Merge branch '2.4/dev' into kilo

This commit is contained in:
Jason Ertel
2023-06-14 13:34:15 -04:00
246 changed files with 16512 additions and 5801 deletions
+52
@@ -0,0 +1,52 @@
### 2.4.2-20230531 ISO image built on 2023/05/31
### Download and Verify
2.4.2-20230531 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.4.2-20230531.iso
MD5: EB861EFB7F7DA6FB418075B4C452E4EB
SHA1: 479A72DBB0633CB23608122F7200A24E2C3C3128
SHA256: B69C1AE4C576BBBC37F4B87C2A8379903421E65B2C4F24C90FABB0EAD6F0471B
Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.2-20230531.iso.sig
Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS
For example, here are the steps you can use on most Linux distributions to download and verify our Security Onion ISO image.
Download and import the signing key:
```
wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS -O - | gpg --import -
```
Download the signature file for the ISO:
```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.2-20230531.iso.sig
```
Download the ISO image:
```
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.2-20230531.iso
```
Verify the downloaded ISO image using the signature file:
```
gpg --verify securityonion-2.4.2-20230531.iso.sig securityonion-2.4.2-20230531.iso
```
The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
```
gpg: Signature made Wed 31 May 2023 05:01:41 PM EDT using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C804 A93D 36BE 0C73 3EA1 9644 7C10 60B7 FE50 7013
```
Once you've verified the ISO image, you're ready to proceed to our Installation guide:
https://docs.securityonion.net/en/2.4/installation.html
+13 -7
@@ -1,20 +1,26 @@
## Security Onion 2.4 Beta 3 ## Security Onion 2.4 Release Candidate 1 (RC1)
Security Onion 2.4 Beta 3 is here! Security Onion 2.4 Release Candidate 1 (RC1) is here!
## Screenshots ## Screenshots
Alerts Alerts
![Alerts](./assets/images/screenshots/alerts.png) ![Alerts](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/39_alerts.png)
Dashboards Dashboards
![Dashboards](./assets/images/screenshots/dashboards.png) ![Dashboards](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/40_dashboards.png)
Hunt Hunt
![Hunt](./assets/images/screenshots/hunt.png) ![Hunt](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/41_hunt.png)
Cases PCAP
![Cases](./assets/images/screenshots/cases-comments.png) ![PCAP](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/42_pcap.png)
Grid
![Grid](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/46_grid.png)
Config
![Config](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/50_config.png)
### Release Notes ### Release Notes
-1
@@ -1 +0,0 @@
### An ISO will be available starting in RC1.
+10
@@ -52,6 +52,8 @@ base:
- influxdb.adv_influxdb - influxdb.adv_influxdb
- elasticsearch.soc_elasticsearch - elasticsearch.soc_elasticsearch
- elasticsearch.adv_elasticsearch - elasticsearch.adv_elasticsearch
- elasticfleet.soc_elasticfleet
- elasticfleet.adv_elasticfleet
- elastalert.soc_elastalert - elastalert.soc_elastalert
- elastalert.adv_elastalert - elastalert.adv_elastalert
- backup.soc_backup - backup.soc_backup
@@ -91,6 +93,8 @@ base:
- kratos.soc_kratos - kratos.soc_kratos
- elasticsearch.soc_elasticsearch - elasticsearch.soc_elasticsearch
- elasticsearch.adv_elasticsearch - elasticsearch.adv_elasticsearch
- elasticfleet.soc_elasticfleet
- elasticfleet.adv_elasticfleet
- elastalert.soc_elastalert - elastalert.soc_elastalert
- elastalert.adv_elastalert - elastalert.adv_elastalert
- manager.soc_manager - manager.soc_manager
@@ -149,6 +153,8 @@ base:
- influxdb.adv_influxdb - influxdb.adv_influxdb
- elasticsearch.soc_elasticsearch - elasticsearch.soc_elasticsearch
- elasticsearch.adv_elasticsearch - elasticsearch.adv_elasticsearch
- elasticfleet.soc_elasticfleet
- elasticfleet.adv_elasticfleet
- elastalert.soc_elastalert - elastalert.soc_elastalert
- elastalert.adv_elastalert - elastalert.adv_elastalert
- manager.soc_manager - manager.soc_manager
@@ -244,6 +250,8 @@ base:
- kratos.soc_kratos - kratos.soc_kratos
- elasticsearch.soc_elasticsearch - elasticsearch.soc_elasticsearch
- elasticsearch.adv_elasticsearch - elasticsearch.adv_elasticsearch
- elasticfleet.soc_elasticfleet
- elasticfleet.adv_elasticfleet
- elastalert.soc_elastalert - elastalert.soc_elastalert
- elastalert.adv_elastalert - elastalert.adv_elastalert
- manager.soc_manager - manager.soc_manager
@@ -283,6 +291,8 @@ base:
- logstash.nodes - logstash.nodes
- logstash.soc_logstash - logstash.soc_logstash
- logstash.adv_logstash - logstash.adv_logstash
- elasticfleet.soc_elasticfleet
- elasticfleet.adv_elasticfleet
- minions.{{ grains.id }} - minions.{{ grains.id }}
- minions.adv_{{ grains.id }} - minions.adv_{{ grains.id }}
+1 -35
@@ -5,6 +5,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
ELASTIC_AGENT_TARBALL_VERSION="8.7.1"
DEFAULT_SALT_DIR=/opt/so/saltstack/default DEFAULT_SALT_DIR=/opt/so/saltstack/default
DOC_BASE_URL="https://docs.securityonion.net/en/2.4" DOC_BASE_URL="https://docs.securityonion.net/en/2.4"
@@ -160,41 +161,6 @@ disable_fastestmirror() {
sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
} }
elastic_fleet_integration_create() {
JSON_STRING=$1
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
}
elastic_fleet_policy_create() {
NAME=$1
DESC=$2
FLEETSERVER=$3
TIMEOUT=$4
JSON_STRING=$( jq -n \
--arg NAME "$NAME" \
--arg DESC "$DESC" \
--arg TIMEOUT $TIMEOUT \
--arg FLEETSERVER "$FLEETSERVER" \
'{"name": $NAME,"id":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":$TIMEOUT,"has_fleet_server":$FLEETSERVER}'
)
# Create Fleet Policy
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/agent_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
}
elastic_fleet_policy_update() {
POLICYID=$1
JSON_STRING=$2
curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/$POLICYID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
}
elastic_license() { elastic_license() {
read -r -d '' message <<- EOM read -r -d '' message <<- EOM
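Review bot: `ELASTIC_AGENT_TARBALL_VERSION="8.7.1"` is a bare version string with nothing tying it to an integrity check; wherever the agent tarball is fetched by this value at install time (that code is not in this hunk), a version pin alone does not authenticate what is downloaded, so the fetch should verify a pinned SHA-256 or signature and this constant should be bumped together with it. At minimum I would document that coupling at the definition, e.g. `# Elastic Agent tarball version; bump together with whatever digest/signature the download step verifies`. The removed `elastic_fleet_*` helpers used `curl -K /opt/so/conf/elasticsearch/curl.config`; if they were relocated rather than dropped, their callers in so-setup should be checked for the same credential-file handling, but that cannot be confirmed from this hunk. `elastic_license()` begins on the last line of the hunk and its body continues outside it.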
+111 -41
@@ -14,19 +14,56 @@
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
INDEX_DATE=$(date +'%Y.%m.%d') INDEX_DATE=$(date +'%Y.%m.%d')
RUNID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1)
LOG_FILE=/nsm/import/evtx-import.log LOG_FILE=/nsm/import/evtx-import.log
. /usr/sbin/so-common . /usr/sbin/so-common
function usage { function usage {
cat << EOF cat << EOF
Usage: $0 <evtx-file-1> [evtx-file-2] [evtx-file-*] Usage: $0 [options] <evtx-file-1> [evtx-file-2] [evtx-file-*]
Imports one or more evtx files into Security Onion. The evtx files will be analyzed and made available for review in the Security Onion toolset. Imports one or more evtx files into Security Onion. The evtx files will be analyzed and made available for review in the Security Onion toolset.
Options:
--json Outputs summary in JSON format. Implies --quiet.
--quiet Silences progress information to stdout.
EOF EOF
} }
quiet=0
json=0
INPUT_FILES=
while [[ $# -gt 0 ]]; do
param=$1
shift
case "$param" in
--json)
json=1
quiet=1
;;
--quiet)
quiet=1
;;
-*)
echo "Encountered unexpected parameter: $param"
usage
exit 1
;;
*)
if [[ "$INPUT_FILES" != "" ]]; then
INPUT_FILES="$INPUT_FILES $param"
else
INPUT_FILES="$param"
fi
;;
esac
done
function status {
msg=$1
[[ $quiet -eq 1 ]] && return
echo "$msg"
}
function evtx2es() { function evtx2es() {
EVTX=$1 EVTX=$1
@@ -42,31 +79,30 @@ function evtx2es() {
} }
# if no parameters supplied, display usage # if no parameters supplied, display usage
if [ $# -eq 0 ]; then if [ "$INPUT_FILES" == "" ]; then
usage usage
exit 1 exit 1
fi fi
# ensure this is a Manager node # ensure this is a Manager node
require_manager require_manager @> /dev/null
# verify that all parameters are files # verify that all parameters are files
for i in "$@"; do for i in $INPUT_FILES; do
if ! [ -f "$i" ]; then if ! [ -f "$i" ]; then
usage
echo "\"$i\" is not a valid file!" echo "\"$i\" is not a valid file!"
exit 2 exit 2
fi fi
done done
# track if we have any valid or invalid evtx
INVALID_EVTXS="no"
VALID_EVTXS="no"
# track oldest start and newest end so that we can generate the Kibana search hyperlink at the end # track oldest start and newest end so that we can generate the Kibana search hyperlink at the end
START_OLDEST="2050-12-31" START_OLDEST="2050-12-31"
END_NEWEST="1971-01-01" END_NEWEST="1971-01-01"
INVALID_EVTXS_COUNT=0
VALID_EVTXS_COUNT=0
SKIPPED_EVTXS_COUNT=0
touch /nsm/import/evtx-start_oldest touch /nsm/import/evtx-start_oldest
touch /nsm/import/evtx-end_newest touch /nsm/import/evtx-end_newest
@@ -74,27 +110,39 @@ echo $START_OLDEST > /nsm/import/evtx-start_oldest
echo $END_NEWEST > /nsm/import/evtx-end_newest echo $END_NEWEST > /nsm/import/evtx-end_newest
# paths must be quoted in case they include spaces # paths must be quoted in case they include spaces
for EVTX in "$@"; do for EVTX in $INPUT_FILES; do
EVTX=$(/usr/bin/realpath "$EVTX") EVTX=$(/usr/bin/realpath "$EVTX")
echo "Processing Import: ${EVTX}" status "Processing Import: ${EVTX}"
# generate a unique hash to assist with dedupe checks # generate a unique hash to assist with dedupe checks
HASH=$(md5sum "${EVTX}" | awk '{ print $1 }') HASH=$(md5sum "${EVTX}" | awk '{ print $1 }')
HASH_DIR=/nsm/import/${HASH} HASH_DIR=/nsm/import/${HASH}
echo "- assigning unique identifier to import: $HASH" status "- assigning unique identifier to import: $HASH"
if [[ "$HASH_FILTERS" == "" ]]; then
HASH_FILTERS="import.id:${HASH}"
HASHES="${HASH}"
else
HASH_FILTERS="$HASH_FILTERS%20OR%20import.id:${HASH}"
HASHES="${HASHES} ${HASH}"
fi
if [ -d $HASH_DIR ]; then if [ -d $HASH_DIR ]; then
echo "- this EVTX has already been imported; skipping" status "- this EVTX has already been imported; skipping"
INVALID_EVTXS="yes" SKIPPED_EVTXS_COUNT=$((SKIPPED_EVTXS_COUNT + 1))
else else
VALID_EVTXS="yes"
EVTX_DIR=$HASH_DIR/evtx EVTX_DIR=$HASH_DIR/evtx
mkdir -p $EVTX_DIR mkdir -p $EVTX_DIR
# import evtx and write them to import ingest pipeline # import evtx and write them to import ingest pipeline
echo "- importing logs to Elasticsearch..." status "- importing logs to Elasticsearch..."
evtx2es "${EVTX}" $HASH evtx2es "${EVTX}" $HASH
if [[ $? -ne 0 ]]; then
INVALID_EVTXS_COUNT=$((INVALID_EVTXS_COUNT + 1))
status "- WARNING: This evtx file may not have fully imported successfully"
else
VALID_EVTXS_COUNT=$((VALID_EVTXS_COUNT + 1))
fi
# compare $START to $START_OLDEST # compare $START to $START_OLDEST
START=$(cat /nsm/import/evtx-start_oldest) START=$(cat /nsm/import/evtx-start_oldest)
@@ -118,38 +166,60 @@ for EVTX in "$@"; do
fi # end of valid evtx fi # end of valid evtx
echo status
done # end of for-loop processing evtx files done # end of for-loop processing evtx files
# remove temp files
echo "Cleaning up:"
for TEMP_EVTX in ${TEMP_EVTXS[@]}; do
echo "- removing temporary evtx $TEMP_EVTX"
rm -f $TEMP_EVTX
done
# output final messages # output final messages
if [ "$INVALID_EVTXS" = "yes" ]; then if [[ $INVALID_EVTXS_COUNT -gt 0 ]]; then
echo status
echo "Please note! One or more evtx was invalid! You can scroll up to see which ones were invalid." status "Please note! One or more evtx was invalid! You can scroll up to see which ones were invalid."
fi fi
START_OLDEST_FORMATTED=`date +%Y-%m-%d --date="$START_OLDEST"` START_OLDEST_FORMATTED=`date +%Y-%m-%d --date="$START_OLDEST"`
START_OLDEST_SLASH=$(echo $START_OLDEST_FORMATTED | sed -e 's/-/%2F/g') START_OLDEST_SLASH=$(echo $START_OLDEST_FORMATTED | sed -e 's/-/%2F/g')
END_NEWEST_SLASH=$(echo $END_NEWEST | sed -e 's/-/%2F/g') END_NEWEST_SLASH=$(echo $END_NEWEST | sed -e 's/-/%2F/g')
if [ "$VALID_EVTXS" = "yes" ]; then if [[ $VALID_EVTXS_COUNT -gt 0 ]] || [[ $SKIPPED_EVTXS_COUNT -gt 0 ]]; then
cat << EOF URL="https://{{ URLBASE }}/#/dashboards?q=$HASH_FILTERS%20%7C%20groupby%20-sankey%20event.dataset%20event.category%2a%20%7C%20groupby%20-pie%20event.category%20%7C%20groupby%20-bar%20event.module%20%7C%20groupby%20event.dataset%20%7C%20groupby%20event.module%20%7C%20groupby%20event.category%20%7C%20groupby%20observer.name%20%7C%20groupby%20source.ip%20%7C%20groupby%20destination.ip%20%7C%20groupby%20destination.port&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC"
Import complete! status "Import complete!"
status
You can use the following hyperlink to view data in the time range of your import. You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser: status "Use the following hyperlink to view the imported data. Triple-click to quickly highlight the entire hyperlink and then copy it into a browser:"
https://{{ URLBASE }}/#/dashboards?q=import.id:${RUNID}%20%7C%20groupby%20-sankey%20event.dataset%20event.category%2a%20%7C%20groupby%20-pie%20event.category%20%7C%20groupby%20-bar%20event.module%20%7C%20groupby%20event.dataset%20%7C%20groupby%20event.module%20%7C%20groupby%20event.category%20%7C%20groupby%20observer.name%20%7C%20groupby%20source.ip%20%7C%20groupby%20destination.ip%20%7C%20groupby%20destination.port&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC status
status "$URL"
or you can manually set your Time Range to be (in UTC): status
From: $START_OLDEST_FORMATTED To: $END_NEWEST status "or, manually set the Time Range to be (in UTC):"
status
Please note that it may take 30 seconds or more for events to appear in Security Onion Console. status "From: $START_OLDEST_FORMATTED To: $END_NEWEST"
EOF status
status "Note: It can take 30 seconds or more for events to appear in Security Onion Console."
RESULT=0
else
START_OLDEST=
END_NEWEST=
URL=
RESULT=1
fi fi
if [[ $json -eq 1 ]]; then
jq -n \
--arg success_count "$VALID_EVTXS_COUNT" \
--arg fail_count "$INVALID_EVTXS_COUNT" \
--arg skipped_count "$SKIPPED_EVTXS_COUNT" \
--arg begin_date "$START_OLDEST" \
--arg end_date "$END_NEWEST" \
--arg url "$URL" \
--arg hashes "$HASHES" \
'''{
success_count: $success_count,
fail_count: $fail_count,
skipped_count: $skipped_count,
begin_date: $begin_date,
end_date: $end_date,
url: $url,
hash: ($hashes / " ")
}'''
fi
exit $RESULT
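Review bot: The new option parser concatenates file paths into the space-delimited string `INPUT_FILES` (`INPUT_FILES="$INPUT_FILES $param"`) and then iterates it unquoted (`for i in $INPUT_FILES`, `for EVTX in $INPUT_FILES`), so a path containing whitespace is split into several non-existent files and glob characters in a name are expanded by the shell — a regression from the `"$@"` the old code used, and it contradicts the retained comment `# paths must be quoted in case they include spaces`. Collecting the arguments in a bash array keeps each path intact and lets the empty check use `${#INPUT_FILES[@]}`. Separately, `require_manager @> /dev/null` looks like a typo for `&> /dev/null`: as written bash passes a literal `@` argument to `require_manager` and redirects only stdout, so its stderr still prints in `--quiet`/`--json` mode and can corrupt the JSON a caller parses.
```shell
INPUT_FILES=()
while [[ $# -gt 0 ]]; do
  param=$1
  shift
  case "$param" in
    # … unchanged: --json / --quiet / -* handling …
    *)
      INPUT_FILES+=("$param")
      ;;
  esac
done

# … unchanged: status(), evtx2es() …

if [ ${#INPUT_FILES[@]} -eq 0 ]; then
  usage
  exit 1
fi

require_manager &> /dev/null

for i in "${INPUT_FILES[@]}"; do
  # … unchanged: file existence check …
done

# … unchanged: counters and start/end tracking …

for EVTX in "${INPUT_FILES[@]}"; do
  # … unchanged: import loop body …
done
```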
+125 -51
@@ -15,12 +15,51 @@
function usage { function usage {
cat << EOF cat << EOF
Usage: $0 <pcap-file-1> [pcap-file-2] [pcap-file-N] Usage: $0 [options] <pcap-file-1> [pcap-file-2] [pcap-file-N]
Imports one or more PCAP files onto a sensor node. The PCAP traffic will be analyzed and made available for review in the Security Onion toolset. Imports one or more PCAP files onto a sensor node. The PCAP traffic will be analyzed and made available for review in the Security Onion toolset.
Options:
--json Outputs summary in JSON format. Implies --quiet.
--quiet Silences progress information to stdout.
EOF EOF
} }
quiet=0
json=0
INPUT_FILES=
while [[ $# -gt 0 ]]; do
param=$1
shift
case "$param" in
--json)
json=1
quiet=1
;;
--quiet)
quiet=1
;;
-*)
echo "Encountered unexpected parameter: $param"
usage
exit 1
;;
*)
if [[ "$INPUT_FILES" != "" ]]; then
INPUT_FILES="$INPUT_FILES $param"
else
INPUT_FILES="$param"
fi
;;
esac
done
function status {
msg=$1
[[ $quiet -eq 1 ]] && return
echo "$msg"
}
function pcapinfo() { function pcapinfo() {
PCAP=$1 PCAP=$1
ARGS=$2 ARGS=$2
@@ -84,7 +123,7 @@ function zeek() {
} }
# if no parameters supplied, display usage # if no parameters supplied, display usage
if [ $# -eq 0 ]; then if [ "$INPUT_FILES" == "" ]; then
usage usage
exit 1 exit 1
fi fi
@@ -96,31 +135,30 @@ if [ ! -d /opt/so/conf/suricata ]; then
fi fi
# verify that all parameters are files # verify that all parameters are files
for i in "$@"; do for i in $INPUT_FILES; do
if ! [ -f "$i" ]; then if ! [ -f "$i" ]; then
usage
echo "\"$i\" is not a valid file!" echo "\"$i\" is not a valid file!"
exit 2 exit 2
fi fi
done done
# track if we have any valid or invalid pcaps
INVALID_PCAPS="no"
VALID_PCAPS="no"
# track oldest start and newest end so that we can generate the Kibana search hyperlink at the end # track oldest start and newest end so that we can generate the Kibana search hyperlink at the end
START_OLDEST="2050-12-31" START_OLDEST="2050-12-31"
END_NEWEST="1971-01-01" END_NEWEST="1971-01-01"
INVALID_PCAPS_COUNT=0
VALID_PCAPS_COUNT=0
SKIPPED_PCAPS_COUNT=0
# paths must be quoted in case they include spaces # paths must be quoted in case they include spaces
for PCAP in "$@"; do for PCAP in $INPUT_FILES; do
PCAP=$(/usr/bin/realpath "$PCAP") PCAP=$(/usr/bin/realpath "$PCAP")
echo "Processing Import: ${PCAP}" status "Processing Import: ${PCAP}"
echo "- verifying file" status "- verifying file"
if ! pcapinfo "${PCAP}" > /dev/null 2>&1; then if ! pcapinfo "${PCAP}" > /dev/null 2>&1; then
# try to fix pcap and then process the fixed pcap directly # try to fix pcap and then process the fixed pcap directly
PCAP_FIXED=`mktemp /tmp/so-import-pcap-XXXXXXXXXX.pcap` PCAP_FIXED=`mktemp /tmp/so-import-pcap-XXXXXXXXXX.pcap`
echo "- attempting to recover corrupted PCAP file" status "- attempting to recover corrupted PCAP file"
pcapfix "${PCAP}" "${PCAP_FIXED}" pcapfix "${PCAP}" "${PCAP_FIXED}"
# Make fixed file world readable since the Suricata docker container will runas a non-root user # Make fixed file world readable since the Suricata docker container will runas a non-root user
chmod a+r "${PCAP_FIXED}" chmod a+r "${PCAP_FIXED}"
@@ -131,33 +169,44 @@ for PCAP in "$@"; do
# generate a unique hash to assist with dedupe checks # generate a unique hash to assist with dedupe checks
HASH=$(md5sum "${PCAP}" | awk '{ print $1 }') HASH=$(md5sum "${PCAP}" | awk '{ print $1 }')
HASH_DIR=/nsm/import/${HASH} HASH_DIR=/nsm/import/${HASH}
echo "- assigning unique identifier to import: $HASH" status "- assigning unique identifier to import: $HASH"
if [ -d $HASH_DIR ]; then pcap_data=$(pcapinfo "${PCAP}")
echo "- this PCAP has already been imported; skipping" if ! echo "$pcap_data" | grep -q "First packet time:" || echo "$pcap_data" |egrep -q "Last packet time: 1970-01-01|Last packet time: n/a"; then
INVALID_PCAPS="yes" status "- this PCAP file is invalid; skipping"
elif pcapinfo "${PCAP}" |egrep -q "Last packet time: 1970-01-01|Last packet time: n/a"; then INVALID_PCAPS_COUNT=$((INVALID_PCAPS_COUNT + 1))
echo "- this PCAP file is invalid; skipping"
INVALID_PCAPS="yes"
else else
VALID_PCAPS="yes" if [ -d $HASH_DIR ]; then
status "- this PCAP has already been imported; skipping"
SKIPPED_PCAPS_COUNT=$((SKIPPED_PCAPS_COUNT + 1))
else
VALID_PCAPS_COUNT=$((VALID_PCAPS_COUNT + 1))
PCAP_DIR=$HASH_DIR/pcap PCAP_DIR=$HASH_DIR/pcap
mkdir -p $PCAP_DIR mkdir -p $PCAP_DIR
# generate IDS alerts and write them to standard pipeline # generate IDS alerts and write them to standard pipeline
echo "- analyzing traffic with Suricata" status "- analyzing traffic with Suricata"
suricata "${PCAP}" $HASH suricata "${PCAP}" $HASH
{% if salt['pillar.get']('global:mdengine') == 'ZEEK' %} {% if salt['pillar.get']('global:mdengine') == 'ZEEK' %}
# generate Zeek logs and write them to a unique subdirectory in /nsm/import/zeek/ # generate Zeek logs and write them to a unique subdirectory in /nsm/import/zeek/
# since each run writes to a unique subdirectory, there is no need for a lock file # since each run writes to a unique subdirectory, there is no need for a lock file
echo "- analyzing traffic with Zeek" status "- analyzing traffic with Zeek"
zeek "${PCAP}" $HASH zeek "${PCAP}" $HASH
{% endif %} {% endif %}
fi
if [[ "$HASH_FILTERS" == "" ]]; then
HASH_FILTERS="import.id:${HASH}"
HASHES="${HASH}"
else
HASH_FILTERS="$HASH_FILTERS%20OR%20import.id:${HASH}"
HASHES="${HASHES} ${HASH}"
fi
START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}') START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}')
END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}') END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}')
echo "- saving PCAP data spanning dates $START through $END" status "- found PCAP data spanning dates $START through $END"
# compare $START to $START_OLDEST # compare $START to $START_OLDEST
START_COMPARE=$(date -d $START +%s) START_COMPARE=$(date -d $START +%s)
@@ -179,37 +228,62 @@ for PCAP in "$@"; do
fi # end of valid pcap fi # end of valid pcap
echo status
done # end of for-loop processing pcap files done # end of for-loop processing pcap files
# remove temp files # remove temp files
echo "Cleaning up:"
for TEMP_PCAP in ${TEMP_PCAPS[@]}; do for TEMP_PCAP in ${TEMP_PCAPS[@]}; do
echo "- removing temporary pcap $TEMP_PCAP" status "- removing temporary pcap $TEMP_PCAP"
rm -f $TEMP_PCAP rm -f $TEMP_PCAP
done done
# output final messages # output final messages
if [ "$INVALID_PCAPS" = "yes" ]; then if [[ $INVALID_PCAPS_COUNT -gt 0 ]]; then
echo status
echo "Please note! One or more pcaps was invalid! You can scroll up to see which ones were invalid." status "WARNING: One or more pcaps was invalid. Scroll up to see which ones were invalid."
fi fi
START_OLDEST_SLASH=$(echo $START_OLDEST | sed -e 's/-/%2F/g') START_OLDEST_SLASH=$(echo $START_OLDEST | sed -e 's/-/%2F/g')
END_NEWEST_SLASH=$(echo $END_NEWEST | sed -e 's/-/%2F/g') END_NEWEST_SLASH=$(echo $END_NEWEST | sed -e 's/-/%2F/g')
if [[ $VALID_PCAPS_COUNT -gt 0 ]] || [[ $SKIPPED_PCAPS_COUNT -gt 0 ]]; then
URL="https://{{ URLBASE }}/#/dashboards?q=$HASH_FILTERS%20%7C%20groupby%20-sankey%20event.dataset%20event.category%2a%20%7C%20groupby%20-pie%20event.category%20%7C%20groupby%20-bar%20event.module%20%7C%20groupby%20event.dataset%20%7C%20groupby%20event.module%20%7C%20groupby%20event.category%20%7C%20groupby%20observer.name%20%7C%20groupby%20source.ip%20%7C%20groupby%20destination.ip%20%7C%20groupby%20destination.port&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC"
if [ "$VALID_PCAPS" = "yes" ]; then status "Import complete!"
cat << EOF status
status "Use the following hyperlink to view the imported data. Triple-click to quickly highlight the entire hyperlink and then copy it into a browser:"
Import complete! status "$URL"
status
You can use the following hyperlink to view data in the time range of your import. You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser: status "or, manually set the Time Range to be (in UTC):"
https://{{ URLBASE }}/#/dashboards?q=import.id:${HASH}%20%7C%20groupby%20-sankey%20event.dataset%20event.category%2a%20%7C%20groupby%20-pie%20event.category%20%7C%20groupby%20-bar%20event.module%20%7C%20groupby%20event.dataset%20%7C%20groupby%20event.module%20%7C%20groupby%20event.category%20%7C%20groupby%20observer.name%20%7C%20groupby%20source.ip%20%7C%20groupby%20destination.ip%20%7C%20groupby%20destination.port&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC status "From: $START_OLDEST To: $END_NEWEST"
status
or you can manually set your Time Range to be (in UTC): status "Note: It can take 30 seconds or more for events to appear in Security Onion Console."
From: $START_OLDEST To: $END_NEWEST RESULT=0
else
Please note that it may take 30 seconds or more for events to appear in Security Onion Console. START_OLDEST=
EOF END_NEWEST=
URL=
RESULT=1
fi fi
if [[ $json -eq 1 ]]; then
jq -n \
--arg success_count "$VALID_PCAPS_COUNT" \
--arg fail_count "$INVALID_PCAPS_COUNT" \
--arg skipped_count "$SKIPPED_PCAPS_COUNT" \
--arg begin_date "$START_OLDEST" \
--arg end_date "$END_NEWEST" \
--arg url "$URL" \
--arg hashes "$HASHES" \
'''{
success_count: $success_count,
fail_count: $fail_count,
skipped_count: $skipped_count,
begin_date: $begin_date,
end_date: $end_date,
url: $url,
hash: ($hashes / " ")
}'''
fi
exit $RESULT
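Review bot: As in the evtx importer, `INPUT_FILES` is built as a space-separated string and consumed unquoted (`for i in $INPUT_FILES`, `for PCAP in $INPUT_FILES`), so a PCAP path with a space is split into bogus names and fails the `-f` check, and `*`/`?` in a name are glob-expanded — which the surviving comment `# paths must be quoted in case they include spaces` was written to prevent; a bash array (`INPUT_FILES=()`, `INPUT_FILES+=("$param")`, `for PCAP in "${INPUT_FILES[@]}"`) restores the old `"$@"` behaviour. In the `--json` summary every count is passed with `--arg`, so `success_count`, `fail_count` and `skipped_count` are emitted as JSON strings (`"2"`) rather than integers; if the caller of `--json` compares them numerically, `--argjson success_count "$VALID_PCAPS_COUNT"` (and likewise for the other two) gives the expected type. The `'''{ … }'''` quoting around the jq program is three adjacent single-quoted strings, two of them empty; plain `'{ … }'` is clearer and equivalent.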
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
+1 -1
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -13,7 +13,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
+1 -1
@@ -13,7 +13,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
+1 -1
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
+1 -1
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
+1 -1
@@ -12,7 +12,7 @@ actions:
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
continue_if_exception: False ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
@@ -10,44 +10,58 @@
{%- set RETENTION = salt['pillar.get']('elasticsearch:retention', ELASTICDEFAULTS.elasticsearch.retention, merge=true) -%} {%- set RETENTION = salt['pillar.get']('elasticsearch:retention', ELASTICDEFAULTS.elasticsearch.retention, merge=true) -%}
LOG="/opt/so/log/curator/so-curator-cluster-delete.log" LOG="/opt/so/log/curator/so-curator-cluster-delete.log"
LOG_SIZE_LIMIT=$(/usr/sbin/so-elasticsearch-cluster-space-total {{ RETENTION.retention_pct}}) ALERT_LOG="/opt/so/log/curator/alert.log"
LOG_SIZE_LIMIT_GB=$(/usr/sbin/so-elasticsearch-cluster-space-total {{ RETENTION.retention_pct}})
LOG_SIZE_LIMIT=$(( "$LOG_SIZE_LIMIT_GB" * 1000 * 1000 * 1000 ))
ITERATION=0
MAX_ITERATIONS=10
overlimit() { overlimit() {
[[ $(/usr/sbin/so-elasticsearch-cluster-space-used) -gt "${LOG_SIZE_LIMIT}" ]] [[ $(/usr/sbin/so-elasticsearch-cluster-space-used) -gt ${LOG_SIZE_LIMIT} ]]
} }
# Check to see if Elasticsearch indices using more disk space than LOG_SIZE_LIMIT ###########################
# Closed indices will be deleted first. If we are able to bring disk space under LOG_SIZE_LIMIT, we will break out of the loop. # Check for 2 conditions: #
while overlimit; do ###########################
# 1. Check if Elasticsearch indices are using more disk space than LOG_SIZE_LIMIT
# 2. Check if the maximum number of iterations - MAX_ITERATIONS - has been exceeded. If so, exit.
# Closed indices will be deleted first. If we are able to bring disk space under LOG_SIZE_LIMIT, or the number of iterations has exceeded the maximum allowed number of iterations, we will break out of the loop.
while overlimit && [[ $ITERATION -lt $MAX_ITERATIONS ]]; do
# If we can't query Elasticsearch, then immediately return false. # If we can't query Elasticsearch, then immediately return false.
/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status > /dev/null 2>&1 /usr/sbin/so-elasticsearch-query _cat/indices?h=index,status > /dev/null 2>&1
[ $? -eq 1 ] && echo "$(date) - Could not query Elasticsearch." >> ${LOG} && exit [ $? -eq 1 ] && echo "$(date) - Could not query Elasticsearch." >> ${LOG} && exit
# We iterate through the closed and open indices # We iterate through the closed and open indices
CLOSED_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep 'close$' | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3) CLOSED_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep 'close$' | awk '{print $1}' | grep -vE "playbook|so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3)
OPEN_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep 'open$' | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3) OPEN_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep 'open$' | awk '{print $1}' | grep -vE "playbook|so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3)
for INDEX in ${CLOSED_INDICES} ${OPEN_INDICES}; do
# Now that we've sorted the indices from oldest to newest, we need to check each index to see if it is assigned as the current write index for a data stream for INDEX in ${CLOSED_INDICES} ${OPEN_INDICES}; do
# Now that we've sorted the indices from oldest to newest, we need to check each index to see if it is assigned as the current write index for a data stream
# To do so, we need to identify to which data stream this index is associated # To do so, we need to identify to which data stream this index is associated
# We extract the data stream name using the pattern below # We extract the data stream name using the pattern below
DATASTREAM_PATTERN="logs-[a-zA-Z_.]+-[a-zA-Z_.]+" DATASTREAM_PATTERN="logs-[a-zA-Z_.]+-[a-zA-Z_.]+"
DATASTREAM=$(echo "${INDEX}" | grep -oE "$DATASTREAM_PATTERN") DATASTREAM=$(echo "${INDEX}" | grep -oE "$DATASTREAM_PATTERN")
# We look up the data stream, and determine the write index. If there is only one backing index, we delete the entire data stream # We look up the data stream, and determine the write index. If there is only one backing index, we delete the entire data stream
BACKING_INDICES=$(/usr/sbin/so-elasticsearch-query _data_stream/${DATASTREAM} | jq -r '.data_streams[0].indices | length') BACKING_INDICES=$(/usr/sbin/so-elasticsearch-query _data_stream/${DATASTREAM} | jq -r '.data_streams[0].indices | length')
if [ "$BACKING_INDICES" -gt 1 ]; then if [ "$BACKING_INDICES" -gt 1 ]; then
CURRENT_WRITE_INDEX=$(/usr/sbin/so-elasticsearch-query _data_stream/$DATASTREAM | jq -r .data_streams[0].indices[-1].index_name) CURRENT_WRITE_INDEX=$(/usr/sbin/so-elasticsearch-query _data_stream/$DATASTREAM | jq -r .data_streams[0].indices[-1].index_name)
# We make sure we are not trying to delete a write index # We make sure we are not trying to delete a write index
if [ "${INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then if [ "${INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then
# This should not be a write index, so we should be allowed to delete it # This should not be a write index, so we should be allowed to delete it
printf "\n$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Deleting ${INDEX} index...\n" >> ${LOG} printf "\n$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT_GB} GB) - Deleting ${INDEX} index...\n" >> ${LOG}
/usr/sbin/so-elasticsearch-query ${INDEX} -XDELETE >> ${LOG} 2>&1 /usr/sbin/so-elasticsearch-query ${INDEX} -XDELETE >> ${LOG} 2>&1
fi fi
else fi
# We delete the entire data stream, since there is only one backing index if ! overlimit ; then
printf "\n$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Deleting ${DATASTREAM} data stream...\n" >> ${LOG}
/usr/sbin/so-elasticsearch-query _data_stream/${DATASTREAM} -XDELETE >> ${LOG} 2>&1
fi
if ! overlimit; then
exit exit
fi fi
((ITERATION++))
done done
if [[ $ITERATION -ge $MAX_ITERATIONS ]]; then
alert_id=$(uuidgen)
printf "\n$(date) -> Maximum iteration limit reached ($MAX_ITERATIONS). Unable to bring disk below threshold. Writing alert ($alert_id) to ${ALERT_LOG}\n" >> ${LOG}
printf "\n$(date),$alert_id,Maximum iteration limit reached ($MAX_ITERATIONS). Unable to bring disk below threshold.\n" >> ${ALERT_LOG}
fi
done done
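Review bot: `((ITERATION++))` sits inside the inner `for INDEX` loop, so the counter advances once per candidate index, not once per pass of the `while` loop that the new comments describe; on a cluster with ten or more candidate indices a single sweep already reaches MAX_ITERATIONS and the "Maximum iteration limit reached" alert fires even though the loop would otherwise have retried. Moving that line to just after the inner `done`, before the `if [[ $ITERATION -ge $MAX_ITERATIONS ]]` check, makes the counter match the comment. The new side also drops the branch that deleted a data stream with a single backing index, so such a stream is now never reclaimed and is re-queried on every pass; if that is intended, say so in the comment above the `if [ "$BACKING_INDICES" -gt 1 ]` line. `[ $? -eq 1 ]` treats only exit status 1 as a failed query, so any other non-zero status from so-elasticsearch-query falls through to the delete logic; `[ $? -ne 0 ]` is the safer test.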
-1
@@ -13,7 +13,6 @@ elastalert:
es_port: 9200 es_port: 9200
es_conn_timeout: 55 es_conn_timeout: 55
max_query_size: 5000 max_query_size: 5000
eql: true
use_ssl: true use_ssl: true
verify_certs: false verify_certs: false
writeback_index: elastalert writeback_index: elastalert
@@ -31,7 +31,7 @@ class PlaybookESAlerter(Alerter):
creds = (self.rule['es_username'], self.rule['es_password']) creds = (self.rule['es_username'], self.rule['es_password'])
payload = {"rule": { "name": self.rule['play_title'],"case_template": self.rule['play_id'],"uuid": self.rule['play_id'],"category": self.rule['rule.category']},"event":{ "severity": self.rule['event.severity'],"module": self.rule['event.module'],"dataset": self.rule['event.dataset'],"severity_label": self.rule['sigma_level']},"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"event_data": match, "@timestamp": timestamp} payload = {"rule": { "name": self.rule['play_title'],"case_template": self.rule['play_id'],"uuid": self.rule['play_id'],"category": self.rule['rule.category']},"event":{ "severity": self.rule['event.severity'],"module": self.rule['event.module'],"dataset": self.rule['event.dataset'],"severity_label": self.rule['sigma_level']},"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"event_data": match, "@timestamp": timestamp}
url = f"{self.rule['es_hosts']}/so-playbook-alerts-{today}/_doc/" url = f"https://{self.rule['es_host']}:{self.rule['es_port']}/logs-playbook.alerts-so/_doc/"
requests.post(url, data=json.dumps(payload), headers=headers, verify=False, auth=creds) requests.post(url, data=json.dumps(payload), headers=headers, verify=False, auth=creds)
def get_info(self): def get_info(self):
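Review bot: The `requests.post` on the context line discards its response, so an HTTP error from Elasticsearch (a rejected document, a stale credential, a wrong `es_port`) silently drops the playbook alert; capture it and fail loudly: `resp = requests.post(url, data=json.dumps(payload), headers=headers, verify=False, auth=creds)` followed by `resp.raise_for_status()`. The same call keeps `verify=False`, which means the `creds` pair is presented to whatever answers at the new `https://{es_host}:{es_port}` URL without certificate validation; pointing `verify=` at the grid's CA bundle (`<PATH_TO_CA_BUNDLE>`) would pin it. The enclosing method starts outside the hunk.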
+1 -1
@@ -8,7 +8,7 @@
{% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %} {% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %}
{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_hosts': 'https://' + GLOBALS.manager + ':' + ELASTALERTDEFAULTS.elastalert.config.es_port|string}) %} {% do ELASTALERTDEFAULTS.elastalert.config.update({'es_host': GLOBALS.manager}) %}
{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_username': pillar.elasticsearch.auth.users.so_elastic_user.user}) %} {% do ELASTALERTDEFAULTS.elastalert.config.update({'es_username': pillar.elasticsearch.auth.users.so_elastic_user.user}) %}
{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %} {% do ELASTALERTDEFAULTS.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %}
+31
@@ -4,6 +4,7 @@
# Elastic License 2.0. # Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
# Add EA Group # Add EA Group
@@ -51,6 +52,36 @@ eastatedir:
- group: 939 - group: 939
- makedirs: True - makedirs: True
{% if GLOBALS.role != "so-fleet" %}
eaintegrationsdir:
file.directory:
- name: /opt/so/conf/elastic-fleet/integrations
- user: 947
- group: 939
- makedirs: True
eadynamicintegration:
file.recurse:
- name: /opt/so/conf/elastic-fleet/integrations
- source: salt://elasticfleet/files/integrations-dynamic
- user: 947
- group: 939
- template: jinja
eaintegration:
file.recurse:
- name: /opt/so/conf/elastic-fleet/integrations
- source: salt://elasticfleet/files/integrations
- user: 947
- group: 939
ea-integrations-load:
file.absent:
- name: /opt/so/state/eaintegrations.txt
- onchanges:
- file: eaintegration
- file: eadynamicintegration
{% endif %}
{% else %} {% else %}
{{sls}}_state_not_allowed: {{sls}}_state_not_allowed:
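Review bot: `eadynamicintegration` and `eaintegration` both recurse into `/opt/so/conf/elastic-fleet/integrations` with no `require` between them or on `eaintegrationsdir`, so their relative order rests on file order alone and a file present under both source trees is written twice with the last writer winning. Adding `- require: - file: eaintegrationsdir` to both recurse states, and `- require: - file: eadynamicintegration` to `eaintegration` (or the reverse, whichever should win), makes the precedence explicit. A one-line comment above `eadynamicintegration` saying which tree takes precedence, and that `template: jinja` renders every file in it (presumably why the JSON templates elsewhere in this commit are wrapped in `{%- raw -%}`), would help the next maintainer.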
+17
@@ -6,3 +6,20 @@ elasticfleet:
es_token: '' es_token: ''
grid_enrollment: '' grid_enrollment: ''
url: '' url: ''
logging:
zeek:
excluded:
- broker
- capture_loss
- cluster
- ecat_arp_info
- known_hosts
- known_services
- loaded_scripts
- ntp
- ocsp
- packet_filter
- reporter
- stats
- stderr
- stdout
+6
@@ -62,6 +62,12 @@ so-elastic-fleet:
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if GLOBALS.role != "so-fleet" %}
so-elastic-fleet-integrations:
cmd.run:
- name: /usr/sbin/so-elastic-fleet-integration-policy-load
{% endif %}
delete_so-elastic-fleet_so-status.disabled: delete_so-elastic-fleet_so-status.disabled:
file.uncomment: file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf - name: /opt/so/conf/so-status/so-status.conf
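Review bot: `so-elastic-fleet-integrations` runs `/usr/sbin/so-elastic-fleet-integration-policy-load` on every state apply with no `require` (presumably it needs the container this file starts to be up), so the only thing preventing repeated work is the script's own gate on `/opt/so/state/eaintegrations.txt`. That is worth a comment on the state, such as `# Runs every apply; the script itself skips work while /opt/so/state/eaintegrations.txt exists`, so nobody adds `onchanges` and breaks the first-run path.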
@@ -1,3 +1,5 @@
{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
{%- raw -%}
{ {
"package": { "package": {
"name": "log", "name": "log",
@@ -20,10 +22,11 @@
"data_stream.dataset": "import", "data_stream.dataset": "import",
"tags": [], "tags": [],
"processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"",
"custom": "exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"]\n" "custom": "exclude_files: [\"{%- endraw -%}{{ ELASTICFLEETMERGED.logging.zeek.excluded | join('|') }}{%- raw -%}.log$\"]\n"
} }
} }
} }
} }
} }
} }
{%- endraw -%}
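Review bot: The `join('|')` drops the list into an `exclude_files` regex unescaped and unanchored, so each entry is a substring match (an entry `stats` also excludes any log whose path contains `stats`) and the trailing `.log$` binds only to the last alternative, exactly as the old literal did; an entry containing `"`, `\` or a regex metacharacter would break the JSON or the pattern. The same construction appears again at L965. Grouping the alternation and escaping the dot, `({{ ELASTICFLEETMERGED.logging.zeek.excluded | join('|') }})\\.log$`, anchors the suffix to every entry, and the `description` in the soc annotation hunk (L982) should state that entries are matched as regex fragments against the file path.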
@@ -1,8 +1,11 @@
{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
{%- raw -%}
{ {
"package": { "package": {
"name": "log", "name": "log",
"version": "" "version": ""
}, },
"id": "zeek-logs",
"name": "zeek-logs", "name": "zeek-logs",
"namespace": "so", "namespace": "so",
"description": "Zeek logs", "description": "Zeek logs",
@@ -20,10 +23,11 @@
"data_stream.dataset": "zeek", "data_stream.dataset": "zeek",
"tags": [], "tags": [],
"processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", "processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"",
"custom": "exclude_files: [\"broker|capture_loss|ecat_arp_info|known_hosts|known_services|loaded_scripts|ntp|packet_filter|reporter|stats|stderr|stdout.log$\"]\n" "custom": "exclude_files: [\"{%- endraw -%}{{ ELASTICFLEETMERGED.logging.zeek.excluded | join('|') }}{%- raw -%}.log$\"]\n"
} }
} }
} }
} }
} }
} }
{%- endraw -%}
+6
@@ -3,6 +3,12 @@ elasticfleet:
description: You can enable or disable Elastic Fleet. description: You can enable or disable Elastic Fleet.
advanced: True advanced: True
helpLink: elastic-fleet.html helpLink: elastic-fleet.html
logging:
zeek:
excluded:
description: This is a list of Zeek logs that are excluded from being shipped through the data processing pipeline. If you remove a log from this list, Elastic Agent will attempt to process it. If an ingest node pipeline is not available to process the logs, you may experience errors.
forcedType: "[]string"
helpLink: zeek.html
config: config:
server: server:
endpoints_enrollment: endpoints_enrollment:
@@ -4,7 +4,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
. /usr/sbin/so-common . /usr/sbin/so-elastic-fleet-common
POLICY_ID=$1 POLICY_ID=$1
@@ -4,14 +4,12 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
. /usr/sbin/so-common . /usr/sbin/so-elastic-fleet-common
# Let's snag a cookie from Kibana # Let's snag a cookie from Kibana
SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
echo "Setting up default Security Onion package policies for Elastic Agent..."
# List configured agent policies # List configured agent policies
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies" | jq curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies" | jq
echo echo
@@ -4,16 +4,14 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
. /usr/sbin/so-common . /usr/sbin/so-elastic-fleet-common
POLICY_ID=$1 POLICY_ID=$1
# Let's snag a cookie from Kibana # Let's snag a cookie from Kibana
SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
echo "Viewing agent policy $POLICY_ID"
# View agent policy # View agent policy
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies/$POLICY_ID/full" | jq curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -H "kbn-xsrf: true" -L -X GET "localhost:5601/api/fleet/agent_policies/$POLICY_ID" | jq
echo echo
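Review bot: Adding `-s` to both curl calls silences curl's own error output without `--fail` or `-S`, so a refused connection or a 401 from Kibana now yields an empty or HTML body that `jq` reports as a parse error (or, for the cookie line, an empty `SESSIONCOOKIE`) with no hint of the cause; `curl -sS --fail ...` keeps the quiet progress meter but surfaces the failure. This matters more than before because `elastic_fleet_integration_check` in so-elastic-fleet-common now parses the output of this view script to decide between create and update. The same `-s` change is in the hunks at L993-1002 and L1088-1097.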
+79
@@ -0,0 +1,79 @@
#!/bin/bash
#
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
DEFAULT_SALT_DIR=/opt/so/saltstack/default
if [ -z $NOROOT ]; then
# Check for prerequisites
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run using sudo!"
exit 1
fi
fi
# Ensure /usr/sbin is in path
if ! echo "$PATH" | grep -q "/usr/sbin"; then
export PATH="$PATH:/usr/sbin"
fi
# Define a banner to separate sections
banner="========================================================================="
elastic_fleet_integration_check() {
AGENT_POLICY=$1
JSON_STRING=$2
NAME=$(jq -r .name $JSON_STRING)
INTEGRATION_ID=$(/usr/sbin/so-elastic-fleet-agent-policy-view "$AGENT_POLICY" | jq -r '.item.package_policies[] | select(.name=="'"$NAME"'") | .id')
}
elastic_fleet_integration_create() {
JSON_STRING=$1
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
}
elastic_fleet_integration_update() {
UPDATE_ID=$1
JSON_STRING=$2
curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/package_policies/$UPDATE_ID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
}
elastic_fleet_policy_create() {
NAME=$1
DESC=$2
FLEETSERVER=$3
TIMEOUT=$4
JSON_STRING=$( jq -n \
--arg NAME "$NAME" \
--arg DESC "$DESC" \
--arg TIMEOUT $TIMEOUT \
--arg FLEETSERVER "$FLEETSERVER" \
'{"name": $NAME,"id":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":$TIMEOUT,"has_fleet_server":$FLEETSERVER}'
)
# Create Fleet Policy
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/agent_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
}
elastic_fleet_policy_update() {
POLICYID=$1
JSON_STRING=$2
curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/$POLICYID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
}
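Review bot: `elastic_fleet_integration_check` builds its jq filter by splicing `$NAME` into the program text (`select(.name=="'"$NAME"'")`), so a name containing a double quote or backslash produces a broken filter; passing it as data is safer and clearer: `INTEGRATION_ID=$(/usr/sbin/so-elastic-fleet-agent-policy-view "$AGENT_POLICY" | jq -r --arg name "$NAME" '.item.package_policies[] | select(.name==$name) | .id')`. None of the curl calls use `--fail`, so an HTTP 4xx/5xx from the Fleet API still exits 0 and callers cannot tell a failed create or update from a successful one. `--arg TIMEOUT $TIMEOUT` is unquoted and passes `inactivity_timeout` as a JSON string; if the API expects a number, `--argjson TIMEOUT "$TIMEOUT"` is needed. The functions communicate through the globals `NAME` and `INTEGRATION_ID`, which deserves a comment above `elastic_fleet_integration_check` such as `# Sets NAME and INTEGRATION_ID for the caller; INTEGRATION_ID is empty when the integration is not in the policy`.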
@@ -4,7 +4,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
. /usr/sbin/so-common . /usr/sbin/so-elastic-fleet-common
# Let's snag a cookie from Kibana # Let's snag a cookie from Kibana
SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
@@ -4,7 +4,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
. /usr/sbin/so-common . /usr/sbin/so-elastic-fleet-common
POLICY_ID=$1 POLICY_ID=$1
@@ -4,7 +4,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
. /usr/sbin/so-common . /usr/sbin/so-elastic-fleet-common
POLICY_ID=$1 POLICY_ID=$1
@@ -4,14 +4,12 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
. /usr/sbin/so-common . /usr/sbin/so-elastic-fleet-common
# Let's snag a cookie from Kibana # Let's snag a cookie from Kibana
SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
echo "Setting up default Security Onion package policies for Elastic Agent..."
# List configured package policies # List configured package policies
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/package_policies" | jq curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' | jq
echo echo
@@ -4,18 +4,46 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
. /usr/sbin/so-common . /usr/sbin/so-elastic-fleet-common
# Initial Endpoints RETURN_CODE=0
for INTEGRATION in /opt/so/saltstack/default/salt/elasticfleet/files/integrations/endpoints-initial/*.json
do if [ ! -f /opt/so/state/eaintegrations.txt ]; then
printf "\n\nInitial Endpoint Policy - Loading $INTEGRATION\n" # Initial Endpoints
elastic_fleet_integration_create "@$INTEGRATION" for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json
done do
printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n"
elastic_fleet_integration_check "endpoints-initial" "$INTEGRATION"
if [ -n "$INTEGRATION_ID" ]; then
if [ "$NAME" != "elastic-defend-endpoints" ]; then
printf "\n\nIntegration $NAME exists - Updating integration\n"
elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
fi
else
printf "\n\nIntegration does not exist - Creating integration\n"
elastic_fleet_integration_create "@$INTEGRATION"
fi
done
# Grid Nodes
for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/grid-nodes/*.json
do
printf "\n\nGrid Nodes Policy - Loading $INTEGRATION\n"
elastic_fleet_integration_check "so-grid-nodes" "$INTEGRATION"
if [ -n "$INTEGRATION_ID" ]; then
printf "\n\nIntegration $NAME exists - Updating integration\n"
elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
else
printf "\n\nIntegration does not exist - Creating integration\n"
if [ "$NAME" != "elasticsearch-logs" ]; then
elastic_fleet_integration_create "@$INTEGRATION"
fi
fi
done
if [[ "$RETURN_CODE" != "1" ]]; then
touch /opt/so/state/eaintegrations.txt
fi
else
exit $RETURN_CODE
fi
# Grid Nodes
for INTEGRATION in /opt/so/saltstack/default/salt/elasticfleet/files/integrations/grid-nodes/*.json
do
printf "\n\nGrid Nodes Policy - Loading $INTEGRATION\n"
elastic_fleet_integration_create "@$INTEGRATION"
done
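Review bot: `RETURN_CODE` is initialised to 0 and tested before the `touch`, but nothing in either loop ever sets it, so `/opt/so/state/eaintegrations.txt` is written even when every create or update call failed (Kibana not yet up, a rejected policy), and the loader will not run again until an integration file changes. Have each call feed the flag — `elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION" || RETURN_CODE=1` and `elastic_fleet_integration_create "@$INTEGRATION" || RETURN_CODE=1` — which only means something once the curl calls in so-elastic-fleet-common use `--fail` so their exit status reflects the HTTP result. The grid-nodes `else` arm also skips creating `elasticsearch-logs` silently; a comment stating why would save the next reader a search.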
@@ -7,6 +7,6 @@
. /usr/sbin/so-common . /usr/sbin/so-elastic-fleet-common
/usr/sbin/so-restart elastic-fleet $1 /usr/sbin/so-restart elastic-fleet $1
@@ -7,6 +7,6 @@
. /usr/sbin/so-common . /usr/sbin/so-elastic-fleet-common
/usr/sbin/so-start elastic-fleet $1 /usr/sbin/so-start elastic-fleet $1
@@ -7,6 +7,6 @@
. /usr/sbin/so-common . /usr/sbin/so-elastic-fleet-common
/usr/sbin/so-stop elastic-fleet $1 /usr/sbin/so-stop elastic-fleet $1
@@ -9,16 +9,20 @@
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
. /usr/sbin/so-common . /usr/sbin/so-common
. /usr/sbin/so-elastic-fleet-common
#FLEETHOST="https://{{ GLOBALS.manager_ip }}:8220"
for i in {1..30} for i in {1..30}
do do
ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key') ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key')
FLEETHOST=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default' | jq -r '.item.host_urls[]' | paste -sd ',') FLEETHOST=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default' | jq -r '.item.host_urls[]' | paste -sd ',')
if [[ $FLEETHOST ]] && [[ $ENROLLMENTOKEN ]]; then break; else sleep 10; fi if [[ $FLEETHOST ]] && [[ $ENROLLMENTOKEN ]] && [[ $ELASTICVERSION ]]; then break; else sleep 10; fi
done done
if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]]; then printf "\nFleet Host URL or Enrollment Token empty - exiting..." && exit; fi
if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]]; then
printf "\nFleet Host URL, Enrollment Token or Elastic Version empty - exiting..."
printf "\nFleet Host: $FLEETHOST, Enrollment Token: $ENROLLMENTOKEN\n"
exit
fi
OSARCH=( "linux-x86_64" "windows-x86_64" "darwin-x86_64" "darwin-aarch64" ) OSARCH=( "linux-x86_64" "windows-x86_64" "darwin-x86_64" "darwin-aarch64" )
@@ -27,7 +31,7 @@ rm -rf /nsm/elastic-agent-workspace
mkdir -p /nsm/elastic-agent-workspace mkdir -p /nsm/elastic-agent-workspace
printf "\n### Extracting outer tarball and then each individual tarball/zip\n" printf "\n### Extracting outer tarball and then each individual tarball/zip\n"
tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-{{ GLOBALS.so_version }}.tar.gz -C /nsm/elastic-agent-workspace/ tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz -C /nsm/elastic-agent-workspace/
unzip -q /nsm/elastic-agent-workspace/elastic-agent-*.zip -d /nsm/elastic-agent-workspace/ unzip -q /nsm/elastic-agent-workspace/elastic-agent-*.zip -d /nsm/elastic-agent-workspace/
for archive in /nsm/elastic-agent-workspace/*.tar.gz for archive in /nsm/elastic-agent-workspace/*.tar.gz
do do
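Review bot: The loop's break condition now waits on `$ELASTICVERSION`, but the guard after it still tests only `FLEETHOST` and `ENROLLMENTOKEN`, so an empty Elastic version passes through to the extraction step even though the message names it; the guard should read `if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]] || [[ -z $ELASTICVERSION ]]; then`. The added diagnostic also prints the enrollment token itself; that is a Fleet enrollment API key, so it will land in the state output and any log that captures it — report presence rather than value, e.g. `printf "\nFleet Host: $FLEETHOST, Enrollment Token present: $([[ -n $ENROLLMENTOKEN ]] && echo yes || echo no)\n"`. Neither `ELASTICVERSION` nor `ELASTIC_AGENT_TARBALL_VERSION` is set in this hunk; presumably they come from one of the sourced files, which is worth a comment next to the new `. /usr/sbin/so-elastic-fleet-common` line.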
@@ -6,7 +6,7 @@
# this file except in compliance with the Elastic License 2.0. # this file except in compliance with the Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
. /usr/sbin/so-common . /usr/sbin/so-elastic-fleet-common
printf "\n### Create ES Token ###\n" printf "\n### Create ES Token ###\n"
ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/service_tokens" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq -r .value) ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/service_tokens" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq -r .value)
@@ -47,7 +47,6 @@ fi
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/fleet_server_hosts" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/fleet_server_hosts" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
printf "\n\n" printf "\n\n"
### Create Policies & Associated Integration Configuration ### ### Create Policies & Associated Integration Configuration ###
# Manager Fleet Server Host # Manager Fleet Server Host
@@ -72,7 +71,7 @@ so-elastic-fleet-integration-policy-load
# Set Elastic Agent Artifact Registry URL # Set Elastic Agent Artifact Registry URL
JSON_STRING=$( jq -n \ JSON_STRING=$( jq -n \
--arg NAME "FleetServer_{{ GLOBALS.hostname }}" \ --arg NAME "FleetServer_{{ GLOBALS.hostname }}" \
--arg URL "http://{{ GLOBALS.url_base }}/artifacts/" \ --arg URL "http://{{ GLOBALS.url_base }}:8443/artifacts/" \
'{"name":$NAME,"host":$URL,"is_default":true}' '{"name":$NAME,"host":$URL,"is_default":true}'
) )
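Review bot: The artifact registry URL now pairs plain `http://` with port 8443; if `GLOBALS.url_base` terminates TLS on that port, as the number suggests, agents will fail to fetch binaries, and if it really is plaintext the agent binaries travel without transport protection. A comment on the `--arg URL` line stating which it is, and why the scheme is correct, would settle it for the next reader.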
+216 -57
@@ -111,22 +111,208 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
logs-osquery-manager: so-logs-system.auth:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
- ".logs-osquery*" - "logs-system.auth*"
template: template:
settings: settings:
index: index:
number_of_replicas: 0 number_of_replicas: 0
composed_of:
- "event-mappings"
- "logs-system.auth@package"
- "logs-system.auth@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-system.syslog:
index_sorting: False
index_template:
index_patterns:
- "logs-system.syslog*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "event-mappings"
- "logs-system.syslog@package"
- "logs-system.syslog@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-system.system:
index_sorting: False
index_template:
index_patterns:
- "logs-system.system*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "event-mappings"
- "logs-system.system@package"
- "logs-system.system@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-system.application:
index_sorting: False
index_template:
index_patterns:
- "logs-system.application*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "event-mappings"
- "logs-system.application@package"
- "logs-system.application@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-system.security:
index_sorting: False
index_template:
index_patterns:
- "logs-system.security*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "event-mappings"
- "logs-system.security@package"
- "logs-system.security@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-windows.forwarded:
index_sorting: False
index_template:
index_patterns:
- "logs-windows.forwarded*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-windows.forwarded@package"
- "logs-windows.forwarded@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-windows.powershell:
index_sorting: False
index_template:
index_patterns:
- "logs-windows.powershell-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-windows.powershell@package"
- "logs-windows.powershell@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-windows.powershell_operational:
index_sorting: False
index_template:
index_patterns:
- "logs-windows.powershell_operational-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-windows.powershell_operational@package"
- "logs-windows.powershell_operational@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-windows.sysmon_operational:
index_sorting: False
index_template:
index_patterns:
- "logs-windows.sysmon_operational-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-windows.sysmon_operational@package"
- "logs-windows.sysmon_operational@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
so-logs-osquery-manager-actions:
index_sorting: False
index_template:
index_patterns:
- ".logs-osquery_manager.actions*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-osquery_manager.actions"
priority: 501 priority: 501
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
logs-elastic_agent.apm_server: so-logs-osquery-manager-action.responses:
index_sorting: False
index_template:
index_patterns:
- ".logs-osquery_manager.action.responses*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-osquery_manager.action.responses"
priority: 501
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.apm_server:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -152,7 +338,7 @@ elasticsearch:
- "logs-elastic_agent.apm_server@custom" - "logs-elastic_agent.apm_server@custom"
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 501
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
@@ -180,7 +366,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
logs-elastic_agent.auditbeat: so-logs-elastic_agent.auditbeat:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -206,7 +392,7 @@ elasticsearch:
- "logs-elastic_agent.auditbeat@custom" - "logs-elastic_agent.auditbeat@custom"
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 501
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
@@ -234,7 +420,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
logs-elastic_agent.cloudbeat: so-logs-elastic_agent.cloudbeat:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -260,7 +446,7 @@ elasticsearch:
- "logs-elastic_agent.cloudbeat@custom" - "logs-elastic_agent.cloudbeat@custom"
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 501
policy: policy:
phases: phases:
hot: hot:
@@ -285,7 +471,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
logs-elastic_agent.endpoint_security: so-logs-elastic_agent.endpoint_security:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -300,18 +486,13 @@ elasticsearch:
sort: sort:
field: "@timestamp" field: "@timestamp"
order: desc order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
composed_of: composed_of:
- "event-mappings"
- "logs-elastic_agent.endpoint_security@package" - "logs-elastic_agent.endpoint_security@package"
- "logs-elastic_agent.endpoint_security@custom" - "logs-elastic_agent.endpoint_security@custom"
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 501
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
@@ -339,7 +520,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
logs-elastic_agent.filebeat: so-logs-elastic_agent.filebeat:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -354,18 +535,13 @@ elasticsearch:
sort: sort:
field: "@timestamp" field: "@timestamp"
order: desc order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
composed_of: composed_of:
- "event-mappings"
- "logs-elastic_agent.filebeat@package" - "logs-elastic_agent.filebeat@package"
- "logs-elastic_agent.filebeat@custom" - "logs-elastic_agent.filebeat@custom"
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 501
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
@@ -393,7 +569,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
logs-elastic_agent.fleet_server: so-logs-elastic_agent.fleet_server:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -402,24 +578,16 @@ elasticsearch:
settings: settings:
index: index:
number_of_replicas: 0 number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort: sort:
field: "@timestamp" field: "@timestamp"
order: desc order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
composed_of: composed_of:
- "event-mappings"
- "logs-elastic_agent.fleet_server@package" - "logs-elastic_agent.fleet_server@package"
- "logs-elastic_agent.fleet_server@custom" - "logs-elastic_agent.fleet_server@custom"
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 501
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
@@ -447,7 +615,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
logs-elastic_agent.heartbeat: so-logs-elastic_agent.heartbeat:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -473,7 +641,7 @@ elasticsearch:
- "logs-elastic_agent.heartbeat@custom" - "logs-elastic_agent.heartbeat@custom"
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 501
policy: policy:
phases: phases:
hot: hot:
@@ -498,7 +666,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
logs-elastic_agent: so-logs-elastic_agent:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -520,11 +688,12 @@ elasticsearch:
managed_by: security_onion managed_by: security_onion
managed: true managed: true
composed_of: composed_of:
- "event-mappings"
- "logs-elastic_agent@package" - "logs-elastic_agent@package"
- "logs-elastic_agent@custom" - "logs-elastic_agent@custom"
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 501
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
@@ -552,7 +721,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
logs-elastic_agent.metricbeat: so-logs-elastic_agent.metricbeat:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -567,18 +736,13 @@ elasticsearch:
sort: sort:
field: "@timestamp" field: "@timestamp"
order: desc order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
composed_of: composed_of:
- "event-mappings"
- "logs-elastic_agent.metricbeat@package" - "logs-elastic_agent.metricbeat@package"
- "logs-elastic_agent.metricbeat@custom" - "logs-elastic_agent.metricbeat@custom"
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 501
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
@@ -606,7 +770,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
logs-elastic_agent.osquerybeat: so-logs-elastic_agent.osquerybeat:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -621,18 +785,13 @@ elasticsearch:
sort: sort:
field: "@timestamp" field: "@timestamp"
order: desc order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
composed_of: composed_of:
- "event-mappings"
- "logs-elastic_agent.osquerybeat@package" - "logs-elastic_agent.osquerybeat@package"
- "logs-elastic_agent.osquerybeat@custom" - "logs-elastic_agent.osquerybeat@custom"
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 501
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
@@ -660,7 +819,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
logs-elastic_agent.packetbeat: so-logs-elastic_agent.packetbeat:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -686,7 +845,7 @@ elasticsearch:
- "logs-elastic_agent.packetbeat@custom" - "logs-elastic_agent.packetbeat@custom"
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 501
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
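Review bot: In the `@@ -111,22 +111,208 @@` hunk, the new `so-logs-windows.*` templates (`forwarded`, `powershell`, `powershell_operational`, `sysmon_operational`) omit `"event-mappings"` from `composed_of`, while every new `so-logs-system.*` template and the existing `so-logs-elastic_agent.*` templates list it first; if the omission is deliberate, a comment such as `# event-mappings intentionally omitted: <reason>` above each windows block would stop the next editor from "fixing" it, otherwise the entry should be added for consistency. The two `so-logs-osquery-manager-*` templates compose only `logs-osquery_manager.actions` / `logs-osquery_manager.action.responses` with no `@package`/`@custom` pair; as far as I know Elasticsearch rejects an index template whose `composed_of` names a component template that does not yet exist, so confirm those exact component-template names are created before this state is applied. The index patterns also differ in separator (`logs-windows.forwarded*` vs `logs-windows.powershell-*`); the trailing hyphen matters where two templates share priority 501 and one name is a prefix of another, as with `powershell` and `powershell_operational`, so a brief comment noting that would explain the apparent inconsistency.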
@@ -0,0 +1,94 @@
{
"version": 3,
"_meta": {
"managed_by": "fleet",
"managed": true
},
"description": "Final pipeline for processing all incoming Fleet Agent documents. \n",
"processors": [
{
"date": {
"description": "Add time when event was ingested (and remove sub-seconds to improve storage efficiency)",
"tag": "truncate-subseconds-event-ingested",
"field": "_ingest.timestamp",
"target_field": "event.ingested",
"formats": [
"ISO8601"
],
"output_format": "date_time_no_millis",
"ignore_failure": true
}
},
{
"remove": {
"description": "Remove any pre-existing untrusted values.",
"field": [
"event.agent_id_status",
"_security"
],
"ignore_missing": true
}
},
{
"set_security_user": {
"field": "_security",
"properties": [
"authentication_type",
"username",
"realm",
"api_key"
]
}
},
{
"script": {
"description": "Add event.agent_id_status based on the API key metadata and the agent.id contained in the event.\n",
"tag": "agent-id-status",
"source": "boolean is_user_trusted(def ctx, def users) {\n if (ctx?._security?.username == null) {\n return false;\n }\n\n def user = null;\n for (def item : users) {\n if (item?.username == ctx._security.username) {\n user = item;\n break;\n }\n }\n\n if (user == null || user?.realm == null || ctx?._security?.realm?.name == null) {\n return false;\n }\n\n if (ctx._security.realm.name != user.realm) {\n return false;\n }\n\n return true;\n}\n\nString verified(def ctx, def params) {\n // No agent.id field to validate.\n if (ctx?.agent?.id == null) {\n return \"missing\";\n }\n\n // Check auth metadata from API key.\n if (ctx?._security?.authentication_type == null\n // Agents only use API keys.\n || ctx._security.authentication_type != 'API_KEY'\n // Verify the API key owner before trusting any metadata it contains.\n || !is_user_trusted(ctx, params.trusted_users)\n // Verify the API key has metadata indicating the assigned agent ID.\n || ctx?._security?.api_key?.metadata?.agent_id == null) {\n return \"auth_metadata_missing\";\n }\n\n // The API key can only be used represent the agent.id it was issued to.\n if (ctx._security.api_key.metadata.agent_id != ctx.agent.id) {\n // Potential masquerade attempt.\n return \"mismatch\";\n }\n\n return \"verified\";\n}\n\nif (ctx?.event == null) {\n ctx.event = [:];\n}\n\nctx.event.agent_id_status = verified(ctx, params);",
"params": {
"trusted_users": [
{
"username": "elastic/fleet-server",
"realm": "_service_account"
},
{
"username": "cloud-internal-agent-server",
"realm": "found"
},
{
"username": "elastic",
"realm": "reserved"
}
]
}
}
},
{
"remove": {
"field": "_security",
"ignore_missing": true
}
},
{ "set": { "ignore_failure": true, "field": "event.module", "value": "elastic_agent" } },
{ "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } },
{ "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" }},
{ "remove": { "field": [ "module_temp" ], "ignore_missing": true, "ignore_failure": true } }
],
"on_failure": [
{
"remove": {
"field": "_security",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"append": {
"field": "error.message",
"value": [
"failed in Fleet agent final_pipeline: {{ _ingest.on_failure_message }}"
]
}
}
]
}
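Review bot: The `_meta.managed_by: fleet` / `managed: true` header and `"version": 3` mark this as the Fleet-managed final pipeline, and the four processors appended at the end of `processors` (the `event.module` set, the dataset `split` and its cleanup) are local additions; if this is installed under the name Fleet owns, Fleet setup or a stack upgrade may overwrite it and silently drop those processors, or the customised copy may shadow a newer upstream version that changes the `event.agent_id_status` verification logic. Extending the `"description"` with something like `Security Onion copy of the Fleet final pipeline; local additions are the event.module/event.dataset processors at the end` would tell a future maintainer what must be re-applied after an upgrade. Separately, the `trusted_users` entry for `cloud-internal-agent-server` in the `found` realm appears to be an Elastic Cloud-only realm that will not exist on a self-managed deployment, so it could be dropped to keep the trusted set minimal.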
@@ -1,6 +1,8 @@
{ {
"description" : "suricata.dhcp", "description" : "suricata.dhcp",
"processors" : [ "processors" : [
{ "remove": { "field": "host.hostname", "ignore_failure": true } },
{ "remove": { "field": "host.mac", "ignore_failure": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.dhcp.assigned_ip", "target_field": "dhcp.assigned_ip", "ignore_missing": true } }, { "rename": { "field": "message2.dhcp.assigned_ip", "target_field": "dhcp.assigned_ip", "ignore_missing": true } },
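Review bot: The two new `remove` processors for `host.hostname` and `host.mac` use `"ignore_failure": true`, which swallows every error, where the intent is only to tolerate the field being absent; `"ignore_missing": true` (as the Fleet final pipeline's `remove` processors in this same commit use) expresses that precisely and still surfaces unexpected failures: `{ "remove": { "field": ["host.hostname", "host.mac"], "ignore_missing": true } },`. A short `description` on the processor saying why these host fields are dropped from DHCP events (presumably because they describe the sensor rather than the DHCP client) would also help the next reader.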
@@ -1,7 +1,7 @@
{ {
"description" : "suricata.fileinfo", "description" : "suricata.fileinfo",
"processors" : [ "processors" : [
{ "set": { "field": "dataset", "value": "file" } }, { "set": { "field": "event.dataset", "value": "file" } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.fileinfo.filename", "target_field": "file.name", "ignore_missing": true } }, { "rename": { "field": "message2.fileinfo.filename", "target_field": "file.name", "ignore_missing": true } },
@@ -13,7 +13,7 @@
{ "rename": { "field": "message2.fileinfo.size", "target_field": "file.size", "ignore_missing": true } }, { "rename": { "field": "message2.fileinfo.size", "target_field": "file.size", "ignore_missing": true } },
{ "rename": { "field": "message2.fileinfo.state", "target_field": "file.state", "ignore_missing": true } }, { "rename": { "field": "message2.fileinfo.state", "target_field": "file.state", "ignore_missing": true } },
{ "rename": { "field": "message2.fileinfo.stored", "target_field": "file.saved", "ignore_missing": true } }, { "rename": { "field": "message2.fileinfo.stored", "target_field": "file.saved", "ignore_missing": true } },
{ "rename": { "field": "message2.fileinfo.sha256", "target_field": "hash.sha256", "ignore_missing": true } }, { "rename": { "field": "message2.fileinfo.sha256", "target_field": "hash.sha256", "ignore_missing": true } },
{ "set": { "if": "ctx.network?.protocol != null", "field": "file.source", "value": "{{network.protocol}}" } }, { "set": { "if": "ctx.network?.protocol != null", "field": "file.source", "value": "{{network.protocol}}" } },
{ "pipeline": { "name": "common" } } { "pipeline": { "name": "common" } }
] ]
@@ -1,12 +1,12 @@
{ {
"description" : "suricata.flow", "description" : "suricata.flow",
"processors" : [ "processors" : [
{ "set": { "field": "dataset", "value": "conn" } }, { "set": { "field": "event.dataset", "value": "conn" } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.flow.state", "target_field": "connection.state", "ignore_missing": true } }, { "rename": { "field": "message2.flow.state", "target_field": "connection.state", "ignore_missing": true } },
{ "rename": { "field": "message2.flow.bytes_toclient", "target_field": "server.ip_bytes", "ignore_missing": true } }, { "rename": { "field": "message2.flow.bytes_toclient", "target_field": "server.ip_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.flow.bytes_toserver", "target_field": "client.ip_bytes", "ignore_missing": true } }, { "rename": { "field": "message2.flow.bytes_toserver", "target_field": "client.ip_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.flow.start", "target_field": "connection.start", "ignore_missing": true } }, { "rename": { "field": "message2.flow.start", "target_field": "connection.start", "ignore_missing": true } },
{ "rename": { "field": "message2.flow.end", "target_field": "connection.end", "ignore_missing": true } }, { "rename": { "field": "message2.flow.end", "target_field": "connection.end", "ignore_missing": true } },
{ "pipeline": { "name": "common" } } { "pipeline": { "name": "common" } }
+10 -10
@@ -1,15 +1,15 @@
{ {
"description" : "suricata.krb5", "description" : "suricata.krb5",
"processors" : [ "processors" : [
{ "set": { "field": "dataset", "value": "kerberos" } }, { "set": { "field": "event.dataset", "value": "kerberos" } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.krb5.msg_type", "target_field": "kerberos.request_type", "ignore_missing": true } }, { "rename": { "field": "message2.krb5.msg_type", "target_field": "kerberos.request_type", "ignore_missing": true } },
{ "rename": { "field": "message2.krb5.cname", "target_field": "kerberos.client", "ignore_missing": true } }, { "rename": { "field": "message2.krb5.cname", "target_field": "kerberos.client", "ignore_missing": true } },
{ "rename": { "field": "message2.krb5.realm", "target_field": "kerberos.realm", "ignore_missing": true } }, { "rename": { "field": "message2.krb5.realm", "target_field": "kerberos.realm", "ignore_missing": true } },
{ "rename": { "field": "message2.krb5.sname", "target_field": "kerberos.service", "ignore_missing": true } }, { "rename": { "field": "message2.krb5.sname", "target_field": "kerberos.service", "ignore_missing": true } },
{ "rename": { "field": "message2.krb5.encryption", "target_field": "kerberos.ticket.cipher", "ignore_missing": true } }, { "rename": { "field": "message2.krb5.encryption", "target_field": "kerberos.ticket.cipher", "ignore_missing": true } },
{ "rename": { "field": "message2.krb.weak_encryption", "target_field": "kerberos.weak_encryption", "ignore_missing": true } }, { "rename": { "field": "message2.krb.weak_encryption", "target_field": "kerberos.weak_encryption", "ignore_missing": true } },
{ "pipeline": { "name": "common" } } { "pipeline": { "name": "common" } }
] ]
} }
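Review bot: The rename on the `message2.krb.weak_encryption` line uses the prefix `krb.` while every other field in this pipeline is under `message2.krb5.*`; because `ignore_missing: true` is set, the processor silently does nothing, so if Suricata emits the flag as `krb5.weak_encryption` the `kerberos.weak_encryption` field is never populated and weak-cipher Kerberos activity is not searchable. This is pre-existing context rather than something the commit introduced, but since the hunk rewrites this file it is worth fixing here: `{ "rename": { "field": "message2.krb5.weak_encryption", "target_field": "kerberos.weak_encryption", "ignore_missing": true } },`.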
+1 -1
@@ -1,7 +1,7 @@
{ {
"description" : "suricata.tls", "description" : "suricata.tls",
"processors" : [ "processors" : [
{ "set": { "field": "dataset", "value": "ssl" } }, { "set": { "field": "event.dataset", "value": "ssl" } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.tls.subject", "target_field": "ssl.certificate.subject", "ignore_missing": true } }, { "rename": { "field": "message2.tls.subject", "target_field": "ssl.certificate.subject", "ignore_missing": true } },
+16 -17
@@ -1,36 +1,35 @@
{ {
"description" : "zeek.files", "description" : "zeek.files",
"processors" : [ "processors" : [
{ "set": { "field": "event.dataset", "value": "file" } }, { "set": { "field": "event.dataset", "value": "file" } },
{ "remove": { "field": ["host"], "ignore_failure": true } }, { "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } }, { "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } },
{ "remove": { "field": "source", "ignore_missing": true } }, { "remove": { "field": "source", "ignore_missing": true } },
{ "rename": { "field": "message2.rx_hosts.0", "target_field": "destination.ip", "ignore_missing": true } }, { "rename": { "field": "message2.rx_hosts.0", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "message2.tx_hosts.0", "target_field": "source.ip", "ignore_missing": true } }, { "rename": { "field": "message2.tx_hosts.0", "target_field": "source.ip", "ignore_missing": true } },
{ "remove": { "field": "message2.rx_hosts", "ignore_missing": true } }, { "remove": { "field": "message2.rx_hosts", "ignore_missing": true } },
{ "remove": { "field": "message2.tx_hosts", "ignore_missing": true } }, { "remove": { "field": "message2.tx_hosts", "ignore_missing": true } },
{ "rename": { "field": "message2.conn_uids", "target_field": "log.id.uid", "ignore_missing": true } }, { "rename": { "field": "message2.conn_uids", "target_field": "log.id.uid", "ignore_missing": true } },
{ "rename": { "field": "message2.source", "target_field": "file.source", "ignore_missing": true } }, { "rename": { "field": "message2.source", "target_field": "file.source", "ignore_missing": true } },
{ "rename": { "field": "message2.depth", "target_field": "file.depth", "ignore_missing": true } }, { "rename": { "field": "message2.depth", "target_field": "file.depth", "ignore_missing": true } },
{ "rename": { "field": "message2.analyzers", "target_field": "file.analyzer", "ignore_missing": true } }, { "rename": { "field": "message2.analyzers", "target_field": "file.analyzer", "ignore_missing": true } },
{ "rename": { "field": "message2.mime_type", "target_field": "file.mime_type", "ignore_missing": true } }, { "rename": { "field": "message2.mime_type", "target_field": "file.mime_type", "ignore_missing": true } },
{ "rename": { "field": "message2.filename", "target_field": "file.name", "ignore_missing": true } }, { "rename": { "field": "message2.filename", "target_field": "file.name", "ignore_missing": true } },
{ "rename": { "field": "message2.duration", "target_field": "event.duration", "ignore_missing": true } }, { "rename": { "field": "message2.duration", "target_field": "event.duration", "ignore_missing": true } },
{ "rename": { "field": "message2.local_orig", "target_field": "file.local_orig", "ignore_missing": true } }, { "rename": { "field": "message2.local_orig", "target_field": "file.local_orig", "ignore_missing": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "file.is_orig", "ignore_missing": true } }, { "rename": { "field": "message2.is_orig", "target_field": "file.is_orig", "ignore_missing": true } },
{ "rename": { "field": "message2.seen_bytes", "target_field": "file.bytes.seen", "ignore_missing": true } }, { "rename": { "field": "message2.seen_bytes", "target_field": "file.bytes.seen", "ignore_missing": true } },
{ "rename": { "field": "message2.total_bytes", "target_field": "file.bytes.total", "ignore_missing": true } }, { "rename": { "field": "message2.total_bytes", "target_field": "file.bytes.total", "ignore_missing": true } },
{ "rename": { "field": "message2.missing_bytes", "target_field": "file.bytes.missing", "ignore_missing": true } }, { "rename": { "field": "message2.missing_bytes", "target_field": "file.bytes.missing", "ignore_missing": true } },
{ "rename": { "field": "message2.overflow_bytes", "target_field": "file.bytes.overflow", "ignore_missing": true } }, { "rename": { "field": "message2.overflow_bytes", "target_field": "file.bytes.overflow", "ignore_missing": true } },
{ "rename": { "field": "message2.timedout", "target_field": "file.timed_out", "ignore_missing": true } }, { "rename": { "field": "message2.timedout", "target_field": "file.timed_out", "ignore_missing": true } },
{ "rename": { "field": "message2.parent_fuid", "target_field": "log.id.parent_fuid", "ignore_missing": true } }, { "rename": { "field": "message2.parent_fuid", "target_field": "log.id.parent_fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.md5", "target_field": "hash.md5", "ignore_missing": true } }, { "rename": { "field": "message2.md5", "target_field": "hash.md5", "ignore_missing": true } },
{ "rename": { "field": "message2.sha1", "target_field": "hash.sha1", "ignore_missing": true } }, { "rename": { "field": "message2.sha1", "target_field": "hash.sha1", "ignore_missing": true } },
{ "rename": { "field": "message2.extracted", "target_field": "file.extracted.filename", "ignore_missing": true } }, { "rename": { "field": "message2.extracted", "target_field": "file.extracted.filename", "ignore_missing": true } },
{ "rename": { "field": "message2.extracted_cutoff", "target_field": "file.extracted.cutoff", "ignore_missing": true } }, { "rename": { "field": "message2.extracted_cutoff", "target_field": "file.extracted.cutoff", "ignore_missing": true } },
{ "rename": { "field": "message2.extracted_size", "target_field": "file.extracted.size", "ignore_missing": true } }, { "rename": { "field": "message2.extracted_size", "target_field": "file.extracted.size", "ignore_missing": true } },
{ "set": { "field": "dataset", "value": "file" } },
{ "pipeline": { "name": "zeek.common" } } { "pipeline": { "name": "zeek.common" } }
] ]
} }
@@ -1,505 +1,329 @@
{ {"template": {
"template": { "settings": {
"settings": { "index": {
"analysis": { "lifecycle": {
"analyzer": { "name": "logs"
"es_security_analyzer": { },
"type": "custom", "codec": "best_compression",
"char_filter": [ "default_pipeline": "logs-elastic_agent.apm_server-1.7.0",
"whitespace_no_way" "mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
], ],
"filter": [ "properties": {
"lowercase", "cloud": {
"trim" "properties": {
], "availability_zone": {
"tokenizer": "keyword" "ignore_above": 1024,
} "type": "keyword"
}, },
"char_filter": { "image": {
"whitespace_no_way": { "properties": {
"type": "pattern_replace", "id": {
"pattern": "(\\s)+", "ignore_above": 1024,
"replacement": "$1" "type": "keyword"
} }
}, }
"filter": { },
"path_hierarchy_pattern_filter": { "instance": {
"type": "pattern_capture", "properties": {
"preserve_original": true, "name": {
"patterns": [ "ignore_above": 1024,
"((?:[^\\\\]*\\\\)*)(.*)", "type": "keyword"
"((?:[^/]*/)*)(.*)" },
] "id": {
} "ignore_above": 1024,
}, "type": "keyword"
"tokenizer": { }
"path_tokenizer": { }
"type": "path_hierarchy", },
"delimiter": "\\" "provider": {
} "ignore_above": 1024,
} "type": "keyword"
}, },
"index": { "machine": {
"lifecycle": { "properties": {
"name": "logs" "type": {
}, "ignore_above": 1024,
"codec": "best_compression", "type": "keyword"
"mapping": { }
"total_fields": { }
"limit": "10000" },
} "project": {
}, "properties": {
"query": { "id": {
"default_field": [ "ignore_above": 1024,
"cloud.account.id", "type": "keyword"
"cloud.availability_zone", }
"cloud.instance.id", }
"cloud.instance.name", },
"cloud.machine.type", "region": {
"cloud.provider", "ignore_above": 1024,
"cloud.region", "type": "keyword"
"cloud.project.id", },
"cloud.image.id", "account": {
"container.id", "properties": {
"container.image.name", "id": {
"container.name", "ignore_above": 1024,
"host.architecture", "type": "keyword"
"host.domain", }
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
} }
} }
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
} }
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
} }
}, },
"elastic_agent": { "_meta": {
"properties": { "package": {
"process": { "name": "elastic_agent"
"ignore_above": 1024, },
"type": "keyword" "managed_by": "fleet",
, "managed": true
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
} }
} }
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
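Review bot: The new side of this template pins `"default_pipeline": "logs-elastic_agent.apm_server-1.7.0"` in the index settings, but nothing in this hunk installs a pipeline of that name, and Elasticsearch rejects every write to the data stream if the default pipeline does not exist when the index is created. If Security Onion loads these templates itself rather than letting Fleet install the package, the load order should guarantee the pipeline is present first, or the name should come from the same version variable that the rest of the 1.7.0 templates use so a package bump cannot leave the template pointing at a stale pipeline. The hunk also drops the `es_security_analyzer` analyzer and every `*.security` text subfield, which silently breaks any saved search, dashboard or detection rule that still queries those subfields; that deserves an explicit changelog note and a check of shipped Kibana objects.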
@@ -1,505 +1,329 @@
{ {"template": {
"template": { "settings": {
"settings": { "index": {
"analysis": { "lifecycle": {
"analyzer": { "name": "logs"
"es_security_analyzer": { },
"type": "custom", "codec": "best_compression",
"char_filter": [ "default_pipeline": "logs-elastic_agent.auditbeat-1.7.0",
"whitespace_no_way" "mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
], ],
"filter": [ "properties": {
"lowercase", "cloud": {
"trim" "properties": {
], "availability_zone": {
"tokenizer": "keyword" "ignore_above": 1024,
} "type": "keyword"
}, },
"char_filter": { "image": {
"whitespace_no_way": { "properties": {
"type": "pattern_replace", "id": {
"pattern": "(\\s)+", "ignore_above": 1024,
"replacement": "$1" "type": "keyword"
} }
}, }
"filter": { },
"path_hierarchy_pattern_filter": { "instance": {
"type": "pattern_capture", "properties": {
"preserve_original": true, "name": {
"patterns": [ "ignore_above": 1024,
"((?:[^\\\\]*\\\\)*)(.*)", "type": "keyword"
"((?:[^/]*/)*)(.*)" },
] "id": {
} "ignore_above": 1024,
}, "type": "keyword"
"tokenizer": { }
"path_tokenizer": { }
"type": "path_hierarchy", },
"delimiter": "\\" "provider": {
} "ignore_above": 1024,
} "type": "keyword"
}, },
"index": { "machine": {
"lifecycle": { "properties": {
"name": "logs" "type": {
}, "ignore_above": 1024,
"codec": "best_compression", "type": "keyword"
"mapping": { }
"total_fields": { }
"limit": "10000" },
} "project": {
}, "properties": {
"query": { "id": {
"default_field": [ "ignore_above": 1024,
"cloud.account.id", "type": "keyword"
"cloud.availability_zone", }
"cloud.instance.id", }
"cloud.instance.name", },
"cloud.machine.type", "region": {
"cloud.provider", "ignore_above": 1024,
"cloud.region", "type": "keyword"
"cloud.project.id", },
"cloud.image.id", "account": {
"container.id", "properties": {
"container.image.name", "id": {
"container.name", "ignore_above": 1024,
"host.architecture", "type": "keyword"
"host.domain", }
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
} }
} }
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
} }
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
} }
}, },
"elastic_agent": { "_meta": {
"properties": { "package": {
"process": { "name": "elastic_agent"
"ignore_above": 1024, },
"type": "keyword" "managed_by": "fleet",
, "managed": true
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
} }
} }
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
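Review bot: The new template keeps `"_meta": { "managed_by": "fleet", "managed": true }` while this repository hand-maintains the file and adds its own `"default_pipeline": "logs-elastic_agent.auditbeat-1.7.0"` setting; Fleet treats templates flagged this way as package-owned and is expected to overwrite them on package install or upgrade, which would drop any local customization without warning. If these files are deliberately managed by Security Onion, consider setting `"managed": false` (or a distinct `managed_by` value) so operators and Fleet can tell the two ownership models apart. As with the other agent templates, the referenced pipeline must exist before the first index is rolled over or writes to the data stream will fail.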
@@ -1,510 +1,339 @@
{ {"template": {
"template": { "settings": {
"settings": { "index": {
"analysis": { "lifecycle": {
"analyzer": { "name": "logs"
"es_security_analyzer": { },
"type": "custom", "codec": "best_compression",
"char_filter": [ "default_pipeline": "logs-elastic_agent.cloudbeat-1.7.0",
"whitespace_no_way" "mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"decision_id",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
], ],
"filter": [ "properties": {
"lowercase", "container": {
"trim" "properties": {
], "image": {
"tokenizer": "keyword" "properties": {
} "name": {
}, "ignore_above": 1024,
"char_filter": { "type": "keyword"
"whitespace_no_way": { }
"type": "pattern_replace", }
"pattern": "(\\s)+", },
"replacement": "$1" "name": {
} "ignore_above": 1024,
}, "type": "keyword"
"filter": { },
"path_hierarchy_pattern_filter": { "id": {
"type": "pattern_capture", "ignore_above": 1024,
"preserve_original": true, "type": "keyword"
"patterns": [ }
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
} },
}, "agent": {
"instance": { "properties": {
"properties": { "build": {
"name": { "properties": {
"ignore_above": 1024, "original": {
"type": "keyword" "ignore_above": 1024,
, "type": "keyword"
"fields": { }
"security": { }
"type": "text", },
"analyzer": "es_security_analyzer"} "name": {
} "ignore_above": 1024,
}, "type": "keyword"
"id": { },
"ignore_above": 1024, "id": {
"type": "keyword" "ignore_above": 1024,
, "type": "keyword"
"fields": { },
"security": { "ephemeral_id": {
"type": "text", "ignore_above": 1024,
"analyzer": "es_security_analyzer"} "type": "keyword"
} },
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
} }
} },
}, "log": {
"provider": { "properties": {
"ignore_above": 1024, "level": {
"type": "keyword" "ignore_above": 1024,
, "type": "keyword"
"fields": { }
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
} },
}, "elastic_agent": {
"project": { "properties": {
"properties": { "process": {
"id": { "ignore_above": 1024,
"ignore_above": 1024, "type": "keyword"
"type": "keyword" },
, "id": {
"fields": { "ignore_above": 1024,
"security": { "type": "keyword"
"type": "text", },
"analyzer": "es_security_analyzer"} "version": {
} "ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
} }
} },
}, "message": {
"region": { "type": "match_only_text"
"ignore_above": 1024, },
"type": "keyword" "cloud": {
, "properties": {
"fields": { "availability_zone": {
"security": { "ignore_above": 1024,
"type": "text", "type": "keyword"
"analyzer": "es_security_analyzer"} },
} "image": {
}, "properties": {
"account": { "id": {
"properties": { "ignore_above": 1024,
"id": { "type": "keyword"
"ignore_above": 1024, }
"type": "keyword" }
, },
"fields": { "instance": {
"security": { "properties": {
"type": "text", "name": {
"analyzer": "es_security_analyzer"} "ignore_above": 1024,
} "type": "keyword"
} },
} "id": {
} "ignore_above": 1024,
} "type": "keyword"
}, }
"container": { }
"properties": { },
"image": { "provider": {
"properties": { "ignore_above": 1024,
"name": { "type": "keyword"
"ignore_above": 1024, },
"type": "keyword" "machine": {
, "properties": {
"fields": { "type": {
"security": { "ignore_above": 1024,
"type": "text", "type": "keyword"
"analyzer": "es_security_analyzer"} }
} }
} },
} "project": {
}, "properties": {
"name": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
, }
"fields": { }
"security": { },
"type": "text", "region": {
"analyzer": "es_security_analyzer"} "ignore_above": 1024,
} "type": "keyword"
}, },
"id": { "account": {
"ignore_above": 1024, "properties": {
"type": "keyword" "id": {
, "ignore_above": 1024,
"fields": { "type": "keyword"
"security": { }
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
} }
} }
}, }
"family": { },
"ignore_above": 1024, "result": {
"type": "keyword" "type": "object"
, },
"fields": { "input": {
"security": { "type": "object"
"type": "text", },
"analyzer": "es_security_analyzer"} "@timestamp": {
} "type": "date"
}, },
"version": { "ecs": {
"ignore_above": 1024, "properties": {
"type": "keyword" "version": {
, "ignore_above": 1024,
"fields": { "type": "keyword"
"security": { }
"type": "text", }
"analyzer": "es_security_analyzer"} },
} "decision_id": {
}, "type": "text"
"platform": { },
"ignore_above": 1024, "data_stream": {
"type": "keyword" "properties": {
, "namespace": {
"fields": { "type": "constant_keyword"
"security": { },
"type": "text", "type": {
"analyzer": "es_security_analyzer"} "type": "constant_keyword"
} },
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
} }
} }
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
} }
}, },
"elastic_agent": { "_meta": {
"properties": { "package": {
"process": { "name": "elastic_agent"
"ignore_above": 1024, },
"type": "keyword" "managed_by": "fleet",
, "managed": true
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
} }
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
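Review bot: On the new side `result` and `input` are mapped as bare `"type": "object"` under a root `"dynamic": false`, so any fields beneath them are stored in `_source` but are not indexed and cannot be searched or aggregated; if these carry cloudbeat finding details that analysts are expected to query, either enumerate their `properties` or set `"dynamic": true` on those two objects. Likewise `decision_id` is mapped as plain `"type": "text"` with no `keyword` subfield, which prevents exact-match filtering and aggregation on what looks like an identifier; `"decision_id": { "type": "keyword", "ignore_above": 1024 }` would be the conventional mapping. The `message` field also changes from `keyword` to `match_only_text`, which is fine for full-text search but drops exact-value filtering on it, and `decision_id` is listed in `query.default_field` so the intent seems to be that it is searchable.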
@@ -1,505 +1,329 @@
{ {"template": {
"template": { "settings": {
"settings": { "index": {
"analysis": { "lifecycle": {
"analyzer": { "name": "logs"
"es_security_analyzer": { },
"type": "custom", "codec": "best_compression",
"char_filter": [ "default_pipeline": "logs-elastic_agent.endpoint_security-1.7.0",
"whitespace_no_way" "mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
], ],
"filter": [ "properties": {
"lowercase", "cloud": {
"trim" "properties": {
], "availability_zone": {
"tokenizer": "keyword" "ignore_above": 1024,
} "type": "keyword"
}, },
"char_filter": { "image": {
"whitespace_no_way": { "properties": {
"type": "pattern_replace", "id": {
"pattern": "(\\s)+", "ignore_above": 1024,
"replacement": "$1" "type": "keyword"
} }
}, }
"filter": { },
"path_hierarchy_pattern_filter": { "instance": {
"type": "pattern_capture", "properties": {
"preserve_original": true, "name": {
"patterns": [ "ignore_above": 1024,
"((?:[^\\\\]*\\\\)*)(.*)", "type": "keyword"
"((?:[^/]*/)*)(.*)" },
] "id": {
} "ignore_above": 1024,
}, "type": "keyword"
"tokenizer": { }
"path_tokenizer": { }
"type": "path_hierarchy", },
"delimiter": "\\" "provider": {
} "ignore_above": 1024,
} "type": "keyword"
}, },
"index": { "machine": {
"lifecycle": { "properties": {
"name": "logs" "type": {
}, "ignore_above": 1024,
"codec": "best_compression", "type": "keyword"
"mapping": { }
"total_fields": { }
"limit": "10000" },
} "project": {
}, "properties": {
"query": { "id": {
"default_field": [ "ignore_above": 1024,
"cloud.account.id", "type": "keyword"
"cloud.availability_zone", }
"cloud.instance.id", }
"cloud.instance.name", },
"cloud.machine.type", "region": {
"cloud.provider", "ignore_above": 1024,
"cloud.region", "type": "keyword"
"cloud.project.id", },
"cloud.image.id", "account": {
"container.id", "properties": {
"container.image.name", "id": {
"container.name", "ignore_above": 1024,
"host.architecture", "type": "keyword"
"host.domain", }
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
} }
} }
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
} }
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
} }
}, },
"elastic_agent": { "_meta": {
"properties": { "package": {
"process": { "name": "elastic_agent"
"ignore_above": 1024, },
"type": "keyword" "managed_by": "fleet",
, "managed": true
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
} }
} }
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
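Review bot: On the new side (the right-hand column, inferred from the hunk's 505→329 line counts since the rendering merges both columns) `default_pipeline` is hard-pinned to `"logs-elastic_agent.endpoint_security-1.7.0"`; once that exact pipeline is absent, e.g. after the integration package is upgraded and old pipelines are pruned before these templates are regenerated, every index created from this template rejects documents with a pipeline-not-found error, which for a security data stream means loss of telemetry that is easy to miss until someone notices an empty index. The same pin appears in the filebeat, fleet_server and heartbeat hunks below. The new side also carries `"managed_by": "fleet", "managed": true` while being shipped from this repository, so Fleet's package install can overwrite the template (or vice versa) and the effective mapping depends on install order; a comment in whatever loads these templates, stating that the pipeline version must match the installed package and which side is the authoritative owner, would make that dependency visible to the next maintainer. Since the `es_security_analyzer` definition and every `.security` multi-field are gone on the new side, any saved query, detection or dashboard that referenced those subfields on these data streams should be checked before merge.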
@@ -1,505 +1,329 @@
{ {"template": {
"template": { "settings": {
"settings": { "index": {
"analysis": { "lifecycle": {
"analyzer": { "name": "logs"
"es_security_analyzer": { },
"type": "custom", "codec": "best_compression",
"char_filter": [ "default_pipeline": "logs-elastic_agent.filebeat-1.7.0",
"whitespace_no_way" "mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
], ],
"filter": [ "properties": {
"lowercase", "cloud": {
"trim" "properties": {
], "availability_zone": {
"tokenizer": "keyword" "ignore_above": 1024,
} "type": "keyword"
}, },
"char_filter": { "image": {
"whitespace_no_way": { "properties": {
"type": "pattern_replace", "id": {
"pattern": "(\\s)+", "ignore_above": 1024,
"replacement": "$1" "type": "keyword"
} }
}, }
"filter": { },
"path_hierarchy_pattern_filter": { "instance": {
"type": "pattern_capture", "properties": {
"preserve_original": true, "name": {
"patterns": [ "ignore_above": 1024,
"((?:[^\\\\]*\\\\)*)(.*)", "type": "keyword"
"((?:[^/]*/)*)(.*)" },
] "id": {
} "ignore_above": 1024,
}, "type": "keyword"
"tokenizer": { }
"path_tokenizer": { }
"type": "path_hierarchy", },
"delimiter": "\\" "provider": {
} "ignore_above": 1024,
} "type": "keyword"
}, },
"index": { "machine": {
"lifecycle": { "properties": {
"name": "logs" "type": {
}, "ignore_above": 1024,
"codec": "best_compression", "type": "keyword"
"mapping": { }
"total_fields": { }
"limit": "10000" },
} "project": {
}, "properties": {
"query": { "id": {
"default_field": [ "ignore_above": 1024,
"cloud.account.id", "type": "keyword"
"cloud.availability_zone", }
"cloud.instance.id", }
"cloud.instance.name", },
"cloud.machine.type", "region": {
"cloud.provider", "ignore_above": 1024,
"cloud.region", "type": "keyword"
"cloud.project.id", },
"cloud.image.id", "account": {
"container.id", "properties": {
"container.image.name", "id": {
"container.name", "ignore_above": 1024,
"host.architecture", "type": "keyword"
"host.domain", }
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
} }
} }
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
} }
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
} }
}, },
"elastic_agent": { "_meta": {
"properties": { "package": {
"process": { "name": "elastic_agent"
"ignore_above": 1024, },
"type": "keyword" "managed_by": "fleet",
, "managed": true
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
} }
} }
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
@@ -1,505 +1,329 @@
{ {"template": {
"template": { "settings": {
"settings": { "index": {
"analysis": { "lifecycle": {
"analyzer": { "name": "logs"
"es_security_analyzer": { },
"type": "custom", "codec": "best_compression",
"char_filter": [ "default_pipeline": "logs-elastic_agent.fleet_server-1.7.0",
"whitespace_no_way" "mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
], ],
"filter": [ "properties": {
"lowercase", "cloud": {
"trim" "properties": {
], "availability_zone": {
"tokenizer": "keyword" "ignore_above": 1024,
} "type": "keyword"
}, },
"char_filter": { "image": {
"whitespace_no_way": { "properties": {
"type": "pattern_replace", "id": {
"pattern": "(\\s)+", "ignore_above": 1024,
"replacement": "$1" "type": "keyword"
} }
}, }
"filter": { },
"path_hierarchy_pattern_filter": { "instance": {
"type": "pattern_capture", "properties": {
"preserve_original": true, "name": {
"patterns": [ "ignore_above": 1024,
"((?:[^\\\\]*\\\\)*)(.*)", "type": "keyword"
"((?:[^/]*/)*)(.*)" },
] "id": {
} "ignore_above": 1024,
}, "type": "keyword"
"tokenizer": { }
"path_tokenizer": { }
"type": "path_hierarchy", },
"delimiter": "\\" "provider": {
} "ignore_above": 1024,
} "type": "keyword"
}, },
"index": { "machine": {
"lifecycle": { "properties": {
"name": "logs" "type": {
}, "ignore_above": 1024,
"codec": "best_compression", "type": "keyword"
"mapping": { }
"total_fields": { }
"limit": "10000" },
} "project": {
}, "properties": {
"query": { "id": {
"default_field": [ "ignore_above": 1024,
"cloud.account.id", "type": "keyword"
"cloud.availability_zone", }
"cloud.instance.id", }
"cloud.instance.name", },
"cloud.machine.type", "region": {
"cloud.provider", "ignore_above": 1024,
"cloud.region", "type": "keyword"
"cloud.project.id", },
"cloud.image.id", "account": {
"container.id", "properties": {
"container.image.name", "id": {
"container.name", "ignore_above": 1024,
"host.architecture", "type": "keyword"
"host.domain", }
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
} }
} }
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
} }
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
} }
}, },
"elastic_agent": { "_meta": {
"properties": { "package": {
"process": { "name": "elastic_agent"
"ignore_above": 1024, },
"type": "keyword" "managed_by": "fleet",
, "managed": true
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
} }
} }
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
@@ -1,505 +1,329 @@
{ {"template": {
"template": { "settings": {
"settings": { "index": {
"analysis": { "lifecycle": {
"analyzer": { "name": "logs"
"es_security_analyzer": { },
"type": "custom", "codec": "best_compression",
"char_filter": [ "default_pipeline": "logs-elastic_agent.heartbeat-1.7.0",
"whitespace_no_way" "mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
], ],
"filter": [ "properties": {
"lowercase", "cloud": {
"trim" "properties": {
], "availability_zone": {
"tokenizer": "keyword" "ignore_above": 1024,
} "type": "keyword"
}, },
"char_filter": { "image": {
"whitespace_no_way": { "properties": {
"type": "pattern_replace", "id": {
"pattern": "(\\s)+", "ignore_above": 1024,
"replacement": "$1" "type": "keyword"
} }
}, }
"filter": { },
"path_hierarchy_pattern_filter": { "instance": {
"type": "pattern_capture", "properties": {
"preserve_original": true, "name": {
"patterns": [ "ignore_above": 1024,
"((?:[^\\\\]*\\\\)*)(.*)", "type": "keyword"
"((?:[^/]*/)*)(.*)" },
] "id": {
} "ignore_above": 1024,
}, "type": "keyword"
"tokenizer": { }
"path_tokenizer": { }
"type": "path_hierarchy", },
"delimiter": "\\" "provider": {
} "ignore_above": 1024,
} "type": "keyword"
}, },
"index": { "machine": {
"lifecycle": { "properties": {
"name": "logs" "type": {
}, "ignore_above": 1024,
"codec": "best_compression", "type": "keyword"
"mapping": { }
"total_fields": { }
"limit": "10000" },
} "project": {
}, "properties": {
"query": { "id": {
"default_field": [ "ignore_above": 1024,
"cloud.account.id", "type": "keyword"
"cloud.availability_zone", }
"cloud.instance.id", }
"cloud.instance.name", },
"cloud.machine.type", "region": {
"cloud.provider", "ignore_above": 1024,
"cloud.region", "type": "keyword"
"cloud.project.id", },
"cloud.image.id", "account": {
"container.id", "properties": {
"container.image.name", "id": {
"container.name", "ignore_above": 1024,
"host.architecture", "type": "keyword"
"host.domain", }
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
} }
} }
}, }
"family": { },
"ignore_above": 1024, "container": {
"type": "keyword" "properties": {
, "image": {
"fields": { "properties": {
"security": { "name": {
"type": "text", "ignore_above": 1024,
"analyzer": "es_security_analyzer"} "type": "keyword"
} }
}, }
"version": { },
"ignore_above": 1024, "name": {
"type": "keyword" "ignore_above": 1024,
, "type": "keyword"
"fields": { },
"security": { "id": {
"type": "text", "ignore_above": 1024,
"analyzer": "es_security_analyzer"} "type": "keyword"
} }
}, }
"platform": { },
"ignore_above": 1024, "agent": {
"type": "keyword" "properties": {
, "build": {
"fields": { "properties": {
"security": { "original": {
"type": "text", "ignore_above": 1024,
"analyzer": "es_security_analyzer"} "type": "keyword"
} }
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"message": {
"type": "text"
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
} }
} }
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
} }
}, },
"elastic_agent": { "_meta": {
"properties": { "package": {
"process": { "name": "elastic_agent"
"ignore_above": 1024, },
"type": "keyword" "managed_by": "fleet",
, "managed": true
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"message": {
"type": "text"
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
} }
} }
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
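Review bot: `host.domain` stays mapped as a keyword in the new template (the `"domain"` entry under `host.properties`) but is no longer listed in `index.query.default_field`, so a query_string search without an explicit field that previously matched on the domain will silently stop doing so; either restore `"host.domain",` after `"host.architecture",` in the default_field list or document in the template that the omission is intentional. The new `"default_pipeline": "logs-elastic_agent.heartbeat-1.7.0"` pins a package-versioned ingest pipeline, and Elasticsearch rejects writes to an index whose default pipeline does not exist, so this name has to be kept in step with the version of the Elastic Agent pipelines actually provisioned on the cluster. Reading the left column as the old side (consistent with the -505/+329 counts), the `es_security_analyzer` analysis settings and every `*.security` sub-field are dropped, which breaks any saved search, dashboard or detection rule that targets e.g. `host.name.security` on these data streams. The same three points apply to the metricbeat and osquerybeat hunks that follow.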
@@ -1,505 +1,329 @@
{ {"template": {
"template": { "settings": {
"settings": { "index": {
"analysis": { "lifecycle": {
"analyzer": { "name": "logs"
"es_security_analyzer": { },
"type": "custom", "codec": "best_compression",
"char_filter": [ "default_pipeline": "logs-elastic_agent.metricbeat-1.7.0",
"whitespace_no_way" "mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
], ],
"filter": [ "properties": {
"lowercase", "cloud": {
"trim" "properties": {
], "availability_zone": {
"tokenizer": "keyword" "ignore_above": 1024,
} "type": "keyword"
}, },
"char_filter": { "image": {
"whitespace_no_way": { "properties": {
"type": "pattern_replace", "id": {
"pattern": "(\\s)+", "ignore_above": 1024,
"replacement": "$1" "type": "keyword"
} }
}, }
"filter": { },
"path_hierarchy_pattern_filter": { "instance": {
"type": "pattern_capture", "properties": {
"preserve_original": true, "name": {
"patterns": [ "ignore_above": 1024,
"((?:[^\\\\]*\\\\)*)(.*)", "type": "keyword"
"((?:[^/]*/)*)(.*)" },
] "id": {
} "ignore_above": 1024,
}, "type": "keyword"
"tokenizer": { }
"path_tokenizer": { }
"type": "path_hierarchy", },
"delimiter": "\\" "provider": {
} "ignore_above": 1024,
} "type": "keyword"
}, },
"index": { "machine": {
"lifecycle": { "properties": {
"name": "logs" "type": {
}, "ignore_above": 1024,
"codec": "best_compression", "type": "keyword"
"mapping": { }
"total_fields": { }
"limit": "10000" },
} "project": {
}, "properties": {
"query": { "id": {
"default_field": [ "ignore_above": 1024,
"cloud.account.id", "type": "keyword"
"cloud.availability_zone", }
"cloud.instance.id", }
"cloud.instance.name", },
"cloud.machine.type", "region": {
"cloud.provider", "ignore_above": 1024,
"cloud.region", "type": "keyword"
"cloud.project.id", },
"cloud.image.id", "account": {
"container.id", "properties": {
"container.image.name", "id": {
"container.name", "ignore_above": 1024,
"host.architecture", "type": "keyword"
"host.domain", }
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
} }
} }
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
} }
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
} }
}, },
"elastic_agent": { "_meta": {
"properties": { "package": {
"process": { "name": "elastic_agent"
"ignore_above": 1024, },
"type": "keyword" "managed_by": "fleet",
, "managed": true
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
} }
} }
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
@@ -1,505 +1,329 @@
{ {"template": {
"template": { "settings": {
"settings": { "index": {
"analysis": { "lifecycle": {
"analyzer": { "name": "logs"
"es_security_analyzer": { },
"type": "custom", "codec": "best_compression",
"char_filter": [ "default_pipeline": "logs-elastic_agent.osquerybeat-1.7.0",
"whitespace_no_way" "mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
], ],
"filter": [ "properties": {
"lowercase", "cloud": {
"trim" "properties": {
], "availability_zone": {
"tokenizer": "keyword" "ignore_above": 1024,
} "type": "keyword"
}, },
"char_filter": { "image": {
"whitespace_no_way": { "properties": {
"type": "pattern_replace", "id": {
"pattern": "(\\s)+", "ignore_above": 1024,
"replacement": "$1" "type": "keyword"
} }
}, }
"filter": { },
"path_hierarchy_pattern_filter": { "instance": {
"type": "pattern_capture", "properties": {
"preserve_original": true, "name": {
"patterns": [ "ignore_above": 1024,
"((?:[^\\\\]*\\\\)*)(.*)", "type": "keyword"
"((?:[^/]*/)*)(.*)" },
] "id": {
} "ignore_above": 1024,
}, "type": "keyword"
"tokenizer": { }
"path_tokenizer": { }
"type": "path_hierarchy", },
"delimiter": "\\" "provider": {
} "ignore_above": 1024,
} "type": "keyword"
}, },
"index": { "machine": {
"lifecycle": { "properties": {
"name": "logs" "type": {
}, "ignore_above": 1024,
"codec": "best_compression", "type": "keyword"
"mapping": { }
"total_fields": { }
"limit": "10000" },
} "project": {
}, "properties": {
"query": { "id": {
"default_field": [ "ignore_above": 1024,
"cloud.account.id", "type": "keyword"
"cloud.availability_zone", }
"cloud.instance.id", }
"cloud.instance.name", },
"cloud.machine.type", "region": {
"cloud.provider", "ignore_above": 1024,
"cloud.region", "type": "keyword"
"cloud.project.id", },
"cloud.image.id", "account": {
"container.id", "properties": {
"container.image.name", "id": {
"container.name", "ignore_above": 1024,
"host.architecture", "type": "keyword"
"host.domain", }
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
} }
} }
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
} }
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
} }
}, },
"elastic_agent": { "_meta": {
"properties": { "package": {
"process": { "name": "elastic_agent"
"ignore_above": 1024, },
"type": "keyword" "managed_by": "fleet",
, "managed": true
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
} }
} }
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
@@ -1,498 +1,322 @@
{ {"template": {
"template": { "settings": {
"settings": { "index": {
"analysis": { "lifecycle": {
"analyzer": { "name": "logs"
"es_security_analyzer": { },
"type": "custom", "codec": "best_compression",
"char_filter": [ "default_pipeline": "logs-elastic_agent.packetbeat-1.7.0",
"whitespace_no_way" "mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
], ],
"filter": [ "properties": {
"lowercase", "cloud": {
"trim" "properties": {
], "availability_zone": {
"tokenizer": "keyword" "ignore_above": 1024,
} "type": "keyword"
}, },
"char_filter": { "image": {
"whitespace_no_way": { "properties": {
"type": "pattern_replace", "id": {
"pattern": "(\\s)+", "ignore_above": 1024,
"replacement": "$1" "type": "keyword"
} }
}, }
"filter": { },
"path_hierarchy_pattern_filter": { "instance": {
"type": "pattern_capture", "properties": {
"preserve_original": true, "name": {
"patterns": [ "ignore_above": 1024,
"((?:[^\\\\]*\\\\)*)(.*)", "type": "keyword"
"((?:[^/]*/)*)(.*)" },
] "id": {
} "ignore_above": 1024,
}, "type": "keyword"
"tokenizer": { }
"path_tokenizer": { }
"type": "path_hierarchy", },
"delimiter": "\\" "provider": {
} "ignore_above": 1024,
} "type": "keyword"
}, },
"index": { "machine": {
"lifecycle": { "properties": {
"name": "logs" "type": {
}, "ignore_above": 1024,
"codec": "best_compression", "type": "keyword"
"mapping": { }
"total_fields": { }
"limit": "10000" },
} "project": {
}, "properties": {
"query": { "id": {
"default_field": [ "ignore_above": 1024,
"cloud.account.id", "type": "keyword"
"cloud.availability_zone", }
"cloud.instance.id", }
"cloud.instance.name", },
"cloud.machine.type", "region": {
"cloud.provider", "ignore_above": 1024,
"cloud.region", "type": "keyword"
"cloud.project.id", },
"cloud.image.id", "account": {
"container.id", "properties": {
"container.image.name", "id": {
"container.name", "ignore_above": 1024,
"host.architecture", "type": "keyword"
"host.domain", }
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
} }
} }
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
}
},
"message": {
"type": "text"
} }
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
} }
}, },
"elastic_agent": { "_meta": {
"properties": { "package": {
"process": { "name": "elastic_agent"
"ignore_above": 1024, },
"type": "keyword" "managed_by": "fleet",
, "managed": true
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"message": {
"type": "text"
} }
} }
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
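Review bot: The new side of this section drops the `es_security_analyzer` definition under `settings.analysis` and the `"security"` text subfield that the old mapping attached to every keyword field (compare the old `host.name` block with the new one at `"name": {"ignore_above": 1024, "type": "keyword"}`), so any saved search or rule that targets a `<field>.security` subfield will stop matching unless that analyzer and those subfields are now contributed by a separate component template; please confirm that is the case before merging. The new `"default_pipeline": "logs-elastic_agent.packetbeat-1.7.0"` pins an ingest pipeline by versioned name, and indexing into the data stream fails with a pipeline-not-found error if that exact pipeline is not loaded together with the template, so the template and pipeline versions need to be kept in lock-step. `host.domain` is still mapped in the new `host` properties but is no longer listed in `index.query.default_field`, whereas the old side listed it; if that omission is not intentional, add `"host.domain",` back after `"host.architecture",`. The same three points apply to the next section (`@@ -1,505 +1,382 @@`, pipeline `logs-elastic_agent-1.7.0`).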
@@ -1,505 +1,382 @@
{ {"template": {
"template": { "settings": {
"settings": { "index": {
"analysis": { "lifecycle": {
"analyzer": { "name": "logs"
"es_security_analyzer": { },
"type": "custom", "codec": "best_compression",
"char_filter": [ "default_pipeline": "logs-elastic_agent-1.7.0",
"whitespace_no_way" "mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"ecs.version",
"agent.build.original",
"agent.ephemeral_id",
"agent.id",
"agent.name",
"agent.type",
"agent.version",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version",
"component.id",
"component.type",
"component.binary",
"component.state",
"component.old_state",
"unit.id",
"unit.type",
"unit.state",
"unit.old_state"
]
}
}
},
"mappings": {
"dynamic": false,
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
], ],
"filter": [ "properties": {
"lowercase", "container": {
"trim" "properties": {
], "image": {
"tokenizer": "keyword" "properties": {
} "name": {
}, "ignore_above": 1024,
"char_filter": { "type": "keyword"
"whitespace_no_way": { }
"type": "pattern_replace", }
"pattern": "(\\s)+", },
"replacement": "$1" "name": {
} "ignore_above": 1024,
}, "type": "keyword"
"filter": { },
"path_hierarchy_pattern_filter": { "id": {
"type": "pattern_capture", "ignore_above": 1024,
"preserve_original": true, "type": "keyword"
"patterns": [ }
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
} },
}, "agent": {
"instance": { "properties": {
"properties": { "build": {
"name": { "properties": {
"ignore_above": 1024, "original": {
"type": "keyword" "ignore_above": 1024,
, "type": "keyword"
"fields": { }
"security": { }
"type": "text", },
"analyzer": "es_security_analyzer"} "name": {
} "ignore_above": 1024,
}, "type": "keyword"
"id": { },
"ignore_above": 1024, "id": {
"type": "keyword" "ignore_above": 1024,
, "type": "keyword"
"fields": { },
"security": { "ephemeral_id": {
"type": "text", "ignore_above": 1024,
"analyzer": "es_security_analyzer"} "type": "keyword"
} },
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
} }
} },
}, "log": {
"provider": { "properties": {
"ignore_above": 1024, "level": {
"type": "keyword" "ignore_above": 1024,
, "type": "keyword"
"fields": { }
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
} },
}, "elastic_agent": {
"project": { "properties": {
"properties": { "process": {
"id": { "ignore_above": 1024,
"ignore_above": 1024, "type": "keyword"
"type": "keyword" },
, "id": {
"fields": { "ignore_above": 1024,
"security": { "type": "keyword"
"type": "text", },
"analyzer": "es_security_analyzer"} "version": {
} "ignore_above": 1024,
"type": "keyword"
},
"snapshot": {
"type": "boolean"
}
} }
} },
}, "message": {
"region": { "type": "text"
"ignore_above": 1024, },
"type": "keyword" "cloud": {
, "properties": {
"fields": { "availability_zone": {
"security": { "ignore_above": 1024,
"type": "text", "type": "keyword"
"analyzer": "es_security_analyzer"} },
} "image": {
}, "properties": {
"account": { "id": {
"properties": { "ignore_above": 1024,
"id": { "type": "keyword"
"ignore_above": 1024, }
"type": "keyword" }
, },
"fields": { "instance": {
"security": { "properties": {
"type": "text", "name": {
"analyzer": "es_security_analyzer"} "ignore_above": 1024,
} "type": "keyword"
} },
} "id": {
} "ignore_above": 1024,
} "type": "keyword"
}, }
"container": { }
"properties": { },
"image": { "provider": {
"properties": { "ignore_above": 1024,
"name": { "type": "keyword"
"ignore_above": 1024, },
"type": "keyword" "machine": {
, "properties": {
"fields": { "type": {
"security": { "ignore_above": 1024,
"type": "text", "type": "keyword"
"analyzer": "es_security_analyzer"} }
} }
} },
} "project": {
}, "properties": {
"name": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
, }
"fields": { }
"security": { },
"type": "text", "region": {
"analyzer": "es_security_analyzer"} "ignore_above": 1024,
} "type": "keyword"
}, },
"id": { "account": {
"ignore_above": 1024, "properties": {
"type": "keyword" "id": {
, "ignore_above": 1024,
"fields": { "type": "keyword"
"security": { }
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
} }
} }
}, }
"family": { },
"ignore_above": 1024, "component": {
"type": "keyword" "properties": {
, "binary": {
"fields": { "ignore_above": 1024,
"security": { "type": "keyword"
"type": "text", },
"analyzer": "es_security_analyzer"} "old_state": {
} "ignore_above": 1024,
}, "type": "keyword"
"version": { },
"ignore_above": 1024, "id": {
"type": "keyword" "ignore_above": 1024,
, "type": "wildcard"
"fields": { },
"security": { "state": {
"type": "text", "ignore_above": 1024,
"analyzer": "es_security_analyzer"} "type": "keyword"
} },
}, "type": {
"platform": { "ignore_above": 1024,
"ignore_above": 1024, "type": "keyword"
"type": "keyword" }
, }
"fields": { },
"security": { "unit": {
"type": "text", "properties": {
"analyzer": "es_security_analyzer"} "old_state": {
} "ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "wildcard"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
} }
} }
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
} }
} }
}, },
"elastic_agent": { "_meta": {
"properties": { "package": {
"process": { "name": "elastic_agent"
"ignore_above": 1024, },
"type": "keyword" "managed_by": "fleet",
, "managed": true
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
} }
} }
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
@@ -0,0 +1,91 @@
{"template": {
"mappings": {
"properties": {
"completed_at": {
"type": "date"
},
"action_response": {
"properties": {
"osquery": {
"properties": {
"count": {
"type": "long"
}
}
}
}
},
"@timestamp": {
"type": "date"
},
"agent_id": {
"ignore_above": 1024,
"type": "keyword"
},
"action_id": {
"ignore_above": 1024,
"type": "keyword"
},
"count": {
"type": "long"
},
"started_at": {
"type": "date"
},
"action_input_type": {
"ignore_above": 1024,
"type": "keyword"
},
"error": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"agent_id_status": {
"ignore_above": 1024,
"type": "keyword"
},
"ingested": {
"format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis",
"type": "date"
}
}
},
"action_data": {
"properties": {
"saved_query_id": {
"ignore_above": 1024,
"type": "keyword"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"ecs_mapping": {
"type": "object",
"enabled": false
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
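Review bot: `action_data.query` is mapped as `keyword` with `"ignore_above": 1024`, which means any osquery statement longer than 1024 characters is silently left unindexed (it stays in `_source` but is not searchable), so an analyst auditing which queries were pushed to agents cannot find long ones by content. The next section (`@@ -0,0 +1,110 @@`) has the same mapping on `data.query` while mapping `queries.query` as `text`, so the two templates are inconsistent with each other. If content search over queries is wanted, mirror the `error` field in this template: `"query": {"type": "text", "fields": {"keyword": {"ignore_above": 1024, "type": "keyword"}}}`. Neither of these two templates sets `"dynamic": false` as the elastic_agent templates above do, so any unmapped fields in the documents will be dynamically mapped; if the documents can carry arbitrary keys, consider adding it.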
@@ -0,0 +1,110 @@
{"template": {
"mappings": {
"properties": {
"pack_name": {
"ignore_above": 1024,
"type": "keyword"
},
"metadata": {
"type": "object",
"enabled": false
},
"data": {
"properties": {
"query": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pack_id": {
"ignore_above": 1024,
"type": "keyword"
},
"input_type": {
"ignore_above": 1024,
"type": "keyword"
},
"pack_prebuilt": {
"type": "boolean"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"queries": {
"properties": {
"action_id": {
"ignore_above": 1024,
"type": "keyword"
},
"saved_query_id": {
"ignore_above": 1024,
"type": "keyword"
},
"saved_query_prebuilt": {
"type": "boolean"
},
"query": {
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"ecs_mapping": {
"type": "object",
"enabled": false
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"agents": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agents": {
"ignore_above": 1024,
"type": "keyword"
},
"@timestamp": {
"type": "date"
},
"action_id": {
"ignore_above": 1024,
"type": "keyword"
},
"user_id": {
"ignore_above": 1024,
"type": "keyword"
},
"expiration": {
"type": "date"
},
"event": {
"properties": {
"agent_id_status": {
"ignore_above": 1024,
"type": "keyword"
},
"ingested": {
"format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis",
"type": "date"
}
}
},
"agent_ids": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
@@ -0,0 +1,952 @@
{"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-system.application-1.6.4",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"event.code",
"event.original",
"error.message",
"message",
"winlog.api",
"winlog.activity_id",
"winlog.computer_name",
"winlog.event_data.AuthenticationPackageName",
"winlog.event_data.Binary",
"winlog.event_data.BitlockerUserInputTime",
"winlog.event_data.BootMode",
"winlog.event_data.BootType",
"winlog.event_data.BuildVersion",
"winlog.event_data.Company",
"winlog.event_data.CorruptionActionState",
"winlog.event_data.CreationUtcTime",
"winlog.event_data.Description",
"winlog.event_data.Detail",
"winlog.event_data.DeviceName",
"winlog.event_data.DeviceNameLength",
"winlog.event_data.DeviceTime",
"winlog.event_data.DeviceVersionMajor",
"winlog.event_data.DeviceVersionMinor",
"winlog.event_data.DriveName",
"winlog.event_data.DriverName",
"winlog.event_data.DriverNameLength",
"winlog.event_data.DwordVal",
"winlog.event_data.EntryCount",
"winlog.event_data.ExtraInfo",
"winlog.event_data.FailureName",
"winlog.event_data.FailureNameLength",
"winlog.event_data.FileVersion",
"winlog.event_data.FinalStatus",
"winlog.event_data.Group",
"winlog.event_data.IdleImplementation",
"winlog.event_data.IdleStateCount",
"winlog.event_data.ImpersonationLevel",
"winlog.event_data.IntegrityLevel",
"winlog.event_data.IpAddress",
"winlog.event_data.IpPort",
"winlog.event_data.KeyLength",
"winlog.event_data.LastBootGood",
"winlog.event_data.LastShutdownGood",
"winlog.event_data.LmPackageName",
"winlog.event_data.LogonGuid",
"winlog.event_data.LogonId",
"winlog.event_data.LogonProcessName",
"winlog.event_data.LogonType",
"winlog.event_data.MajorVersion",
"winlog.event_data.MaximumPerformancePercent",
"winlog.event_data.MemberName",
"winlog.event_data.MemberSid",
"winlog.event_data.MinimumPerformancePercent",
"winlog.event_data.MinimumThrottlePercent",
"winlog.event_data.MinorVersion",
"winlog.event_data.NewProcessId",
"winlog.event_data.NewProcessName",
"winlog.event_data.NewSchemeGuid",
"winlog.event_data.NewTime",
"winlog.event_data.NominalFrequency",
"winlog.event_data.Number",
"winlog.event_data.OldSchemeGuid",
"winlog.event_data.OldTime",
"winlog.event_data.OriginalFileName",
"winlog.event_data.Path",
"winlog.event_data.PerformanceImplementation",
"winlog.event_data.PreviousCreationUtcTime",
"winlog.event_data.PreviousTime",
"winlog.event_data.PrivilegeList",
"winlog.event_data.ProcessId",
"winlog.event_data.ProcessName",
"winlog.event_data.ProcessPath",
"winlog.event_data.ProcessPid",
"winlog.event_data.Product",
"winlog.event_data.PuaCount",
"winlog.event_data.PuaPolicyId",
"winlog.event_data.QfeVersion",
"winlog.event_data.Reason",
"winlog.event_data.SchemaVersion",
"winlog.event_data.ScriptBlockText",
"winlog.event_data.ServiceName",
"winlog.event_data.ServiceVersion",
"winlog.event_data.ShutdownActionType",
"winlog.event_data.ShutdownEventCode",
"winlog.event_data.ShutdownReason",
"winlog.event_data.Signature",
"winlog.event_data.SignatureStatus",
"winlog.event_data.Signed",
"winlog.event_data.StartTime",
"winlog.event_data.State",
"winlog.event_data.Status",
"winlog.event_data.StopTime",
"winlog.event_data.SubjectDomainName",
"winlog.event_data.SubjectLogonId",
"winlog.event_data.SubjectUserName",
"winlog.event_data.SubjectUserSid",
"winlog.event_data.TSId",
"winlog.event_data.TargetDomainName",
"winlog.event_data.TargetInfo",
"winlog.event_data.TargetLogonGuid",
"winlog.event_data.TargetLogonId",
"winlog.event_data.TargetServerName",
"winlog.event_data.TargetUserName",
"winlog.event_data.TargetUserSid",
"winlog.event_data.TerminalSessionId",
"winlog.event_data.TokenElevationType",
"winlog.event_data.TransmittedServices",
"winlog.event_data.UserSid",
"winlog.event_data.Version",
"winlog.event_data.Workstation",
"winlog.event_data.param1",
"winlog.event_data.param2",
"winlog.event_data.param3",
"winlog.event_data.param4",
"winlog.event_data.param5",
"winlog.event_data.param6",
"winlog.event_data.param7",
"winlog.event_data.param8",
"winlog.event_id",
"winlog.keywords",
"winlog.channel",
"winlog.record_id",
"winlog.related_activity_id",
"winlog.opcode",
"winlog.provider_guid",
"winlog.provider_name",
"winlog.task",
"winlog.user.identifier",
"winlog.user.name",
"winlog.user.domain",
"winlog.user.type"
]
}
}
},
"mappings": {
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
{
"winlog.user_data": {
"path_match": "winlog.user_data.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"winlog": {
"properties": {
"related_activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"computer_name": {
"ignore_above": 1024,
"type": "keyword"
},
"process": {
"properties": {
"pid": {
"type": "long"
},
"thread": {
"properties": {
"id": {
"type": "long"
}
}
}
}
},
"keywords": {
"ignore_above": 1024,
"type": "keyword"
},
"channel": {
"ignore_above": 1024,
"type": "keyword"
},
"event_data": {
"properties": {
"SignatureStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceTime": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"OriginalFileName": {
"ignore_above": 1024,
"type": "keyword"
},
"BootMode": {
"ignore_above": 1024,
"type": "keyword"
},
"Product": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetLogonGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"FileVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"StopTime": {
"ignore_above": 1024,
"type": "keyword"
},
"Status": {
"ignore_above": 1024,
"type": "keyword"
},
"CorruptionActionState": {
"ignore_above": 1024,
"type": "keyword"
},
"KeyLength": {
"ignore_above": 1024,
"type": "keyword"
},
"PreviousCreationUtcTime": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetInfo": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"PerformanceImplementation": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"Group": {
"ignore_above": 1024,
"type": "keyword"
},
"Description": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownActionType": {
"ignore_above": 1024,
"type": "keyword"
},
"DwordVal": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessPid": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceVersionMajor": {
"ignore_above": 1024,
"type": "keyword"
},
"ScriptBlockText": {
"ignore_above": 1024,
"type": "keyword"
},
"TransmittedServices": {
"ignore_above": 1024,
"type": "keyword"
},
"MaximumPerformancePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"NewTime": {
"ignore_above": 1024,
"type": "keyword"
},
"FinalStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"IdleStateCount": {
"ignore_above": 1024,
"type": "keyword"
},
"MajorVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"Path": {
"ignore_above": 1024,
"type": "keyword"
},
"SchemaVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"TokenElevationType": {
"ignore_above": 1024,
"type": "keyword"
},
"MinorVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectLogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"IdleImplementation": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessPath": {
"ignore_above": 1024,
"type": "keyword"
},
"QfeVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceVersionMinor": {
"ignore_above": 1024,
"type": "keyword"
},
"OldTime": {
"ignore_above": 1024,
"type": "keyword"
},
"IpAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceName": {
"ignore_above": 1024,
"type": "keyword"
},
"Company": {
"ignore_above": 1024,
"type": "keyword"
},
"PuaPolicyId": {
"ignore_above": 1024,
"type": "keyword"
},
"IntegrityLevel": {
"ignore_above": 1024,
"type": "keyword"
},
"LastShutdownGood": {
"ignore_above": 1024,
"type": "keyword"
},
"IpPort": {
"ignore_above": 1024,
"type": "keyword"
},
"DriverNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"LmPackageName": {
"ignore_above": 1024,
"type": "keyword"
},
"UserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"LastBootGood": {
"ignore_above": 1024,
"type": "keyword"
},
"PuaCount": {
"ignore_above": 1024,
"type": "keyword"
},
"Version": {
"ignore_above": 1024,
"type": "keyword"
},
"Signed": {
"ignore_above": 1024,
"type": "keyword"
},
"StartTime": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownEventCode": {
"ignore_above": 1024,
"type": "keyword"
},
"NewProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"FailureNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceName": {
"ignore_above": 1024,
"type": "keyword"
},
"PreviousTime": {
"ignore_above": 1024,
"type": "keyword"
},
"State": {
"ignore_above": 1024,
"type": "keyword"
},
"BootType": {
"ignore_above": 1024,
"type": "keyword"
},
"Binary": {
"ignore_above": 1024,
"type": "keyword"
},
"ImpersonationLevel": {
"ignore_above": 1024,
"type": "keyword"
},
"MemberName": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"Detail": {
"ignore_above": 1024,
"type": "keyword"
},
"TerminalSessionId": {
"ignore_above": 1024,
"type": "keyword"
},
"MemberSid": {
"ignore_above": 1024,
"type": "keyword"
},
"DriverName": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"OldSchemeGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"CreationUtcTime": {
"ignore_above": 1024,
"type": "keyword"
},
"Reason": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownReason": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetServerName": {
"ignore_above": 1024,
"type": "keyword"
},
"Number": {
"ignore_above": 1024,
"type": "keyword"
},
"BuildVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectDomainName": {
"ignore_above": 1024,
"type": "keyword"
},
"MinimumPerformancePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"TSId": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetDomainName": {
"ignore_above": 1024,
"type": "keyword"
},
"PrivilegeList": {
"ignore_above": 1024,
"type": "keyword"
},
"param7": {
"ignore_above": 1024,
"type": "keyword"
},
"param8": {
"ignore_above": 1024,
"type": "keyword"
},
"param5": {
"ignore_above": 1024,
"type": "keyword"
},
"param6": {
"ignore_above": 1024,
"type": "keyword"
},
"DriveName": {
"ignore_above": 1024,
"type": "keyword"
},
"NewProcessId": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonType": {
"ignore_above": 1024,
"type": "keyword"
},
"ExtraInfo": {
"ignore_above": 1024,
"type": "keyword"
},
"param3": {
"ignore_above": 1024,
"type": "keyword"
},
"param4": {
"ignore_above": 1024,
"type": "keyword"
},
"param1": {
"ignore_above": 1024,
"type": "keyword"
},
"param2": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetLogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"Workstation": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"FailureName": {
"ignore_above": 1024,
"type": "keyword"
},
"NewSchemeGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"Signature": {
"ignore_above": 1024,
"type": "keyword"
},
"MinimumThrottlePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessId": {
"ignore_above": 1024,
"type": "keyword"
},
"EntryCount": {
"ignore_above": 1024,
"type": "keyword"
},
"BitlockerUserInputTime": {
"ignore_above": 1024,
"type": "keyword"
},
"AuthenticationPackageName": {
"ignore_above": 1024,
"type": "keyword"
},
"NominalFrequency": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"opcode": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"type": "long"
},
"record_id": {
"ignore_above": 1024,
"type": "keyword"
},
"event_id": {
"ignore_above": 1024,
"type": "keyword"
},
"task": {
"ignore_above": 1024,
"type": "keyword"
},
"provider_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"api": {
"ignore_above": 1024,
"type": "keyword"
},
"provider_name": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"ingested": {
"type": "date"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"original": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"module": {
"type": "constant_keyword",
"value": "system"
},
"dataset": {
"type": "constant_keyword",
"value": "system.application"
}
}
},
"error": {
"properties": {
"message": {
"type": "match_only_text"
}
}
},
"message": {
"type": "match_only_text"
}
}
}
},
"_meta": {
"package": {
"name": "system"
},
"managed_by": "fleet",
"managed": true
}
}
@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
@@ -0,0 +1,530 @@
{
"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-system.auth-1.6.4",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.os.full",
"host.type",
"event.action",
"event.category",
"event.code",
"event.kind",
"event.outcome",
"event.provider",
"event.type",
"ecs.version",
"error.message",
"group.id",
"group.name",
"message",
"process.name",
"related.hosts",
"related.user",
"source.as.organization.name",
"source.geo.city_name",
"source.geo.continent_name",
"source.geo.country_iso_code",
"source.geo.country_name",
"source.geo.region_iso_code",
"source.geo.region_name",
"user.effective.name",
"user.id",
"user.name",
"system.auth.ssh.method",
"system.auth.ssh.signature",
"system.auth.ssh.event",
"system.auth.sudo.error",
"system.auth.sudo.tty",
"system.auth.sudo.pwd",
"system.auth.sudo.user",
"system.auth.sudo.command",
"system.auth.useradd.home",
"system.auth.useradd.shell",
"version"
]
}
}
},
"mappings": {
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"process": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"pid": {
"type": "long"
}
}
},
"source": {
"properties": {
"geo": {
"properties": {
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"port": {
"type": "long"
},
"ip": {
"type": "ip"
}
}
},
"error": {
"properties": {
"message": {
"type": "match_only_text"
}
}
},
"message": {
"type": "match_only_text"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"@timestamp": {
"type": "date"
},
"system": {
"properties": {
"auth": {
"properties": {
"ssh": {
"properties": {
"method": {
"ignore_above": 1024,
"type": "keyword"
},
"dropped_ip": {
"type": "ip"
},
"signature": {
"ignore_above": 1024,
"type": "keyword"
},
"event": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"sudo": {
"properties": {
"tty": {
"ignore_above": 1024,
"type": "keyword"
},
"error": {
"ignore_above": 1024,
"type": "keyword"
},
"pwd": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
},
"command": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"useradd": {
"properties": {
"shell": {
"ignore_above": 1024,
"type": "keyword"
},
"home": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"related": {
"properties": {
"hosts": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword",
"value": "logs"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"sequence": {
"type": "long"
},
"ingested": {
"type": "date"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"type": "constant_keyword",
"value": "system"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"dataset": {
"type": "constant_keyword",
"value": "system.auth"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user": {
"properties": {
"effective": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"group": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
},
"_meta": {
"package": {
"name": "system"
},
"managed_by": "fleet",
"managed": true
}
}
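Review bot: The `default_pipeline` setting near the top of this hunk pins the ingest pipeline to the versioned name `logs-system.auth-1.6.4`, and Elasticsearch rejects every write to the data stream with a pipeline-not-found error if no pipeline of exactly that name exists, so the matching pipeline definition (not visible in this hunk) should be confirmed to land in the same change. The syslog template in the following hunk pins `logs-system.syslog-1.6.4` the same way. Separately, `system.auth.sudo.command` is mapped as `keyword` with `"ignore_above": 1024`, which keeps longer sudo command lines in `_source` but leaves them unindexed, so any detection or search that filters on that field silently misses them. If long command lines matter for rules on this data, raising the limit (e.g. `"ignore_above": 4096`) or adding a `text` sub-field as `host.os.name` already does closes that gap.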
@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
@@ -0,0 +1,327 @@
{
"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-system.syslog-1.6.4",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.os.full",
"host.type",
"event.action",
"event.category",
"event.code",
"event.kind",
"event.outcome",
"event.provider",
"event.type",
"ecs.version",
"message",
"process.name"
]
}
}
},
"mappings": {
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"process": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"pid": {
"type": "long"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword",
"value": "logs"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"sequence": {
"type": "long"
},
"ingested": {
"type": "date"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"type": "constant_keyword",
"value": "system"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"dataset": {
"type": "constant_keyword",
"value": "system.syslog"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"message": {
"type": "match_only_text"
}
}
}
},
"_meta": {
"package": {
"name": "system"
},
"managed_by": "fleet",
"managed": true
}
}
@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
@@ -0,0 +1,986 @@
{
"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-system.system-1.6.4",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"event.action",
"event.category",
"event.code",
"event.kind",
"event.original",
"event.outcome",
"event.provider",
"event.type",
"error.message",
"message",
"winlog.api",
"winlog.activity_id",
"winlog.computer_name",
"winlog.event_data.AuthenticationPackageName",
"winlog.event_data.Binary",
"winlog.event_data.BitlockerUserInputTime",
"winlog.event_data.BootMode",
"winlog.event_data.BootType",
"winlog.event_data.BuildVersion",
"winlog.event_data.Company",
"winlog.event_data.CorruptionActionState",
"winlog.event_data.CreationUtcTime",
"winlog.event_data.Description",
"winlog.event_data.Detail",
"winlog.event_data.DeviceName",
"winlog.event_data.DeviceNameLength",
"winlog.event_data.DeviceTime",
"winlog.event_data.DeviceVersionMajor",
"winlog.event_data.DeviceVersionMinor",
"winlog.event_data.DriveName",
"winlog.event_data.DriverName",
"winlog.event_data.DriverNameLength",
"winlog.event_data.DwordVal",
"winlog.event_data.EntryCount",
"winlog.event_data.ExtraInfo",
"winlog.event_data.FailureName",
"winlog.event_data.FailureNameLength",
"winlog.event_data.FileVersion",
"winlog.event_data.FinalStatus",
"winlog.event_data.Group",
"winlog.event_data.IdleImplementation",
"winlog.event_data.IdleStateCount",
"winlog.event_data.ImpersonationLevel",
"winlog.event_data.IntegrityLevel",
"winlog.event_data.IpAddress",
"winlog.event_data.IpPort",
"winlog.event_data.KeyLength",
"winlog.event_data.LastBootGood",
"winlog.event_data.LastShutdownGood",
"winlog.event_data.LmPackageName",
"winlog.event_data.LogonGuid",
"winlog.event_data.LogonId",
"winlog.event_data.LogonProcessName",
"winlog.event_data.LogonType",
"winlog.event_data.MajorVersion",
"winlog.event_data.MaximumPerformancePercent",
"winlog.event_data.MemberName",
"winlog.event_data.MemberSid",
"winlog.event_data.MinimumPerformancePercent",
"winlog.event_data.MinimumThrottlePercent",
"winlog.event_data.MinorVersion",
"winlog.event_data.NewProcessId",
"winlog.event_data.NewProcessName",
"winlog.event_data.NewSchemeGuid",
"winlog.event_data.NewTime",
"winlog.event_data.NominalFrequency",
"winlog.event_data.Number",
"winlog.event_data.OldSchemeGuid",
"winlog.event_data.OldTime",
"winlog.event_data.OriginalFileName",
"winlog.event_data.Path",
"winlog.event_data.PerformanceImplementation",
"winlog.event_data.PreviousCreationUtcTime",
"winlog.event_data.PreviousTime",
"winlog.event_data.PrivilegeList",
"winlog.event_data.ProcessId",
"winlog.event_data.ProcessName",
"winlog.event_data.ProcessPath",
"winlog.event_data.ProcessPid",
"winlog.event_data.Product",
"winlog.event_data.PuaCount",
"winlog.event_data.PuaPolicyId",
"winlog.event_data.QfeVersion",
"winlog.event_data.Reason",
"winlog.event_data.SchemaVersion",
"winlog.event_data.ScriptBlockText",
"winlog.event_data.ServiceName",
"winlog.event_data.ServiceVersion",
"winlog.event_data.ShutdownActionType",
"winlog.event_data.ShutdownEventCode",
"winlog.event_data.ShutdownReason",
"winlog.event_data.Signature",
"winlog.event_data.SignatureStatus",
"winlog.event_data.Signed",
"winlog.event_data.StartTime",
"winlog.event_data.State",
"winlog.event_data.Status",
"winlog.event_data.StopTime",
"winlog.event_data.SubjectDomainName",
"winlog.event_data.SubjectLogonId",
"winlog.event_data.SubjectUserName",
"winlog.event_data.SubjectUserSid",
"winlog.event_data.TSId",
"winlog.event_data.TargetDomainName",
"winlog.event_data.TargetInfo",
"winlog.event_data.TargetLogonGuid",
"winlog.event_data.TargetLogonId",
"winlog.event_data.TargetServerName",
"winlog.event_data.TargetUserName",
"winlog.event_data.TargetUserSid",
"winlog.event_data.TerminalSessionId",
"winlog.event_data.TokenElevationType",
"winlog.event_data.TransmittedServices",
"winlog.event_data.UserSid",
"winlog.event_data.Version",
"winlog.event_data.Workstation",
"winlog.event_data.param1",
"winlog.event_data.param2",
"winlog.event_data.param3",
"winlog.event_data.param4",
"winlog.event_data.param5",
"winlog.event_data.param6",
"winlog.event_data.param7",
"winlog.event_data.param8",
"winlog.event_id",
"winlog.keywords",
"winlog.channel",
"winlog.record_id",
"winlog.related_activity_id",
"winlog.opcode",
"winlog.provider_guid",
"winlog.provider_name",
"winlog.task",
"winlog.user.identifier",
"winlog.user.name",
"winlog.user.domain",
"winlog.user.type"
]
}
}
},
"mappings": {
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
{
"winlog.user_data": {
"path_match": "winlog.user_data.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"winlog": {
"properties": {
"related_activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"computer_name": {
"ignore_above": 1024,
"type": "keyword"
},
"process": {
"properties": {
"pid": {
"type": "long"
},
"thread": {
"properties": {
"id": {
"type": "long"
}
}
}
}
},
"keywords": {
"ignore_above": 1024,
"type": "keyword"
},
"channel": {
"ignore_above": 1024,
"type": "keyword"
},
"event_data": {
"properties": {
"SignatureStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceTime": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"OriginalFileName": {
"ignore_above": 1024,
"type": "keyword"
},
"BootMode": {
"ignore_above": 1024,
"type": "keyword"
},
"Product": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetLogonGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"FileVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"StopTime": {
"ignore_above": 1024,
"type": "keyword"
},
"Status": {
"ignore_above": 1024,
"type": "keyword"
},
"CorruptionActionState": {
"ignore_above": 1024,
"type": "keyword"
},
"KeyLength": {
"ignore_above": 1024,
"type": "keyword"
},
"PreviousCreationUtcTime": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetInfo": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"PerformanceImplementation": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"Group": {
"ignore_above": 1024,
"type": "keyword"
},
"Description": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownActionType": {
"ignore_above": 1024,
"type": "keyword"
},
"DwordVal": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessPid": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceVersionMajor": {
"ignore_above": 1024,
"type": "keyword"
},
"ScriptBlockText": {
"ignore_above": 1024,
"type": "keyword"
},
"TransmittedServices": {
"ignore_above": 1024,
"type": "keyword"
},
"MaximumPerformancePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"NewTime": {
"ignore_above": 1024,
"type": "keyword"
},
"FinalStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"IdleStateCount": {
"ignore_above": 1024,
"type": "keyword"
},
"MajorVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"Path": {
"ignore_above": 1024,
"type": "keyword"
},
"SchemaVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"TokenElevationType": {
"ignore_above": 1024,
"type": "keyword"
},
"MinorVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectLogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"IdleImplementation": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessPath": {
"ignore_above": 1024,
"type": "keyword"
},
"QfeVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceVersionMinor": {
"ignore_above": 1024,
"type": "keyword"
},
"OldTime": {
"ignore_above": 1024,
"type": "keyword"
},
"IpAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceName": {
"ignore_above": 1024,
"type": "keyword"
},
"Company": {
"ignore_above": 1024,
"type": "keyword"
},
"PuaPolicyId": {
"ignore_above": 1024,
"type": "keyword"
},
"IntegrityLevel": {
"ignore_above": 1024,
"type": "keyword"
},
"LastShutdownGood": {
"ignore_above": 1024,
"type": "keyword"
},
"IpPort": {
"ignore_above": 1024,
"type": "keyword"
},
"DriverNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"LmPackageName": {
"ignore_above": 1024,
"type": "keyword"
},
"UserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"LastBootGood": {
"ignore_above": 1024,
"type": "keyword"
},
"PuaCount": {
"ignore_above": 1024,
"type": "keyword"
},
"Version": {
"ignore_above": 1024,
"type": "keyword"
},
"Signed": {
"ignore_above": 1024,
"type": "keyword"
},
"StartTime": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownEventCode": {
"ignore_above": 1024,
"type": "keyword"
},
"NewProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"FailureNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceName": {
"ignore_above": 1024,
"type": "keyword"
},
"PreviousTime": {
"ignore_above": 1024,
"type": "keyword"
},
"State": {
"ignore_above": 1024,
"type": "keyword"
},
"BootType": {
"ignore_above": 1024,
"type": "keyword"
},
"Binary": {
"ignore_above": 1024,
"type": "keyword"
},
"ImpersonationLevel": {
"ignore_above": 1024,
"type": "keyword"
},
"MemberName": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"Detail": {
"ignore_above": 1024,
"type": "keyword"
},
"TerminalSessionId": {
"ignore_above": 1024,
"type": "keyword"
},
"MemberSid": {
"ignore_above": 1024,
"type": "keyword"
},
"DriverName": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"OldSchemeGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"CreationUtcTime": {
"ignore_above": 1024,
"type": "keyword"
},
"Reason": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownReason": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetServerName": {
"ignore_above": 1024,
"type": "keyword"
},
"Number": {
"ignore_above": 1024,
"type": "keyword"
},
"BuildVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectDomainName": {
"ignore_above": 1024,
"type": "keyword"
},
"MinimumPerformancePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"TSId": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetDomainName": {
"ignore_above": 1024,
"type": "keyword"
},
"PrivilegeList": {
"ignore_above": 1024,
"type": "keyword"
},
"param7": {
"ignore_above": 1024,
"type": "keyword"
},
"param8": {
"ignore_above": 1024,
"type": "keyword"
},
"param5": {
"ignore_above": 1024,
"type": "keyword"
},
"param6": {
"ignore_above": 1024,
"type": "keyword"
},
"DriveName": {
"ignore_above": 1024,
"type": "keyword"
},
"NewProcessId": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonType": {
"ignore_above": 1024,
"type": "keyword"
},
"ExtraInfo": {
"ignore_above": 1024,
"type": "keyword"
},
"param3": {
"ignore_above": 1024,
"type": "keyword"
},
"param4": {
"ignore_above": 1024,
"type": "keyword"
},
"param1": {
"ignore_above": 1024,
"type": "keyword"
},
"param2": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetLogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"Workstation": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"FailureName": {
"ignore_above": 1024,
"type": "keyword"
},
"NewSchemeGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"Signature": {
"ignore_above": 1024,
"type": "keyword"
},
"MinimumThrottlePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessId": {
"ignore_above": 1024,
"type": "keyword"
},
"EntryCount": {
"ignore_above": 1024,
"type": "keyword"
},
"BitlockerUserInputTime": {
"ignore_above": 1024,
"type": "keyword"
},
"AuthenticationPackageName": {
"ignore_above": 1024,
"type": "keyword"
},
"NominalFrequency": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"opcode": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"type": "long"
},
"record_id": {
"ignore_above": 1024,
"type": "keyword"
},
"event_id": {
"ignore_above": 1024,
"type": "keyword"
},
"task": {
"ignore_above": 1024,
"type": "keyword"
},
"provider_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"api": {
"ignore_above": 1024,
"type": "keyword"
},
"provider_name": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"original": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"type": "constant_keyword",
"value": "system"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"sequence": {
"type": "long"
},
"ingested": {
"type": "date"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"dataset": {
"type": "constant_keyword",
"value": "system.system"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"error": {
"properties": {
"message": {
"type": "match_only_text"
}
}
},
"message": {
"type": "match_only_text"
}
}
}
},
"_meta": {
"package": {
"name": "system"
},
"managed_by": "fleet",
"managed": true
}
}
@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}
