonId", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MajorVersion", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + "winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewTime", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + "winlog.event_data.OldSchemeGuid", + "winlog.event_data.OldTime", + "winlog.event_data.OriginalFileName", + "winlog.event_data.Path", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Reason", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.ServiceName", + "winlog.event_data.ServiceVersion", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + "winlog.event_data.ShutdownReason", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + 
"winlog.event_data.Signed", + "winlog.event_data.StartTime", + "winlog.event_data.State", + "winlog.event_data.Status", + "winlog.event_data.StopTime", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.UserSid", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + "winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", + "winlog.event_id", + "winlog.keywords", + "winlog.channel", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + "winlog.task", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + "winlog.user.type" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + }, + { + "winlog.user_data": { + "path_match": "winlog.user_data.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "winlog": { + "properties": { + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { 
+ "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "system" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "system.system" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + 
"properties": {
+ "message": {
+ "type": "match_only_text"
+ }
+ }
+ },
+ "message": {
+ "type": "match_only_text"
+ }
+ }
+ }
+ },
+ "_meta": {
+ "package": {
+ "name": "system"
+ },
+ "managed_by": "fleet",
+ "managed": true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json
new file mode 100644
index 000000000..fe77af1db
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json
@@ -0,0 +1,12 @@
+{
+ "template": {
+ "settings": {}
+ },
+ "_meta": {
+ "package": {
+ "name": "elastic_agent"
+ },
+ "managed_by": "fleet",
+ "managed": true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json
new file mode 100644
index 000000000..967641107
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json
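Review bot: `_meta.package.name` in the new logs-windows.forwarded@custom.json is `elastic_agent`, which does not match the data stream the file is named for: the sibling `@package` template in the following hunk fixes `event.module` to `windows` and `event.dataset` to `windows.forwarded`, and the system template closed just above carries its own package name `system`. The mismatch suggests the file was modeled on a different integration's custom template; unless that is intentional, `"name": "windows"` would keep the `@custom`/`@package` pair consistent. The `@package` template's own `_meta` block lies beyond this view, so its value should be checked against the exported source before changing.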
@@ -0,0 +1,2544 @@ + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-windows.forwarded-1.20.1", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "analysis": { + "analyzer": { + "powershell_script_analyzer": { + "pattern": "[\\W&&[^-]]+", + "type": "pattern" + } + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "tags", + "input.type", + "destination.domain", + "destination.user.domain", + "destination.user.id", + "destination.user.name", + "dns.answers.class", + "dns.answers.data", + "dns.answers.name", + "dns.answers.type", + "dns.header_flags", + "dns.id", + "dns.op_code", + "dns.question.class", + "dns.question.name", + "dns.question.registered_domain", + "dns.question.subdomain", + "dns.question.top_level_domain", + "dns.question.type", + "dns.response_code", + "dns.type", + "ecs.version", + "file.code_signature.status", + "file.code_signature.subject_name", + "file.directory", + "file.extension", + "file.hash.md5", + "file.hash.sha1", + "file.hash.sha256", + "file.hash.sha512", + "file.name", + "file.path", + "file.pe.architecture", + "file.pe.company", + "file.pe.description", + "file.pe.file_version", + "file.pe.imphash", + "file.pe.original_file_name", + "file.pe.product", + "group.domain", + "group.id", + "group.name", + 
"log.file.path", + "log.level", + "message", + "network.community_id", + "network.direction", + "network.protocol", + "network.transport", + "network.type", + "process.args", + "process.command_line", + "process.entity_id", + "process.executable", + "process.hash.md5", + "process.hash.sha1", + "process.hash.sha256", + "process.hash.sha512", + "process.name", + "process.parent.args", + "process.parent.command_line", + "process.parent.entity_id", + "process.parent.executable", + "process.parent.hash.md5", + "process.parent.hash.sha1", + "process.parent.hash.sha256", + "process.parent.hash.sha512", + "process.parent.name", + "process.parent.pe.architecture", + "process.parent.pe.company", + "process.parent.pe.description", + "process.parent.pe.file_version", + "process.parent.pe.imphash", + "process.parent.pe.original_file_name", + "process.parent.pe.product", + "process.parent.title", + "process.pe.architecture", + "process.pe.company", + "process.pe.description", + "process.pe.file_version", + "process.pe.imphash", + "process.pe.original_file_name", + "process.pe.product", + "process.title", + "process.working_directory", + "registry.data.strings", + "registry.data.type", + "registry.hive", + "registry.key", + "registry.path", + "registry.value", + "related.hash", + "related.hosts", + "related.user", + "rule.name", + "service.name", + "service.type", + "source.domain", + "source.user.domain", + "source.user.id", + "source.user.name", + "user.domain", + "user.id", + "user.name", + "user.target.group.domain", + "user.target.group.id", + "user.target.group.name", + "user.target.name", + "sysmon.dns.status", + "winlog.logon.type", + "winlog.logon.id", + "winlog.logon.failure.reason", + "winlog.logon.failure.status", + "winlog.logon.failure.sub_status", + "winlog.api", + "winlog.activity_id", + "winlog.computer_name", + "winlog.level", + "winlog.outcome", + "winlog.trustAttribute", + "winlog.trustDirection", + "winlog.trustType", + "winlog.computerObject.domain", + 
"winlog.computerObject.id", + "winlog.computerObject.name", + "winlog.event_data.AccessGranted", + "winlog.event_data.AccessMask", + "winlog.event_data.AccessMaskDescription", + "winlog.event_data.AccessRemoved", + "winlog.event_data.AccountDomain", + "winlog.event_data.AccountExpires", + "winlog.event_data.AccountName", + "winlog.event_data.AllowedToDelegateTo", + "winlog.event_data.AuditPolicyChanges", + "winlog.event_data.AuditPolicyChangesDescription", + "winlog.event_data.AuditSourceName", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.CallerProcessId", + "winlog.event_data.CallerProcessName", + "winlog.event_data.Category", + "winlog.event_data.CategoryId", + "winlog.event_data.ClientAddress", + "winlog.event_data.ClientInfo", + "winlog.event_data.ClientName", + "winlog.event_data.CommandLine", + "winlog.event_data.Company", + "winlog.event_data.ComputerAccountChange", + "winlog.event_data.Configuration", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CrashOnAuditFailValue", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DisplayName", + "winlog.event_data.DnsHostName", + "winlog.event_data.DomainBehaviorVersion", + "winlog.event_data.DomainName", + "winlog.event_data.DomainPolicyChanged", + "winlog.event_data.DomainSid", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.Dummy", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.EventSourceId", + 
"winlog.event_data.EventType", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FailureReason", + "winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + "winlog.event_data.Group", + "winlog.event_data.GroupTypeChange", + "winlog.event_data.HandleId", + "winlog.event_data.HomeDirectory", + "winlog.event_data.HomePath", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + "winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KerberosPolicyChange", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonHours", + "winlog.event_data.LogonId", + "winlog.event_data.LogonID", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MachineAccountQuota", + "winlog.event_data.MajorVersion", + "winlog.event_data.MandatoryLabel", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + "winlog.event_data.MixedDomainMode", + "winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewSd", + "winlog.event_data.NewSdDacl0", + "winlog.event_data.NewSdDacl1", + "winlog.event_data.NewSdDacl2", + "winlog.event_data.NewSdSacl0", + "winlog.event_data.NewSdSacl1", + "winlog.event_data.NewSdSacl2", + "winlog.event_data.NewTargetUserName", + "winlog.event_data.NewTime", + "winlog.event_data.NewUACList", + "winlog.event_data.NewUacValue", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + 
"winlog.event_data.ObjectName", + "winlog.event_data.ObjectServer", + "winlog.event_data.ObjectType", + "winlog.event_data.OemInformation", + "winlog.event_data.OldSchemeGuid", + "winlog.event_data.OldSd", + "winlog.event_data.OldSdDacl0", + "winlog.event_data.OldSdDacl1", + "winlog.event_data.OldSdDacl2", + "winlog.event_data.OldSdSacl0", + "winlog.event_data.OldSdSacl1", + "winlog.event_data.OldSdSacl2", + "winlog.event_data.OldTargetUserName", + "winlog.event_data.OldTime", + "winlog.event_data.OldUacValue", + "winlog.event_data.OriginalFileName", + "winlog.event_data.PackageName", + "winlog.event_data.PasswordLastSet", + "winlog.event_data.PasswordHistoryLength", + "winlog.event_data.Path", + "winlog.event_data.ParentProcessName", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreAuthType", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrimaryGroupId", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.ProfilePath", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Reason", + "winlog.event_data.SamAccountName", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptPath", + "winlog.event_data.Session", + "winlog.event_data.SidHistory", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.Service", + "winlog.event_data.ServiceAccount", + "winlog.event_data.ServiceFileName", + "winlog.event_data.ServiceName", + "winlog.event_data.ServicePrincipalNames", + "winlog.event_data.ServiceSid", + "winlog.event_data.ServiceStartType", + "winlog.event_data.ServiceType", + "winlog.event_data.ServiceVersion", + "winlog.event_data.SessionName", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + 
"winlog.event_data.ShutdownReason", + "winlog.event_data.SidFilteringEnabled", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + "winlog.event_data.Signed", + "winlog.event_data.StartTime", + "winlog.event_data.State", + "winlog.event_data.Status", + "winlog.event_data.StatusDescription", + "winlog.event_data.StopTime", + "winlog.event_data.SubCategory", + "winlog.event_data.SubCategoryGuid", + "winlog.event_data.SubcategoryGuid", + "winlog.event_data.SubCategoryId", + "winlog.event_data.SubcategoryId", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.SubStatus", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetSid", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TdoAttributes", + "winlog.event_data.TdoDirection", + "winlog.event_data.TdoType", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TicketEncryptionType", + "winlog.event_data.TicketEncryptionTypeDescription", + "winlog.event_data.TicketOptions", + "winlog.event_data.TicketOptionsDescription", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.UserAccountControl", + "winlog.event_data.UserParameters", + "winlog.event_data.UserPrincipalName", + "winlog.event_data.UserSid", + "winlog.event_data.UserWorkstations", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + "winlog.event_data.WorkstationName", + "winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", 
+ "winlog.event_id", + "winlog.keywords", + "winlog.channel", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + "winlog.task", + "winlog.user_data.BackupPath", + "winlog.user_data.Channel", + "winlog.user_data.SubjectDomainName", + "winlog.user_data.SubjectLogonId", + "winlog.user_data.SubjectUserName", + "winlog.user_data.SubjectUserSid", + "winlog.user_data.xml_name", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + "winlog.user.type", + "powershell.id", + "powershell.pipeline_id", + "powershell.runspace_id", + "powershell.command.path", + "powershell.command.name", + "powershell.command.type", + "powershell.command.value", + "powershell.connected_user.domain", + "powershell.connected_user.name", + "powershell.engine.version", + "powershell.engine.previous_state", + "powershell.engine.new_state", + "powershell.file.script_block_id", + "powershell.file.script_block_text", + "powershell.process.executable_version", + "powershell.provider.new_state", + "powershell.provider.name" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sysmon": { + "properties": { + "file": { + "properties": { + "archived": { + "type": "boolean" + }, + "is_executable": { + "type": "boolean" + } + } + }, + "dns": { + "properties": { + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "port": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "rule": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "port": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "network": { + "properties": { + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + 
"id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "valid": { + "type": "boolean" + }, + "trusted": { + "type": "boolean" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 
1024, + "type": "keyword" + } + } + }, + "powershell": { + "properties": { + "sequence": { + "type": "long" + }, + "total": { + "type": "long" + }, + "connected_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "executable_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "script_block_text": { + "search_analyzer": "powershell_script_analyzer", + "analyzer": "powershell_script_analyzer", + "type": "text" + }, + "script_block_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "engine": { + "properties": { + "previous_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "runspace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pipeline_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "type": "text" + } + } + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "windows" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "windows.forwarded" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "properties": { + "strings": { + "ignore_above": 1024, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": 
{ + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "start": { + "type": "date" + }, + "pid": { + "type": "long" + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "pe": { + "properties": { + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 
1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "pid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "winlog": { + "properties": { + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "logon": { + "properties": { + "failure": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + 
"ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Configuration": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonHours": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketOptions": { + "ignore_above": 1024, + "type": "keyword" + }, + "AllowedToDelegateTo": { + "ignore_above": 1024, + "type": "keyword" + }, + "TdoAttributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessMask": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "SessionName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PasswordHistoryLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSd": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "PackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "SidHistory": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "WorkstationName": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"SubStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "CrashOnAuditFailValue": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "HandleId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DnsHostName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "MachineAccountQuota": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldUacValue": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserParameters": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubCategoryId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewUacValue": { + "ignore_above": 1024, + "type": "keyword" + }, + "CallerProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"ProfilePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ComputerAccountChange": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainPolicyChanged": { + "ignore_above": 1024, + "type": "keyword" + }, + "CategoryId": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreAuthType": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccountDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewUACList": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubcategoryGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "SidFilteringEnabled": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuditPolicyChanges": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventSourceId": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "PrimaryGroupId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "PasswordLastSet": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "GroupTypeChange": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + }, + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketEncryptionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketOptionsDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectServer": { + "ignore_above": 1024, + "type": "keyword" + }, + "HomePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserWorkstations": { + "ignore_above": 1024, + "type": "keyword" + }, + "SamAccountName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuditSourceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubCategoryGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuditPolicyChangesDescription": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "AccessMaskDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccountName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TicketEncryptionTypeDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceAccount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServicePrincipalNames": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "KerberosPolicyChange": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "MandatoryLabel": { + "ignore_above": 1024, + "type": "keyword" + }, + "HomeDirectory": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccountExpires": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceStartType": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserPrincipalName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdSacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "Dummy": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"NewSdSacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdSacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdSacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventType": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdSacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdSacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSd": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientName": { + "ignore_above": 1024, + "type": "keyword" + }, + "StatusDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdDacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdDacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSdDacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "DomainBehaviorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessGranted": { + "ignore_above": 1024, + "type": "keyword" + }, + "ParentProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubcategoryId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AccessRemoved": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "MixedDomainMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientInfo": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdDacl1": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdDacl0": { + "ignore_above": 1024, + "type": "keyword" + }, + "Category": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSdDacl2": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "CallerProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TdoType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DisplayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "Service": { + "ignore_above": 1024, + "type": "keyword" + }, + "TdoDirection": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "CommandLine": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserAccountControl": { + "ignore_above": 1024, + "type": "keyword" + }, + "OemInformation": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubCategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonID": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Session": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_created": { + "type": "date" + }, + "trustDirection": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trustAttribute": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "computerObject": { + "properties": { + "domain": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_data": { + "properties": { + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BackupPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "Channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "xml_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "trustType": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "answers": { + "properties": { + "data": { + "ignore_above": 
1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + } + } + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dataset": { + "properties": { + "name": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "windows" + }, + "managed_by": "fleet", 
+ "managed": true + } + } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json new file mode 100644 index 000000000..ad0ff857e --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json 
@@ -0,0 +1,1335 @@ + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-windows.powershell-1.20.1", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "analysis": { + "analyzer": { + "powershell_script_analyzer": { + "pattern": "[\\W&&[^-]]+", + "type": "pattern" + } + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "tags", + "input.type", + "destination.user.domain", + "destination.user.id", + "destination.user.name", + "ecs.version", + "file.directory", + "file.extension", + "file.name", + "file.path", + "log.level", + "message", + "process.args", + "process.command_line", + "process.entity_id", + "process.executable", + "process.name", + "process.title", + "related.hash", + "related.hosts", + "related.user", + "source.user.domain", + "source.user.id", + "source.user.name", + "user.domain", + "user.id", + "user.name", + "powershell.id", + "powershell.pipeline_id", + "powershell.runspace_id", + "powershell.command.path", + "powershell.command.name", + "powershell.command.type", + "powershell.command.value", + "powershell.connected_user.domain", + "powershell.connected_user.name", + "powershell.engine.version", + "powershell.engine.previous_state", + "powershell.engine.new_state", + "powershell.file.script_block_id", + 
"powershell.file.script_block_text", + "powershell.process.executable_version", + "powershell.provider.new_state", + "powershell.provider.name", + "winlog.api", + "winlog.activity_id", + "winlog.computer_name", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.Company", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + "winlog.event_data.Group", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + "winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonId", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MajorVersion", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + 
"winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewTime", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + "winlog.event_data.OldSchemeGuid", + "winlog.event_data.OldTime", + "winlog.event_data.OriginalFileName", + "winlog.event_data.Path", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Reason", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.ServiceName", + "winlog.event_data.ServiceVersion", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + "winlog.event_data.ShutdownReason", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + "winlog.event_data.Signed", + "winlog.event_data.StartTime", + "winlog.event_data.State", + "winlog.event_data.Status", + "winlog.event_data.StopTime", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.UserSid", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + 
"winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", + "winlog.event_id", + "winlog.keywords", + "winlog.channel", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + "winlog.task", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + "winlog.user.type" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + }, + { + "winlog.user_data": { + "path_match": "winlog.user_data.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "pid": { + "type": "long" + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + } + } + }, + "winlog": { + "properties": { + "related_activity_id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 
1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 
1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "source": { + "properties": { + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 
1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "powershell": { + "properties": { + "sequence": { + "type": "long" + }, + "total": { + "type": "long" + }, + "connected_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + 
"executable_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "script_block_text": { + "search_analyzer": "powershell_script_analyzer", + "analyzer": "powershell_script_analyzer", + "type": "text" + }, + "script_block_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "engine": { + "properties": { + "previous_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "runspace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pipeline_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "type": "text" + } + } + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 
1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "windows" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "windows.powershell" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dataset": { + "properties": { + "name": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "windows" + }, + "managed_by": "fleet", + "managed": true + } + } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null 
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json
@@ -0,0 +1,12 @@
+{
+ "template": {
+ "settings": {}
+ },
+ "_meta": {
+ "package": {
+ "name": "elastic_agent"
+ },
+ "managed_by": "fleet",
+ "managed": true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json
new file mode 100644
index 000000000..b5cc588c9
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json
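Review bot: `_meta.package.name` is `elastic_agent` in this @custom component while the @package template it pairs with declares `windows`, and the identical stub (blob fe77af1db) is reused for the sysmon_operational @custom file further down, which looks like a copied placeholder rather than a deliberate value. `_meta` is user-defined metadata that Elasticsearch does not act on as far as I know, so nothing breaks, but anyone auditing component ownership by `_meta` will be misled; if it is meant to mirror the package it overrides, change it to `+ "name": "windows"` in both custom files. The empty `settings` is fine given the @package counterpart is a fleet-managed export; site overrides belong here rather than in that file. Worth noting for detection authors: the paired @package template maps `winlog.event_data.ScriptBlockText` as `keyword` with `ignore_above: 1024`, so script blocks longer than that are, as I read ignore_above, only searchable through the analyzed `powershell.file.script_block_text` field — if that needs loosening, this component is where the mapping override would go.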
@@ -0,0 +1,1334 @@ + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-windows.powershell_operational-1.20.1", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "analysis": { + "analyzer": { + "powershell_script_analyzer": { + "pattern": "[\\W&&[^-]]+", + "type": "pattern" + } + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "tags", + "input.type", + "destination.user.domain", + "destination.user.id", + "destination.user.name", + "ecs.version", + "file.directory", + "file.extension", + "file.name", + "file.path", + "log.level", + "message", + "process.args", + "process.command_line", + "process.entity_id", + "process.executable", + "process.name", + "process.title", + "related.hash", + "related.hosts", + "related.user", + "source.user.domain", + "source.user.id", + "source.user.name", + "user.domain", + "user.id", + "user.name", + "powershell.id", + "powershell.pipeline_id", + "powershell.runspace_id", + "powershell.command.path", + "powershell.command.name", + "powershell.command.type", + "powershell.command.value", + "powershell.connected_user.domain", + "powershell.connected_user.name", + "powershell.engine.version", + "powershell.engine.previous_state", + "powershell.engine.new_state", + "powershell.file.script_block_id", + 
"powershell.file.script_block_text", + "powershell.process.executable_version", + "powershell.provider.new_state", + "powershell.provider.name", + "winlog.api", + "winlog.activity_id", + "winlog.computer_name", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.Company", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + "winlog.event_data.Group", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + "winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonId", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MajorVersion", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + 
"winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewTime", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + "winlog.event_data.OldSchemeGuid", + "winlog.event_data.OldTime", + "winlog.event_data.OriginalFileName", + "winlog.event_data.Path", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Reason", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.ServiceName", + "winlog.event_data.ServiceVersion", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + "winlog.event_data.ShutdownReason", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + "winlog.event_data.Signed", + "winlog.event_data.StartTime", + "winlog.event_data.State", + "winlog.event_data.Status", + "winlog.event_data.StopTime", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.UserSid", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + 
"winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", + "winlog.event_id", + "winlog.keywords", + "winlog.channel", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + "winlog.task", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + "winlog.user.type" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + }, + { + "winlog.user_data": { + "path_match": "winlog.user_data.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "pid": { + "type": "long" + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + } + } + }, + "winlog": { + "properties": { + "related_activity_id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 
1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 
1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "source": { + "properties": { + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 
1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "powershell": { + "properties": { + "sequence": { + "type": "long" + }, + "total": { + "type": "long" + }, + "connected_user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + 
"executable_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "script_block_text": { + "analyzer": "powershell_script_analyzer", + "type": "text" + }, + "script_block_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "engine": { + "properties": { + "previous_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "runspace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pipeline_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "type": "text" + } + } + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "windows" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "windows.powershell_operational" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dataset": { + "properties": { + "name": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "windows" + }, + "managed_by": "fleet", + "managed": true + } + } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json 
@@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json new file mode 100644 index 000000000..451eaf7aa --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json 
@@ -0,0 +1,1752 @@ + {"template": { + "settings": { + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "default_pipeline": "logs-windows.sysmon_operational-1.20.1", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "event.action", + "event.category", + "event.code", + "event.kind", + "event.outcome", + "event.provider", + "event.type", + "tags", + "input.type", + "destination.domain", + "dns.answers.class", + "dns.answers.data", + "dns.answers.name", + "dns.answers.type", + "dns.header_flags", + "dns.id", + "dns.op_code", + "dns.question.class", + "dns.question.name", + "dns.question.registered_domain", + "dns.question.subdomain", + "dns.question.top_level_domain", + "dns.question.type", + "dns.response_code", + "dns.type", + "ecs.version", + "error.code", + "error.message", + "file.code_signature.status", + "file.code_signature.subject_name", + "file.directory", + "file.extension", + "file.hash.md5", + "file.hash.sha1", + "file.hash.sha256", + "file.hash.sha512", + "file.name", + "file.path", + "file.pe.architecture", + "file.pe.company", + "file.pe.description", + "file.pe.file_version", + "file.pe.imphash", + "file.pe.original_file_name", + "file.pe.product", + "group.domain", + "group.id", + "group.name", + "log.level", + "message", + "network.community_id", + "network.direction", + "network.protocol", + "network.transport", + "network.type", + "process.args", + 
"process.command_line", + "process.entity_id", + "process.executable", + "process.hash.md5", + "process.hash.sha1", + "process.hash.sha256", + "process.hash.sha512", + "process.name", + "process.parent.args", + "process.parent.command_line", + "process.parent.entity_id", + "process.parent.executable", + "process.parent.name", + "process.pe.architecture", + "process.pe.company", + "process.pe.description", + "process.pe.file_version", + "process.pe.imphash", + "process.pe.original_file_name", + "process.pe.product", + "process.title", + "process.working_directory", + "registry.data.strings", + "registry.data.type", + "registry.hive", + "registry.key", + "registry.path", + "registry.value", + "related.hash", + "related.hosts", + "related.user", + "rule.name", + "service.name", + "service.type", + "source.domain", + "user.domain", + "user.id", + "user.name", + "user.target.group.domain", + "user.target.group.id", + "user.target.group.name", + "user.target.name", + "sysmon.dns.status", + "winlog.api", + "winlog.activity_id", + "winlog.computer_name", + "winlog.event_data.AuthenticationPackageName", + "winlog.event_data.Binary", + "winlog.event_data.BitlockerUserInputTime", + "winlog.event_data.BootMode", + "winlog.event_data.BootType", + "winlog.event_data.BuildVersion", + "winlog.event_data.CallTrace", + "winlog.event_data.ClientInfo", + "winlog.event_data.Company", + "winlog.event_data.Configuration", + "winlog.event_data.CorruptionActionState", + "winlog.event_data.CreationUtcTime", + "winlog.event_data.Description", + "winlog.event_data.Detail", + "winlog.event_data.DeviceName", + "winlog.event_data.DeviceNameLength", + "winlog.event_data.DeviceTime", + "winlog.event_data.DeviceVersionMajor", + "winlog.event_data.DeviceVersionMinor", + "winlog.event_data.DriveName", + "winlog.event_data.DriverName", + "winlog.event_data.DriverNameLength", + "winlog.event_data.DwordVal", + "winlog.event_data.EntryCount", + "winlog.event_data.EventType", + 
"winlog.event_data.EventNamespace", + "winlog.event_data.ExtraInfo", + "winlog.event_data.FailureName", + "winlog.event_data.FailureNameLength", + "winlog.event_data.FileVersion", + "winlog.event_data.FinalStatus", + "winlog.event_data.GrantedAccess", + "winlog.event_data.Group", + "winlog.event_data.IdleImplementation", + "winlog.event_data.IdleStateCount", + "winlog.event_data.ImpersonationLevel", + "winlog.event_data.IntegrityLevel", + "winlog.event_data.IpAddress", + "winlog.event_data.IpPort", + "winlog.event_data.KeyLength", + "winlog.event_data.LastBootGood", + "winlog.event_data.LastShutdownGood", + "winlog.event_data.LmPackageName", + "winlog.event_data.LogonGuid", + "winlog.event_data.LogonId", + "winlog.event_data.LogonProcessName", + "winlog.event_data.LogonType", + "winlog.event_data.MajorVersion", + "winlog.event_data.MaximumPerformancePercent", + "winlog.event_data.MemberName", + "winlog.event_data.MemberSid", + "winlog.event_data.MinimumPerformancePercent", + "winlog.event_data.MinimumThrottlePercent", + "winlog.event_data.MinorVersion", + "winlog.event_data.Name", + "winlog.event_data.NewProcessId", + "winlog.event_data.NewProcessName", + "winlog.event_data.NewSchemeGuid", + "winlog.event_data.NewThreadId", + "winlog.event_data.NewTime", + "winlog.event_data.NominalFrequency", + "winlog.event_data.Number", + "winlog.event_data.OldSchemeGuid", + "winlog.event_data.OldTime", + "winlog.event_data.Operation", + "winlog.event_data.OriginalFileName", + "winlog.event_data.Path", + "winlog.event_data.PerformanceImplementation", + "winlog.event_data.PreviousCreationUtcTime", + "winlog.event_data.PreviousTime", + "winlog.event_data.PrivilegeList", + "winlog.event_data.ProcessId", + "winlog.event_data.ProcessName", + "winlog.event_data.ProcessPath", + "winlog.event_data.ProcessPid", + "winlog.event_data.Product", + "winlog.event_data.PuaCount", + "winlog.event_data.PuaPolicyId", + "winlog.event_data.QfeVersion", + "winlog.event_data.Query", + 
"winlog.event_data.Reason", + "winlog.event_data.SchemaVersion", + "winlog.event_data.ScriptBlockText", + "winlog.event_data.ServiceName", + "winlog.event_data.ServiceVersion", + "winlog.event_data.Session", + "winlog.event_data.ShutdownActionType", + "winlog.event_data.ShutdownEventCode", + "winlog.event_data.ShutdownReason", + "winlog.event_data.Signature", + "winlog.event_data.SignatureStatus", + "winlog.event_data.Signed", + "winlog.event_data.StartAddress", + "winlog.event_data.StartFunction", + "winlog.event_data.StartModule", + "winlog.event_data.StartTime", + "winlog.event_data.State", + "winlog.event_data.Status", + "winlog.event_data.StopTime", + "winlog.event_data.SubjectDomainName", + "winlog.event_data.SubjectLogonId", + "winlog.event_data.SubjectUserName", + "winlog.event_data.SubjectUserSid", + "winlog.event_data.TSId", + "winlog.event_data.TargetDomainName", + "winlog.event_data.TargetImage", + "winlog.event_data.TargetInfo", + "winlog.event_data.TargetLogonGuid", + "winlog.event_data.TargetLogonId", + "winlog.event_data.TargetProcessGUID", + "winlog.event_data.TargetProcessId", + "winlog.event_data.TargetServerName", + "winlog.event_data.TargetUserName", + "winlog.event_data.TargetUserSid", + "winlog.event_data.TerminalSessionId", + "winlog.event_data.TokenElevationType", + "winlog.event_data.TransmittedServices", + "winlog.event_data.Type", + "winlog.event_data.UserSid", + "winlog.event_data.Version", + "winlog.event_data.Workstation", + "winlog.event_data.param1", + "winlog.event_data.param2", + "winlog.event_data.param3", + "winlog.event_data.param4", + "winlog.event_data.param5", + "winlog.event_data.param6", + "winlog.event_data.param7", + "winlog.event_data.param8", + "winlog.event_id", + "winlog.keywords", + "winlog.channel", + "winlog.record_id", + "winlog.related_activity_id", + "winlog.opcode", + "winlog.provider_guid", + "winlog.provider_name", + "winlog.task", + "winlog.user.identifier", + "winlog.user.name", + "winlog.user.domain", + 
"winlog.user.type" + ] + } + } + }, + "mappings": { + "dynamic_templates": [ + { + "container.labels": { + "path_match": "container.labels.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + }, + { + "winlog.user_data": { + "path_match": "winlog.user_data.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sysmon": { + "properties": { + "file": { + "properties": { + "archived": { + "type": "boolean" + }, + "is_executable": { + "type": "boolean" + } + } + }, + "dns": { + "properties": { + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "port": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + } + } + }, + "rule": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "port": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "type": "match_only_text" + } + } + }, + "network": { + "properties": { + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cloud": { + 
"properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "valid": { + "type": "boolean" + }, + "trusted": { + "type": "boolean" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "sha1": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "sequence": { + "type": "long" + }, + "ingested": { + "type": "date" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "module": { + "type": "constant_keyword", + "value": "windows" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "type": "constant_keyword", + "value": "windows.sysmon_operational" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "properties": { + "strings": { + "ignore_above": 1024, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "pid": { + "type": "long" + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + } + } + }, + "pe": { + "properties": { + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "pid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "args_count": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "wildcard", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "winlog": { + "properties": { + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Configuration": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Query": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "CallTrace": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "GrantedAccess": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewThreadId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "Type": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventType": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "Name": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetProcessGUID": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartFunction": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Operation": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetImage": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventNamespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartModule": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + }, + "Session": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "answers": { + "properties": { + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + } + } + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dataset": { + "properties": { + "name": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword", + 
"fields": { + "text": { + "type": "match_only_text" + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "windows" + }, + "managed_by": "fleet", + "managed": true + } + } diff --git a/salt/elasticsearch/templates/component/so/dtc-event-mappings.json b/salt/elasticsearch/templates/component/so/dtc-event-mappings.json index d17b832dc..5d647917b 100644 --- a/salt/elasticsearch/templates/component/so/dtc-event-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-event-mappings.json @@ -137,6 +137,19 @@ } } }, + "severity_label": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + }, + "keyword": { + "type": "keyword" + } + } + }, "timezone": { "ignore_above": 1024, "type": "keyword", diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines b/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines index 7fdc6ff7b..350ac97c5 100755 --- a/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines 
@@ -42,7 +42,7 @@ if [ ! -f /opt/so/state/espipelines.txt ]; then cd ${ELASTICSEARCH_INGEST_PIPELINES} echo "Loading pipelines..." - for i in *; do echo $i; RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -k -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done + for i in .[a-z]* *; do echo $i; RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -k -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done echo cd - >/dev/null diff --git a/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-cluster-space-used b/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-cluster-space-used index b8ac4f6e6..5d8a60e22 100755 --- a/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-cluster-space-used +++ b/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-cluster-space-used 
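Review bot: Without `nullglob` the new `.[a-z]*` pattern is passed through literally when the pipelines directory holds no dotfiles, so the loop would PUT a pipeline literally named `.[a-z]*` with an unreadable `-d@.[a-z]*` body and most likely flip `RETURN_CODE` to 1 on an otherwise healthy run; add `shopt -s nullglob` before the loop or guard the body with `[[ -f "$i" ]] || continue`. The pattern also only matches dotfiles whose second character is a lowercase letter, so a file such as `.Foo` would be silently skipped — if that is intended, a comment saying so would help, otherwise `.[!.]*` is the usual form. `$i` remains unquoted in both the URL and the `-d@$i` argument; quoting it costs nothing. The `-k` that disables TLS verification on the Elasticsearch connection is pre-existing, but worth revisiting now that this line is being rewritten. The enclosing `if [ ! -f /opt/so/state/espipelines.txt ]` block starts and ends outside the hunk.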
@@ -1,28 +1,38 @@
#!/bin/bash
#
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
{% from 'vars/globals.map.jinja' import GLOBALS %}
-TOTAL_AVAILABLE_SPACE=0
+TOTAL_USED_SPACE=0
-# Iterate through the output of _cat/allocation for each node in the cluster to determine the total available space
+# Iterate through the output of _cat/allocation for each node in the cluster to determine the total used space
{% if GLOBALS.role == 'so-manager' %}
+# Get total disk space - disk.total
for i in $(/usr/sbin/so-elasticsearch-query _cat/allocation | grep -v {{ GLOBALS.manager }} | awk '{print $3}'); do
{% else %}
-for i in $(/usr/sbin/so-elasticsearch-query _cat/allocation | awk '{print $3}'); do
+# Get disk space taken up by indices - disk.indices
+for i in $(/usr/sbin/so-elasticsearch-query _cat/allocation | awk '{print $2}'); do
{% endif %}
size=$(echo $i | grep -oE '[0-9].*' | awk '{print int($1+0.5)}')
unit=$(echo $i | grep -oE '[A-Za-z]+')
if [ $unit = "tb" ]; then
- size=$(( size * 1024 ))
+ size=$(( size * 1000 * 1000 * 1000 * 1000 ))
+ elif [ $unit = "gb" ]; then
+ size=$(( size * 1000 * 1000 * 1000 ))
+ elif [ $unit = "mb" ]; then
+ size=$(( size * 1000 * 1000 ))
+ elif [ $unit = "kb" ]; then
+ size=$(( size * 1000 ))
+ elif [ $unit = "b" ]; then
+ size=size
fi
- TOTAL_AVAILABLE_SPACE=$(( TOTAL_AVAILABLE_SPACE + size ))
+ TOTAL_USED_SPACE=$(( TOTAL_USED_SPACE + size ))
done
-# Calculate the percentage of available space based on our previously defined value
-echo "$TOTAL_AVAILABLE_SPACE"
+# Calculate the percentage of used space based on our previously defined value
+echo "$TOTAL_USED_SPACE"
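Review bot: `size=size` in the new `b` branch stores the literal string `size` in the variable, so the following `TOTAL_USED_SPACE=$(( TOTAL_USED_SPACE + size ))` evaluates a name that refers to itself and bash aborts with an expression-recursion error as soon as any node reports a plain byte value; the branch should read `size=$size` (or be removed, since no scaling is needed). The unit tests such as `[ $unit = "tb" ]` are unquoted, so an unexpected token (a header row, or a value without a unit) leaves `$unit` empty and turns the test into a syntax error instead of a skipped entry; write `[ "$unit" = "tb" ]` and likewise for the new `elif` arms. The new comment `# Get total disk space - disk.total` sits above an unchanged `awk '{print $3}'`, which on _cat/allocation's default column order is disk.used rather than disk.total, so either the comment or the column looks wrong and is worth confirming. Two smaller points: `int($1+0.5)` rounds before the new multipliers are applied, so `1.4tb` is scaled from 1, and the 1000-based multipliers should be checked against the unit base Elasticsearch uses for these strings; the comment `# Calculate the percentage of used space` above the final `echo` is also stale, since the script prints a raw total.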
diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls
index c0129c6e1..91433cba8 100644
--- a/salt/logstash/enabled.sls
+++ b/salt/logstash/enabled.sls
@@ -12,7 +12,9 @@
{% set lsheap = LOGSTASH_MERGED.settings.lsheap %}
include:
+{% if GLOBALS.role not in ['so-receiver','so-fleet'] %}
- elasticsearch.ca
+{% endif %}
- logstash.config
- logstash.sostatus
diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion
index 66236492c..e9aff9e09 100755
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -385,10 +385,10 @@ function create_fleet_policy() {
function update_fleet_host_urls() {
# Query for current Fleet Host URLs & append New Fleet Node Hostname & IP
- JSON_STRING=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts' | jq --arg HOSTNAME "https://$LSHOSTNAME:8220" --arg IP "https://$MAINIP:8220" -r '.items[].host_urls += [ $HOSTNAME, $IP ] | {"name":"Default","host_urls": .items[].host_urls,"is_default":true,"proxy_id":null}')
+ JSON_STRING=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default' | jq --arg HOSTNAME "https://$LSHOSTNAME:8220" --arg IP "https://$MAINIP:8220" '.item.host_urls += [ $HOSTNAME, $IP ] | {"name":"grid-default","is_default":true,"host_urls": .item.host_urls}')
# Update Fleet Host URLs
- curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/fleet_server_hosts/fleet-default-fleet-server-host" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+ curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/fleet_server_hosts/grid-default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
}
function update_logstash_outputs() {
diff --git a/salt/sensoroni/defaults.yaml b/salt/sensoroni/defaults.yaml
index b29b8cebf..4ccc11ce9 100644
--- a/salt/sensoroni/defaults.yaml
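Review bot: `update_fleet_host_urls` appends `$HOSTNAME` and `$IP` to `.item.host_urls` without deduplication, so every re-run for the same node grows the `grid-default` host list with duplicate entries; emitting `"host_urls": (.item.host_urls | unique)` in the jq object keeps the function idempotent. Neither curl call checks its exit status or the HTTP code: if the GET returns an error body, jq's `+=` on a missing `.item` still yields an object holding only the two new URLs, and the PUT then replaces the existing host list with just this node (or, when curl produced no output at all, is sent with an empty body). Add `--fail` to both calls and test `[ -n "$JSON_STRING" ] || return 1` before the PUT, or make the jq filter error out when `.item.host_urls` is not an array. `create_fleet_policy`, named in the hunk header, ends before the hunk; `update_fleet_host_urls` itself lies entirely within it.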
+++ b/salt/sensoroni/defaults.yaml
@@ -6,6 +6,5 @@ sensoroni:
timeout_ms: 900000
parallel_limit: 5
node_checkin_interval_ms: 10000
- node_description: ''
sensoronikey:
soc_host:
diff --git a/salt/sensoroni/files/analyzers/emailrep/requirements.txt b/salt/sensoroni/files/analyzers/emailrep/requirements.txt
index a8980057f..c7ff13467 100644
--- a/salt/sensoroni/files/analyzers/emailrep/requirements.txt
+++ b/salt/sensoroni/files/analyzers/emailrep/requirements.txt
@@ -1,2 +1,2 @@
-requests>=2.27.1
+requests>=2.31.0
pyyaml>=6.0
diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
similarity index 100%
rename from salt/sensoroni/files/analyzers/emailrep/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl
rename to salt/sensoroni/files/analyzers/emailrep/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/certifi-2021.10.8-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/certifi-2021.10.8-py2.py3-none-any.whl
deleted file mode 100644
index fbcb86b5f..000000000
Binary files a/salt/sensoroni/files/analyzers/emailrep/source-packages/certifi-2021.10.8-py2.py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/certifi-2023.5.7-py3-none-any.whl
new file mode 100644
index 000000000..c983e799c
Binary files /dev/null and b/salt/sensoroni/files/analyzers/emailrep/source-packages/certifi-2023.5.7-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-2.0.12-py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-2.0.12-py3-none-any.whl deleted file mode 100644 index 17a2dfbeb..000000000 Binary files a/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-2.0.12-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl new file mode 100644 index 000000000..f125c08aa Binary files /dev/null and b/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/idna-3.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/idna-3.3-py3-none-any.whl deleted file mode 100644 index 060541bc9..000000000 Binary files a/salt/sensoroni/files/analyzers/emailrep/source-packages/idna-3.3-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/idna-3.4-py3-none-any.whl new file mode 100644 index 000000000..7343c6845 Binary files /dev/null and b/salt/sensoroni/files/analyzers/emailrep/source-packages/idna-3.4-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/requests-2.27.1-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/requests-2.27.1-py2.py3-none-any.whl deleted file mode 100644 index 807fc6110..000000000 Binary files a/salt/sensoroni/files/analyzers/emailrep/source-packages/requests-2.27.1-py2.py3-none-any.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/requests-2.31.0-py3-none-any.whl new file mode 100644 index 000000000..bfd5d2ea9 Binary files /dev/null and b/salt/sensoroni/files/analyzers/emailrep/source-packages/requests-2.31.0-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/urllib3-1.26.9-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/urllib3-1.26.9-py2.py3-none-any.whl deleted file mode 100644 index 5019453dd..000000000 Binary files a/salt/sensoroni/files/analyzers/emailrep/source-packages/urllib3-1.26.9-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/urllib3-2.0.3-py3-none-any.whl new file mode 100644 index 000000000..5e0b52889 Binary files /dev/null and b/salt/sensoroni/files/analyzers/emailrep/source-packages/urllib3-2.0.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/greynoise/requirements.txt b/salt/sensoroni/files/analyzers/greynoise/requirements.txt index a8980057f..c7ff13467 100644 --- a/salt/sensoroni/files/analyzers/greynoise/requirements.txt +++ b/salt/sensoroni/files/analyzers/greynoise/requirements.txt @@ -1,2 +1,2 @@ -requests>=2.27.1 +requests>=2.31.0 pyyaml>=6.0 
diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl similarity index 100% rename from salt/sensoroni/files/analyzers/greynoise/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl rename to salt/sensoroni/files/analyzers/greynoise/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2021.10.8-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2021.10.8-py2.py3-none-any.whl deleted file mode 100644 index fbcb86b5f..000000000 Binary files a/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2021.10.8-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2023.5.7-py3-none-any.whl new file mode 100644 index 000000000..c983e799c Binary files /dev/null and b/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2023.5.7-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-2.0.12-py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-2.0.12-py3-none-any.whl deleted file mode 100644 index 17a2dfbeb..000000000 Binary files a/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-2.0.12-py3-none-any.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl new file mode 100644 index 000000000..f125c08aa Binary files /dev/null and b/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.3-py3-none-any.whl deleted file mode 100644 index 060541bc9..000000000 Binary files a/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.3-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.4-py3-none-any.whl new file mode 100644 index 000000000..7343c6845 Binary files /dev/null and b/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.4-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/requests-2.27.1-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/requests-2.27.1-py2.py3-none-any.whl deleted file mode 100644 index 807fc6110..000000000 Binary files a/salt/sensoroni/files/analyzers/greynoise/source-packages/requests-2.27.1-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/requests-2.31.0-py3-none-any.whl new file mode 100644 index 000000000..bfd5d2ea9 Binary files /dev/null and b/salt/sensoroni/files/analyzers/greynoise/source-packages/requests-2.31.0-py3-none-any.whl differ 
diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-1.26.9-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-1.26.9-py2.py3-none-any.whl deleted file mode 100644 index 5019453dd..000000000 Binary files a/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-1.26.9-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.0.3-py3-none-any.whl new file mode 100644 index 000000000..5e0b52889 Binary files /dev/null and b/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.0.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/localfile/requirements.txt b/salt/sensoroni/files/analyzers/localfile/requirements.txt index a8980057f..c7ff13467 100644 --- a/salt/sensoroni/files/analyzers/localfile/requirements.txt +++ b/salt/sensoroni/files/analyzers/localfile/requirements.txt @@ -1,2 +1,2 @@ -requests>=2.27.1 +requests>=2.31.0 pyyaml>=6.0 diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl similarity index 100% rename from salt/sensoroni/files/analyzers/localfile/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl rename to salt/sensoroni/files/analyzers/localfile/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl 
diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/certifi-2021.10.8-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/certifi-2021.10.8-py2.py3-none-any.whl deleted file mode 100644 index fbcb86b5f..000000000 Binary files a/salt/sensoroni/files/analyzers/localfile/source-packages/certifi-2021.10.8-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/certifi-2023.5.7-py3-none-any.whl new file mode 100644 index 000000000..c983e799c Binary files /dev/null and b/salt/sensoroni/files/analyzers/localfile/source-packages/certifi-2023.5.7-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-2.0.12-py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-2.0.12-py3-none-any.whl deleted file mode 100644 index 17a2dfbeb..000000000 Binary files a/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-2.0.12-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl new file mode 100644 index 000000000..f125c08aa Binary files /dev/null and b/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl differ 
diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/idna-3.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/idna-3.3-py3-none-any.whl deleted file mode 100644 index 060541bc9..000000000 Binary files a/salt/sensoroni/files/analyzers/localfile/source-packages/idna-3.3-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/idna-3.4-py3-none-any.whl new file mode 100644 index 000000000..7343c6845 Binary files /dev/null and b/salt/sensoroni/files/analyzers/localfile/source-packages/idna-3.4-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/requests-2.27.1-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/requests-2.27.1-py2.py3-none-any.whl deleted file mode 100644 index 807fc6110..000000000 Binary files a/salt/sensoroni/files/analyzers/localfile/source-packages/requests-2.27.1-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/requests-2.31.0-py3-none-any.whl new file mode 100644 index 000000000..bfd5d2ea9 Binary files /dev/null and b/salt/sensoroni/files/analyzers/localfile/source-packages/requests-2.31.0-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/urllib3-1.26.9-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/urllib3-1.26.9-py2.py3-none-any.whl deleted file mode 100644 index 5019453dd..000000000 Binary files a/salt/sensoroni/files/analyzers/localfile/source-packages/urllib3-1.26.9-py2.py3-none-any.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/urllib3-2.0.3-py3-none-any.whl new file mode 100644 index 000000000..5e0b52889 Binary files /dev/null and b/salt/sensoroni/files/analyzers/localfile/source-packages/urllib3-2.0.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/requirements.txt b/salt/sensoroni/files/analyzers/malwarehashregistry/requirements.txt index b6e7c15bf..dfaf321f1 100644 --- a/salt/sensoroni/files/analyzers/malwarehashregistry/requirements.txt +++ b/salt/sensoroni/files/analyzers/malwarehashregistry/requirements.txt @@ -1,2 +1,2 @@ -requests>=2.27.1 +requests>=2.31.0 python-whois>=0.7.3 diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2021.10.8-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2021.10.8-py2.py3-none-any.whl deleted file mode 100644 index fbcb86b5f..000000000 Binary files a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2021.10.8-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2023.5.7-py3-none-any.whl new file mode 100644 index 000000000..c983e799c Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2023.5.7-py3-none-any.whl differ 
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-2.0.12-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-2.0.12-py3-none-any.whl deleted file mode 100644 index 17a2dfbeb..000000000 Binary files a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-2.0.12-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl new file mode 100644 index 000000000..f125c08aa Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/future-0.18.2.tar.gz b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/future-0.18.2.tar.gz deleted file mode 100644 index 3c5328a85..000000000 Binary files a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/future-0.18.2.tar.gz and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/future-0.18.3.tar.gz b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/future-0.18.3.tar.gz new file mode 100644 index 000000000..9ca264a4f Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/future-0.18.3.tar.gz differ 
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/idna-3.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/idna-3.3-py3-none-any.whl deleted file mode 100644 index 060541bc9..000000000 Binary files a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/idna-3.3-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/idna-3.4-py3-none-any.whl new file mode 100644 index 000000000..7343c6845 Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/idna-3.4-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python-whois-0.7.3.tar.gz b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python-whois-0.7.3.tar.gz deleted file mode 100644 index ef6392313..000000000 Binary files a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python-whois-0.7.3.tar.gz and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python-whois-0.8.0.tar.gz b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python-whois-0.8.0.tar.gz new file mode 100644 index 000000000..ffa2e5ded Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python-whois-0.8.0.tar.gz differ diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/requests-2.27.1-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/requests-2.27.1-py2.py3-none-any.whl deleted file mode 100644 index 807fc6110..000000000 Binary files a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/requests-2.27.1-py2.py3-none-any.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/requests-2.31.0-py3-none-any.whl new file mode 100644 index 000000000..bfd5d2ea9 Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/requests-2.31.0-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/urllib3-1.26.9-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/urllib3-1.26.9-py2.py3-none-any.whl deleted file mode 100644 index 5019453dd..000000000 Binary files a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/urllib3-1.26.9-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/urllib3-2.0.3-py3-none-any.whl new file mode 100644 index 000000000..5e0b52889 Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/urllib3-2.0.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/otx/requirements.txt b/salt/sensoroni/files/analyzers/otx/requirements.txt index a8980057f..c7ff13467 100644 --- a/salt/sensoroni/files/analyzers/otx/requirements.txt +++ b/salt/sensoroni/files/analyzers/otx/requirements.txt @@ -1,2 +1,2 @@ -requests>=2.27.1 +requests>=2.31.0 pyyaml>=6.0 
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl b/salt/sensoroni/files/analyzers/otx/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl similarity index 100% rename from salt/sensoroni/files/analyzers/otx/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl rename to salt/sensoroni/files/analyzers/otx/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2021.10.8-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2021.10.8-py2.py3-none-any.whl deleted file mode 100644 index fbcb86b5f..000000000 Binary files a/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2021.10.8-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2023.5.7-py3-none-any.whl new file mode 100644 index 000000000..c983e799c Binary files /dev/null and b/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2023.5.7-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-2.0.12-py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-2.0.12-py3-none-any.whl deleted file mode 100644 index 17a2dfbeb..000000000 Binary files a/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-2.0.12-py3-none-any.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl new file mode 100644 index 000000000..f125c08aa Binary files /dev/null and b/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/idna-3.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/idna-3.3-py3-none-any.whl deleted file mode 100644 index 060541bc9..000000000 Binary files a/salt/sensoroni/files/analyzers/otx/source-packages/idna-3.3-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/idna-3.4-py3-none-any.whl new file mode 100644 index 000000000..7343c6845 Binary files /dev/null and b/salt/sensoroni/files/analyzers/otx/source-packages/idna-3.4-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/requests-2.27.1-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/requests-2.27.1-py2.py3-none-any.whl deleted file mode 100644 index 807fc6110..000000000 Binary files a/salt/sensoroni/files/analyzers/otx/source-packages/requests-2.27.1-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/requests-2.31.0-py3-none-any.whl new file mode 100644 index 000000000..bfd5d2ea9 Binary files /dev/null and b/salt/sensoroni/files/analyzers/otx/source-packages/requests-2.31.0-py3-none-any.whl differ 
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/urllib3-1.26.9-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/urllib3-1.26.9-py2.py3-none-any.whl deleted file mode 100644 index 5019453dd..000000000 Binary files a/salt/sensoroni/files/analyzers/otx/source-packages/urllib3-1.26.9-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/urllib3-2.0.3-py3-none-any.whl new file mode 100644 index 000000000..5e0b52889 Binary files /dev/null and b/salt/sensoroni/files/analyzers/otx/source-packages/urllib3-2.0.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/pulsedive/requirements.txt b/salt/sensoroni/files/analyzers/pulsedive/requirements.txt index a8980057f..c7ff13467 100644 --- a/salt/sensoroni/files/analyzers/pulsedive/requirements.txt +++ b/salt/sensoroni/files/analyzers/pulsedive/requirements.txt @@ -1,2 +1,2 @@ -requests>=2.27.1 +requests>=2.31.0 pyyaml>=6.0 diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl similarity index 100% rename from salt/sensoroni/files/analyzers/pulsedive/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl rename to salt/sensoroni/files/analyzers/pulsedive/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl 
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2021.10.8-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2021.10.8-py2.py3-none-any.whl deleted file mode 100644 index fbcb86b5f..000000000 Binary files a/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2021.10.8-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2023.5.7-py3-none-any.whl new file mode 100644 index 000000000..c983e799c Binary files /dev/null and b/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2023.5.7-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/charset_normalizer-2.0.12-py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/charset_normalizer-2.0.12-py3-none-any.whl deleted file mode 100644 index 17a2dfbeb..000000000 Binary files a/salt/sensoroni/files/analyzers/pulsedive/source-packages/charset_normalizer-2.0.12-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl new file mode 100644 index 000000000..f125c08aa Binary files /dev/null and b/salt/sensoroni/files/analyzers/pulsedive/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl differ 
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/idna-3.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/idna-3.3-py3-none-any.whl deleted file mode 100644 index 060541bc9..000000000 Binary files a/salt/sensoroni/files/analyzers/pulsedive/source-packages/idna-3.3-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/idna-3.4-py3-none-any.whl new file mode 100644 index 000000000..7343c6845 Binary files /dev/null and b/salt/sensoroni/files/analyzers/pulsedive/source-packages/idna-3.4-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/requests-2.27.1-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/requests-2.27.1-py2.py3-none-any.whl deleted file mode 100644 index 807fc6110..000000000 Binary files a/salt/sensoroni/files/analyzers/pulsedive/source-packages/requests-2.27.1-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/requests-2.31.0-py3-none-any.whl new file mode 100644 index 000000000..bfd5d2ea9 Binary files /dev/null and b/salt/sensoroni/files/analyzers/pulsedive/source-packages/requests-2.31.0-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/urllib3-1.26.9-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/urllib3-1.26.9-py2.py3-none-any.whl deleted file mode 100644 index 5019453dd..000000000 Binary files a/salt/sensoroni/files/analyzers/pulsedive/source-packages/urllib3-1.26.9-py2.py3-none-any.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/urllib3-2.0.3-py3-none-any.whl new file mode 100644 index 000000000..5e0b52889 Binary files /dev/null and b/salt/sensoroni/files/analyzers/pulsedive/source-packages/urllib3-2.0.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/spamhaus/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl b/salt/sensoroni/files/analyzers/spamhaus/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl similarity index 100% rename from salt/sensoroni/files/analyzers/spamhaus/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl rename to salt/sensoroni/files/analyzers/spamhaus/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl diff --git a/salt/sensoroni/files/analyzers/spamhaus/source-packages/dnspython-2.2.1-py3-none-any.whl b/salt/sensoroni/files/analyzers/spamhaus/source-packages/dnspython-2.2.1-py3-none-any.whl deleted file mode 100644 index 645d5bb5b..000000000 Binary files a/salt/sensoroni/files/analyzers/spamhaus/source-packages/dnspython-2.2.1-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/spamhaus/source-packages/dnspython-2.3.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/spamhaus/source-packages/dnspython-2.3.0-py3-none-any.whl new file mode 100644 index 000000000..24dacf04a Binary files /dev/null and b/salt/sensoroni/files/analyzers/spamhaus/source-packages/dnspython-2.3.0-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/urlhaus/requirements.txt b/salt/sensoroni/files/analyzers/urlhaus/requirements.txt index a8980057f..c7ff13467 100644 --- a/salt/sensoroni/files/analyzers/urlhaus/requirements.txt +++ b/salt/sensoroni/files/analyzers/urlhaus/requirements.txt 
@@ -1,2 +1,2 @@ -requests>=2.27.1 +requests>=2.31.0 pyyaml>=6.0 diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl similarity index 100% rename from salt/sensoroni/files/analyzers/urlhaus/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl rename to salt/sensoroni/files/analyzers/urlhaus/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/certifi-2021.10.8-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/certifi-2021.10.8-py2.py3-none-any.whl deleted file mode 100644 index fbcb86b5f..000000000 Binary files a/salt/sensoroni/files/analyzers/urlhaus/source-packages/certifi-2021.10.8-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/certifi-2023.5.7-py3-none-any.whl new file mode 100644 index 000000000..c983e799c Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlhaus/source-packages/certifi-2023.5.7-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/charset_normalizer-2.0.12-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/charset_normalizer-2.0.12-py3-none-any.whl deleted file mode 100644 index 17a2dfbeb..000000000 Binary files a/salt/sensoroni/files/analyzers/urlhaus/source-packages/charset_normalizer-2.0.12-py3-none-any.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl new file mode 100644 index 000000000..f125c08aa Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlhaus/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/idna-3.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/idna-3.3-py3-none-any.whl deleted file mode 100644 index 060541bc9..000000000 Binary files a/salt/sensoroni/files/analyzers/urlhaus/source-packages/idna-3.3-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/idna-3.4-py3-none-any.whl new file mode 100644 index 000000000..7343c6845 Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlhaus/source-packages/idna-3.4-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/requests-2.27.1-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/requests-2.27.1-py2.py3-none-any.whl deleted file mode 100644 index 807fc6110..000000000 Binary files a/salt/sensoroni/files/analyzers/urlhaus/source-packages/requests-2.27.1-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/requests-2.31.0-py3-none-any.whl new file mode 100644 index 000000000..bfd5d2ea9 Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlhaus/source-packages/requests-2.31.0-py3-none-any.whl differ 
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/urllib3-1.26.9-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/urllib3-1.26.9-py2.py3-none-any.whl deleted file mode 100644 index 5019453dd..000000000 Binary files a/salt/sensoroni/files/analyzers/urlhaus/source-packages/urllib3-1.26.9-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/urllib3-2.0.3-py3-none-any.whl new file mode 100644 index 000000000..5e0b52889 Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlhaus/source-packages/urllib3-2.0.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/urlscan/requirements.txt b/salt/sensoroni/files/analyzers/urlscan/requirements.txt index a8980057f..c7ff13467 100644 --- a/salt/sensoroni/files/analyzers/urlscan/requirements.txt +++ b/salt/sensoroni/files/analyzers/urlscan/requirements.txt @@ -1,2 +1,2 @@ -requests>=2.27.1 +requests>=2.31.0 pyyaml>=6.0 diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl similarity index 100% rename from salt/sensoroni/files/analyzers/urlscan/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl rename to salt/sensoroni/files/analyzers/urlscan/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl 
diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/certifi-2021.10.8-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/certifi-2021.10.8-py2.py3-none-any.whl deleted file mode 100644 index fbcb86b5f..000000000 Binary files a/salt/sensoroni/files/analyzers/urlscan/source-packages/certifi-2021.10.8-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/certifi-2023.5.7-py3-none-any.whl new file mode 100644 index 000000000..c983e799c Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlscan/source-packages/certifi-2023.5.7-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/charset_normalizer-2.0.12-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/charset_normalizer-2.0.12-py3-none-any.whl deleted file mode 100644 index 17a2dfbeb..000000000 Binary files a/salt/sensoroni/files/analyzers/urlscan/source-packages/charset_normalizer-2.0.12-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl new file mode 100644 index 000000000..f125c08aa Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlscan/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl differ 
diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/idna-3.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/idna-3.3-py3-none-any.whl deleted file mode 100644 index 060541bc9..000000000 Binary files a/salt/sensoroni/files/analyzers/urlscan/source-packages/idna-3.3-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/idna-3.4-py3-none-any.whl new file mode 100644 index 000000000..7343c6845 Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlscan/source-packages/idna-3.4-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/requests-2.27.1-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/requests-2.27.1-py2.py3-none-any.whl deleted file mode 100644 index 807fc6110..000000000 Binary files a/salt/sensoroni/files/analyzers/urlscan/source-packages/requests-2.27.1-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/requests-2.31.0-py3-none-any.whl new file mode 100644 index 000000000..bfd5d2ea9 Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlscan/source-packages/requests-2.31.0-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/urllib3-1.26.9-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/urllib3-1.26.9-py2.py3-none-any.whl deleted file mode 100644 index 5019453dd..000000000 Binary files a/salt/sensoroni/files/analyzers/urlscan/source-packages/urllib3-1.26.9-py2.py3-none-any.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/urllib3-2.0.3-py3-none-any.whl new file mode 100644 index 000000000..5e0b52889 Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlscan/source-packages/urllib3-2.0.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/virustotal/requirements.txt b/salt/sensoroni/files/analyzers/virustotal/requirements.txt index a8980057f..c7ff13467 100644 --- a/salt/sensoroni/files/analyzers/virustotal/requirements.txt +++ b/salt/sensoroni/files/analyzers/virustotal/requirements.txt @@ -1,2 +1,2 @@ -requests>=2.27.1 +requests>=2.31.0 pyyaml>=6.0 diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl similarity index 100% rename from salt/sensoroni/files/analyzers/virustotal/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.whl rename to salt/sensoroni/files/analyzers/virustotal/source-packages/PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/certifi-2021.10.8-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/certifi-2021.10.8-py2.py3-none-any.whl deleted file mode 100644 index fbcb86b5f..000000000 Binary files a/salt/sensoroni/files/analyzers/virustotal/source-packages/certifi-2021.10.8-py2.py3-none-any.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/certifi-2023.5.7-py3-none-any.whl new file mode 100644 index 000000000..c983e799c Binary files /dev/null and b/salt/sensoroni/files/analyzers/virustotal/source-packages/certifi-2023.5.7-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/charset_normalizer-2.0.12-py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/charset_normalizer-2.0.12-py3-none-any.whl deleted file mode 100644 index 17a2dfbeb..000000000 Binary files a/salt/sensoroni/files/analyzers/virustotal/source-packages/charset_normalizer-2.0.12-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl new file mode 100644 index 000000000..f125c08aa Binary files /dev/null and b/salt/sensoroni/files/analyzers/virustotal/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/idna-3.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/idna-3.3-py3-none-any.whl deleted file mode 100644 index 060541bc9..000000000 Binary files a/salt/sensoroni/files/analyzers/virustotal/source-packages/idna-3.3-py3-none-any.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/idna-3.4-py3-none-any.whl new file mode 100644 index 000000000..7343c6845 Binary files /dev/null and b/salt/sensoroni/files/analyzers/virustotal/source-packages/idna-3.4-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/requests-2.27.1-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/requests-2.27.1-py2.py3-none-any.whl deleted file mode 100644 index 807fc6110..000000000 Binary files a/salt/sensoroni/files/analyzers/virustotal/source-packages/requests-2.27.1-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/requests-2.31.0-py3-none-any.whl new file mode 100644 index 000000000..bfd5d2ea9 Binary files /dev/null and b/salt/sensoroni/files/analyzers/virustotal/source-packages/requests-2.31.0-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/urllib3-1.26.9-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/urllib3-1.26.9-py2.py3-none-any.whl deleted file mode 100644 index 5019453dd..000000000 Binary files a/salt/sensoroni/files/analyzers/virustotal/source-packages/urllib3-1.26.9-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/urllib3-2.0.3-py3-none-any.whl new file mode 100644 index 000000000..5e0b52889 Binary files /dev/null and b/salt/sensoroni/files/analyzers/virustotal/source-packages/urllib3-2.0.3-py3-none-any.whl differ 
diff --git a/salt/sensoroni/files/analyzers/whoislookup/requirements.txt b/salt/sensoroni/files/analyzers/whoislookup/requirements.txt index a3901f38c..7de5f057c 100755 --- a/salt/sensoroni/files/analyzers/whoislookup/requirements.txt +++ b/salt/sensoroni/files/analyzers/whoislookup/requirements.txt @@ -1,2 +1,2 @@ -requests==2.27.1 -whoisit>=2.5.3 +requests>=2.31.0 +whoisit>=2.7.0 diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/certifi-2021.10.8-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/certifi-2021.10.8-py2.py3-none-any.whl deleted file mode 100644 index fbcb86b5f..000000000 Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/certifi-2021.10.8-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/certifi-2023.5.7-py3-none-any.whl new file mode 100644 index 000000000..c983e799c Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/certifi-2023.5.7-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/charset_normalizer-2.0.12-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/charset_normalizer-2.0.12-py3-none-any.whl deleted file mode 100644 index 17a2dfbeb..000000000 Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/charset_normalizer-2.0.12-py3-none-any.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl new file mode 100644 index 000000000..f125c08aa Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/idna-3.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/idna-3.3-py3-none-any.whl deleted file mode 100644 index 060541bc9..000000000 Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/idna-3.3-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/idna-3.4-py3-none-any.whl new file mode 100644 index 000000000..7343c6845 Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/idna-3.4-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/requests-2.27.1-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/requests-2.27.1-py2.py3-none-any.whl deleted file mode 100644 index 807fc6110..000000000 Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/requests-2.27.1-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/requests-2.31.0-py3-none-any.whl new file mode 100644 index 000000000..bfd5d2ea9 Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/requests-2.31.0-py3-none-any.whl differ 
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/typing_extensions-4.6.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/typing_extensions-4.6.3-py3-none-any.whl new file mode 100644 index 000000000..bce86d2ce Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/typing_extensions-4.6.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/urllib3-1.26.9-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/urllib3-1.26.9-py2.py3-none-any.whl deleted file mode 100644 index 5019453dd..000000000 Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/urllib3-1.26.9-py2.py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/urllib3-2.0.3-py3-none-any.whl new file mode 100644 index 000000000..5e0b52889 Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/urllib3-2.0.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/whoisit-2.5.3.tar.gz b/salt/sensoroni/files/analyzers/whoislookup/source-packages/whoisit-2.5.3.tar.gz deleted file mode 100644 index b48535618..000000000 Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/whoisit-2.5.3.tar.gz and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/whoisit-2.7.0.tar.gz b/salt/sensoroni/files/analyzers/whoislookup/source-packages/whoisit-2.7.0.tar.gz new file mode 100644 index 000000000..8a619c85f Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/whoisit-2.7.0.tar.gz differ diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml index 859a60d0c..8a35272ea 100644 --- a/salt/sensoroni/soc_sensoroni.yaml 
+++ b/salt/sensoroni/soc_sensoroni.yaml @@ -24,6 +24,8 @@ sensoroni: node_description: description: Description of the specific node. helpLink: sensoroni.html + node: True + forcedType: string sensoronikey: description: Shared key for sensoroni authentication. helpLink: sensoroni.html diff --git a/salt/soctopus/files/templates/generic.template b/salt/soctopus/files/templates/generic.template index 74b40bef9..df120fd81 100644 --- a/salt/soctopus/files/templates/generic.template +++ b/salt/soctopus/files/templates/generic.template @@ -20,5 +20,3 @@ realert: minutes: 0 type: any filter: -- query: - query_string: diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 34e1cdcdf..64a000109 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -3,11 +3,15 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'suricata/map.jinja' import SURICATAMERGED %} include: -{% if SURICATAMERGED.enabled %} +{% if SURICATAMERGED.enabled and GLOBALS.role != 'so-import' %} - suricata.enabled +{% elif GLOBALS.role == 'so-import' %} + - suricata.config + - suricata.disabled {% else %} - suricata.disabled {% endif %} diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index 596f40b88..1a6cdc311 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf @@ -113,7 +113,7 @@ [[inputs.disk]] ## By default stats will be gathered for all mount points. ## Set mount_points will restrict the stats to only the specified mount points. - mount_points = ["/", "/host/nsm"] + #mount_points = ["/", "/host/nsm"] ## Ignore mount points by filesystem type. #ignore_fs = ["tmpfs", "devtmpfs", "devfs", "overlay", "aufs", "squashfs"] diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml index 7fa524580..8e6814b2e 100644 --- a/salt/zeek/defaults.yaml +++ b/salt/zeek/defaults.yaml 
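Review bot: With the two `query_string` lines removed, `filter:` is the last key in generic.template and carries no value, which YAML parses as null rather than as an empty list. If Soctopus always appends the filter body when it renders a rule this is harmless, but if any path leaves the template untouched the rule consumer sees `filter: null`, which it may not accept in place of a list; writing `filter: []` as the default keeps the type stable either way. Only the template is visible here, not the code that fills it in, so this is a point to confirm rather than a definite defect.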
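Review bot: The new `elif GLOBALS.role == 'so-import'` branch in suricata/init.sls includes `suricata.config` regardless of `SURICATAMERGED.enabled`, so on an import node the pillar's enabled flag no longer decides whether the Suricata config state renders; only the first branch honours it. That looks intentional (an import node presumably needs a rendered config for on-demand pcap processing but never the running service), but the include list does not say so, and a Jinja comment above the branch such as `{# so-import: render the Suricata config for pcap import but never start the service #}` would stop the next reader from "fixing" it back. As a readability nit, testing the role first and `enabled` second would let the three cases read top-down.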
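Review bot: Commenting out `mount_points` widens `[[inputs.disk]]` to every mount the telegraf process can see while `ignore_fs` on the following context line stays commented out, so pseudo and overlay filesystems are now reported as well. The `/host/nsm` path in the old value suggests telegraf runs in a container with the host filesystem bind-mounted, in which case the set of visible mount points is large and the disk series get noisy. Uncommenting `ignore_fs = ["tmpfs", "devtmpfs", "devfs", "overlay", "aufs", "squashfs"]` alongside this change limits the widening to real filesystems; if anything downstream alerted on the `/host/nsm` series specifically, confirm it still finds it under the new labels.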
@@ -107,3 +107,18 @@ zeek: - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc - application/vnd.openxmlformats-officedocument: doc + logging: + excluded: + - broker + - capture_loss + - ecat_arp_info + - known_hosts + - known_services + - loaded_scripts + - ntp + - packet_filter + - reporter + - stats + - stderr + - stdout + diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml index fabd7c209..c69ce5ea1 100644 --- a/salt/zeek/soc_zeek.yaml +++ b/salt/zeek/soc_zeek.yaml @@ -2,10 +2,6 @@ zeek: enabled: description: You can enable or disable ZEEK on all sensors or a single sensor. helpLink: zeek.html - logging: - enabled: - description: This is a list of Zeek logs that will be shipped through the pipeline. If you remove a log from this list, it will still persist on the sensor. - helpLink: zeek.html config: local: load: @@ -65,5 +61,5 @@ zeek: global: True advanced: True file_extraction: - description: Contains a list of file or MIME types Zeek will extract from the network streams. Values must adhere to the following format - {"MIME_TYPE":"FILE_EXTENTION"} + description: Contains a list of file or MIME types Zeek will extract from the network streams. Values must adhere to the following format - {"MIME_TYPE":"FILE_EXTENSION"} helpLink: zeek.html diff --git a/setup/so-functions b/setup/so-functions index 247cf6c94..1b15bb140 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -898,6 +898,7 @@ create_local_nids_rules() { } create_manager_pillars() { + elasticfleet_pillar elasticsearch_pillar logstash_pillar manager_pillar 
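Review bot: soc_zeek.yaml drops the `logging.enabled` description, but nothing in this commit adds a description for the new `logging.excluded` key that defaults.yaml introduces in the hunk above, so the setting will appear in the SOC configuration UI without the `description`/`helpLink` every sibling key carries. Add an entry under `zeek:` mirroring the removed block: a `logging:` / `excluded:` pair with `description: List of Zeek logs that will not be shipped through the pipeline. Excluded logs still persist on the sensor.` and `helpLink: zeek.html`. Whether the UI tolerates an unannotated key I cannot tell from here. Separately, the defaults.yaml hunk adds an empty `+` line after `- stdout`, which is trailing-whitespace noise.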
@@ -975,14 +976,14 @@ detect_os() { download_elastic_agent_artifacts() { if [[ $is_iso ]]; then - logCmd "tar -xf /nsm/elastic-fleet/artifacts/beats/elastic-agent_SO-$SOVERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" + logCmd "tar -xf /nsm/elastic-fleet/artifacts/beats/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" else logCmd "mkdir -p /nsm/elastic-fleet/artifacts/beats/elastic-agent/" - retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz" "" "" - retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.md5 --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.md5" "" "" + retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" "" "" + retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5 --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" "" "" - SOURCEHASH=$(md5sum /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz | awk '{ print $1 }') - HASH=$(cat /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.md5) + SOURCEHASH=$(md5sum /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz | awk '{ print $1 }') + HASH=$(cat /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5) if [[ "$HASH" == "$SOURCEHASH" ]]; then info "Elastic Agent source hash is good." 
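Review bot: `ELASTIC_AGENT_TARBALL_VERSION` is consumed on every new line of `download_elastic_agent_artifacts` but is not defined anywhere in this diff (the so-variables hunk adds only the elasticfleet pillar paths), so if it is unset the tarball, md5 and URL names silently collapse to `elastic-agent_SO-.tar.gz`; a guard at the top of the function, `: "${ELASTIC_AGENT_TARBALL_VERSION:?ELASTIC_AGENT_TARBALL_VERSION must be set}"`, fails loudly instead. Separately, the md5 sidecar is fetched from the same host and path prefix as the tarball, so the `"$HASH" == "$SOURCEHASH"` comparison proves only that the download was not truncated or corrupted, not that the artifact is the one the project published; a checksum committed alongside the installer, or a signature verified against a key shipped with the ISO, would give integrity independent of the download host. The function's closing `fi` and `}` are in the following hunk.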
@@ -991,7 +992,7 @@ download_elastic_agent_artifacts() { fail_setup fi - logCmd "tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" + logCmd "tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" fi } @@ -1120,6 +1121,12 @@ docker_seed_registry() { fi } +elasticfleet_pillar() { + logCmd "mkdir -p $local_salt_dir/pillar/elasticfleet" + touch $adv_elasticfleet_pillar_file + touch $elasticfleet_pillar_file +} + elasticsearch_pillar() { title "Create Advanced File" logCmd "touch $adv_elasticsearch_pillar_file" diff --git a/setup/so-setup b/setup/so-setup index aa6b7ce14..5f96106a5 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -340,6 +340,7 @@ process_installtype if ! [[ -f $install_opt_file ]]; then # If you are a manager ask ALL the manager things here. I know there is code re-use but this makes it easier to add new roles if [[ $is_eval ]]; then + info "Setting up as node type eval" # waitforstate means we will run the full salt state at the end. This is for only nodes running the salt-master service waitforstate=true # Does this role have monitoring interfaces? @@ -397,6 +398,7 @@ if ! [[ -f $install_opt_file ]]; then collect_so_allow whiptail_end_settings elif [[ $is_manager ]]; then + info "Setting up as node type manager" check_elastic_license waitforstate=true #ubuntu_check @@ -417,6 +419,7 @@ if ! [[ -f $install_opt_file ]]; then collect_so_allow whiptail_end_settings elif [[ $is_managersearch ]]; then + info "Setting up as node type managersearch" check_elastic_license waitforstate=true [[ $is_iso ]] && whiptail_airgap @@ -436,6 +439,7 @@ if ! [[ -f $install_opt_file ]]; then collect_so_allow whiptail_end_settings elif [[ $is_sensor ]]; then + info "Setting up as node type sensor" installer_prereq_packages monints=true check_requirements "sensor" 
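Review bot: The new `elasticfleet_pillar` creates its two files with bare `touch` calls while the `elasticsearch_pillar` immediately below it (and the `mkdir -p` line in this very function) go through `logCmd` under a `title`, so the file creation is neither logged nor reported on failure the way the sibling pillar helpers are. Changing the two lines to `logCmd "touch $adv_elasticfleet_pillar_file"` and `logCmd "touch $elasticfleet_pillar_file"` keeps the helpers uniform and makes an unwritable `$local_salt_dir` visible in the setup log. The two variables are exported in the so-variables hunk later in this diff, so the names resolve.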
@@ -452,6 +456,7 @@ if ! [[ -f $install_opt_file ]]; then whiptail_end_settings elif [[ $is_fleet ]]; then + info "Setting up as node type fleet" check_requirements "fleet" networking_needful check_network_manager_conf @@ -464,6 +469,7 @@ if ! [[ -f $install_opt_file ]]; then whiptail_end_settings elif [[ $is_searchnode ]]; then + info "Setting up as node type searchnode" installer_prereq_packages check_requirements "elasticsearch" networking_needful @@ -477,6 +483,7 @@ if ! [[ -f $install_opt_file ]]; then whiptail_end_settings elif [[ $is_heavynode ]]; then + info "Setting up as node type heavynode" installer_prereq_packages monints=true check_requirements "heavynode" @@ -489,6 +496,7 @@ if ! [[ -f $install_opt_file ]]; then whiptail_end_settings elif [[ $is_idh ]]; then + info "Setting up as node type idh" installer_prereq_packages check_requirements "idh" networking_needful @@ -500,8 +508,8 @@ if ! [[ -f $install_opt_file ]]; then whiptail_end_settings elif [[ $is_import ]]; then + info "Setting up as node type import" waitforstate=true - monints=false [[ $is_iso ]] && whiptail_airgap check_elastic_license check_requirements "import" @@ -521,6 +529,7 @@ if ! [[ -f $install_opt_file ]]; then whiptail_end_settings elif [[ $is_receiver ]]; then + info "Setting up as node type receiver" installer_prereq_packages check_requirements "receiver" networking_needful @@ -541,9 +550,9 @@ if ! [[ -f $install_opt_file ]]; then set_proxy fi set_redirect - # Generate Interface Vars - generate_interface_vars if [[ $monints ]]; then + # Generate Interface Vars + generate_interface_vars configure_network_sensor fi info "Reserving ports" @@ -615,7 +624,9 @@ if ! [[ -f $install_opt_file ]]; then check_sos_appliance logCmd "salt-key -yd $MINION_ID" + sleep 2 # Debug RSA Key format errors logCmd "salt-call state.show_top" + sleep 2 # Debug RSA Key format errors logCmd "salt-key -ya $MINION_ID" logCmd "salt-call state.apply common.packages" 
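Review bot: The two `sleep 2 # Debug RSA Key format errors` lines inserted around `salt-call state.show_top` are fixed delays standing in for a condition that is never checked, so they add time to every install and can still fail on a slow host. The comment names what is being debugged but not why two seconds helps; if the salt-key/salt-call sequence fails transiently, the `retry` helper already used in `download_elastic_agent_artifacts` expresses the intent directly, e.g. `retry 5 2 "salt-call state.show_top" "" ""` with the same argument shape as the existing call. If the sleeps are genuinely temporary diagnostics, mark them `# TODO:` with the error being chased so they are removed once the key-format error is understood. The enclosing if-block starts and ends outside this hunk.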
@@ -661,7 +672,7 @@ if ! [[ -f $install_opt_file ]]; then logCmd "so-soc-restart" title "Setting up Elastic Fleet" logCmd "salt-call state.apply elasticfleet.config" - logCmd "so-elastic-fleet-setup" + logCmd "so-elastic-fleet-setup" if [[ ! $is_import ]]; then title "Setting up Playbook" logCmd "so-playbook-reset" @@ -683,6 +694,8 @@ if ! [[ -f $install_opt_file ]]; then reserve_ports # Set the version mark_version + # Disable the setup from prompting at login + disable_auto_start info "Clearing the old manager" # Remove old manager if re-install clear_manager diff --git a/setup/so-variables b/setup/so-variables index b2e439a5c..7c5e51c6c 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -82,6 +82,12 @@ export global_pillar_file adv_global_pillar_file="$local_salt_dir/pillar/global/adv_global.sls" export adv_global_pillar_file +elasticfleet_pillar_file="$local_salt_dir/pillar/elasticfleet/soc_elasticfleet.sls" +export elasticfleet_pillar_file + +adv_elasticfleet_pillar_file="$local_salt_dir/pillar/elasticfleet/adv_elasticfleet.sls" +export adv_elasticfleet_pillar_file + elasticsearch_pillar_file="$local_salt_dir/pillar/elasticsearch/soc_elasticsearch.sls" export elasticsearch_pillar_file diff --git a/sigs b/sigs new file mode 100644 index 000000000..ef2cf9eb3 Binary files /dev/null and b/sigs differ
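Review bot: `disable_auto_start` is called in the hunk at -683 but is not defined anywhere in this diff (the so-functions hunks add only `elasticfleet_pillar`), so it presumably already exists in so-functions; please confirm, because an undefined function here would abort setup at the very end, after `mark_version` has already recorded a completed install. The comment `# Disable the setup from prompting at login` states the intent well; adding what the function edits (the login hook that re-launches setup, presumably) would tell a reader where to look if setup keeps prompting. The enclosing if-block begins well outside this hunk.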
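Review bot: This commit adds a regular binary file named `sigs` at the repository root (mode 100644, blob ef2cf9eb3) with no extension and no reference anywhere else in the diff, which looks like a stray artifact rather than an intended change. A root-level file with that name is also easy to confuse with a directory of detached signatures. If it is intentional, give it a descriptive name and document what it is; otherwise drop it from the commit.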