From 3c50072690be00918e17e6d887a33609ca11a3ad Mon Sep 17 00:00:00 2001 
From: Wes Date: Wed, 7 Sep 2022 18:51:57 +0000 Subject: [PATCH 1/4] Add Elastic Agent component templates --- .../logs-elastic_agent.apm_server@custom.json | 12 + ...logs-elastic_agent.apm_server@package.json | 681 +++++++++++++++++ .../logs-elastic_agent.auditbeat@custom.json | 12 + .../logs-elastic_agent.auditbeat@package.json | 681 +++++++++++++++++ .../logs-elastic_agent.cloudbeat@custom.json | 12 + .../logs-elastic_agent.cloudbeat@package.json | 692 ++++++++++++++++++ ...lastic_agent.endpoint_security@custom.json | 12 + ...astic_agent.endpoint_security@package.json | 681 +++++++++++++++++ .../logs-elastic_agent.filebeat@custom.json | 12 + .../logs-elastic_agent.filebeat@package.json | 681 +++++++++++++++++ ...ogs-elastic_agent.fleet_server@custom.json | 12 + ...gs-elastic_agent.fleet_server@package.json | 681 +++++++++++++++++ .../logs-elastic_agent.heartbeat@custom.json | 12 + .../logs-elastic_agent.heartbeat@package.json | 681 +++++++++++++++++ .../logs-elastic_agent.metricbeat@custom.json | 12 + ...logs-elastic_agent.metricbeat@package.json | 681 +++++++++++++++++ ...logs-elastic_agent.osquerybeat@custom.json | 12 + ...ogs-elastic_agent.osquerybeat@package.json | 681 +++++++++++++++++ .../logs-elastic_agent.packetbeat@custom.json | 12 + ...logs-elastic_agent.packetbeat@package.json | 674 +++++++++++++++++ .../logs-elastic_agent@custom.json | 12 + .../logs-elastic_agent@package.json | 681 +++++++++++++++++ 22 files changed, 7627 insertions(+) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json create mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json create mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json
new file mode 100644
index 000000000..fe77af1db
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json
@@ -0,0 +1,12 @@
+{
+ "template": {
+ "settings": {}
+ },
+ "_meta": {
+ "package": {
+ "name": "elastic_agent"
+ },
+ "managed_by": "fleet",
+ "managed": true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json
new file mode 100644
index 000000000..bcd76b848
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json
@@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + 
"image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": 
true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json
new file mode 100644
index 000000000..fe77af1db
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json
@@ -0,0 +1,12 @@
+{
+ "template": {
+ "settings": {}
+ },
+ "_meta": {
+ "package": {
+ "name": "elastic_agent"
+ },
+ "managed_by": "fleet",
+ "managed": true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json
new file mode 100644
index 000000000..bcd76b848
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json
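Review bot: Every keyword property in this template carries the `fields` key twice (for example `cloud.availability_zone` ends `"type": "keyword", "fields": {…"security"…}, "fields": {…"security"…}`), and Elasticsearch's JSON parser has rejected duplicate object keys in mappings since 6.0, so unless the Salt loader dedupes the document before the PUT, installing `logs-elastic_agent.apm_server@package` will fail outright. It looks like the `security` subfield was appended by a post-processing step that ran twice; the same step also skipped `host.os.name`, which keeps the stock `"fields": {"text": {"type": "text"}}` and is the only keyword in the mapping with no `.security` subfield, so a query on `host.os.name.security` will not match while every sibling does. I would collapse each property to a single `fields` object and give `host.os.name` both subfields, as below. The `_meta` values `"managed": true` / `"managed_by": "fleet"` are also worth a second look: if this file is pushed by Salt rather than by Fleet, Fleet may treat the component template as its own and overwrite it on the next `elastic_agent` package upgrade, silently dropping the `.security` subfields — I cannot confirm that from this hunk alone, so please check how the loader installs these.
```json
"name": {
  "ignore_above": 1024,
  "type": "keyword",
  "fields": {
    "text": {
      "type": "text"
    },
    "security": {
      "type": "text",
      "analyzer": "es_security_analyzer"
    }
  }
},
```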
@@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + 
"image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": 
true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json
new file mode 100644
index 000000000..fe77af1db
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json
@@ -0,0 +1,12 @@
+{
+ "template": {
+ "settings": {}
+ },
+ "_meta": {
+ "package": {
+ "name": "elastic_agent"
+ },
+ "managed_by": "fleet",
+ "managed": true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json
new file mode 100644
index 000000000..85ba08239
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json
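Review bot: This hunk is byte-for-byte the apm_server template (the `index` line shows the same blob id `bcd76b848`), and the diffstat shows the same 681-line file repeated for nine datasets, so any mapping fix — including the duplicated `fields` key that every keyword property in this copy carries too — has to be applied in ten places, and a copy that drifts from the others will not be noticed. Since these land under `salt/elasticsearch/templates/`, one source file rendered per dataset (a Salt loop over the dataset names, or a Jinja include for the shared mapping) would keep only the real differences, such as cloudbeat's 692-line variant that follows. If the files must stay separate for the loader's sake, a small check that diffs each `@package.json` against the canonical copy would at least catch drift before it reaches an index.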
@@ -0,0 +1,692 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { 
+"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + 
"ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { 
+"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": 
"keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": 
"text", +"analyzer": "es_security_analyzer"} +} + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json new file mode 100644 index 000000000..bcd76b848 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json 
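Review bot: Every keyword property in this template declares the `"fields"` key twice (e.g. `cloud.availability_zone` has two consecutive `"fields": {"security": …}` objects right after `"type": "keyword"`), and Elasticsearch parses mapping bodies with strict duplicate-key detection, so I would expect `PUT _component_template` to reject this file until each second `"fields"` block is removed. This copy also diverges from the sibling templates in a way that matters for searching agent logs: `message` is mapped as `keyword` with `ignore_above: 1024` plus the `security` subfield instead of `"type": "text"`, so log lines longer than 1024 characters are not indexed on `message` (they remain only in `_source`), and `message` and `log.level` are absent from `index.query.default_field` here although the other `@package` templates list them. If the keyword mapping is deliberate, I would at least add `"log.level",` and `"message",` back to the `default_field` array so free-text queries over cloudbeat agent logs still hit those fields.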
@@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + 
"image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": 
true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json new file mode 100644 index 000000000..bcd76b848 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json 
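Review bot: The `security` multi-fields and the `es_security_analyzer` settings are added to the `@package` component template, which the file itself marks as Fleet-owned (`"managed_by": "fleet"`, `"managed": true`); as far as I know Fleet rewrites `@package` templates whenever the `elastic_agent` package is installed or upgraded, so these additions can be silently lost on the next package update. Fleet's intended extension point is the `@custom` component template, which this commit ships with empty `settings`, and because `@custom` is composed after `@package` the analyzer settings and the `fields.security` subfields could be declared there instead and survive upgrades. Independently of that, each keyword property here carries `"fields"` twice in the same object, which Elasticsearch treats as a duplicate key and rejects, so one of the two identical `"fields": {"security": …}` blocks per property has to go.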
@@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + 
"image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": 
true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json new file mode 100644 index 000000000..bcd76b848 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json 
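Review bot: This file is a byte-identical copy of the endpoint_security and fleet_server `@package` templates (all three share blob index `bcd76b848`), so the per-dataset copies will drift as soon as any one of them is edited, and the cloudbeat copy already differs in its `message` mapping and `default_field` list. Since these are deployed from a Salt state, rendering one Jinja template per dataset name would keep the analyzer definition, the `security` subfields and the `default_field` list consistent across all elastic_agent datasets. The duplicate `"fields"` key on every keyword property also needs collapsing to a single `"fields": {"security": {"type": "text", "analyzer": "es_security_analyzer"}}` block, since Elasticsearch rejects duplicate keys in a mapping body.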
@@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + 
"image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": 
true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json
new file mode 100644
index 000000000..fe77af1db
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json
@@ -0,0 +1,12 @@
+{
+ "template": {
+ "settings": {}
+ },
+ "_meta": {
+ "package": {
+ "name": "elastic_agent"
+ },
+ "managed_by": "fleet",
+ "managed": true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json
new file mode 100644
index 000000000..22fef0fb5
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json
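Review bot: Every keyword property in the mappings of this hunk declares the `fields` key twice — `cloud.availability_zone`, for instance, reads `"type": "keyword" , "fields": { "security": … } , "fields": { "security": … }` — and as far as I recall Elasticsearch's JSON parser runs with strict duplicate-key detection when it reads a template body, so this PUT is likely to be rejected outright rather than quietly keep the second copy. Remove the second `, "fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } }` from each property so the subfield is declared once; the pattern suggests a scripted insertion that was applied twice to the exported template. The same pass skipped `host.os.name`, which keeps only its `text` subfield; if `security` is meant to exist on every keyword field, give it `"fields": { "text": { "type": "text" }, "security": { "type": "text", "analyzer": "es_security_analyzer" } }`. Separately, `"managed_by": "fleet"` / `"managed": true` mark this `@package` template as Fleet-owned, so a reinstall or upgrade of the `elastic_agent` package will presumably overwrite it and drop the analyzer subfields; the `@custom` template is the conventional home for site additions, and a comment in the Salt state explaining why `@package` is being replaced would help whoever next debugs a missing `.security` field.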
@@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + 
"image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "message": { + "type": "text" + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": 
true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json
new file mode 100644
index 000000000..fe77af1db
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json
@@ -0,0 +1,12 @@
+{
+ "template": {
+ "settings": {}
+ },
+ "_meta": {
+ "package": {
+ "name": "elastic_agent"
+ },
+ "managed_by": "fleet",
+ "managed": true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json
new file mode 100644
index 000000000..bcd76b848
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json
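Review bot: The heartbeat `@package` mappings in this hunk repeat the `fields` key on every keyword property (`"type": "keyword" , "fields": { "security": … } , "fields": { "security": … }` under `cloud`, `container`, `ecs`, `log`, `host` and `elastic_agent`), which Elasticsearch's template parser will, as far as I recall, reject as a duplicate key rather than merge. Keep a single `"fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } }` per property and delete the trailing duplicate. The `analysis` settings also define `path_hierarchy_pattern_filter` and `path_tokenizer`, but nothing in this template's mappings references them — only `es_security_analyzer` is used — so either drop them or add a short note in the Salt state that the analysis block is shared boilerplate, so nobody later assumes a path field is being tokenized here. Note this file's ordering of `message` before `event` differs from the other `@package` files in the series, which is harmless to Elasticsearch but worth normalizing if these are generated from one source.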
@@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + 
"image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": 
true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json
new file mode 100644
index 000000000..fe77af1db
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json
@@ -0,0 +1,12 @@
+{
+ "template": {
+ "settings": {}
+ },
+ "_meta": {
+ "package": {
+ "name": "elastic_agent"
+ },
+ "managed_by": "fleet",
+ "managed": true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json
new file mode 100644
index 000000000..bcd76b848
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json
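Review bot: This metricbeat `@package` template has the same duplicated `fields` key on every keyword property as the other files in the series (`"type": "keyword" , "fields": { "security": … } , "fields": { "security": … }`), and Elasticsearch's parser will, to the best of my recollection, refuse the body for the duplicate key rather than take the second definition. Reduce each property to one `"fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } }`. The blob hash in this file's header (`bcd76b848`) is identical to the fleet_server and osquerybeat `@package` files, so these are byte-for-byte copies; fixing the duplicate in one and not the others would leave the bootstrap failing on whichever template is applied next, and a single source template rendered per data stream by the Salt state would remove that class of drift. As a style point, the inserted `, "fields": {` lines sit at column zero while the rest of the exported template is indented, which is a tell that the insertion was scripted and never re-validated with a JSON parser before commit.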
@@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + 
"image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": 
true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json
new file mode 100644
index 000000000..fe77af1db
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json
@@ -0,0 +1,12 @@
+{
+ "template": {
+ "settings": {}
+ },
+ "_meta": {
+ "package": {
+ "name": "elastic_agent"
+ },
+ "managed_by": "fleet",
+ "managed": true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json
new file mode 100644
index 000000000..591717165
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json
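Review bot: The `analysis` settings of this new osquerybeat template declare a `path_hierarchy_pattern_filter` filter and a `path_tokenizer` tokenizer, but the only analyzer defined here, `es_security_analyzer`, is built from the `keyword` tokenizer with `lowercase` and `trim`, and no mapping in the file references either of the other two; unless another component template in the same composition uses them, they are dead configuration that still has to be kept in sync across all eleven copies. Separately, `_meta` marks the template `"managed_by": "fleet"` / `"managed": true` while every local change (the analyzer and the `security` subfields) sits in the `@package` template and the paired `@custom` template is left with an empty `"settings": {}`; Fleet regenerates the `@package` component template when the elastic_agent integration is installed or upgraded and reserves `@custom` for overrides that survive that, so the analysis settings added here would presumably be lost on the next package upgrade unless Fleet never manages these data streams. Moving the analyzer and the `security` subfield mappings into the `@custom` templates, or stating in the commit why `@package` was chosen, would make the intent explicit. The same layout is used by the packetbeat and logs-elastic_agent hunks below.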
@@ -0,0 +1,674 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + 
"image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} 
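Review bot: This packetbeat template is the only one in the series whose mappings omit `event.dataset`: the properties go straight from `elastic_agent.snapshot` to `message`, whereas the osquerybeat template above and the logs-elastic_agent template below map `"event": { "properties": { "dataset": { "type": "constant_keyword" } } }` (which also accounts for the 674 versus 681 line counts). With `"dynamic": false` an unmapped `event.dataset` is kept in `_source` but not indexed, so a query or detection rule filtering on it would silently match nothing for this data stream. If the omission mirrors the upstream package mapping it is worth saying so in the commit message; otherwise the same `event` property belongs here.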
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json
new file mode 100644
index 000000000..fe77af1db
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json
@@ -0,0 +1,12 @@
+{
+ "template": {
+ "settings": {}
+ },
+ "_meta": {
+ "package": {
+ "name": "elastic_agent"
+ },
+ "managed_by": "fleet",
+ "managed": true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json
new file mode 100644
index 000000000..bcd76b848
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json
@@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + 
"image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": 
true + } +} From eeffded248a2c9dc684b184258749275e8a7ebe4 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 7 Sep 2022 21:23:04 +0000 Subject: [PATCH 2/4] Remove duplicate security subfield configuration from component templates --- ...logs-elastic_agent.apm_server@package.json | 186 +---------------- .../logs-elastic_agent.auditbeat@package.json | 186 +---------------- .../logs-elastic_agent.cloudbeat@package.json | 192 +----------------- ...astic_agent.endpoint_security@package.json | 186 +---------------- .../logs-elastic_agent.filebeat@package.json | 186 +---------------- ...gs-elastic_agent.fleet_server@package.json | 186 +---------------- .../logs-elastic_agent.heartbeat@package.json | 186 +---------------- ...logs-elastic_agent.metricbeat@package.json | 186 +---------------- ...ogs-elastic_agent.osquerybeat@package.json | 186 +---------------- ...logs-elastic_agent.packetbeat@package.json | 186 +---------------- .../logs-elastic_agent@package.json | 188 +---------------- 11 files changed, 56 insertions(+), 1998 deletions(-) diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json index bcd76b848..9fd8c928f 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json @@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { + "analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -99,12 +99,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -117,12 +111,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } 
@@ -137,12 +125,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -153,12 +135,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -171,12 +147,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -189,12 +159,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -209,12 +173,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -227,12 +185,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { @@ -245,12 +197,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -269,12 +215,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -287,12 +227,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -303,12 +237,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { 
@@ -329,12 +257,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -349,12 +271,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -382,12 +298,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -400,12 +310,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { @@ -416,12 +320,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { @@ -432,18 +330,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } @@ -457,12 +353,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -473,12 +363,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -489,12 +373,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } 
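Review bot: This `name` hunk leaves a bare empty `+` line inside `"fields": {` ahead of the new `security` entry, and the same hand-applied cleanup already drifts between the copies: apm_server and auditbeat end up with `+ "analysis": {` while endpoint_security, filebeat, fleet_server and cloudbeat get `+"analysis": {`, although five of these files start from the same blob (`bcd76b848`). Since the templates are otherwise identical, consider keeping one source mapping and rendering it per dataset so the `es_security_analyzer` subfield is maintained in a single place; at minimum drop the blank line and normalise the `"analysis"` indentation so the files stay diff-identical. One caveat worth recording next to these templates (JSON leaves nowhere for a comment): `ignore_above: 1024` governs only the parent keyword, while the `security` subfield is a plain `text` mapping, so values past that limit are still searchable through `<field>.security` but not by exact term on the parent, which matters for detection rules keyed on the keyword. The corresponding `@@ -432,18 +330,16 @@` / `@@ -430,18 +328,16 @@` hunks in the auditbeat, cloudbeat, endpoint_security, filebeat and fleet_server sections repeat the same change and the same points.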
@@ -507,12 +385,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { @@ -529,12 +401,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -545,12 +411,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -561,12 +421,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { @@ -577,12 +431,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { @@ -593,12 +441,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -613,12 +455,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -629,12 +465,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -645,12 +475,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json index bcd76b848..9fd8c928f 100644 
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json @@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { + "analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -99,12 +99,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -117,12 +111,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -137,12 +125,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -153,12 +135,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -171,12 +147,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -189,12 +159,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -209,12 +173,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -227,12 +185,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { 
@@ -245,12 +197,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -269,12 +215,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -287,12 +227,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -303,12 +237,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { @@ -329,12 +257,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -349,12 +271,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -382,12 +298,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -400,12 +310,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { @@ -416,12 +320,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { 
@@ -432,18 +330,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } @@ -457,12 +353,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -473,12 +363,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -489,12 +373,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -507,12 +385,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { @@ -529,12 +401,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -545,12 +411,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -561,12 +421,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { @@ -577,12 +431,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { 
@@ -593,12 +441,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -613,12 +455,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -629,12 +465,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -645,12 +475,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json index 85ba08239..c4874ed3c 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json @@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { +"analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -97,12 +97,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -115,12 +109,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -135,12 +123,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { 
@@ -151,12 +133,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -169,12 +145,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -187,12 +157,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -207,12 +171,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -225,12 +183,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { @@ -243,12 +195,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -267,12 +213,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -285,12 +225,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -301,12 +235,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { @@ -327,12 +255,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } 
@@ -347,12 +269,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -380,12 +296,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -398,12 +308,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { @@ -414,12 +318,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { @@ -430,18 +328,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } @@ -455,12 +351,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -471,12 +361,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -487,12 +371,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -505,12 +383,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { 
@@ -527,12 +399,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -543,12 +409,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -559,12 +419,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { @@ -575,12 +429,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { @@ -591,12 +439,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -611,12 +453,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -627,12 +463,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -643,12 +473,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { @@ -671,12 +495,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json index bcd76b848..36978b0d8 100644 
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json @@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { +"analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -99,12 +99,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -117,12 +111,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -137,12 +125,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -153,12 +135,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -171,12 +147,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -189,12 +159,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -209,12 +173,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -227,12 +185,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { 
@@ -245,12 +197,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -269,12 +215,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -287,12 +227,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -303,12 +237,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { @@ -329,12 +257,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -349,12 +271,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -382,12 +298,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -400,12 +310,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { @@ -416,12 +320,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { 
@@ -432,18 +330,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } @@ -457,12 +353,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -473,12 +363,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -489,12 +373,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -507,12 +385,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { @@ -529,12 +401,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -545,12 +411,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -561,12 +421,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { @@ -577,12 +431,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { 
@@ -593,12 +441,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -613,12 +455,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -629,12 +465,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -645,12 +475,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json index bcd76b848..36978b0d8 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json @@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { +"analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -99,12 +99,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -117,12 +111,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -137,12 +125,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { 
@@ -153,12 +135,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -171,12 +147,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -189,12 +159,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -209,12 +173,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -227,12 +185,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { @@ -245,12 +197,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -269,12 +215,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -287,12 +227,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -303,12 +237,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { @@ -329,12 +257,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } 
@@ -349,12 +271,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -382,12 +298,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -400,12 +310,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { @@ -416,12 +320,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { @@ -432,18 +330,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } @@ -457,12 +353,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -473,12 +363,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -489,12 +373,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -507,12 +385,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { 
@@ -529,12 +401,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -545,12 +411,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -561,12 +421,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { @@ -577,12 +431,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { @@ -593,12 +441,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -613,12 +455,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -629,12 +465,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -645,12 +475,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json index bcd76b848..36978b0d8 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json 
@@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { +"analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -99,12 +99,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -117,12 +111,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -137,12 +125,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -153,12 +135,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -171,12 +147,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -189,12 +159,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -209,12 +173,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -227,12 +185,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { @@ -245,12 +197,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -269,12 +215,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } 
@@ -287,12 +227,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -303,12 +237,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { @@ -329,12 +257,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -349,12 +271,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -382,12 +298,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -400,12 +310,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { @@ -416,12 +320,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { @@ -432,18 +330,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } @@ -457,12 +353,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { 
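Review bot: The `-432,18 +330,16` hunk inserts an empty line (the lone `+`) between `"fields": {` and the new `"security"` subfield; it is legal JSON but leaves a stray blank line in an object that has none elsewhere, so the insert should read `"fields": {` directly followed by `"security": {`. The same blank line is added by the matching hunk in the heartbeat, metricbeat, osquerybeat, packetbeat and logs-elastic_agent package templates. The removed lines show that, before this patch, these mappings carried a second `"fields"` key on the same object, a duplicate key whose handling differs between JSON parsers, so the templates would benefit from a syntax check such as `python3 -m json.tool` (assuming the JSON files carry no Salt templating) before so-elasticsearch-templates-load submits them, making a malformed mapping fail at build time instead of at load time.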
@@ -473,12 +363,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -489,12 +373,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -507,12 +385,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { @@ -529,12 +401,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -545,12 +411,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -561,12 +421,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { @@ -577,12 +431,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { @@ -593,12 +441,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -613,12 +455,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -629,12 +465,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { 
@@ -645,12 +475,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json index 22fef0fb5..f353ac542 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json @@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { +"analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -99,12 +99,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -117,12 +111,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -137,12 +125,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -153,12 +135,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -171,12 +147,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -189,12 +159,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } 
@@ -209,12 +173,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -227,12 +185,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { @@ -245,12 +197,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -269,12 +215,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -287,12 +227,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -303,12 +237,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { @@ -329,12 +257,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -349,12 +271,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -382,12 +298,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -400,12 +310,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { 
@@ -416,12 +320,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { @@ -432,18 +330,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } @@ -457,12 +353,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -473,12 +363,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -489,12 +373,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -507,12 +385,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { @@ -529,12 +401,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -545,12 +411,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -561,12 +421,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { 
@@ -577,12 +431,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { @@ -593,12 +441,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -613,12 +455,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -629,12 +465,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -645,12 +475,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json index bcd76b848..36978b0d8 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json @@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { +"analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -99,12 +99,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -117,12 +111,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } 
@@ -137,12 +125,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -153,12 +135,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -171,12 +147,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -189,12 +159,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -209,12 +173,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -227,12 +185,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { @@ -245,12 +197,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -269,12 +215,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -287,12 +227,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -303,12 +237,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { 
@@ -329,12 +257,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -349,12 +271,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -382,12 +298,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -400,12 +310,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { @@ -416,12 +320,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { @@ -432,18 +330,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } @@ -457,12 +353,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -473,12 +363,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -489,12 +373,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } 
@@ -507,12 +385,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { @@ -529,12 +401,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -545,12 +411,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -561,12 +421,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { @@ -577,12 +431,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { @@ -593,12 +441,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -613,12 +455,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -629,12 +465,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -645,12 +475,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json index bcd76b848..36978b0d8 100644 
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json @@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { +"analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -99,12 +99,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -117,12 +111,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -137,12 +125,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -153,12 +135,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -171,12 +147,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -189,12 +159,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -209,12 +173,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -227,12 +185,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { 
@@ -245,12 +197,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -269,12 +215,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -287,12 +227,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -303,12 +237,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { @@ -329,12 +257,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -349,12 +271,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -382,12 +298,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -400,12 +310,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { @@ -416,12 +320,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { 
@@ -432,18 +330,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } @@ -457,12 +353,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -473,12 +363,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -489,12 +373,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -507,12 +385,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { @@ -529,12 +401,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -545,12 +411,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -561,12 +421,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { @@ -577,12 +431,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { 
@@ -593,12 +441,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -613,12 +455,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -629,12 +465,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -645,12 +475,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json index 591717165..9e593d3f8 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json @@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { +"analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -99,12 +99,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -117,12 +111,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -137,12 +125,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { 
@@ -153,12 +135,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -171,12 +147,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -189,12 +159,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -209,12 +173,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -227,12 +185,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { @@ -245,12 +197,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -269,12 +215,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -287,12 +227,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -303,12 +237,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { @@ -329,12 +257,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } 
@@ -349,12 +271,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -382,12 +298,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -400,12 +310,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { @@ -416,12 +320,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { @@ -432,18 +330,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } @@ -457,12 +353,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -473,12 +363,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -489,12 +373,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -507,12 +385,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { 
@@ -529,12 +401,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -545,12 +411,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -561,12 +421,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { @@ -577,12 +431,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { @@ -593,12 +441,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -613,12 +455,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -629,12 +465,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -645,12 +475,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json index bcd76b848..7df3309b1 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json 
@@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { + "analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -39,7 +39,7 @@ } } }, - "index": { + "index": { "lifecycle": { "name": "logs" }, @@ -99,12 +99,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -117,12 +111,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -137,12 +125,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -153,12 +135,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -171,12 +147,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -189,12 +159,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -209,12 +173,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -227,12 +185,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { @@ -245,12 +197,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } 
@@ -269,12 +215,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -287,12 +227,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -303,12 +237,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { @@ -329,12 +257,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -349,12 +271,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -382,12 +298,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -400,12 +310,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { @@ -416,12 +320,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { @@ -432,18 +330,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } 
@@ -457,12 +353,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -473,12 +363,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -489,12 +373,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -507,12 +385,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { @@ -529,12 +401,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -545,12 +411,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -561,12 +421,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { @@ -577,12 +431,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { @@ -593,12 +441,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -613,12 +455,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { 
@@ -629,12 +465,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -645,12 +475,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { From b39a5061ca20c578b00f4a35cdb05e3098a4c0bb Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 7 Sep 2022 21:26:43 +0000 Subject: [PATCH 3/4] Load Elastic Agent component templates (managed by Security Onion) --- .../tools/sbin/so-elasticsearch-templates-load | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load index e341c3d40..cb727a5d3 100755 --- a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load @@ -1,9 +1,7 @@ #!/bin/bash # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - +# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use +# this file except in compliance with the Elastic License 2.0. {%- set mainint = salt['pillar.get']('host:mainint') %} 
@@ -44,6 +42,11 @@ cd ${ELASTICSEARCH_TEMPLATES}/component/ecs echo "Loading ECS component templates..." for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE-mappings"; so-elasticsearch-query _component_template/$TEMPLATE-mappings -d@$i -XPUT 2>/dev/null; echo; done +cd ${ELASTICSEARCH_TEMPLATES}/component/elastic-agent + +echo "Loading Elastic Agent component templates..." +for i in *; do TEMPLATE=${i::-5}; echo "so-$TEMPLATE"; so-elasticsearch-query _component_template/so-$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done + # Load SO-specific component templates cd ${ELASTICSEARCH_TEMPLATES}/component/so From 86d60e444d483c170e4039a716d593b11e337dcf Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 8 Sep 2022 00:20:22 +0000 Subject: [PATCH 4/4] Add Elastic Agent index/template configuration to defaults file --- salt/elasticsearch/defaults.yaml | 374 +++++++++++++++++++++++++++++++ 1 file changed, 374 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 830d1372c..6fa356c61 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
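Review bot: The new loop derives each component template name with `${i::-5}`, which drops the last five characters of every directory entry regardless of what they are, so a stray non-`.json` file (a backup or a README) would be PUT under a truncated name, and if the preceding `cd` fails the glob expands against the previous `component/ecs` directory and re-uploads the ECS templates under `so-` names. Matching the suffix explicitly is both safer and self-documenting: `for i in *.json; do TEMPLATE=${i%.json}; ...`, and the directory change should be guarded with `cd "${ELASTICSEARCH_TEMPLATES}/component/elastic-agent" || exit 1`, since no `set -e` is visible in this hunk. The `2>/dev/null` on `so-elasticsearch-query` mirrors the ECS loop above it, so a rejected PUT (for example a mapping conflict in one of the generated templates) only shows up as an empty output line; checking the exit status, or at least not discarding stderr, would make a template that fails to load visible at install time. The rest of the script lies outside the hunk.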
@@ -60,6 +60,380 @@ elasticsearch: elasticsearch: deprecation: ERROR index_settings: + so-logs-elastic_agent.apm_server: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.apm_server-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.apm_server@package" + - "so-logs-elastic_agent.apm_server@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.auditbeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.auditbeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.auditbeat@package" + - "so-logs-elastic_agent.auditbeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.cloudbeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.cloudbeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.cloudbeat@package" + - "so-logs-elastic_agent.cloudbeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + 
managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.endpoint_security: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.endpoint_security-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.endpoint_security@package" + - "so-logs-elastic_agent.endpoint_security@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.filebeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.filebeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.filebeat@package" + - "so-logs-elastic_agent.filebeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.fleet_server: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.fleet_server-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.fleet_server@package" + - "so-logs-elastic_agent.fleet_server@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + 
managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.heartbeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.heartbeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.heartbeat@package" + - "so-logs-elastic_agent.heartbeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent@package" + - "so-logs-elastic_agent@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.metricbeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.metricbeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.metricbeat@package" + - "so-logs-elastic_agent.metricbeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + 
hidden: false + allow_custom_routing: false + so-logs-elastic_agent.osquerybeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.osquerybeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.osquerybeat@package" + - "so-logs-elastic_agent.osquerybeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.packetbeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.packetbeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.packetbeat@package" + - "so-logs-elastic_agent.packetbeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false so-aws: warm: 7 close: 30
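Review bot: Every one of the ten new `so-logs-elastic_agent*` stanzas sets `index_sorting: False` and then also declares `settings.index.sort.field: "@timestamp"` / `order: desc`; if `index_sorting` is the switch the Salt state uses to decide whether to emit sort settings, one of the two is redundant or contradicts the other, so a short comment on the first stanza stating which takes effect would save the next maintainer a trip through the template logic. The stanzas carry `_meta.managed_by: fleet` and `managed: true` while the commit series describes them as managed by Security Onion, and all use `priority: 500` with patterns such as `logs-elastic_agent.filebeat-*`; if Fleet also installs its own index template for the same pattern, Elasticsearch rejects a second template with an identical priority and overlapping pattern, so the priority choice should be recorded, e.g. `# priority 500 is chosen to override/co-exist with Fleet's own logs-elastic_agent.* templates; Fleet sees these as fleet-managed via _meta`. The ten blocks differ only in the data-stream name, so a single comment naming the common shape (total_fields limit 5000, composed_of package/custom plus the two `.fleet_*` components, data_stream not hidden) at the top of the group would be cheaper to keep correct than ten copies. The enclosing `index_settings` map starts before this hunk and continues past it.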