diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 54cae64a9..f388b6bd3 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -259,15 +259,34 @@ elasticsearch:
 data_stream:
 hidden: false
 allow_custom_routing: false
- so-logs-osquery-manager:
+ so-logs-osquery-manager-actions:
 index_sorting: False
 index_template:
 index_patterns:
- - "logs-osquery*"
+ - ".logs-osquery_manager.actions*"
 template:
 settings:
 index:
 number_of_replicas: 0
+ composed_of:
+ - "logs-osquery_manager.actions"
+ priority: 501
+ _meta:
+ package:
+ name: elastic_agent
+ managed_by: security_onion
+ managed: true
+ so-logs-osquery-manager-action.responses:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - ".logs-osquery_manager.action.responses*"
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ composed_of:
+ - "logs-osquery_manager.action.responses"
 priority: 501
 _meta:
 package:
diff --git a/salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.action.responses.json b/salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.action.responses.json
new file mode 100644
index 000000000..afe990c92
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.action.responses.json
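Review bot: The new `so-logs-osquery-manager-action.responses` entry carries `index_sorting: False`, a YAML 1.1-style capitalised boolean, while the same hunk writes `hidden: false` and `managed: true` in lowercase; PyYAML reads both the same way, but yamllint's `truthy` rule flags the capitalised form and the file is now inconsistent with itself. Suggest `index_sorting: false` on both new entries. Separately, the removed pattern `"logs-osquery*"` was broader than the two dot-prefixed (hidden) patterns that replace it, so any non-hidden `logs-osquery*` data stream that used to pick up this priority-501 template no longer matches either new entry — presumably intended, but worth confirming that such streams are covered by another entry outside this hunk. The trailing context lines `priority: 501`, `_meta:`, `package:` belong to the second new entry, whose remaining keys are outside the hunk.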
@@ -0,0 +1,91 @@
+{"template": {
+ "mappings": {
+ "properties": {
+ "completed_at": {
+ "type": "date"
+ },
+ "action_response": {
+ "properties": {
+ "osquery": {
+ "properties": {
+ "count": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ },
+ "@timestamp": {
+ "type": "date"
+ },
+ "agent_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "action_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "count": {
+ "type": "long"
+ },
+ "started_at": {
+ "type": "date"
+ },
+ "action_input_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "error": {
+ "type": "text",
+ "fields": {
+ "keyword": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "event": {
+ "properties": {
+ "agent_id_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ingested": {
+ "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis",
+ "type": "date"
+ }
+ }
+ },
+ "action_data": {
+ "properties": {
+ "saved_query_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "query": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ecs_mapping": {
+ "type": "object",
+ "enabled": false
+ },
+ "platform": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.actions.json b/salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.actions.json
new file mode 100644
index 000000000..44296af13
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.actions.json
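Review bot: `action_data.query` is mapped as `keyword` with `ignore_above: 1024`, so any osquery query text longer than 1024 characters is not indexed for that field at all and the response record cannot be searched or aggregated by the query that produced it — an awkward gap in an audit trail of what was executed on endpoints. The `error` field in the same hunk already shows the pattern that avoids this (`text` with a `keyword` subfield), and the same concept is mapped three different ways across the two new files: keyword-only here, keyword-only under `data.query` and bare `text` under `queries.query` in logs-osquery_manager.actions.json (the following hunk). Suggest mapping the query fields uniformly as below. Also, as rendered here the file closes six braces after `platform` where seven are opened and 90 of the header's 91 lines are visible — most likely a rendering loss, but worth confirming the committed file parses.
```json
"action_data": {
"properties": {
"query": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
```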
@@ -0,0 +1,110 @@
+{"template": {
+ "mappings": {
+ "properties": {
+ "pack_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "metadata": {
+ "type": "object",
+ "enabled": false
+ },
+ "data": {
+ "properties": {
+ "query": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "pack_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "input_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pack_prebuilt": {
+ "type": "boolean"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "queries": {
+ "properties": {
+ "action_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "saved_query_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "saved_query_prebuilt": {
+ "type": "boolean"
+ },
+ "query": {
+ "type": "text"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ecs_mapping": {
+ "type": "object",
+ "enabled": false
+ },
+ "platform": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agents": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "agents": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "@timestamp": {
+ "type": "date"
+ },
+ "action_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "expiration": {
+ "type": "date"
+ },
+ "event": {
+ "properties": {
+ "agent_id_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ingested": {
+ "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis",
+ "type": "date"
+ }
+ }
+ },
+ "agent_ids": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+}