From 888145a2ed8a5bb5d5e6859cacd0c22d1babae4d Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Tue, 3 Dec 2024 08:55:43 -0600
Subject: [PATCH 01/69] remove optional integrations from defaults.yaml & soc_elasticsearch.yaml
---
 salt/elasticsearch/defaults.yaml | 8632 ---------------------
 salt/elasticsearch/soc_elasticsearch.yaml | 154 +-
 2 files changed, 3 insertions(+), 8783 deletions(-)
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 9f0d3576c..e7a9a286c 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -1049,2942 +1049,6 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-1password_x_item_usages: - index_sorting: false - index_template: - composed_of: - - logs-1password.item_usages@package - - logs-1password.item_usages@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-1password.item_usages@custom - index_patterns: - - logs-1password.item_usages-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-1password.item_usages-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-1password_x_signin_attempts: - index_sorting: false - index_template: - composed_of: - - logs-1password.signin_attempts@package - - logs-1password.signin_attempts@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-1password.signin_attempts@custom - index_patterns: - - logs-1password.signin_attempts-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-1password.signin_attempts-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-apache_x_access: - index_sorting: false - index_template: - composed_of: - - logs-apache.access@package - - logs-apache.access@custom - - 
so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-apache.access@custom - index_patterns: - - logs-apache.access-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-apache.access-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-apache_x_error: - index_sorting: false - index_template: - composed_of: - - logs-apache.error@package - - logs-apache.error@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-apache.error@custom - index_patterns: - - logs-apache.error-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-apache.error-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-auditd_x_log: - index_sorting: false - index_template: - composed_of: - - logs-auditd.log@package - - logs-auditd.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-auditd.log@custom - index_patterns: - - logs-auditd.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-auditd.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - 
actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-auth0_x_logs: - index_sorting: false - index_template: - composed_of: - - logs-auth0.logs@package - - logs-auth0.logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-auth0.logs@custom - index_patterns: - - logs-auth0.logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-auth0.logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_cloudfront_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.cloudfront_logs@package - - logs-aws.cloudfront_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.cloudfront_logs@custom - index_patterns: - - logs-aws.cloudfront_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.cloudfront_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_cloudtrail: - index_sorting: false 
- index_template: - composed_of: - - logs-aws.cloudtrail@package - - logs-aws.cloudtrail@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.cloudtrail@custom - index_patterns: - - logs-aws.cloudtrail-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.cloudtrail-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_cloudwatch_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.cloudwatch_logs@package - - logs-aws.cloudwatch_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.cloudwatch_logs@custom - index_patterns: - - logs-aws.cloudwatch_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.cloudwatch_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_ec2_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.ec2_logs@package - - logs-aws.ec2_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.ec2_logs@custom - index_patterns: - - logs-aws.ec2_logs-* 
- priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.ec2_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_elb_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.elb_logs@package - - logs-aws.elb_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.elb_logs@custom - index_patterns: - - logs-aws.elb_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.elb_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_firewall_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.firewall_logs@package - - logs-aws.firewall_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.firewall_logs@custom - index_patterns: - - logs-aws.firewall_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.firewall_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - 
set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_guardduty: - index_sorting: false - index_template: - composed_of: - - logs-aws.guardduty@package - - logs-aws.guardduty@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.guardduty@custom - index_patterns: - - logs-aws.guardduty-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.guardduty-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_inspector: - index_sorting: false - index_template: - composed_of: - - logs-aws.inspector@package - - logs-aws.inspector@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.inspector@custom - index_patterns: - - logs-aws.inspector-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.inspector-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_route53_public_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.route53_public_logs@package - - logs-aws.route53_public_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - 
allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.route53_public_logs@custom - index_patterns: - - logs-aws.route53_public_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.route53_public_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_route53_resolver_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.route53_resolver_logs@package - - logs-aws.route53_resolver_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.route53_resolver_logs@custom - index_patterns: - - logs-aws.route53_resolver_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.route53_resolver_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_s3access: - index_sorting: false - index_template: - composed_of: - - logs-aws.s3access@package - - logs-aws.s3access@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.s3access@custom - index_patterns: - - logs-aws.s3access-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.s3access-logs - 
number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_securityhub_findings: - index_sorting: false - index_template: - composed_of: - - logs-aws.securityhub_findings@package - - logs-aws.securityhub_findings@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.securityhub_findings@custom - index_patterns: - - logs-aws.securityhub_findings-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.securityhub_findings-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_securityhub_insights: - index_sorting: false - index_template: - composed_of: - - logs-aws.securityhub_insights@package - - logs-aws.securityhub_insights@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.securityhub_insights@custom - index_patterns: - - logs-aws.securityhub_insights-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.securityhub_insights-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 
50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_vpcflow: - index_sorting: false - index_template: - composed_of: - - logs-aws.vpcflow@package - - logs-aws.vpcflow@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.vpcflow@custom - index_patterns: - - logs-aws.vpcflow-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.vpcflow-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_waf: - index_sorting: false - index_template: - composed_of: - - logs-aws.waf@package - - logs-aws.waf@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.waf@custom - index_patterns: - - logs-aws.waf-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.waf-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_activitylogs: - index_sorting: false - index_template: - composed_of: - - logs-azure.activitylogs@package - - logs-azure.activitylogs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - 
ignore_missing_component_templates: - - logs-azure.activitylogs@custom - index_patterns: - - logs-azure.activitylogs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.activitylogs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_application_gateway: - index_sorting: false - index_template: - composed_of: - - logs-azure.application_gateway@package - - logs-azure.application_gateway@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.application_gateway@custom - index_patterns: - - logs-azure.application_gateway-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.application_gateway-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_auditlogs: - index_sorting: false - index_template: - composed_of: - - logs-azure.auditlogs@package - - logs-azure.auditlogs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.auditlogs@custom - index_patterns: - - logs-azure.auditlogs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.auditlogs-logs - number_of_replicas: 0 - policy: - phases: - cold: - 
actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_eventhub: - index_sorting: false - index_template: - composed_of: - - logs-azure.eventhub@package - - logs-azure.eventhub@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.eventhub@custom - index_patterns: - - logs-azure.eventhub-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.eventhub-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_firewall_logs: - index_sorting: false - index_template: - composed_of: - - logs-azure.firewall_logs@package - - logs-azure.firewall_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.firewall_logs@custom - index_patterns: - - logs-azure.firewall_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.firewall_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - 
so-logs-azure_x_identity_protection: - index_sorting: false - index_template: - composed_of: - - logs-azure.identity_protection@package - - logs-azure.identity_protection@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.identity_protection@custom - index_patterns: - - logs-azure.identity_protection-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.identity_protection-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_platformlogs: - index_sorting: false - index_template: - composed_of: - - logs-azure.platformlogs@package - - logs-azure.platformlogs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.platformlogs@custom - index_patterns: - - logs-azure.platformlogs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.platformlogs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_provisioning: - index_sorting: false - index_template: - composed_of: - - logs-azure.provisioning@package - - logs-azure.provisioning@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: 
false - hidden: false - ignore_missing_component_templates: - - logs-azure.provisioning@custom - index_patterns: - - logs-azure.provisioning-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.provisioning-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_signinlogs: - index_sorting: false - index_template: - composed_of: - - logs-azure.signinlogs@package - - logs-azure.signinlogs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.signinlogs@custom - index_patterns: - - logs-azure.signinlogs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.signinlogs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_springcloudlogs: - index_sorting: false - index_template: - composed_of: - - logs-azure.springcloudlogs@package - - logs-azure.springcloudlogs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.springcloudlogs@custom - index_patterns: - - logs-azure.springcloudlogs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.springcloudlogs-logs - number_of_replicas: 0 - policy: - phases: - 
cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-barracuda_x_waf: - index_sorting: false - index_template: - composed_of: - - logs-barracuda.waf@package - - logs-barracuda.waf@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-barracuda.waf@custom - index_patterns: - - logs-barracuda.waf-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-barracuda.waf-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-barracuda_cloudgen_firewall_x_log: - index_sorting: False - index_template: - ignore_missing_component_templates: - - logs-barracuda_cloudgen_firewall.log@custom - index_patterns: - - "logs-barracuda_cloudgen_firewall.log-*" - template: - settings: - index: - lifecycle: - name: so-logs-barracuda_cloudgen_firewall.log-logs - number_of_replicas: 0 - composed_of: - - "logs-barracuda_cloudgen_firewall.log@package" - - "logs-barracuda_cloudgen_firewall.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 30d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: 
- actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-carbonblack_edr_x_log: - index_sorting: false - index_template: - composed_of: - - logs-carbonblack_edr.log@package - - logs-carbonblack_edr.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-carbonblack_edr.log@custom - index_patterns: - - logs-carbonblack_edr.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-carbonblack_edr.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cef_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cef.log@package - - logs-cef.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cef.log@custom - index_patterns: - - logs-cef.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cef.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-checkpoint_x_firewall: - index_sorting: false - index_template: - composed_of: - - logs-checkpoint.firewall@package - - logs-checkpoint.firewall@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - 
ignore_missing_component_templates: - - logs-checkpoint.firewall@custom - index_patterns: - - logs-checkpoint.firewall-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-checkpoint.firewall-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_asa_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_asa.log@package - - logs-cisco_asa.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_asa.log@custom - index_patterns: - - logs-cisco_asa.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_asa.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_duo_x_admin: - index_sorting: false - index_template: - composed_of: - - logs-cisco_duo.admin@package - - logs-cisco_duo.admin@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_duo.admin@custom - index_patterns: - - logs-cisco_duo.admin-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_duo.admin-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - 
actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_duo_x_auth: - index_sorting: false - index_template: - composed_of: - - logs-cisco_duo.auth@package - - logs-cisco_duo.auth@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_duo.auth@custom - index_patterns: - - logs-cisco_duo.auth-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_duo.auth-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_duo_x_offline_enrollment: - index_sorting: false - index_template: - composed_of: - - logs-cisco_duo.offline_enrollment@package - - logs-cisco_duo.offline_enrollment@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_duo.offline_enrollment@custom - index_patterns: - - logs-cisco_duo.offline_enrollment-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_duo.offline_enrollment-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_duo_x_summary: - 
index_sorting: false - index_template: - composed_of: - - logs-cisco_duo.summary@package - - logs-cisco_duo.summary@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_duo.summary@custom - index_patterns: - - logs-cisco_duo.summary-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_duo.summary-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_duo_x_telephony: - index_sorting: false - index_template: - composed_of: - - logs-cisco_duo.telephony@package - - logs-cisco_duo.telephony@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_duo.telephony@custom - index_patterns: - - logs-cisco_duo.telephony-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_duo.telephony-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_ftd_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_ftd.log@package - - logs-cisco_ftd.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_ftd.log@custom - 
index_patterns: - - logs-cisco_ftd.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_ftd.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_ios_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_ios.log@package - - logs-cisco_ios.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_ios.log@custom - index_patterns: - - logs-cisco_ios.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_ios.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_ise_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_ise.log@package - - logs-cisco_ise.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_ise.log@custom - index_patterns: - - logs-cisco_ise.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_ise.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - 
max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_meraki_x_events: - index_sorting: false - index_template: - composed_of: - - logs-cisco_meraki.events@package - - logs-cisco_meraki.events@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_meraki.events@custom - index_patterns: - - logs-cisco_meraki.events-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_meraki.events-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_meraki_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_meraki.log@package - - logs-cisco_meraki.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_meraki.log@custom - index_patterns: - - logs-cisco_meraki.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_meraki.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_secure_email_gateway_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_secure_email_gateway.log@package - - 
logs-cisco_secure_email_gateway.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-cisco_secure_email_gateway.log@custom - index_patterns: - - logs-cisco_secure_email_gateway.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_secure_email_gateway.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_umbrella_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_umbrella.log@package - - logs-cisco_umbrella.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_umbrella.log@custom - index_patterns: - - logs-cisco_umbrella.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_umbrella.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-citrix_adc_x_interface: - index_sorting: false - index_template: - composed_of: - - logs-citrix_adc.interface@package - - logs-citrix_adc.interface@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_adc.interface@custom - index_patterns: - 
- logs-citrix_adc.interface-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-citrix_adc.interface-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-citrix_adc_x_lbvserver: - index_sorting: false - index_template: - composed_of: - - logs-citrix_adc.lbvserver@package - - logs-citrix_adc.lbvserver@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_adc.lbvserver@custom - index_patterns: - - logs-citrix_adc.lbvserver-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-citrix_adc.lbvserver-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-citrix_adc_x_service: - index_sorting: false - index_template: - composed_of: - - logs-citrix_adc.service@package - - logs-citrix_adc.service@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_adc.service@custom - index_patterns: - - logs-citrix_adc.service-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-citrix_adc.service-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 
365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-citrix_adc_x_system: - index_sorting: false - index_template: - composed_of: - - logs-citrix_adc.system@package - - logs-citrix_adc.system@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_adc.system@custom - index_patterns: - - logs-citrix_adc.system-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-citrix_adc.system-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-citrix_adc_x_vpn: - index_sorting: false - index_template: - composed_of: - - logs-citrix_adc.vpn@package - - logs-citrix_adc.vpn@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_adc.vpn@custom - index_patterns: - - logs-citrix_adc.vpn-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-citrix_adc.vpn-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-citrix_waf_x_log: - index_sorting: false - index_template: - composed_of: - - logs-citrix_waf.log@package - - 
logs-citrix_waf.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_waf.log@custom - index_patterns: - - logs-citrix_waf.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-citrix_waf.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cloudflare_x_audit: - index_sorting: false - index_template: - composed_of: - - logs-cloudflare.audit@package - - logs-cloudflare.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cloudflare.audit@custom - index_patterns: - - logs-cloudflare.audit-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cloudflare.audit-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cloudflare_x_logpull: - index_sorting: false - index_template: - composed_of: - - logs-cloudflare.logpull@package - - logs-cloudflare.logpull@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cloudflare.logpull@custom - index_patterns: - - logs-cloudflare.logpull-* - priority: 501 - template: - settings: - index: - 
lifecycle: - name: so-logs-cloudflare.logpull-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-crowdstrike_x_alert: - index_sorting: False - index_template: - index_patterns: - - logs-crowdstrike.alert-* - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - logs-crowdstrike.alert@package - - logs-crowdstrike.alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-crowdstrike.alert@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-crowdstrike_x_falcon: - index_sorting: False - index_template: - index_patterns: - - logs-crowdstrike.falcon-* - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - logs-crowdstrike.falcon@package - - logs-crowdstrike.falcon@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-crowdstrike.falcon@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - 
so-logs-crowdstrike_x_fdr: - index_sorting: False - index_template: - index_patterns: - - logs-crowdstrike.fdr-* - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - logs-crowdstrike.fdr@package - - logs-crowdstrike.fdr@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-crowdstrike.fdr@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-crowdstrike_x_host: - index_sorting: False - index_template: - index_patterns: - - logs-crowdstrike.host-* - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - logs-crowdstrike.host@package - - logs-crowdstrike.host@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-crowdstrike.host@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-darktrace_x_ai_analyst_alert: - index_sorting: false - index_template: - composed_of: - - logs-darktrace.ai_analyst_alert@package - - logs-darktrace.ai_analyst_alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-darktrace.ai_analyst_alert@custom - index_patterns: - - 
logs-darktrace.ai_analyst_alert-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-darktrace.ai_analyst_alert-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-darktrace_x_model_breach_alert: - index_sorting: false - index_template: - composed_of: - - logs-darktrace.model_breach_alert@package - - logs-darktrace.model_breach_alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-darktrace.model_breach_alert@custom - index_patterns: - - logs-darktrace.model_breach_alert-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-darktrace.model_breach_alert-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-darktrace_x_system_status_alert: - index_sorting: false - index_template: - composed_of: - - logs-darktrace.system_status_alert@package - - logs-darktrace.system_status_alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-darktrace.system_status_alert@custom - index_patterns: - - logs-darktrace.system_status_alert-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-darktrace.system_status_alert-logs - number_of_replicas: 0 - 
policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-logs-detections_x_alerts: index_sorting: false index_template: 
@@ -5230,1478 +2294,6 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-f5_bigip_x_log: - index_sorting: false - index_template: - composed_of: - - logs-f5_bigip.log@package - - logs-f5_bigip.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-f5_bigip.log@custom - index_patterns: - - logs-f5_bigip.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-f5_bigip.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fim_x_event: - index_sorting: false - index_template: - composed_of: - - logs-fim.event@package - - logs-fim.event@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-fim.event@custom - index_patterns: - - logs-fim.event-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fim.event-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fireeye_x_nx: - index_sorting: false - index_template: - composed_of: - - logs-fireeye.nx@package - - logs-fireeye.nx@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - 
logs-fireeye.nx@custom - index_patterns: - - logs-fireeye.nx-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fireeye.nx-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fortinet_fortigate_x_log: - index_sorting: false - index_template: - composed_of: - - logs-fortinet_fortigate.log@package - - logs-fortinet_fortigate.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-fortinet_fortigate.log@custom - index_patterns: - - logs-fortinet_fortigate.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fortinet_fortigate.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fortinet_x_clientendpoint: - index_sorting: false - index_template: - composed_of: - - logs-fortinet.clientendpoint@package - - logs-fortinet.clientendpoint@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-fortinet.clientendpoint@custom - index_patterns: - - logs-fortinet.clientendpoint-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fortinet.clientendpoint-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 
0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fortinet_x_firewall: - index_sorting: false - index_template: - composed_of: - - logs-fortinet.firewall@package - - logs-fortinet.firewall@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-fortinet.firewall@custom - index_patterns: - - logs-fortinet.firewall-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fortinet.firewall-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fortinet_x_fortimail: - index_sorting: false - index_template: - composed_of: - - logs-fortinet.fortimail@package - - logs-fortinet.fortimail@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-fortinet.fortimail@custom - index_patterns: - - logs-fortinet.fortimail-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fortinet.fortimail-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fortinet_x_fortimanager: - index_sorting: 
false - index_template: - composed_of: - - logs-fortinet.fortimanager@package - - logs-fortinet.fortimanager@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-fortinet.fortimanager@custom - index_patterns: - - logs-fortinet.fortimanager-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fortinet.fortimanager-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-gcp_x_audit: - index_sorting: false - index_template: - composed_of: - - logs-gcp.audit@package - - logs-gcp.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-gcp.audit@custom - index_patterns: - - logs-gcp.audit-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-gcp.audit-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-gcp_x_dns: - index_sorting: false - index_template: - composed_of: - - logs-gcp.dns@package - - logs-gcp.dns@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-gcp.dns@custom - index_patterns: - - logs-gcp.dns-* - priority: 501 - template: - settings: - 
index: - lifecycle: - name: so-logs-gcp.dns-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-gcp_x_firewall: - index_sorting: false - index_template: - composed_of: - - logs-gcp.firewall@package - - logs-gcp.firewall@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-gcp.firewall@custom - index_patterns: - - logs-gcp.firewall-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-gcp.firewall-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-gcp_x_loadbalancing_logs: - index_sorting: false - index_template: - composed_of: - - logs-gcp.loadbalancing_logs@package - - logs-gcp.loadbalancing_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-gcp.loadbalancing_logs@custom - index_patterns: - - logs-gcp.loadbalancing_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-gcp.loadbalancing_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 
100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-gcp_x_vpcflow: - index_sorting: false - index_template: - composed_of: - - logs-gcp.vpcflow@package - - logs-gcp.vpcflow@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-gcp.vpcflow@custom - index_patterns: - - logs-gcp.vpcflow-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-gcp.vpcflow-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-github_x_audit: - index_sorting: false - index_template: - composed_of: - - logs-github.audit@package - - logs-github.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-github.audit@custom - index_patterns: - - logs-github.audit-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-github.audit-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-github_x_code_scanning: - index_sorting: false - index_template: - composed_of: - - logs-github.code_scanning@package - - logs-github.code_scanning@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - 
ignore_missing_component_templates: - - logs-github.code_scanning@custom - index_patterns: - - logs-github.code_scanning-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-github.code_scanning-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-github_x_dependabot: - index_sorting: false - index_template: - composed_of: - - logs-github.dependabot@package - - logs-github.dependabot@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-github.dependabot@custom - index_patterns: - - logs-github.dependabot-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-github.dependabot-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-github_x_issues: - index_sorting: false - index_template: - composed_of: - - logs-github.issues@package - - logs-github.issues@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-github.issues@custom - index_patterns: - - logs-github.issues-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-github.issues-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - 
delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-github_x_secret_scanning: - index_sorting: false - index_template: - composed_of: - - logs-github.secret_scanning@package - - logs-github.secret_scanning@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-github.secret_scanning@custom - index_patterns: - - logs-github.secret_scanning-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-github.secret_scanning-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_access_transparency: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.access_transparency@package - - logs-google_workspace.access_transparency@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.access_transparency@custom - index_patterns: - - logs-google_workspace.access_transparency-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.access_transparency-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 
0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_admin: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.admin@package - - logs-google_workspace.admin@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.admin@custom - index_patterns: - - logs-google_workspace.admin-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.admin-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_alert: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.alert@package - - logs-google_workspace.alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.alert@custom - index_patterns: - - logs-google_workspace.alert-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.alert-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_context_aware_access: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.context_aware_access@package - - 
logs-google_workspace.context_aware_access@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.context_aware_access@custom - index_patterns: - - logs-google_workspace.context_aware_access-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.context_aware_access-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_device: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.device@package - - logs-google_workspace.device@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.device@custom - index_patterns: - - logs-google_workspace.device-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.device-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_drive: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.drive@package - - logs-google_workspace.drive@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - 
ignore_missing_component_templates: - - logs-google_workspace.drive@custom - index_patterns: - - logs-google_workspace.drive-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.drive-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_gcp: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.gcp@package - - logs-google_workspace.gcp@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.gcp@custom - index_patterns: - - logs-google_workspace.gcp-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.gcp-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_group_enterprise: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.group_enterprise@package - - logs-google_workspace.group_enterprise@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.group_enterprise@custom - index_patterns: - - logs-google_workspace.group_enterprise-* - priority: 501 - template: - settings: - index: - lifecycle: - name: 
so-logs-google_workspace.group_enterprise-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_groups: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.groups@package - - logs-google_workspace.groups@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.groups@custom - index_patterns: - - logs-google_workspace.groups-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.groups-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_login: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.login@package - - logs-google_workspace.login@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.login@custom - index_patterns: - - logs-google_workspace.login-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.login-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 
30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_rules: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.rules@package - - logs-google_workspace.rules@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.rules@custom - index_patterns: - - logs-google_workspace.rules-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.rules-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_saml: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.saml@package - - logs-google_workspace.saml@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.saml@custom - index_patterns: - - logs-google_workspace.saml-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.saml-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_token: - index_sorting: false - index_template: - composed_of: - - 
logs-google_workspace.token@package - - logs-google_workspace.token@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.token@custom - index_patterns: - - logs-google_workspace.token-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.token-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_user_accounts: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.user_accounts@package - - logs-google_workspace.user_accounts@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.user_accounts@custom - index_patterns: - - logs-google_workspace.user_accounts-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.user_accounts-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-logs-http_endpoint_x_generic: index_sorting: false index_template: 
@@ -6795,1524 +2387,6 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-iis_x_access: - index_sorting: false - index_template: - composed_of: - - logs-iis.access@package - - logs-iis.access@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-iis.access@custom - index_patterns: - - logs-iis.access-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-iis.access-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-iis_x_error: - index_sorting: false - index_template: - composed_of: - - logs-iis.error@package - - logs-iis.error@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-iis.error@custom - index_patterns: - - logs-iis.error-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-iis.error-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-imperva_cloud_waf_x_event: - index_sorting: False - index_template: - ignore_missing_component_templates: - - logs-imperva_cloud_waf.event@custom - index_patterns: - - "logs-imperva_cloud_waf.event-*" - template: - settings: - index: - lifecycle: - name: so-logs-imperva_cloud_waf.event-logs - number_of_replicas: 
0 - composed_of: - - "logs-imperva_cloud_waf.event@package" - - "logs-imperva_cloud_waf.event@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 30d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-juniper_srx_x_log: - index_sorting: false - index_template: - composed_of: - - logs-juniper_srx.log@package - - logs-juniper_srx.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-juniper_srx.log@custom - index_patterns: - - logs-juniper_srx.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-juniper_srx.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-juniper_x_junos: - index_sorting: false - index_template: - composed_of: - - logs-juniper.junos@package - - logs-juniper.junos@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-juniper.junos@custom - index_patterns: - - logs-juniper.junos-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-juniper.junos-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - 
delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-juniper_x_netscreen: - index_sorting: false - index_template: - composed_of: - - logs-juniper.netscreen@package - - logs-juniper.netscreen@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-juniper.netscreen@custom - index_patterns: - - logs-juniper.netscreen-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-juniper.netscreen-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-juniper_x_srx: - index_sorting: false - index_template: - composed_of: - - logs-juniper.srx@package - - logs-juniper.srx@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-juniper.srx@custom - index_patterns: - - logs-juniper.srx-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-juniper.srx-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-kafka_log_x_generic: - index_sorting: false - index_template: - composed_of: - - logs-kafka_log.generic@package - - 
logs-kafka_log.generic@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-kafka_log.generic@custom - index_patterns: - - logs-kafka_log.generic-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-kafka_log.generic-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-lastpass_x_detailed_shared_folder: - index_sorting: false - index_template: - composed_of: - - logs-lastpass.detailed_shared_folder@package - - logs-lastpass.detailed_shared_folder@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-lastpass.detailed_shared_folder@custom - index_patterns: - - logs-lastpass.detailed_shared_folder-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-lastpass.detailed_shared_folder-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-lastpass_x_event_report: - index_sorting: false - index_template: - composed_of: - - logs-lastpass.event_report@package - - logs-lastpass.event_report@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - 
logs-lastpass.event_report@custom - index_patterns: - - logs-lastpass.event_report-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-lastpass.event_report-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-lastpass_x_user: - index_sorting: false - index_template: - composed_of: - - logs-lastpass.user@package - - logs-lastpass.user@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-lastpass.user@custom - index_patterns: - - logs-lastpass.user-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-lastpass.user-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-m365_defender_x_event: - index_sorting: false - index_template: - composed_of: - - logs-m365_defender.event@package - - logs-m365_defender.event@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-m365_defender.event@custom - index_patterns: - - logs-m365_defender.event-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-m365_defender.event-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - 
delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-m365_defender_x_incident: - index_sorting: false - index_template: - composed_of: - - logs-m365_defender.incident@package - - logs-m365_defender.incident@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-m365_defender.incident@custom - index_patterns: - - logs-m365_defender.incident-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-m365_defender.incident-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-m365_defender_x_log: - index_sorting: false - index_template: - composed_of: - - logs-m365_defender.log@package - - logs-m365_defender.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-m365_defender.log@custom - index_patterns: - - logs-m365_defender.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-m365_defender.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-microsoft_defender_endpoint_x_log: - index_sorting: false 
- index_template: - composed_of: - - logs-microsoft_defender_endpoint.log@package - - logs-microsoft_defender_endpoint.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-microsoft_defender_endpoint.log@custom - index_patterns: - - logs-microsoft_defender_endpoint.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-microsoft_defender_endpoint.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-microsoft_dhcp_x_log: - index_sorting: false - index_template: - composed_of: - - logs-microsoft_dhcp.log@package - - logs-microsoft_dhcp.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-microsoft_dhcp.log@custom - index_patterns: - - logs-microsoft_dhcp.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-microsoft_dhcp.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-microsoft_sqlserver_x_audit: - index_sorting: false - index_template: - composed_of: - - logs-microsoft_sqlserver.audit@package - - logs-microsoft_sqlserver.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - 
hidden: false - ignore_missing_component_templates: - - logs-microsoft_sqlserver.audit@custom - index_patterns: - - logs-microsoft_sqlserver.audit-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-microsoft_sqlserver.audit-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-microsoft_sqlserver_x_log: - index_sorting: false - index_template: - composed_of: - - logs-microsoft_sqlserver.log@package - - logs-microsoft_sqlserver.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-microsoft_sqlserver.log@custom - index_patterns: - - logs-microsoft_sqlserver.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-microsoft_sqlserver.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_audit_events: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.audit_events@package - - logs-mimecast.audit_events@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.audit_events@custom - index_patterns: - - logs-mimecast.audit_events-* - priority: 501 - template: - settings: - index: - lifecycle: - name: 
so-logs-mimecast.audit_events-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_dlp_logs: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.dlp_logs@package - - logs-mimecast.dlp_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.dlp_logs@custom - index_patterns: - - logs-mimecast.dlp_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.dlp_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_siem_logs: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.siem_logs@package - - logs-mimecast.siem_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.siem_logs@custom - index_patterns: - - logs-mimecast.siem_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.siem_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - 
min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_threat_intel_malware_customer: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.threat_intel_malware_customer@package - - logs-mimecast.threat_intel_malware_customer@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.threat_intel_malware_customer@custom - index_patterns: - - logs-mimecast.threat_intel_malware_customer-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.threat_intel_malware_customer-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_threat_intel_malware_grid: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.threat_intel_malware_grid@package - - logs-mimecast.threat_intel_malware_grid@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.threat_intel_malware_grid@custom - index_patterns: - - logs-mimecast.threat_intel_malware_grid-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.threat_intel_malware_grid-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - 
so-logs-mimecast_x_ttp_ap_logs: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.ttp_ap_logs@package - - logs-mimecast.ttp_ap_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.ttp_ap_logs@custom - index_patterns: - - logs-mimecast.ttp_ap_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.ttp_ap_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_ttp_ip_logs: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.ttp_ip_logs@package - - logs-mimecast.ttp_ip_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.ttp_ip_logs@custom - index_patterns: - - logs-mimecast.ttp_ip_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.ttp_ip_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_ttp_url_logs: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.ttp_url_logs@package - - logs-mimecast.ttp_url_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - 
hidden: false - ignore_missing_component_templates: - - logs-mimecast.ttp_url_logs@custom - index_patterns: - - logs-mimecast.ttp_url_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.ttp_url_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mysql_x_error: - index_sorting: false - index_template: - composed_of: - - logs-mysql.error@package - - logs-mysql.error@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mysql.error@custom - index_patterns: - - logs-mysql.error-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mysql.error-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mysql_x_slowlog: - index_sorting: false - index_template: - composed_of: - - logs-mysql.slowlog@package - - logs-mysql.slowlog@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mysql.slowlog@custom - index_patterns: - - logs-mysql.slowlog-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mysql.slowlog-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - 
actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-netflow_x_log: - index_sorting: false - index_template: - composed_of: - - logs-netflow.log@package - - logs-netflow.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-netflow.log@custom - index_patterns: - - logs-netflow.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-netflow.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-nginx_x_access: - index_sorting: false - index_template: - composed_of: - - logs-nginx.access@package - - logs-nginx.access@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-nginx.access@custom - index_patterns: - - logs-nginx.access-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-nginx.access-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-nginx_x_error: - index_sorting: false - index_template: - composed_of: - - logs-nginx.error@package - - logs-nginx.error@custom - - 
so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-nginx.error@custom - index_patterns: - - logs-nginx.error-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-nginx.error-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-o365_x_audit: - index_sorting: false - index_template: - composed_of: - - logs-o365.audit@package - - logs-o365.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-o365.audit@custom - index_patterns: - - logs-o365.audit-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-o365.audit-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-okta_x_system: - index_sorting: false - index_template: - composed_of: - - logs-okta.system@package - - logs-okta.system@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-okta.system@custom - index_patterns: - - logs-okta.system-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-okta.system-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - 
set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-logs-osquery-manager-action_x_responses: index_sorting: false index_template: 
@@ -8349,696 +2423,6 @@ elasticsearch: settings: index: number_of_replicas: 0 - so-logs-panw_x_panos: - index_sorting: false - index_template: - composed_of: - - logs-panw.panos@package - - logs-panw.panos@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-panw.panos@custom - index_patterns: - - logs-panw.panos-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-panw.panos-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-pfsense_x_log: - index_sorting: false - index_template: - composed_of: - - logs-pfsense.log@package - - logs-pfsense.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-pfsense.log@custom - index_patterns: - - logs-pfsense.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-pfsense.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-proofpoint_tap_x_clicks_blocked: - index_sorting: false - index_template: - composed_of: - - logs-proofpoint_tap.clicks_blocked@package - - logs-proofpoint_tap.clicks_blocked@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false 
- ignore_missing_component_templates: - - logs-proofpoint_tap.clicks_blocked@custom - index_patterns: - - logs-proofpoint_tap.clicks_blocked-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-proofpoint_tap.clicks_blocked-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-proofpoint_tap_x_clicks_permitted: - index_sorting: false - index_template: - composed_of: - - logs-proofpoint_tap.clicks_permitted@package - - logs-proofpoint_tap.clicks_permitted@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-proofpoint_tap.clicks_permitted@custom - index_patterns: - - logs-proofpoint_tap.clicks_permitted-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-proofpoint_tap.clicks_permitted-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-proofpoint_tap_x_message_blocked: - index_sorting: false - index_template: - composed_of: - - logs-proofpoint_tap.message_blocked@package - - logs-proofpoint_tap.message_blocked@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-proofpoint_tap.message_blocked@custom - index_patterns: - - logs-proofpoint_tap.message_blocked-* - 
priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-proofpoint_tap.message_blocked-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-proofpoint_tap_x_message_delivered: - index_sorting: false - index_template: - composed_of: - - logs-proofpoint_tap.message_delivered@package - - logs-proofpoint_tap.message_delivered@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-proofpoint_tap.message_delivered@custom - index_patterns: - - logs-proofpoint_tap.message_delivered-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-proofpoint_tap.message_delivered-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-pulse_connect_secure_x_log: - index_sorting: false - index_template: - composed_of: - - logs-pulse_connect_secure.log@package - - logs-pulse_connect_secure.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-pulse_connect_secure.log@custom - index_patterns: - - logs-pulse_connect_secure.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-pulse_connect_secure.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - 
set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-sentinel_one_x_activity: - index_sorting: false - index_template: - composed_of: - - logs-sentinel_one.activity@package - - logs-sentinel_one.activity@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-sentinel_one.activity@custom - index_patterns: - - logs-sentinel_one.activity-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-sentinel_one.activity-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-sentinel_one_x_agent: - index_sorting: false - index_template: - composed_of: - - logs-sentinel_one.agent@package - - logs-sentinel_one.agent@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-sentinel_one.agent@custom - index_patterns: - - logs-sentinel_one.agent-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-sentinel_one.agent-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - 
so-logs-sentinel_one_x_alert: - index_sorting: false - index_template: - composed_of: - - logs-sentinel_one.alert@package - - logs-sentinel_one.alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-sentinel_one.alert@custom - index_patterns: - - logs-sentinel_one.alert-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-sentinel_one.alert-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-sentinel_one_x_group: - index_sorting: false - index_template: - composed_of: - - logs-sentinel_one.group@package - - logs-sentinel_one.group@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-sentinel_one.group@custom - index_patterns: - - logs-sentinel_one.group-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-sentinel_one.group-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-sentinel_one_x_threat: - index_sorting: false - index_template: - composed_of: - - logs-sentinel_one.threat@package - - logs-sentinel_one.threat@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - 
ignore_missing_component_templates: - - logs-sentinel_one.threat@custom - index_patterns: - - logs-sentinel_one.threat-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-sentinel_one.threat-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-snort_x_log: - index_sorting: false - index_template: - composed_of: - - logs-snort.log@package - - logs-snort.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-snort.log@custom - index_patterns: - - logs-snort.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-snort.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-snyk_x_audit: - index_sorting: false - index_template: - composed_of: - - logs-snyk.audit@package - - logs-snyk.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-snyk.audit@custom - index_patterns: - - logs-snyk.audit-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-snyk.audit-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - 
rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-snyk_x_vulnerabilities: - index_sorting: false - index_template: - composed_of: - - logs-snyk.vulnerabilities@package - - logs-snyk.vulnerabilities@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-snyk.vulnerabilities@custom - index_patterns: - - logs-snyk.vulnerabilities-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-snyk.vulnerabilities-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-logs-soc: close: 30 delete: 365 
@@ -9147,282 +2531,6 @@ elasticsearch: priority: 50 min_age: 30d warm: 7 - so-logs-sonicwall_firewall_x_log: - index_sorting: false - index_template: - composed_of: - - logs-sonicwall_firewall.log@package - - logs-sonicwall_firewall.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-sonicwall_firewall.log@custom - index_patterns: - - logs-sonicwall_firewall.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-sonicwall_firewall.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-sophos_central_x_alert: - index_sorting: false - index_template: - composed_of: - - logs-sophos_central.alert@package - - logs-sophos_central.alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-sophos_central.alert@custom - index_patterns: - - logs-sophos_central.alert-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-sophos_central.alert-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-sophos_central_x_event: - index_sorting: false - index_template: - composed_of: - - logs-sophos_central.event@package - - logs-sophos_central.event@custom - - so-fleet_globals-1 - - 
so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-sophos_central.event@custom - index_patterns: - - logs-sophos_central.event-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-sophos_central.event-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-sophos_x_utm: - index_sorting: false - index_template: - composed_of: - - logs-sophos.utm@package - - logs-sophos.utm@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-sophos.utm@custom - index_patterns: - - logs-sophos.utm-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-sophos.utm-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-sophos_x_xg: - index_sorting: false - index_template: - composed_of: - - logs-sophos.xg@package - - logs-sophos.xg@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-sophos.xg@custom - index_patterns: - - logs-sophos.xg-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-sophos.xg-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - 
priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-symantec_endpoint_x_log: - index_sorting: false - index_template: - composed_of: - - logs-symantec_endpoint.log@package - - logs-symantec_endpoint.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-symantec_endpoint.log@custom - index_patterns: - - logs-symantec_endpoint.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-symantec_endpoint.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-logs-system_x_application: index_sorting: false index_template: 
@@ -9663,1286 +2771,6 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-tenable_io_x_asset: - index_sorting: False - index_template: - index_patterns: - - "logs-tenable_io.asset-*" - template: - settings: - index: - lifecycle: - name: so-logs-tenable_io.asset-logs - number_of_replicas: 0 - composed_of: - - "logs-tenable_io.asset@package" - - "logs-tenable_io.asset@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-tenable_io.asset@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 30d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-tenable_io_x_plugin: - index_sorting: False - index_template: - index_patterns: - - "logs-tenable_io.plugin-*" - template: - settings: - index: - lifecycle: - name: so-logs-tenable_io.plugin-logs - number_of_replicas: 0 - composed_of: - - "logs-tenable_io.plugin@package" - - "logs-tenable_io.plugin@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-tenable_io.plugin@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 30d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-tenable_io_x_scan: - index_sorting: False - index_template: - index_patterns: - - "logs-tenable_io.scan-*" - template: - settings: - index: - lifecycle: - name: so-logs-tenable_io.scan-logs - 
number_of_replicas: 0 - composed_of: - - "logs-tenable_io.scan@package" - - "logs-tenable_io.scan@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-tenable_io.scan@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 30d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-tenable_io_x_vulnerability: - index_sorting: False - index_template: - index_patterns: - - "logs-tenable_io.vulnerability-*" - template: - settings: - index: - lifecycle: - name: so-logs-tenable_io.vulnerability-logs - number_of_replicas: 0 - composed_of: - - "logs-tenable_io.vulnerability@package" - - "logs-tenable_io.vulnerability@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-tenable_io.vulnerability@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 30d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-tenable_sc_x_asset: - index_sorting: false - index_template: - composed_of: - - logs-tenable_sc.asset@package - - logs-tenable_sc.asset@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-tenable_sc.asset@custom - index_patterns: - - logs-tenable_sc.asset-* - priority: 501 - template: - settings: - index: - lifecycle: - name: 
so-logs-tenable_sc.asset-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-tenable_sc_x_plugin: - index_sorting: false - index_template: - composed_of: - - logs-tenable_sc.plugin@package - - logs-tenable_sc.plugin@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-tenable_sc.plugin@custom - index_patterns: - - logs-tenable_sc.plugin-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-tenable_sc.plugin-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-tenable_sc_x_vulnerability: - index_sorting: false - index_template: - composed_of: - - logs-tenable_sc.vulnerability@package - - logs-tenable_sc.vulnerability@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-tenable_sc.vulnerability@custom - index_patterns: - - logs-tenable_sc.vulnerability-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-tenable_sc.vulnerability-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - 
set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_abusech_x_malware: - index_sorting: false - index_template: - composed_of: - - logs-ti_abusech.malware@package - - logs-ti_abusech.malware@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_abusech.malware@custom - index_patterns: - - logs-ti_abusech.malware-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_abusech.malware-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_abusech_x_malwarebazaar: - index_sorting: false - index_template: - composed_of: - - logs-ti_abusech.malwarebazaar@package - - logs-ti_abusech.malwarebazaar@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_abusech.malwarebazaar@custom - index_patterns: - - logs-ti_abusech.malwarebazaar-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_abusech.malwarebazaar-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_abusech_x_threatfox: - index_sorting: false - index_template: - composed_of: - - logs-ti_abusech.threatfox@package - - 
logs-ti_abusech.threatfox@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_abusech.threatfox@custom - index_patterns: - - logs-ti_abusech.threatfox-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_abusech.threatfox-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_abusech_x_url: - index_sorting: false - index_template: - composed_of: - - logs-ti_abusech.url@package - - logs-ti_abusech.url@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_abusech.url@custom - index_patterns: - - logs-ti_abusech.url-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_abusech.url-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_anomali_x_threatstream: - index_sorting: false - index_template: - composed_of: - - logs-ti_anomali.threatstream@package - - logs-ti_anomali.threatstream@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_anomali.threatstream@custom - index_patterns: - - logs-ti_anomali.threatstream-* - priority: 501 - 
template: - settings: - index: - lifecycle: - name: so-logs-ti_anomali.threatstream-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_cybersixgill_x_threat: - index_sorting: false - index_template: - composed_of: - - logs-ti_cybersixgill.threat@package - - logs-ti_cybersixgill.threat@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_cybersixgill.threat@custom - index_patterns: - - logs-ti_cybersixgill.threat-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_cybersixgill.threat-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_misp_x_threat: - index_sorting: false - index_template: - composed_of: - - logs-ti_misp.threat@package - - logs-ti_misp.threat@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_misp.threat@custom - index_patterns: - - logs-ti_misp.threat-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_misp.threat-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - 
max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_misp_x_threat_attributes: - index_sorting: false - index_template: - composed_of: - - logs-ti_misp.threat_attributes@package - - logs-ti_misp.threat_attributes@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_misp.threat_attributes@custom - index_patterns: - - logs-ti_misp.threat_attributes-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_misp.threat_attributes-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_otx_x_pulses_subscribed: - index_sorting: false - index_template: - composed_of: - - logs-ti_otx.pulses_subscribed@package - - logs-ti_otx.pulses_subscribed@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_otx.pulses_subscribed@custom - index_patterns: - - logs-ti_otx.pulses_subscribed-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_otx.pulses_subscribed-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_otx_x_threat: - index_sorting: false - index_template: - composed_of: 
- - logs-ti_otx.threat@package - - logs-ti_otx.threat@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_otx.threat@custom - index_patterns: - - logs-ti_otx.threat-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_otx.threat-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_rapid7_threat_command_x_alert: - index_sorting: false - index_template: - composed_of: - - logs-ti_rapid7_threat_command.alert@package - - logs-ti_rapid7_threat_command.alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-ti_rapid7_threat_command.alert@custom - index_patterns: - - logs-ti_rapid7_threat_command.alert-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_rapid7_threat_command.alert-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_rapid7_threat_command_x_ioc: - index_sorting: false - index_template: - composed_of: - - logs-ti_rapid7_threat_command.ioc@package - - logs-ti_rapid7_threat_command.ioc@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - hidden: false - allow_custom_routing: false - 
ignore_missing_component_templates: - - logs-ti_rapid7_threat_command.ioc@custom - index_patterns: - - logs-ti_rapid7_threat_command.ioc-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_rapid7_threat_command.ioc-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_rapid7_threat_command_x_vulnerability: - index_sorting: false - index_template: - composed_of: - - logs-ti_rapid7_threat_command.vulnerability@package - - logs-ti_rapid7_threat_command.vulnerability@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-ti_rapid7_threat_command.vulnerability@custom - index_patterns: - - logs-ti_rapid7_threat_command.vulnerability-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_rapid7_threat_command.vulnerability-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_recordedfuture_x_latest_ioc-template: - index_sorting: false - index_template: - composed_of: - - logs-ti_recordedfuture.latest_ioc-template@package - - logs-ti_recordedfuture.latest_ioc-template@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_recordedfuture.latest_ioc-template@custom - 
index_patterns: - - logs-ti_recordedfuture.latest_ioc-template-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_recordedfuture.latest_ioc-template-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_recordedfuture_x_threat: - index_sorting: false - index_template: - composed_of: - - logs-ti_recordedfuture.threat@package - - logs-ti_recordedfuture.threat@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_recordedfuture.threat@custom - index_patterns: - - logs-ti_recordedfuture.threat-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_recordedfuture.threat-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_threatq_x_threat: - index_sorting: false - index_template: - composed_of: - - logs-ti_threatq.threat@package - - logs-ti_threatq.threat@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_threatq.threat@custom - index_patterns: - - logs-ti_threatq.threat-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_threatq.threat-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - 
priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-trend_micro_vision_one_x_alert: - index_sorting: False - index_template: - index_patterns: - - "logs-trend_micro_vision_one.alert-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-trend_micro_vision_one.alert@package" - - "logs-trend_micro_vision_one.alert@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - ignore_missing_component_templates: - - "logs-trend_micro_vision_one.alert@custom" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-trend_micro_vision_one_x_audit: - index_sorting: False - index_template: - index_patterns: - - "logs-trend_micro_vision_one.audit-*" - template: - settings: - index: - number_of_replicas: 0 - ignore_missing_component_templates: - - "logs-trend_micro_vision_one.audit@custom" - composed_of: - - "logs-trend_micro_vision_one.audit@package" - - "logs-trend_micro_vision_one.audit@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - 
so-logs-trend_micro_vision_one_x_detection: - index_sorting: False - index_template: - index_patterns: - - "logs-trend_micro_vision_one.detection-*" - template: - settings: - index: - number_of_replicas: 0 - ignore_missing_component_templates: - - "logs-trend_micro_vision_one.detection@custom" - composed_of: - - "logs-trend_micro_vision_one.detection@package" - - "logs-trend_micro_vision_one.detection@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-trendmicro_x_deep_security: - index_sorting: False - index_template: - index_patterns: - - "logs-trendmicro.deep_security-*" - template: - settings: - index: - number_of_replicas: 0 - ignore_missing_component_templates: - - "logs-trendmicro.deep_security@custom" - composed_of: - - "logs-trendmicro.deep_security@package" - - "logs-trendmicro.deep_security@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-vsphere_x_log: - index_sorting: false - index_template: - composed_of: - - logs-vsphere.log@package - - logs-vsphere.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - 
ignore_missing_component_templates: - - logs-vsphere.log@custom - index_patterns: - - logs-vsphere.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-vsphere.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-logs-windows_x_forwarded: index_sorting: false index_template: 
@@ -11174,466 +3002,6 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-zscaler_zia_x_alerts: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zia.alerts@package - - logs-zscaler_zia.alerts@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zia.alerts@custom - index_patterns: - - logs-zscaler_zia.alerts-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zia.alerts-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zia_x_dns: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zia.dns@package - - logs-zscaler_zia.dns@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zia.dns@custom - index_patterns: - - logs-zscaler_zia.dns-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zia.dns-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zia_x_firewall: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zia.firewall@package - - logs-zscaler_zia.firewall@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: 
- allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zia.firewall@custom - index_patterns: - - logs-zscaler_zia.firewall-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zia.firewall-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zia_x_tunnel: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zia.tunnel@package - - logs-zscaler_zia.tunnel@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zia.tunnel@custom - index_patterns: - - logs-zscaler_zia.tunnel-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zia.tunnel-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zia_x_web: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zia.web@package - - logs-zscaler_zia.web@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zia.web@custom - index_patterns: - - logs-zscaler_zia.web-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zia.web-logs - number_of_replicas: 0 - policy: - phases: 
- cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zpa_x_app_connector_status: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zpa.app_connector_status@package - - logs-zscaler_zpa.app_connector_status@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zpa.app_connector_status@custom - index_patterns: - - logs-zscaler_zpa.app_connector_status-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zpa.app_connector_status-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zpa_x_audit: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zpa.audit@package - - logs-zscaler_zpa.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zpa.audit@custom - index_patterns: - - logs-zscaler_zpa.audit-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zpa.audit-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - 
min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zpa_x_browser_access: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zpa.browser_access@package - - logs-zscaler_zpa.browser_access@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zpa.browser_access@custom - index_patterns: - - logs-zscaler_zpa.browser_access-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zpa.browser_access-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zpa_x_user_activity: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zpa.user_activity@package - - logs-zscaler_zpa.user_activity@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zpa.user_activity@custom - index_patterns: - - logs-zscaler_zpa.user_activity-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zpa.user_activity-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zpa_x_user_status: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zpa.user_status@package 
- - logs-zscaler_zpa.user_status@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zpa.user_status@custom - index_patterns: - - logs-zscaler_zpa.user_status-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zpa.user_status-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-logstash: index_sorting: false index_template: diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 88ea45b89..0d5d0ea28 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml 
@@ -358,160 +358,9 @@ elasticsearch: so-logs-windows_x_powershell_operational: *indexSettings so-logs-windows_x_sysmon_operational: *indexSettings so-logs-winlog_x_winlog: *indexSettings - so-logs-apache_x_access: *indexSettings - so-logs-apache_x_error: *indexSettings - so-logs-auditd_x_log: *indexSettings - so-logs-aws_x_cloudtrail: *indexSettings - so-logs-aws_x_cloudwatch_logs: *indexSettings - so-logs-aws_x_ec2_logs: *indexSettings - so-logs-aws_x_elb_logs: *indexSettings - so-logs-aws_x_firewall_logs: *indexSettings - so-logs-aws_x_route53_public_logs: *indexSettings - so-logs-aws_x_route53_resolver_logs: *indexSettings - so-logs-aws_x_s3access: *indexSettings - so-logs-aws_x_vpcflow: *indexSettings - so-logs-aws_x_waf: *indexSettings - so-logs-azure_x_activitylogs: *indexSettings - so-logs-azure_x_application_gateway: *indexSettings - so-logs-azure_x_auditlogs: *indexSettings - so-logs-azure_x_eventhub: *indexSettings - so-logs-azure_x_firewall_logs: *indexSettings - so-logs-azure_x_identity_protection: *indexSettings - so-logs-azure_x_platformlogs: *indexSettings - so-logs-azure_x_provisioning: *indexSettings - so-logs-azure_x_signinlogs: *indexSettings - so-logs-azure_x_springcloudlogs: *indexSettings - so-logs-barracuda_x_waf: *indexSettings - so-logs-barracuda_cloudgen_firewall_x_log: *indexSettings - so-logs-cef_x_log: *indexSettings - so-logs-cisco_asa_x_log: *indexSettings - so-logs-cisco_ftd_x_log: *indexSettings - so-logs-cisco_ios_x_log: *indexSettings - so-logs-cisco_ise_x_log: *indexSettings - so-logs-citrix_adc_x_interface: *indexSettings - so-logs-citrix_adc_x_lbvserver: *indexSettings - so-logs-citrix_adc_x_service: *indexSettings - so-logs-citrix_adc_x_system: *indexSettings - so-logs-citrix_adc_x_vpn: *indexSettings - so-logs-citrix_waf_x_log: *indexSettings - so-logs-cloudflare_x_audit: *indexSettings - so-logs-cloudflare_x_logpull: *indexSettings - so-logs-crowdstrike_x_alert: *indexSettings - so-logs-crowdstrike_x_falcon: *indexSettings - 
so-logs-crowdstrike_x_fdr: *indexSettings - so-logs-crowdstrike_x_host: *indexSettings - so-logs-darktrace_x_ai_analyst_alert: *indexSettings - so-logs-darktrace_x_model_breach_alert: *indexSettings - so-logs-darktrace_x_system_status_alert: *indexSettings so-logs-detections_x_alerts: *indexSettings - so-logs-f5_bigip_x_log: *indexSettings - so-logs-fim_x_event: *indexSettings - so-logs-fortinet_x_clientendpoint: *indexSettings - so-logs-fortinet_x_firewall: *indexSettings - so-logs-fortinet_x_fortimail: *indexSettings - so-logs-fortinet_x_fortimanager: *indexSettings - so-logs-fortinet_x_fortigate: *indexSettings - so-logs-gcp_x_audit: *indexSettings - so-logs-gcp_x_dns: *indexSettings - so-logs-gcp_x_firewall: *indexSettings - so-logs-gcp_x_loadbalancing_logs: *indexSettings - so-logs-gcp_x_vpcflow: *indexSettings - so-logs-github_x_audit: *indexSettings - so-logs-github_x_code_scanning: *indexSettings - so-logs-github_x_dependabot: *indexSettings - so-logs-github_x_issues: *indexSettings - so-logs-github_x_secret_scanning: *indexSettings - so-logs-google_workspace_x_access_transparency: *indexSettings - so-logs-google_workspace_x_admin: *indexSettings - so-logs-google_workspace_x_alert: *indexSettings - so-logs-google_workspace_x_context_aware_access: *indexSettings - so-logs-google_workspace_x_device: *indexSettings - so-logs-google_workspace_x_drive: *indexSettings - so-logs-google_workspace_x_gcp: *indexSettings - so-logs-google_workspace_x_group_enterprise: *indexSettings - so-logs-google_workspace_x_groups: *indexSettings - so-logs-google_workspace_x_login: *indexSettings - so-logs-google_workspace_x_rules: *indexSettings - so-logs-google_workspace_x_saml: *indexSettings - so-logs-google_workspace_x_token: *indexSettings - so-logs-google_workspace_x_user_accounts: *indexSettings so-logs-http_endpoint_x_generic: *indexSettings so-logs-httpjson_x_generic: *indexSettings - so-logs-iis_x_access: *indexSettings - so-logs-iis_x_error: *indexSettings - 
so-logs-imperva_cloud_waf_x_event: *indexSettings - so-logs-juniper_x_junos: *indexSettings - so-logs-juniper_x_netscreen: *indexSettings - so-logs-juniper_x_srx: *indexSettings - so-logs-juniper_srx_x_log: *indexSettings - so-logs-kafka_log_x_generic: *indexSettings - so-logs-lastpass_x_detailed_shared_folder: *indexSettings - so-logs-lastpass_x_event_report: *indexSettings - so-logs-lastpass_x_user: *indexSettings - so-logs-m365_defender_x_event: *indexSettings - so-logs-m365_defender_x_incident: *indexSettings - so-logs-m365_defender_x_log: *indexSettings - so-logs-microsoft_defender_endpoint_x_log: *indexSettings - so-logs-microsoft_dhcp_x_log: *indexSettings - so-logs-microsoft_sqlserver_x_audit: *indexSettings - so-logs-microsoft_sqlserver_x_log: *indexSettings - so-logs-mysql_x_error: *indexSettings - so-logs-mysql_x_slowlog: *indexSettings - so-logs-netflow_x_log: *indexSettings - so-logs-nginx_x_access: *indexSettings - so-logs-nginx_x_error: *indexSettings - so-logs-o365_x_audit: *indexSettings - so-logs-okta_x_system: *indexSettings - so-logs-panw_x_panos: *indexSettings - so-logs-pfsense_x_log: *indexSettings - so-logs-proofpoint_tap_x_clicks_blocked: *indexSettings - so-logs-proofpoint_tap_x_clicks_permitted: *indexSettings - so-logs-proofpoint_tap_x_message_blocked: *indexSettings - so-logs-proofpoint_tap_x_message_delivered: *indexSettings - so-logs-sentinel_one_x_activity: *indexSettings - so-logs-sentinel_one_x_agent: *indexSettings - so-logs-sentinel_one_x_alert: *indexSettings - so-logs-sentinel_one_x_group: *indexSettings - so-logs-sentinel_one_x_threat: *indexSettings - so-logs-sonicwall_firewall_x_log: *indexSettings - so-logs-snort_x_log: *indexSettings - so-logs-symantec_endpoint_x_log: *indexSettings - so-logs-tenable_io_x_asset: *indexSettings - so-logs-tenable_io_x_plugin: *indexSettings - so-logs-tenable_io_x_scan: *indexSettings - so-logs-tenable_io_x_vulnerability: *indexSettings - so-logs-tenable_sc_x_asset: *indexSettings - 
so-logs-tenable_sc_x_plugin: *indexSettings - so-logs-tenable_sc_x_vulnerability: *indexSettings - so-logs-ti_abusech_x_malware: *indexSettings - so-logs-ti_abusech_x_malwarebazaar: *indexSettings - so-logs-ti_abusech_x_threatfox: *indexSettings - so-logs-ti_abusech_x_url: *indexSettings - so-logs-ti_anomali_x_threatstream: *indexSettings - so-logs-ti_cybersixgill_x_threat: *indexSettings - so-logs-ti_misp_x_threat: *indexSettings - so-logs-ti_misp_x_threat_attributes: *indexSettings - so-logs-ti_otx_x_pulses_subscribed: *indexSettings - so-logs-ti_otx_x_threat: *indexSettings - so-logs-ti_recordedfuture_x_latest_ioc-template: *indexSettings - so-logs-ti_recordedfuture_x_threat: *indexSettings - so-logs-ti_threatq_x_threat: *indexSettings - so-logs-trend_micro_vision_one_x_alert: *indexSettings - so-logs-trend_micro_vision_one_x_audit: *indexSettings - so-logs-trend_micro_vision_one_x_detection: *indexSettings - so-logs-trendmicro_x_deep_security: *indexSettings - so-logs-zscaler_zia_x_alerts: *indexSettings - so-logs-zscaler_zia_x_dns: *indexSettings - so-logs-zscaler_zia_x_firewall: *indexSettings - so-logs-zscaler_zia_x_tunnel: *indexSettings - so-logs-zscaler_zia_x_web: *indexSettings - so-logs-zscaler_zpa_x_app_connector_status: *indexSettings - so-logs-zscaler_zpa_x_audit: *indexSettings - so-logs-zscaler_zpa_x_browser_access: *indexSettings - so-logs-zscaler_zpa_x_user_activity: *indexSettings - so-logs-zscaler_zpa_x_user_status: *indexSettings - so-logs-1password_x_item_usages: *indexSettings - so-logs-1password_x_signin_attempts: *indexSettings so-logs-osquery-manager-actions: *indexSettings so-logs-osquery-manager-action_x_responses: *indexSettings so-logs-elastic_agent_x_apm_server: *indexSettings 
@@ -537,6 +386,9 @@ elasticsearch:
 so-metrics-endpoint_x_metrics: *indexSettings
 so-metrics-endpoint_x_policy: *indexSettings
 so-metrics-nginx_x_stubstatus: *indexSettings
+ so-metrics-vsphere_x_datastore: *indexSettings
+ so-metrics-vsphere_x_host: *indexSettings
+ so-metrics-vsphere_x_virtualmachine: *indexSettings
 so-case: *indexSettings
 so-common: *indexSettings
 so-endgame: *indexSettings
From e3b7d82a8f5c3466ff77902f25c78f28c3b9ebba Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 3 Dec 2024 08:56:56 -0600 Subject: [PATCH 02/69] remove all non-core integrations from elasticfleet:packages pillar
---
 salt/elasticfleet/defaults.yaml | 75 --------------------------------- 1 file changed, 75 deletions(-)
diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml
index 2f237cac1..41c50a96d 100644
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
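Review bot: The three `so-metrics-vsphere_x_*: *indexSettings` keys added here sit oddly in a commit whose subject is removing optional integrations: the diffstat shows them as the only insertions, so no matching `index_settings` entries are added to defaults.yaml, and PATCH 02 in this series drops `vsphere` from `elasticfleet:packages`. If vsphere metrics are meant to remain a core index set, defaults.yaml presumably needs the corresponding `so-metrics-vsphere_x_*` definitions for the SOC annotation to describe anything; if not, these lines should go with the rest. Either way a one-line comment above them, e.g. `# vsphere metrics stay core; see elasticfleet defaults`, would tell the next reader which it is.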
@@ -32,95 +32,20 @@ elasticfleet: - stderr - stdout packages: - - apache - - auditd - - auth0 - - aws - - azure - - barracuda - - barracuda_cloudgen_firewall - - carbonblack_edr - - cef - - checkpoint - - cisco_asa - - cisco_duo - - cisco_ftd - - cisco_ios - - cisco_ise - - cisco_meraki - - cisco_secure_email_gateway - - cisco_umbrella - - citrix_adc - - citrix_waf - - cloudflare - - crowdstrike - - darktrace - elastic_agent - elasticsearch - endpoint - - f5_bigip - - fim - - fireeye - fleet_server - - fortinet - - fortinet_fortigate - - gcp - - github - - google_workspace - http_endpoint - httpjson - - iis - - imperva_cloud_waf - - journald - - juniper - - juniper_srx - - kafka_log - - lastpass - log - - m365_defender - - microsoft_defender_endpoint - - microsoft_dhcp - - microsoft_sqlserver - - mimecast - - mysql - - netflow - - nginx - - o365 - - okta - osquery_manager - - panw - - pfsense - - proofpoint_tap - - pulse_connect_secure - redis - - sentinel_one - - snort - - snyk - - sonicwall_firewall - - sophos - - sophos_central - - symantec_endpoint - system - tcp - - tenable_io - - tenable_sc - - ti_abusech - - ti_anomali - - ti_cybersixgill - - ti_misp - - ti_otx - - ti_rapid7_threat_command - - ti_recordedfuture - - ti_threatq - - trendmicro - - trend_micro_vision_one - udp - - vsphere - windows - winlog - - zscaler_zia - - zscaler_zpa - - 1password optional_integrations: sublime_platform: enabled_nodes: [] From 4a4c8eace2d15f410bd9a7ea70bcddb9fc07d59a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 18 Dec 2024 10:36:15 -0500 Subject: [PATCH 03/69] Update 2-4.yml --- .github/DISCUSSION_TEMPLATE/2-4.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/DISCUSSION_TEMPLATE/2-4.yml b/.github/DISCUSSION_TEMPLATE/2-4.yml index 9c897d2bd..bffab7a84 100644 --- a/.github/DISCUSSION_TEMPLATE/2-4.yml +++ b/.github/DISCUSSION_TEMPLATE/2-4.yml 
@@ -22,6 +22,7 @@ body:
 - 2.4.90
 - 2.4.100
 - 2.4.110
+ - 2.4.111
 - Other (please provide detail below)
 validations:
 required: true
From ecf094f68494b9114b6692064b3e1b9798f314c6 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 26 Dec 2024 16:18:04 -0600 Subject: [PATCH 04/69] WIP: support all es fleet integrations Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 ...o-elastic-fleet-optional-integrations-load | 102 ++++++++++++++++ salt/elasticfleet/defaults.yaml | 1 + .../integration-defaults.map.jinja | 78 +++++++++++++ salt/elasticfleet/integration-defaults.yaml | 46 ++++++++ salt/elasticfleet/soc_elasticfleet.yaml | 5 + .../tools/sbin/so-elastic-fleet-common | 9 ++ .../tools/sbin/so-elastic-fleet-package-list | 2 +- .../integration-templates.map.jinja | 110 ++++++++++++++++++ salt/elasticsearch/template.map.jinja | 9 ++ 9 files changed, 361 insertions(+), 1 deletion(-) create mode 100644 salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load create mode 100644 salt/elasticfleet/integration-defaults.map.jinja create mode 100644 salt/elasticfleet/integration-defaults.yaml create mode 100644 salt/elasticsearch/integration-templates.map.jinja
diff --git a/salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load b/salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load
new file mode 100644
index 000000000..d94b006ad
--- /dev/null
+++ b/salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load
@@ -0,0 +1,102 @@ +#!/bin/bash + +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use +# this file except in compliance with the Elastic License 2.0. + +. /usr/sbin/so-common +. /usr/sbin/so-elastic-fleet-common + +# Check that /opt/so/state/estemplates.txt exists to signal that Elasticsearch +# has completed its first run of core-only integrations/indices/components/ilm +STATE_FILE_SUCCESS=/opt/so/state/estemplates.txt +INSTALLED_PACKAGE_LIST=/tmp/esfleet_installed_packages.json +BULK_INSTALL_PACKAGE_LIST=/tmp/esfleet_bulk_install.json +BULK_INSTALL_PACKAGE_TMP=/tmp/esfleet_bulk_install_tmp.json +PACKAGE_COMPONENTS=/opt/so/state/esfleet_package_components.json + +SKIP_SUBSCRIPTION=true +PENDING_UPDATE=false + +version_conversion(){ + version=$1 + echo "$version" | awk -F '.' '{ printf("%d%03d%03d\n", $1, $2, $3); }' +} + +compare_versions() { + version1=$1 + version2=$2 + + # Convert versions to numbers + num1=$(version_conversion "$version1") + num2=$(version_conversion "$version2") + + # Compare using bc + if (( $(echo "$num1 < $num2" | bc -l) )); then + echo "less" + elif (( $(echo "$num1 > $num2" | bc -l) )); then + echo "greater" + else + echo "equal" + fi +} + +if [[ -f $STATE_FILE_SUCCESS ]]; then + if retry 3 1 "curl -s -K /opt/so/conf/elasticsearch/curl.config --output /dev/null --silent --head --fail localhost:5601/api/fleet/epm/packages"; then + # Package_list contains all NON-beta integrations. 
+ latest_package_list=$(/usr/sbin/so-elastic-fleet-package-list) + echo '{ "packages" : []}' > $BULK_INSTALL_PACKAGE_LIST + rm -f $INSTALLED_PACKAGE_LIST + echo $latest_package_list | jq '{packages: [.items[] | {name: .name, latest_version: .version, installed_version: .savedObject.attributes.install_version, subscription: .conditions.elastic.subscription }]}' >> $INSTALLED_PACKAGE_LIST + + cat "$INSTALLED_PACKAGE_LIST" | jq -c '.packages[]' | while read -r package; do + # get package details + package_name=$(echo "$package" | jq -r '.name') + latest_version=$(echo "$package" | jq -r '.latest_version') + installed_version=$(echo "$package" | jq -r '.installed_version') + subscription=$(echo "$package" | jq -r '.subscription') + bulk_package=$(echo "$package" | jq '{name: .name, version: .latest_version}' ) + + if [ $SKIP_SUBSCRIPTION ] && [[ "$subscription" != "basic" && "$subscription" != "null" && -n "$subscription" ]]; then + # pass over integrations that require non-basic elastic license + continue + else + if [ -n "$installed_version" ]; then + results=$(compare_versions "$latest_version" "$installed_version") + if [ $results == "greater" ]; then + echo "$package_name is not up to date... Adding to next update." + jq --argjson package "$bulk_package" '.packages += [$package]' $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_PACKAGE_TMP && mv $BULK_INSTALL_PACKAGE_TMP $BULK_INSTALL_PACKAGE_LIST + PENDING_UPDATE=true + fi + else + echo "$package_name is not installed... Adding to next update." 
+ jq --argjson package "$bulk_package" '.packages += [$package]' $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_PACKAGE_TMP && mv $BULK_INSTALL_PACKAGE_TMP $BULK_INSTALL_PACKAGE_LIST + PENDING_UPDATE=true + fi + fi + done + + if [ $PENDING_UPDATE ]; then + # Run bulk install of packages + # elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST + + # Write out file for generating index/component/ilm templates + latest_installed_package_list=$(elastic_fleet_installed_packages) + echo $latest_installed_package_list | jq '[.items[] | {name: .name, es_index_patterns: .dataStreams}]' > $PACKAGE_COMPONENTS + + else + echo "Elastic integrations don't appear to need installation/updating..." + exit 0 + fi + + else + # This is the installation of add-on integrations and upgrade of existing integrations. Exiting without error, next highstate will attempt to re-run. + echo "Elastic Fleet does not appear to be responding... Exiting... " + exit 0 + fi +else + # This message will appear when an update to core integration is made and this script is run at the same time as + # elasticsearch.enabled -> detects change to core index settings -> deletes estemplates.txt + echo "Elasticsearch may not be fully configured yet or is currently updating core index settings." + exit 0 +fi diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml index 41c50a96d..a0f509136 100644 --- a/salt/elasticfleet/defaults.yaml +++ b/salt/elasticfleet/defaults.yaml @@ -10,6 +10,7 @@ elasticfleet: grid_enrollment: '' defend_filters: enable_auto_configuration: False + subscription_integrations: False logging: zeek: excluded: diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja new file mode 100644 index 000000000..9977856c4 --- /dev/null +++ b/salt/elasticfleet/integration-defaults.map.jinja 
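Review bot: `if [ $PENDING_UPDATE ]; then` and `if [ $SKIP_SUBSCRIPTION ] && ...` only test that a word is non-empty, and the strings `false` and `true` are both non-empty, so both conditions are always true: the `Elastic integrations don't appear to need installation/updating...` branch is unreachable, and the bulk install (uncommented for this file by the later hunk in PATCH 05) runs even when `$BULK_INSTALL_PACKAGE_LIST` still holds the empty `packages` array. Independently, `PENDING_UPDATE=true` is assigned inside a `cat | jq | while read` pipeline, so it is set in a subshell and never reaches the parent; reading the loop from process substitution and comparing the strings explicitly, as below, fixes both. `SKIP_SUBSCRIPTION=true` is also hard-coded while this same commit adds `subscription_integrations: False` to elasticfleet/defaults.yaml — unless this script is rendered as a template elsewhere, that new setting has no effect here. Minor: quote `echo "$latest_package_list"`, and if this runs as root prefer `mktemp` over the fixed `/tmp/esfleet_*.json` names.
```shell
# … unchanged: state-file check, so-elastic-fleet-package-list call, $INSTALLED_PACKAGE_LIST generation …
        while read -r package; do
            # … unchanged: jq extraction of package_name / latest_version / installed_version / subscription / bulk_package …
            if [[ "$SKIP_SUBSCRIPTION" == "true" && "$subscription" != "basic" && "$subscription" != "null" && -n "$subscription" ]]; then
                # pass over integrations that require non-basic elastic license
                continue
            fi
            # … unchanged (formerly the else branch): version comparison and append to $BULK_INSTALL_PACKAGE_LIST, setting PENDING_UPDATE=true …
        done < <(jq -c '.packages[]' "$INSTALLED_PACKAGE_LIST")

        if [[ "$PENDING_UPDATE" == "true" ]]; then
            # … unchanged: bulk install and $PACKAGE_COMPONENTS write …
```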
@@ -0,0 +1,78 @@ +{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one + or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use + this file except in compliance with the Elastic License 2.0. #} + + +{% import_json '/opt/so/state/esfleet_package_components.json' as ADDON_PACKAGE_COMPONENTS %} +{% import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %} +{% import_yaml 'elasticfleet/integration-defaults.yaml' as INTEGRATIONDEFAULTS %} + +{% set CORE_ESFLEET_PACKAGES = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %} +{% set ADDON_INTEGRATION_DEFAULTS = {} %} + +{% for pkg in ADDON_PACKAGE_COMPONENTS %} +{% if pkg.name in CORE_ESFLEET_PACKAGES %} +{# skip core integrations #} +{% elif pkg.name not in CORE_ESFLEET_PACKAGES %} +{# generate defaults for each integration #} +{% if pkg.es_index_patterns is defined and pkg.es_index_patterns is not none %} +{% for pattern in pkg.es_index_patterns %} +{% set integration_key = "so-logs-" ~ pkg.name ~ "_x_" ~ pattern.title %} +{% set integration_defaults = { + "index_sorting": false, + "index_template": { + "composed_of": ["logs-" ~ pkg.name ~ "." ~ pattern.title ~ "@package", "logs-" ~ pkg.name ~ "." ~ pattern.title ~ "@custom", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"], + "data_stream": { + "hidden": false, + "allow_custom_routing": false + }, + "ignore_missing_component_templates": ["logs-" ~ pkg.name ~ "." ~ pattern.title ~ "@custom"], + "index_patterns": [pattern.name], + "priority": 501, + "template": { + "settings": { + "index": { + "lifecycle": {"name": "so-logs-" ~ pkg.name ~ "." 
~ pattern.title ~ "-logs"}, + "number_of_replicas": 0 + } + } + } + }, + "policy": { + "phases": { + "cold": { + "actions": { + "set_priority": {"priority": 0} + }, + "min_age": "60d" + }, + "delete": { + "actions": { + "delete": {} + }, + "min_age": "365d" + }, + "hot": { + "actions": { + "rollover": { + "max_age": "30d", + "max_primary_shard_size": "50gb" + }, + "set_priority": {"priority": 100} + }, + "min_age": "0ms" + }, + "warm": { + "actions": { + "set_priority": {"priority": 50} + }, + "min_age": "30d" + } + } + } + } %} +{% do ADDON_INTEGRATION_DEFAULTS.update({integration_key: integration_defaults}) %} +{% endfor %} +{% endif %} +{% endif %} +{% endfor %} \ No newline at end of file diff --git a/salt/elasticfleet/integration-defaults.yaml b/salt/elasticfleet/integration-defaults.yaml new file mode 100644 index 000000000..98bbd13b7 --- /dev/null +++ b/salt/elasticfleet/integration-defaults.yaml @@ -0,0 +1,46 @@ +so-logs-INTPLACEHOLDER_x_COMPLACEHOLDER: + index_sorting: False + index_template: + composed_of: + - "logs-INTPLACEHOLDER.COMPLACEHOLDER@package" + - "logs-INTPLACEHOLDER.COMPLACEHOLDER@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + data_stream: + hidden: false + allow_custom_routing: false + ignore_missing_COMPLACEHOLDER_templates: + - "logs-INTPLACEHOLDER.COMPLACEHOLDER@custom" + index_patterns: + - "logs-INTPLACEHOLDER.COMPLACEHOLDER-*" + priority: 501 + template: + settings: + index: + lifecycle: + name: "so-logs-INTPLACEHOLDER.COMPLACEHOLDER-logs" + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: "60d" + delete: + actions: + delete: {} + min_age: "365d" + hot: + actions: + rollover: + max_age: "30d" + max_primary_shard_size: "50gb" + set_priority: + priority: 100 + min_age: "0ms" + warm: + actions: + set_priority: + priority: 50 + min_age: "30d" \ No newline at end of file 
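Review bot: `{% elif pkg.name not in CORE_ESFLEET_PACKAGES %}` is the exact negation of the preceding `{% if pkg.name in CORE_ESFLEET_PACKAGES %}`, so it should simply be `{% else %}`; the redundant test reads as though a third case existed. More importantly, `{% import_json '/opt/so/state/esfleet_package_components.json' ... %}` has no existence check, and that file is only written by so-elastic-fleet-optional-integrations-load after Elastic Fleet has answered, while the consumer in template.map.jinja guards on a different file (`estemplates.txt`) — on a node where the marker exists but the JSON does not yet, I would expect the render to fail rather than fall back to core settings, so guard on the JSON path with `salt['file.file_exists']` (or have the loader write `[]` on its first pass). Minor: `.get('packages', {})` defaults to a mapping where the pillar holds a list, so `[]` is the matching default, and the file lacks a trailing newline.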
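Review bot: The key `ignore_missing_COMPLACEHOLDER_templates` is the placeholder substitution applied to the real setting name: the generator in integration-defaults.map.jinja and the removed defaults.yaml entries both spell it `ignore_missing_component_templates`, and rendered as-is this would be an unknown key. If this file is a reference copy of the shape the `.map.jinja` produces, a header comment saying so (and that the jinja is authoritative) would help, since the two will otherwise drift — they already differ in boolean casing (`index_sorting: False` here vs `hidden: false` two lines below; prefer lowercase `false` throughout). The file also lacks a trailing newline.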
diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml
index 0b32628ea..7ca59401f 100644
--- a/salt/elasticfleet/soc_elasticfleet.yaml
+++ b/salt/elasticfleet/soc_elasticfleet.yaml
@@ -40,6 +40,11 @@ elasticfleet:
 global: True
 helpLink: elastic-fleet.html
 advanced: True
+ subscription_integrations:
+ description: Enable the installation of integrations that require an Elastic license.
+ global: True
+ forcedType: bool
+ helpLink: elastic-fleet.html
 server:
 custom_fqdn:
 description: Custom FQDN for Agents to connect to. One per line.
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
index 296e578fc..7e1e4b790 100644
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
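Review bot: The sibling option immediately above carries `advanced: True` while the new `subscription_integrations` block does not, so it would surface in the basic view of the SOC configuration UI; if that is not intended, add `advanced: True` for consistency with its neighbour. Worth noting for whoever wires this up: the loader script added in this same commit hard-codes `SKIP_SUBSCRIPTION=true` rather than reading this setting, so toggling the option currently changes nothing visible in this series. The description could also say what "Elastic license" means in practice here, e.g. `description: Enable the installation of integrations whose Fleet subscription level is above basic.`, which matches the check the script performs.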
@@ -97,11 +97,20 @@ elastic_fleet_package_install() {
 curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"force":true}' "localhost:5601/api/fleet/epm/packages/$PKG/$VERSION"
 }
 
+elastic_fleet_bulk_package_install() {
+ BULK_PKG_LIST=$1
+ curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d@$1 "localhost:5601/api/fleet/epm/packages/_bulk"
+}
+
 elastic_fleet_package_is_installed() {
 PACKAGE=$1
 curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET -H 'kbn-xsrf: true' "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.status'
 }
 
+elastic_fleet_installed_packages() {
+ curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET -H 'kbn-xsrf: true' -H 'Content-Type: application/json' "localhost:5601/api/fleet/epm/packages/installed?perPage=300"
+}
+
 elastic_fleet_agent_policy_ids() {
 curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies" | jq -r .items[].id
 if [ $? -ne 0 ]; then
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list b/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list
index 7e68c6e83..a52920a42 100755
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list
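Review bot: `elastic_fleet_bulk_package_install` assigns `BULK_PKG_LIST=$1` and then never uses it, passing `-d@$1` unquoted instead; write `-d @"$BULK_PKG_LIST"` so the variable is actually used and a path containing whitespace cannot split. In `elastic_fleet_installed_packages`, `perPage=300` is a silent cap: should more than 300 packages be installed, the list that feeds `esfleet_package_components.json` would be truncated without any error, so either page through the results or at least record the assumption with `# NOTE: single page; assumes fewer than 300 installed packages`. Neither new function checks the curl exit status, unlike `elastic_fleet_agent_policy_ids` directly below, which tests `$?`; the bulk install in particular is worth failing loudly on.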
@@ -10,6 +10,6 @@ SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') # List configured package policies -curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages" -H 'kbn-xsrf: true' | jq +curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages?prerelease=true" -H 'kbn-xsrf: true' | jq echo diff --git a/salt/elasticsearch/integration-templates.map.jinja b/salt/elasticsearch/integration-templates.map.jinja new file mode 100644 index 000000000..59a9222c5 --- /dev/null +++ b/salt/elasticsearch/integration-templates.map.jinja 
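Review bot: Adding `?prerelease=true` makes this command return prerelease packages as well, but the loader script introduced in this same commit documents its input as `# Package_list contains all NON-beta integrations.` and feeds every entry into a bulk install — one of the two is wrong. If prerelease integrations are meant to be installed unattended, update that comment to say so; if not, drop the flag or have the loader filter prerelease entries out before they reach `$BULK_INSTALL_PACKAGE_LIST`. The pre-existing comment `# List configured package policies` also misdescribes this call, which lists EPM packages rather than policies.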
@@ -0,0 +1,110 @@ +{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one + or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at + https://securityonion.net/license; you may not use this file except in compliance with the + Elastic License 2.0. #} + +{% import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %} +{% set packages = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %} +{% set INTEGRATION_INDEX_SETTINGS = {} %} + + +{% set default_settings = { + 'index_sorting': false, + 'index_template': { + 'data_stream': { + 'allow_custom_routing': false, + 'hidden': false + }, + 'priority': 501, + 'template': { + 'settings': { + 'index': { + 'number_of_replicas': 0 + } + } + } + }, + 'policy': { + 'phases': { + 'cold': { + 'actions': { + 'set_priority': { + 'priority': 0 + } + }, + 'min_age': '60d' + }, + 'delete': { + 'actions': { + 'delete': {} + }, + 'min_age': '365d' + }, + 'hot': { + 'actions': { + 'rollover':{ + 'max_age': '30d', + 'max_primary_shard_size': '50gb' + }, + 'set_priority': { + 'priority': 100 + } + }, + 'min_age': '0ms' + }, + 'warm': { + 'actions': { + 'set_priority': { + 'priority': 50 + } + }, + 'min_age': '30d' + } + } + } +} %} + +{# Create template for each package component from elasticfleet/defaults.yaml #} +{% for package in packages %} + {% for pkg_name, components in package.items() %} + {% if components is not none %} + {% for component in components %} + {% set component_dot = component.replace('_x_', '.') %} + {% set template_name = 'so-logs-' ~ component %} + + {% set template = { + 'index_sorting': default_settings.index_sorting, + 'index_template': { + 'composed_of': [ + 'logs-' ~ component_dot ~ '@package', + 'logs-' ~ component_dot ~ '@custom', + 'so-fleet-_globals-1', + 'so-fleet_agent_id_verification-1' + ], + 'data_stream': default_settings.index_template.data_stream, + 'ignore_missing_component_templates': [ + 'logs-' 
~ component_dot ~ '@custom' + ], + 'index_patterns': [ + 'logs-' ~ component_dot ~ '-*' + ], + 'priority': default_settings.index_template.priority, + 'template': { + 'settings': { + 'index': { + 'lifecycle': { + 'name': 'so-logs-' ~ component_dot ~ '-logs' + }, + 'number_of_replicas': default_settings.index_template.template.settings.index.number_of_replicas + } + } + } + }, + 'policy': default_settings.policy + } %} + + {% do INTEGRATION_INDEX_SETTINGS.update({template_name: template}) %} + {% endfor %} + {% endif %} + {% endfor %} +{% endfor %} \ No newline at end of file diff --git a/salt/elasticsearch/template.map.jinja b/salt/elasticsearch/template.map.jinja index 507ea533d..c53349f18 100644 --- a/salt/elasticsearch/template.map.jinja +++ b/salt/elasticsearch/template.map.jinja @@ -14,6 +14,15 @@ {% set ES_INDEX_SETTINGS_ORIG = ELASTICSEARCHDEFAULTS.elasticsearch.index_settings %} +{# start generation of integration default index_settings #} +{% if salt['file.file_exists']('/opt/so/state/estemplates.txt') %} +{% from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %} +{% for index, settings in ADDON_INTEGRATION_DEFAULTS.items() %} +{% do ES_INDEX_SETTINGS_ORIG.update({index: settings}) %} +{% endfor %} +{% endif %} +{# end generation of integration default index_settings #} + {% set ES_INDEX_SETTINGS_GLOBAL_OVERRIDES = {} %} {% for index in ES_INDEX_SETTINGS_ORIG.keys() %} {% do ES_INDEX_SETTINGS_GLOBAL_OVERRIDES.update({index: salt['defaults.merge'](ELASTICSEARCHDEFAULTS.elasticsearch.index_settings[index], PILLAR_GLOBAL_OVERRIDES, in_place=False)}) %} From cdd4a1ff1fb6b6fc2c7b95651593746713d8b795 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 3 Jan 2025 16:06:22 -0600 Subject: [PATCH 05/69] fixes addon integration map file 
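Review bot: `'so-fleet-_globals-1'` in `composed_of` does not match the component template name used everywhere else in this series (`so-fleet_globals-1`), so every index template generated here would reference a non-existent component. The outer loop also calls `package.items()` on each entry of `elasticfleet:packages`, but that pillar is a list of plain strings (`- apache`, `- auditd`, ...) as the PATCH 02 hunk shows, so this would fail at render time on the first entry. PATCH 05's diffstat deletes this file again, so the simplest fix for the series may be not to introduce it.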
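Review bot: The guard `salt['file.file_exists']('/opt/so/state/estemplates.txt')` protects the import of `integration-defaults.map.jinja`, but that map itself does `import_json` on `/opt/so/state/esfleet_package_components.json`, which is written later by the loader script; when the marker exists but the JSON does not yet, I would expect the import to fail rather than skip, so the existence check belongs on the JSON path (here or in the map). Also, `ES_INDEX_SETTINGS_ORIG` is bound to the same dict object as `ELASTICSEARCHDEFAULTS.elasticsearch.index_settings`, so `.update()` mutates the defaults in place — the loop below relies on exactly that when it indexes `ELASTICSEARCHDEFAULTS.elasticsearch.index_settings[index]`. A comment such as `{# NOTE: updates the shared index_settings dict in place; the override loop below depends on this #}` would make that dependency visible before someone copies the dict.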
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- .../integration-defaults.map.jinja | 66 ++++++- ...o-elastic-fleet-optional-integrations-load | 2 +- salt/elasticsearch/defaults.yaml | 184 ------------------ salt/elasticsearch/enabled.sls | 11 +- .../integration-templates.map.jinja | 110 ----------- salt/elasticsearch/template.map.jinja | 2 +- 6 files changed, 70 insertions(+), 305 deletions(-) rename salt/{elastic-fleet-package-registry/tools => elasticfleet/tools/sbin}/so-elastic-fleet-optional-integrations-load (98%) delete mode 100644 salt/elasticsearch/integration-templates.map.jinja diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja index 9977856c4..0de400b26 100644 --- a/salt/elasticfleet/integration-defaults.map.jinja +++ b/salt/elasticfleet/integration-defaults.map.jinja 
@@ -10,6 +10,44 @@
 {% set CORE_ESFLEET_PACKAGES = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %}
 {% set ADDON_INTEGRATION_DEFAULTS = {} %}
 
+{# Some fleet integrations don't follow the standard naming convention #}
+{% set WEIRD_INTEGRATIONS = {
+ 'awsfirehose.logs': 'awsfirehose',
+ 'cribl.logs': 'cribl',
+ 'sentinel_one_cloud_funnel.logins': 'sentinel_one_cloud_funnel.login',
+ 'azure_application_insights.app_insights': 'azure.app_insights',
+ 'azure_application_insights.app_state': 'azure.app_state',
+ 'azure_billing.billing': 'azure.billing',
+ 'azure_functions.metrics': 'azure.function',
+ 'azure_metrics.compute_vm_scaleset': 'azure.compute_vm_scaleset',
+ 'azure_metrics.compute_vm': 'azure.compute_vm',
+ 'azure_metrics.container_instance': 'azure.container_instance',
+ 'azure_metrics.container_registry': 'azure.container_registry',
+ 'azure_metrics.container_service': 'azure.container_service',
+ 'azure_metrics.database_account': 'azure.database_account',
+ 'azure_metrics.monitor': 'azure.monitor',
+ 'azure_metrics.storage_account': 'azure.storage_account',
+ 'azure_openai.metrics': 'azure.open_ai',
+ 'beat.state': 'beats.stack_monitoring.state',
+ 'beat.stats': 'beats.stack_monitoring.stats',
+ 'enterprisesearch.health': 'enterprisesearch.stack_monitoring.health',
+ 'enterprisesearch.stats': 'enterprisesearch.stack_monitoring.stats',
+ 'kibana.cluster_actions': 'kibana.stack_monitoring.cluster_actions',
+ 'kibana.cluster_rules': 'kibana.stack_monitoring.cluster_rules',
+ 'kibana.node_actions': 'kibana.stack_monitoring.node_actions',
+ 'kibana.node_rules': 'kibana.stack_monitoring.node_rules',
+ 'kibana.stats': 'kibana.stack_monitoring.stats',
+ 'kibana.status': 'kibana.stack_monitoring.status',
+ 'logstash.node_cel': 'logstash.stack_monitoring.node',
+ 'logstash.node_stats': 'logstash.stack_monitoring.node_stats',
+ 'synthetics.browser': 'synthetics-browser',
+ 'synthetics.browser_network': 'synthetics-browser.network',
+ 'synthetics.browser_screenshot': 'synthetics-browser.screenshot',
+ 'synthetics.http': 'synthetics-http',
+ 'synthetics.icmp': 'synthetics-icmp',
+ 'synthetics.tcp': 'synthetics-tcp'
+ } %}
+
 {% for pkg in ADDON_PACKAGE_COMPONENTS %}
 {% if pkg.name in CORE_ESFLEET_PACKAGES %}
 {# skip core integrations #}
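Review bot: `WEIRD_INTEGRATIONS` is introduced only by `{# Some fleet integrations don't follow the standard naming convention #}`, which does not say what the key and the value are, and a maintainer needs both before adding an entry. From the lookup in the next hunk (`pkg.name ~ "." ~ pattern.title`) the key appears to be `<package name>.<data-stream title>` as reported by Fleet and the value the name the package's templates actually use; if that is right, state it: `{# key: <pkg.name>.<pattern.title> as reported by Fleet; value: the component/ILM name the package really ships, used in place of the key #}`. A note on where the list was derived from (package registry version, date) would also help, since it will drift as packages change.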
@@ -17,22 +55,36 @@ {# generate defaults for each integration #} {% if pkg.es_index_patterns is defined and pkg.es_index_patterns is not none %} {% for pattern in pkg.es_index_patterns %} -{% set integration_key = "so-logs-" ~ pkg.name ~ "_x_" ~ pattern.title %} -{% set integration_defaults = { +{% if "metrics-" in pattern.name %} +{% set integration_type = "metrics-" %} +{% elif "logs-" in pattern.name %} +{% set integration_type = "logs-" %} +{% else %} +{% set integration_type = "" %} +{% endif %} +{% set component_name = pkg.name ~ "." ~ pattern.title %} +{# fix weirdly named components #} +{% if component_name in WEIRD_INTEGRATIONS %} +{% set component_name = WEIRD_INTEGRATIONS[component_name] %} +{% endif %} +{% set integration_key = "so-" ~ integration_type ~ component_name %} + +{# Default integration settings #} +{% set integration_defaults = { "index_sorting": false, "index_template": { - "composed_of": ["logs-" ~ pkg.name ~ "." ~ pattern.title ~ "@package", "logs-" ~ pkg.name ~ "." ~ pattern.title ~ "@custom", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"], + "composed_of": [integration_type ~ component_name ~ "@package", integration_type ~ component_name ~ "@custom", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"], "data_stream": { - "hidden": false, - "allow_custom_routing": false + "allow_custom_routing": false, + "hidden": false }, - "ignore_missing_component_templates": ["logs-" ~ pkg.name ~ "." ~ pattern.title ~ "@custom"], + "ignore_missing_component_templates": [integration_type ~ component_name ~ "@custom"], "index_patterns": [pattern.name], "priority": 501, "template": { "settings": { "index": { - "lifecycle": {"name": "so-logs-" ~ pkg.name ~ "." ~ pattern.title ~ "-logs"}, + "lifecycle": {"name": "so-" ~ integration_type ~ component_name ~ "-logs"}, "number_of_replicas": 0 } } 
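Review bot: The type detection at the top of the hunk uses substring containment (`"metrics-" in pattern.name`) and tests metrics first, so an index pattern that merely contains `metrics-` somewhere after its prefix would be classified as a metrics stream; only the prefix matters here, so `{% if pattern.name.startswith("metrics-") %}` / `{% elif pattern.name.startswith("logs-") %}` is the precise check. The `{% else %}` branch sets `integration_type` to an empty string, which then silently produces `composed_of` entries of the form `<component>@package` with no data-stream type prefix and an `integration_key` of `so-<component>`; unless type-less patterns are expected, it would be safer to skip the pattern by wrapping the template generation in `{% if integration_type %}`, or to add a comment explaining why the empty prefix is acceptable. The lifecycle name still ends in `-logs` even for `metrics-` streams (`so-metrics-...-logs`), which matches the entries removed from defaults.yaml elsewhere in this commit and so looks intentional, but a one-line comment would stop it being "fixed" later. The enclosing `for pattern` loop and the `integration_defaults` mapping continue past the end of the hunk.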
diff --git a/salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load similarity index 98% rename from salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load rename to salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load index d94b006ad..5fa14c5fc 100644 --- a/salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load @@ -78,7 +78,7 @@ if [[ -f $STATE_FILE_SUCCESS ]]; then if [ $PENDING_UPDATE ]; then # Run bulk install of packages - # elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST + elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST # Write out file for generating index/component/ilm templates latest_installed_package_list=$(elastic_fleet_installed_packages) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index e7a9a286c..32d9c431e 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
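Review bot: The return status of `elastic_fleet_bulk_package_install` is not checked after the call is re-enabled, and the next visible step captures `elastic_fleet_installed_packages` and writes it out for template generation, so if the function does not itself exit on failure a partially failed bulk install would still be recorded as the installed-package list; `elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST || exit 1` (or an explicit error branch) would make the failure path explicit. Whether the function already aborts on error cannot be seen from this hunk, since its definition is outside it. `$BULK_INSTALL_PACKAGE_LIST` is expanded unquoted; if that deliberately relies on word splitting to pass one package per argument, a short comment saying so would prevent a later well-meant quoting change from breaking it. The enclosing `if [ $PENDING_UPDATE ]` block also continues outside the hunk.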
@@ -3297,190 +3297,6 @@ elasticsearch: index: mode: time_series number_of_replicas: 0 - so-metrics-nginx_x_stubstatus: - index_sorting: false - index_template: - composed_of: - - metrics-nginx.stubstatus@package - - metrics-nginx.stubstatus@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - metrics-nginx.stubstatus@custom - index_patterns: - - metrics-nginx.stubstatus-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-metrics-nginx.stubstatus-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-metrics-vsphere_x_datastore: - index_sorting: false - index_template: - composed_of: - - metrics-vsphere.datastore@package - - metrics-vsphere.datastore@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - metrics-vsphere.datastore@custom - index_patterns: - - metrics-vsphere.datastore-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-metrics-vsphere.datastore-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-metrics-vsphere_x_host: - index_sorting: false - index_template: - composed_of: - - metrics-vsphere.host@package - - metrics-vsphere.host@custom - - so-fleet_globals-1 - - 
so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - metrics-vsphere.host@custom - index_patterns: - - metrics-vsphere.host-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-metrics-vsphere.host-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-metrics-vsphere_x_virtualmachine: - index_sorting: false - index_template: - composed_of: - - metrics-vsphere.virtualmachine@package - - metrics-vsphere.virtualmachine@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - metrics-vsphere.virtualmachine@custom - index_patterns: - - metrics-vsphere.virtualmachine-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-metrics-vsphere.virtualmachine-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-redis: index_sorting: false index_template: diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index 48280c506..fb3f877df 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls 
@@ -151,7 +151,7 @@ es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}: {% endfor %} {% endif %} -{% if GLOBALS.role in GLOBALS.manager_roles %} +{% if GLOBALS.role in GLOBALS.manager_roles %} so-es-cluster-settings: cmd.run: - name: /usr/sbin/so-elasticsearch-cluster-settings @@ -160,7 +160,7 @@ so-es-cluster-settings: - require: - docker_container: so-elasticsearch - file: elasticsearch_sbin_jinja -{% endif %} +{% endif %} so-elasticsearch-ilm-policy-load: cmd.run: @@ -172,6 +172,13 @@ so-elasticsearch-ilm-policy-load: - onchanges: - file: so-elasticsearch-ilm-policy-load-script +configure-addon-fleet-integrations: + cmd.run: + - name: /usr/sbin/so-elastic-fleet-optional-integrations-load + - cwd: /opt/so + - require: + - docker_container: so-elasticsearch + so-elasticsearch-templates-reload: file.absent: - name: /opt/so/state/estemplates.txt diff --git a/salt/elasticsearch/integration-templates.map.jinja b/salt/elasticsearch/integration-templates.map.jinja deleted file mode 100644 index 59a9222c5..000000000 --- a/salt/elasticsearch/integration-templates.map.jinja +++ /dev/null 
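Review bot: The new `configure-addon-fleet-integrations` state in the third hunk has no `unless`/`onchanges` guard, so `so-elastic-fleet-optional-integrations-load` runs on every highstate, unlike the neighbouring `so-elasticsearch-ilm-policy-load`, which is gated with `onchanges` on its script; the script does appear to keep its own success marker (a `STATE_FILE_SUCCESS` check is visible in its hunk), so if that is the intended idempotence mechanism a one-line comment on the state saying so would save the next reader from adding a redundant guard. The state also sits after the `{% endif %}` that closes the `GLOBALS.role in GLOBALS.manager_roles` block, so it is applied on every role that includes this file; if installing Fleet packages only makes sense where Fleet is reachable, either move it inside that guard or add an `- onlyif` condition, and the visible lines do not show which is intended. Its only requirement is `docker_container: so-elasticsearch`; if the script talks to the Fleet API through Kibana, adding the Kibana container to `require` would avoid a first-boot race.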
@@ -1,110 +0,0 @@ -{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one - or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at - https://securityonion.net/license; you may not use this file except in compliance with the - Elastic License 2.0. #} - -{% import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %} -{% set packages = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %} -{% set INTEGRATION_INDEX_SETTINGS = {} %} - - -{% set default_settings = { - 'index_sorting': false, - 'index_template': { - 'data_stream': { - 'allow_custom_routing': false, - 'hidden': false - }, - 'priority': 501, - 'template': { - 'settings': { - 'index': { - 'number_of_replicas': 0 - } - } - } - }, - 'policy': { - 'phases': { - 'cold': { - 'actions': { - 'set_priority': { - 'priority': 0 - } - }, - 'min_age': '60d' - }, - 'delete': { - 'actions': { - 'delete': {} - }, - 'min_age': '365d' - }, - 'hot': { - 'actions': { - 'rollover':{ - 'max_age': '30d', - 'max_primary_shard_size': '50gb' - }, - 'set_priority': { - 'priority': 100 - } - }, - 'min_age': '0ms' - }, - 'warm': { - 'actions': { - 'set_priority': { - 'priority': 50 - } - }, - 'min_age': '30d' - } - } - } -} %} - -{# Create template for each package component from elasticfleet/defaults.yaml #} -{% for package in packages %} - {% for pkg_name, components in package.items() %} - {% if components is not none %} - {% for component in components %} - {% set component_dot = component.replace('_x_', '.') %} - {% set template_name = 'so-logs-' ~ component %} - - {% set template = { - 'index_sorting': default_settings.index_sorting, - 'index_template': { - 'composed_of': [ - 'logs-' ~ component_dot ~ '@package', - 'logs-' ~ component_dot ~ '@custom', - 'so-fleet-_globals-1', - 'so-fleet_agent_id_verification-1' - ], - 'data_stream': default_settings.index_template.data_stream, - 'ignore_missing_component_templates': [ - 'logs-' 
~ component_dot ~ '@custom' - ], - 'index_patterns': [ - 'logs-' ~ component_dot ~ '-*' - ], - 'priority': default_settings.index_template.priority, - 'template': { - 'settings': { - 'index': { - 'lifecycle': { - 'name': 'so-logs-' ~ component_dot ~ '-logs' - }, - 'number_of_replicas': default_settings.index_template.template.settings.index.number_of_replicas - } - } - } - }, - 'policy': default_settings.policy - } %} - - {% do INTEGRATION_INDEX_SETTINGS.update({template_name: template}) %} - {% endfor %} - {% endif %} - {% endfor %} -{% endfor %} \ No newline at end of file diff --git a/salt/elasticsearch/template.map.jinja b/salt/elasticsearch/template.map.jinja index c53349f18..c1ff2cb24 100644 --- a/salt/elasticsearch/template.map.jinja +++ b/salt/elasticsearch/template.map.jinja @@ -15,7 +15,7 @@ {% set ES_INDEX_SETTINGS_ORIG = ELASTICSEARCHDEFAULTS.elasticsearch.index_settings %} {# start generation of integration default index_settings #} -{% if salt['file.file_exists']('/opt/so/state/estemplates.txt') %} +{% if salt['file.file_exists']('/opt/so/state/esfleet_package_components.json') %} {% from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %} {% for index, settings in ADDON_INTEGRATION_DEFAULTS.items() %} {% do ES_INDEX_SETTINGS_ORIG.update({index: settings}) %} From 9fe3f6042fec1b65aeaa8809dc4fc1a352434e26 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 6 Jan 2025 10:44:22 -0600 Subject: [PATCH 06/69] Remove individual integrations ip mappings component template. Replaced with global mappings 
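Review bot: The gate in the template.map.jinja hunk now keys on `/opt/so/state/esfleet_package_components.json`, but `salt['file.file_exists']` only proves the file is present, not that it is complete: the file appears to be written by the optional-integrations load script after the bulk install, so a highstate rendering while it is being written, or after a failed write left it empty, would import `integration-defaults.map.jinja` against truncated JSON and fail the whole render rather than just skipping the add-on defaults. If the loader writes to a temporary file and renames it into place, a comment on this line noting that the check relies on atomic replacement would settle the question; otherwise that is the fix to make on the writer side. Separately, `so-elasticsearch-templates-reload` in enabled.sls still removes `/opt/so/state/estemplates.txt`, which this hunk stops using as the gate; if nothing else reads that file, the reload state no longer re-triggers add-on template generation and should be pointed at whatever now drives it.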
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- .../integration-defaults.map.jinja | 2 +- .../logs-1password.item_usages@custom.json | 36 ------------------ ...logs-1password.signin_attempts@custom.json | 36 ------------------ .../logs-apache.access@custom.json | 36 ------------------ .../logs-apache.error@custom.json | 36 ------------------ .../elastic-agent/logs-auditd.log@custom.json | 36 ------------------ .../elastic-agent/logs-auth0.logs@custom.json | 36 ------------------ .../logs-aws.cloudfront_logs@custom.json | 36 ------------------ .../logs-aws.cloudtrail@custom.json | 36 ------------------ .../logs-aws.cloudwatch_logs@custom.json | 36 ------------------ .../logs-aws.ec2_logs@custom.json | 36 ------------------ .../logs-aws.elb_logs@custom.json | 36 ------------------ .../logs-aws.firewall_logs@custom.json | 36 ------------------ .../logs-aws.guardduty@custom.json | 36 ------------------ .../logs-aws.inspector@custom.json | 36 ------------------ .../logs-aws.route53_public_logs@custom.json | 36 ------------------ ...logs-aws.route53_resolver_logs@custom.json | 36 ------------------ .../logs-aws.s3access@custom.json | 36 ------------------ .../logs-aws.securityhub_findings@custom.json | 36 ------------------ .../logs-aws.securityhub_insights@custom.json | 36 ------------------ .../logs-aws.vpcflow@custom.json | 36 ------------------ .../elastic-agent/logs-aws.waf@custom.json | 36 ------------------ .../logs-azure.activitylogs@custom.json | 36 ------------------ ...logs-azure.application_gateway@custom.json | 36 ------------------ .../logs-azure.auditlogs@custom.json | 36 ------------------ .../logs-azure.eventhub@custom.json | 36 ------------------ .../logs-azure.firewall_logs@custom.json | 36 ------------------ ...logs-azure.identity_protection@custom.json | 36 ------------------ .../logs-azure.platformlogs@custom.json | 36 ------------------ .../logs-azure.provisioning@custom.json | 36 ------------------ 
.../logs-azure.signinlogs@custom.json | 36 ------------------ .../logs-azure.springcloudlogs@custom.json | 36 ------------------ .../logs-barracuda.waf@custom.json | 36 ------------------ ...arracuda_cloudgen_firewall.log@custom.json | 36 ------------------ .../logs-carbonblack_edr.log@custom.json | 36 ------------------ .../elastic-agent/logs-cef.log@custom.json | 36 ------------------ .../logs-checkpoint.firewall@custom.json | 36 ------------------ .../logs-cisco_asa.log@custom.json | 36 ------------------ .../logs-cisco_duo.admin@custom.json | 36 ------------------ .../logs-cisco_duo.auth@custom.json | 36 ------------------ ...s-cisco_duo.offline_enrollment@custom.json | 36 ------------------ .../logs-cisco_duo.summary@custom.json | 36 ------------------ .../logs-cisco_duo.telephony@custom.json | 36 ------------------ .../logs-cisco_ftd.log@custom.json | 36 ------------------ .../logs-cisco_ios.log@custom.json | 36 ------------------ .../logs-cisco_ise.log@custom.json | 36 ------------------ .../logs-cisco_meraki.events@custom.json | 36 ------------------ .../logs-cisco_meraki.log@custom.json | 36 ------------------ ...cisco_secure_email_gateway.log@custom.json | 36 ------------------ .../logs-cisco_umbrella.log@custom.json | 36 ------------------ .../logs-citrix_adc.interface@custom.json | 36 ------------------ .../logs-citrix_adc.lbvserver@custom.json | 36 ------------------ .../logs-citrix_adc.service@custom.json | 36 ------------------ .../logs-citrix_adc.system@custom.json | 36 ------------------ .../logs-citrix_adc.vpn@custom.json | 36 ------------------ .../logs-citrix_waf.log@custom.json | 36 ------------------ .../logs-cloudflare.audit@custom.json | 36 ------------------ .../logs-cloudflare.logpull@custom.json | 36 ------------------ .../logs-crowdstrike.alert@custom.json | 36 ------------------ .../logs-crowdstrike.falcon@custom.json | 36 ------------------ .../logs-crowdstrike.fdr@custom.json | 36 ------------------ 
.../logs-crowdstrike.host@custom.json | 36 ------------------ ...ogs-darktrace.ai_analyst_alert@custom.json | 36 ------------------ ...s-darktrace.model_breach_alert@custom.json | 36 ------------------ ...-darktrace.system_status_alert@custom.json | 36 ------------------ .../logs-f5_bigip.log@custom.json | 36 ------------------ .../elastic-agent/logs-fim.event@custom.json | 36 ------------------ .../elastic-agent/logs-fireeye.nx@custom.json | 36 ------------------ .../logs-fortinet.clientendpoint@custom.json | 36 ------------------ .../logs-fortinet.firewall@custom.json | 36 ------------------ .../logs-fortinet.fortimail@custom.json | 36 ------------------ .../logs-fortinet.fortimanager@custom.json | 36 ------------------ .../logs-fortinet_fortigate.log@custom.json | 36 ------------------ .../elastic-agent/logs-gcp.audit@custom.json | 36 ------------------ .../elastic-agent/logs-gcp.dns@custom.json | 36 ------------------ .../logs-gcp.firewall@custom.json | 36 ------------------ .../logs-gcp.loadbalancing_logs@custom.json | 36 ------------------ .../logs-gcp.vpcflow@custom.json | 36 ------------------ .../logs-github.audit@custom.json | 36 ------------------ .../logs-github.code_scanning@custom.json | 36 ------------------ .../logs-github.dependabot@custom.json | 36 ------------------ .../logs-github.issues@custom.json | 36 ------------------ .../logs-github.secret_scanning@custom.json | 36 ------------------ ..._workspace.access_transparency@custom.json | 36 ------------------ .../logs-google_workspace.admin@custom.json | 36 ------------------ .../logs-google_workspace.alert@custom.json | 36 ------------------ ...workspace.context_aware_access@custom.json | 36 ------------------ .../logs-google_workspace.device@custom.json | 36 ------------------ .../logs-google_workspace.drive@custom.json | 36 ------------------ .../logs-google_workspace.gcp@custom.json | 36 ------------------ ...gle_workspace.group_enterprise@custom.json | 36 ------------------ 
.../logs-google_workspace.groups@custom.json | 36 ------------------ .../logs-google_workspace.login@custom.json | 36 ------------------ .../logs-google_workspace.rules@custom.json | 36 ------------------ .../logs-google_workspace.saml@custom.json | 36 ------------------ .../logs-google_workspace.token@custom.json | 36 ------------------ ...google_workspace.user_accounts@custom.json | 36 ------------------ .../elastic-agent/logs-iis.access@custom.json | 36 ------------------ .../elastic-agent/logs-iis.error@custom.json | 36 ------------------ .../logs-imperva_cloud_waf.event@custom.json | 36 ------------------ .../logs-juniper.junos@custom.json | 36 ------------------ .../logs-juniper.netscreen@custom.json | 36 ------------------ .../logs-juniper.srx@custom.json | 36 ------------------ .../logs-juniper_srx.log@custom.json | 36 ------------------ .../logs-kafka_log.generic@custom.json | 36 ------------------ ...astpass.detailed_shared_folder@custom.json | 36 ------------------ .../logs-lastpass.event_report@custom.json | 36 ------------------ .../logs-lastpass.user@custom.json | 36 ------------------ .../logs-m365_defender.event@custom.json | 36 ------------------ .../logs-m365_defender.incident@custom.json | 36 ------------------ .../logs-m365_defender.log@custom.json | 36 ------------------ ...icrosoft_defender_endpoint.log@custom.json | 36 ------------------ .../logs-microsoft_dhcp.log@custom.json | 36 ------------------ ...logs-microsoft_sqlserver.audit@custom.json | 36 ------------------ .../logs-microsoft_sqlserver.log@custom.json | 36 ------------------ .../logs-mimecast.audit_events@custom.json | 36 ------------------ .../logs-mimecast.dlp_logs@custom.json | 36 ------------------ .../logs-mimecast.siem_logs@custom.json | 36 ------------------ ....threat_intel_malware_customer@custom.json | 36 ------------------ ...cast.threat_intel_malware_grid@custom.json | 36 ------------------ .../logs-mimecast.ttp_ap_logs@custom.json | 36 ------------------ 
.../logs-mimecast.ttp_ip_logs@custom.json | 36 ------------------ .../logs-mimecast.ttp_url_logs@custom.json | 36 ------------------ .../logs-mysql.error@custom.json | 36 ------------------ .../logs-mysql.slowlog@custom.json | 36 ------------------ .../logs-netflow.log@custom.json | 36 ------------------ .../logs-nginx.access@custom.json | 36 ------------------ .../logs-nginx.error@custom.json | 36 ------------------ .../elastic-agent/logs-o365.audit@custom.json | 36 ------------------ .../logs-okta.system@custom.json | 36 ------------------ .../elastic-agent/logs-panw.panos@custom.json | 36 ------------------ .../logs-pfsense.log@custom.json | 36 ------------------ ...-proofpoint_tap.clicks_blocked@custom.json | 36 ------------------ ...roofpoint_tap.clicks_permitted@custom.json | 36 ------------------ ...proofpoint_tap.message_blocked@custom.json | 36 ------------------ ...oofpoint_tap.message_delivered@custom.json | 36 ------------------ .../logs-pulse_connect_secure.log@custom.json | 36 ------------------ .../logs-sentinel_one.activity@custom.json | 36 ------------------ .../logs-sentinel_one.agent@custom.json | 36 ------------------ .../logs-sentinel_one.alert@custom.json | 36 ------------------ .../logs-sentinel_one.group@custom.json | 36 ------------------ .../logs-sentinel_one.threat@custom.json | 36 ------------------ .../elastic-agent/logs-snort.log@custom.json | 36 ------------------ .../elastic-agent/logs-snyk.audit@custom.json | 36 ------------------ .../logs-snyk.vulnerabilities@custom.json | 36 ------------------ .../logs-sonicwall_firewall.log@custom.json | 36 ------------------ .../elastic-agent/logs-sophos.utm@custom.json | 36 ------------------ .../elastic-agent/logs-sophos.xg@custom.json | 36 ------------------ .../logs-sophos_central.alert@custom.json | 36 ------------------ .../logs-sophos_central.event@custom.json | 36 ------------------ .../logs-symantec_endpoint.log@custom.json | 36 ------------------ .../logs-tenable_io.asset@custom.json | 
36 ------------------ .../logs-tenable_io.plugin@custom.json | 36 ------------------ .../logs-tenable_io.scan@custom.json | 36 ------------------ .../logs-tenable_io.vulnerability@custom.json | 36 ------------------ .../logs-tenable_sc.asset@custom.json | 36 ------------------ .../logs-tenable_sc.plugin@custom.json | 36 ------------------ .../logs-tenable_sc.vulnerability@custom.json | 36 ------------------ .../logs-ti_abusech.malware@custom.json | 36 ------------------ .../logs-ti_abusech.malwarebazaar@custom.json | 36 ------------------ .../logs-ti_abusech.threatfox@custom.json | 36 ------------------ .../logs-ti_abusech.url@custom.json | 36 ------------------ .../logs-ti_anomali.threatstream@custom.json | 36 ------------------ .../logs-ti_cybersixgill.threat@custom.json | 36 ------------------ .../logs-ti_misp.threat@custom.json | 36 ------------------ ...logs-ti_misp.threat_attributes@custom.json | 36 ------------------ .../logs-ti_opencti.indicator@custom.json | 36 ------------------ .../logs-ti_otx.pulses_subscribed@custom.json | 36 ------------------ .../logs-ti_otx.threat@custom.json | 36 ------------------ ...ti_rapid7_threat_command.alert@custom.json | 36 ------------------ ...s-ti_rapid7_threat_command.ioc@custom.json | 36 ------------------ ...7_threat_command.vulnerability@custom.json | 36 ------------------ ...rdedfuture.latest_ioc-template@custom.json | 36 ------------------ .../logs-ti_recordedfuture.threat@custom.json | 36 ------------------ .../logs-ti_threatq.threat@custom.json | 36 ------------------ ...s-trend_micro_vision_one.alert@custom.json | 36 ------------------ ...s-trend_micro_vision_one.audit@custom.json | 36 ------------------ ...end_micro_vision_one.detection@custom.json | 36 ------------------ .../logs-trendmicro.deep_security@custom.json | 36 ------------------ .../logs-vsphere.log@custom.json | 36 ------------------ .../logs-zscaler_zia.alerts@custom.json | 36 ------------------ .../logs-zscaler_zia.dns@custom.json | 36 
------------------ .../logs-zscaler_zia.firewall@custom.json | 36 ------------------ .../logs-zscaler_zia.tunnel@custom.json | 36 ------------------ .../logs-zscaler_zia.web@custom.json | 36 ------------------ ...caler_zpa.app_connector_status@custom.json | 36 ------------------ .../logs-zscaler_zpa.audit@custom.json | 36 ------------------ ...ogs-zscaler_zpa.browser_access@custom.json | 36 ------------------ ...logs-zscaler_zpa.user_activity@custom.json | 36 ------------------ .../logs-zscaler_zpa.user_status@custom.json | 36 ------------------ .../so-fleet_integrations.ip_mappings.json | 37 +++++++++++++++++++ 191 files changed, 38 insertions(+), 6805 deletions(-) delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-1password.item_usages@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-1password.signin_attempts@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-apache.access@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-apache.error@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-auditd.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-auth0.logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudfront_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudtrail@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudwatch_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.ec2_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.elb_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.firewall_logs@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-aws.guardduty@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.inspector@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_public_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_resolver_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.s3access@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_findings@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_insights@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.vpcflow@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.waf@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.activitylogs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.application_gateway@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.auditlogs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.eventhub@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.firewall_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.identity_protection@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.platformlogs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.provisioning@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.signinlogs@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-azure.springcloudlogs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-barracuda.waf@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-barracuda_cloudgen_firewall.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-carbonblack_edr.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cef.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-checkpoint.firewall@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_asa.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.admin@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.auth@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.offline_enrollment@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.summary@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.telephony@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ftd.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ios.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ise.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.events@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_secure_email_gateway.log@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-cisco_umbrella.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.interface@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.lbvserver@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.service@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.system@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.vpn@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-citrix_waf.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.logpull@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.falcon@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.fdr@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.ai_analyst_alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.model_breach_alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.system_status_alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-f5_bigip.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-fim.event@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-fireeye.nx@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.clientendpoint@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.firewall@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimail@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimanager@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-fortinet_fortigate.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-gcp.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-gcp.dns@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-gcp.firewall@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-gcp.loadbalancing_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-gcp.vpcflow@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-github.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-github.code_scanning@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-github.dependabot@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-github.issues@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-github.secret_scanning@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.access_transparency@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.admin@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.context_aware_access@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.device@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.drive@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.gcp@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.group_enterprise@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.groups@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.login@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.rules@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.saml@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.token@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.user_accounts@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-iis.access@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-iis.error@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-imperva_cloud_waf.event@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-juniper.junos@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-juniper.netscreen@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-juniper.srx@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-juniper_srx.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-kafka_log.generic@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.detailed_shared_folder@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.event_report@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.user@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.event@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.incident@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_defender_endpoint.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_dhcp.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.audit_events@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.dlp_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.siem_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_customer@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_grid@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ap_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ip_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_url_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mysql.error@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mysql.slowlog@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-netflow.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-nginx.access@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-nginx.error@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-o365.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-okta.system@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-panw.panos@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-pfsense.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_blocked@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_permitted@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_blocked@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_delivered@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-pulse_connect_secure.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.activity@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.agent@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.group@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.threat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-snort.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-snyk.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-snyk.vulnerabilities@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sonicwall_firewall.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sophos.utm@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sophos.xg@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.event@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-symantec_endpoint.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.asset@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.plugin@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.scan@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.vulnerability@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.asset@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.plugin@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.vulnerability@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malware@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malwarebazaar@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.threatfox@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.url@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_anomali.threatstream@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_cybersixgill.threat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat_attributes@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.pulses_subscribed@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.threat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.ioc@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.vulnerability@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.latest_ioc-template@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.threat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_threatq.threat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.detection@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-trendmicro.deep_security@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-vsphere.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.alerts@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.dns@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.firewall@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.tunnel@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.web@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.app_connector_status@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.browser_access@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_activity@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_status@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings.json 
diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja
index 0de400b26..cd88748b5 100644
--- a/salt/elasticfleet/integration-defaults.map.jinja
+++ b/salt/elasticfleet/integration-defaults.map.jinja
@@ -73,7 +73,7 @@
 {% set integration_defaults = {
 "index_sorting": false,
 "index_template": {
- "composed_of": [integration_type ~ component_name ~ "@package", integration_type ~ component_name ~ "@custom", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"],
+ "composed_of": [integration_type ~ component_name ~ "@package", integration_type ~ component_name ~ "@custom", "so-fleet_integrations.ip_mappings", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"],
 "data_stream": {
 "allow_custom_routing": false,
 "hidden": false
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-1password.item_usages@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-1password.item_usages@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-1password.item_usages@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-1password.signin_attempts@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-1password.signin_attempts@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-1password.signin_attempts@custom.json
+++ /dev/null
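Review bot: The new `"so-fleet_integrations.ip_mappings"` entry sits after `integration_type ~ component_name ~ "@custom"` in `composed_of`, and Elasticsearch applies component templates in list order with later entries overriding earlier ones, so a mapping an operator sets for `host.ip`, `source.ip`, `destination.ip` or `related.ip` in a per-integration `@custom` template (exactly the fields the deleted `@custom` files carried) is now overridden by the shared component. That is consistent with `so-fleet_globals-1` and `so-fleet_agent_id_verification-1` already following `@custom`, but the precedence deserves a `{# ... #}` comment above the `{% set integration_defaults` line stating that the shared ip field types are meant to win over per-integration overrides, or the entry should move before `@custom` if the shared mappings are intended only as a baseline. The shared component also becomes a hard dependency of every generated index template; unlike `@custom` it does not appear in `ignore_missing_component_templates` as far as this hunk shows, so an index-template PUT will fail if `so-fleet_integrations.ip_mappings` has not been loaded first — presumably the loader installs component templates before index templates, but that ordering is not visible here. The `integration_defaults` dict opened on the first context line is closed outside the hunk.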
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-apache.access@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-apache.access@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-apache.access@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-apache.error@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-apache.error@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-apache.error@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-auditd.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-auditd.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-auditd.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-auth0.logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-auth0.logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-auth0.logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudfront_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudfront_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudfront_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudtrail@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudtrail@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudtrail@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudwatch_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudwatch_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudwatch_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.ec2_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.ec2_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.ec2_logs@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.elb_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.elb_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.elb_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.firewall_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.firewall_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.firewall_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.guardduty@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.guardduty@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.guardduty@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.inspector@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.inspector@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.inspector@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_public_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_public_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_public_logs@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_resolver_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_resolver_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_resolver_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.s3access@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.s3access@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.s3access@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_findings@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_findings@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_findings@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_insights@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_insights@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_insights@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.vpcflow@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.vpcflow@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.vpcflow@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.waf@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.waf@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.waf@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.activitylogs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.activitylogs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.activitylogs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.application_gateway@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.application_gateway@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.application_gateway@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.auditlogs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.auditlogs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.auditlogs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.eventhub@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.eventhub@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.eventhub@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.firewall_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.firewall_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.firewall_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.identity_protection@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.identity_protection@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.identity_protection@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.platformlogs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.platformlogs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.platformlogs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.provisioning@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.provisioning@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.provisioning@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.signinlogs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.signinlogs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.signinlogs@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.springcloudlogs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.springcloudlogs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.springcloudlogs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-barracuda.waf@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-barracuda.waf@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-barracuda.waf@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-barracuda_cloudgen_firewall.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-barracuda_cloudgen_firewall.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-barracuda_cloudgen_firewall.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-carbonblack_edr.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-carbonblack_edr.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-carbonblack_edr.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cef.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cef.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cef.log@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-checkpoint.firewall@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-checkpoint.firewall@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-checkpoint.firewall@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_asa.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_asa.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_asa.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.admin@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.admin@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.admin@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.auth@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.auth@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.auth@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.offline_enrollment@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.offline_enrollment@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.offline_enrollment@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.summary@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.summary@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.summary@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.telephony@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.telephony@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.telephony@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ftd.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ftd.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ftd.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ios.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ios.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ios.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ise.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ise.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ise.log@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.events@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.events@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.events@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_secure_email_gateway.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_secure_email_gateway.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_secure_email_gateway.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_umbrella.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_umbrella.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_umbrella.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.interface@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.interface@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.interface@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.lbvserver@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.lbvserver@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.lbvserver@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.service@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.service@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.service@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.system@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.system@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.system@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.vpn@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.vpn@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.vpn@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_waf.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_waf.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_waf.log@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.audit@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.audit@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.logpull@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.logpull@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.logpull@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.falcon@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.falcon@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.falcon@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.fdr@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.fdr@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.fdr@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.ai_analyst_alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.ai_analyst_alert@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.ai_analyst_alert@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.model_breach_alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.model_breach_alert@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.model_breach_alert@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.system_status_alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.system_status_alert@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.system_status_alert@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-f5_bigip.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-f5_bigip.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-f5_bigip.log@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fim.event@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fim.event@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-fim.event@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fireeye.nx@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fireeye.nx@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-fireeye.nx@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.clientendpoint@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.clientendpoint@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.clientendpoint@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.firewall@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.firewall@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.firewall@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimail@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimail@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimail@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimanager@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimanager@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimanager@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet_fortigate.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet_fortigate.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet_fortigate.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.audit@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.audit@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.dns@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.dns@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.dns@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.firewall@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.firewall@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.firewall@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.loadbalancing_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.loadbalancing_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.loadbalancing_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.vpcflow@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.vpcflow@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.vpcflow@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-github.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-github.audit@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-github.audit@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-github.code_scanning@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-github.code_scanning@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-github.code_scanning@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-github.dependabot@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-github.dependabot@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-github.dependabot@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-github.issues@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-github.issues@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-github.issues@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-github.secret_scanning@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-github.secret_scanning@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-github.secret_scanning@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.access_transparency@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.access_transparency@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.access_transparency@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.admin@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.admin@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.admin@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.alert@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.alert@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.context_aware_access@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.context_aware_access@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.context_aware_access@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.device@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.device@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.device@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.drive@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.drive@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.drive@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.gcp@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.gcp@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.gcp@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.group_enterprise@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.group_enterprise@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.group_enterprise@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.groups@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.groups@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.groups@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.login@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.login@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.login@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.rules@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.rules@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.rules@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.saml@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.saml@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.saml@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.token@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.token@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.token@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.user_accounts@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.user_accounts@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.user_accounts@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-iis.access@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-iis.access@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-iis.access@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-iis.error@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-iis.error@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-iis.error@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-imperva_cloud_waf.event@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-imperva_cloud_waf.event@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-imperva_cloud_waf.event@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.junos@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.junos@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.junos@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.netscreen@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.netscreen@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.netscreen@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.srx@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.srx@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.srx@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper_srx.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-juniper_srx.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper_srx.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-kafka_log.generic@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-kafka_log.generic@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-kafka_log.generic@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.detailed_shared_folder@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.detailed_shared_folder@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.detailed_shared_folder@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.event_report@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.event_report@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.event_report@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.user@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.user@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.user@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.event@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.event@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.event@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.incident@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.incident@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.incident@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.log@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_defender_endpoint.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_defender_endpoint.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_defender_endpoint.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_dhcp.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_dhcp.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_dhcp.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.audit@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.audit@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.audit_events@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.audit_events@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.audit_events@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.dlp_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.dlp_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.dlp_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.siem_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.siem_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.siem_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_customer@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_customer@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_customer@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_grid@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_grid@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_grid@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ap_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ap_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ap_logs@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ip_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ip_logs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ip_logs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_url_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_url_logs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_url_logs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mysql.error@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mysql.error@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-mysql.error@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mysql.slowlog@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mysql.slowlog@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-mysql.slowlog@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-netflow.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-netflow.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-netflow.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-nginx.access@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-nginx.access@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-nginx.access@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-nginx.error@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-nginx.error@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-nginx.error@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-o365.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-o365.audit@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-o365.audit@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-okta.system@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-okta.system@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-okta.system@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-panw.panos@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-panw.panos@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-panw.panos@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-pfsense.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-pfsense.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-pfsense.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_blocked@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_blocked@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_blocked@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_permitted@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_permitted@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_permitted@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_blocked@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_blocked@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_blocked@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_delivered@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_delivered@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_delivered@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-pulse_connect_secure.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-pulse_connect_secure.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-pulse_connect_secure.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.activity@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.activity@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.activity@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.agent@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.agent@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.agent@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.alert@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.alert@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.group@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.group@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.group@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.threat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.threat@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.threat@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-snort.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-snort.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-snort.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-snyk.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-snyk.audit@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-snyk.audit@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-snyk.vulnerabilities@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-snyk.vulnerabilities@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-snyk.vulnerabilities@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sonicwall_firewall.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sonicwall_firewall.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-sonicwall_firewall.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos.utm@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sophos.utm@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos.utm@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos.xg@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sophos.xg@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos.xg@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.alert@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.alert@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.event@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.event@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.event@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-symantec_endpoint.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-symantec_endpoint.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-symantec_endpoint.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.asset@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.asset@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.asset@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.plugin@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.plugin@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.plugin@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.scan@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.scan@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.scan@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.vulnerability@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.vulnerability@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.vulnerability@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.asset@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.asset@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.asset@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.plugin@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.plugin@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.plugin@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.vulnerability@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.vulnerability@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.vulnerability@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malware@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malware@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malware@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malwarebazaar@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malwarebazaar@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malwarebazaar@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.threatfox@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.threatfox@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.threatfox@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.url@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.url@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.url@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_anomali.threatstream@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_anomali.threatstream@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_anomali.threatstream@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_cybersixgill.threat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_cybersixgill.threat@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_cybersixgill.threat@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat_attributes@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat_attributes@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat_attributes@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.pulses_subscribed@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.pulses_subscribed@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.pulses_subscribed@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.threat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.threat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.threat@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.alert@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.alert@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.ioc@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.ioc@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.ioc@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.vulnerability@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.vulnerability@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.vulnerability@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.latest_ioc-template@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.latest_ioc-template@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.latest_ioc-template@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.threat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.threat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.threat@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_threatq.threat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_threatq.threat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_threatq.threat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.alert@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.alert@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.audit@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.audit@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.detection@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.detection@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.detection@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-trendmicro.deep_security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-trendmicro.deep_security@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-trendmicro.deep_security@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-vsphere.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-vsphere.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-vsphere.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.alerts@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.alerts@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.alerts@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.dns@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.dns@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.dns@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.firewall@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.firewall@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.firewall@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.tunnel@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.tunnel@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.tunnel@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.web@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.web@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.web@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.app_connector_status@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.app_connector_status@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.app_connector_status@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.audit@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.audit@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.browser_access@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.browser_access@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.browser_access@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_activity@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_activity@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_activity@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_status@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_status@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_status@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings.json b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings.json new file mode 100644 index 000000000..3777e670c --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings.json @@ -0,0 +1,37 @@ +{ + "template": { + "mappings": { + "properties": { + "host": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "related": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties":{ + "ip": { + "type": "ip" + } + } + } + } + } + } + } + \ No newline at end of file From 0d49dee46e33ae35648e5f5d4476e8fd539cd2ec Mon Sep 17 00:00:00 2001 
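Review bot: The new so-fleet_integrations.ip_mappings.json ends with a whitespace-only `+ ` line followed by `\ No newline at end of file`; drop that blank line and terminate the file with a single newline so JSON linters and later diffs do not keep flagging it. The mapping body is otherwise identical to the per-integration `@custom` templates being removed in this commit, so the `ip` typing of `host.ip`, `related.ip`, `source.ip` and `destination.ip` is unchanged. Since the file is being recreated anyway, the `"properties":{` spacing carried over from those files could be normalized to `"properties": {`.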
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 6 Jan 2025 11:22:51 -0600
Subject: [PATCH 07/69] update version to foxtrot
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index 580cd0c49..452820224 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.4.120
\ No newline at end of file
+2.4.0-foxtrot
\ No newline at end of file
From 3d3f0460fad532c1a5e207fabe3f327dd4ea167b Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 6 Jan 2025 14:42:16 -0600
Subject: [PATCH 08/69] move addon integration script run to elasticfleet state
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 salt/elasticfleet/enabled.sls | 4 ++++
 salt/elasticsearch/enabled.sls | 7 -------
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls
index f91074b39..5a52f3a41 100644
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -151,6 +151,10 @@ so-elastic-fleet-integration-upgrade:
   cmd.run:
     - name: /usr/sbin/so-elastic-fleet-integration-upgrade
 
+so-elastic-fleet-addon-integrations:
+  cmd.run:
+    - name: /usr/sbin/so-elastic-fleet-optional-integrations-load
+
 {% if ELASTICFLEETMERGED.config.defend_filters.enable_auto_configuration %}
 so-elastic-defend-manage-filters-file-watch:
   cmd.run:
diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls
index fb3f877df..4ed4b1b98 100644
--- a/salt/elasticsearch/enabled.sls
+++ b/salt/elasticsearch/enabled.sls
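Review bot: The relocated `so-elastic-fleet-addon-integrations` state carries no requisite, whereas the state it replaces in salt/elasticsearch/enabled.sls had `require: docker_container: so-elasticsearch` and `cwd: /opt/so`, so the loader now runs even when the preceding `so-elastic-fleet-integration-upgrade` step has failed. If it is meant to follow a successful upgrade, add `- require:` / `  - cmd: so-elastic-fleet-integration-upgrade` under the new `cmd.run`. The loader script exits early unless `/opt/so/state/estemplates.txt` exists, and `so-elasticsearch-templates-reload` in the elasticsearch state appears to remove that same file, so the intended run order between the two states now decides whether this step does anything; a one-line comment on the new state stating that dependency would help the next maintainer.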
@@ -172,13 +172,6 @@ so-elasticsearch-ilm-policy-load: - onchanges: - file: so-elasticsearch-ilm-policy-load-script -configure-addon-fleet-integrations: - cmd.run: - - name: /usr/sbin/so-elastic-fleet-optional-integrations-load - - cwd: /opt/so - - require: - - docker_container: so-elasticsearch - so-elasticsearch-templates-reload: file.absent: - name: /opt/so/state/estemplates.txt From a21535b0a2cf09eb1c587f3dde2c26cdddcda646 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 6 Jan 2025 21:33:07 -0600 Subject: [PATCH 09/69] run elasticsearch state to sync templates Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/manager/tools/sbin/soup | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index fc0c7aca4..d48463737 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -527,6 +527,10 @@ post_to_2.4.111() { post_to_2.4.120() { update_elasticsearch_index_settings + + # Sync the newly generated index templates for elasticfleet integrations + salt-call state.apply elasticsearch queue=True + POSTVERSION=2.4.120 } @@ -736,6 +740,8 @@ up_to_2.4.120() { # New Grid Integration added this release rm -f /opt/so/state/eaintegrations.txt + + INSTALLEDVERSION=2.4.120 } From dab56f0882b4c3b01266a6268a147197d7eeff67 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 14 Jan 2025 15:24:59 -0600 Subject: [PATCH 10/69] update fleet-optional-integrations-load Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- ...o-elastic-fleet-optional-integrations-load | 54 +++++++++++-------- 1 file changed, 33 insertions(+), 21 deletions(-) diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load index 5fa14c5fc..6d87b958c 100644 
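Review bot: The added `salt-call state.apply elasticsearch queue=True` in `post_to_2.4.120` does not surface a failed state run: without `--retcode-passthrough`, salt-call returns 0 even when states fail, so the template sync the comment promises could silently not happen while the upgrade still advances POSTVERSION. Consider `salt-call --retcode-passthrough state.apply elasticsearch queue=True` and treat a non-zero status the same way the rest of soup treats a failed post-upgrade step (not visible in this hunk). The second hunk in `up_to_2.4.120` adds only blank lines.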
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load @@ -13,11 +13,16 @@ STATE_FILE_SUCCESS=/opt/so/state/estemplates.txt INSTALLED_PACKAGE_LIST=/tmp/esfleet_installed_packages.json BULK_INSTALL_PACKAGE_LIST=/tmp/esfleet_bulk_install.json BULK_INSTALL_PACKAGE_TMP=/tmp/esfleet_bulk_install_tmp.json +BULK_INSTALL_OUTPUT=/opt/so/state/esfleet_bulk_install_results.json PACKAGE_COMPONENTS=/opt/so/state/esfleet_package_components.json SKIP_SUBSCRIPTION=true PENDING_UPDATE=false +# Integrations which are included in the package registry, but excluded from automatic installation via this script. +# Requiring some level of manual Elastic Stack configuration before installation +EXCLUDED_INTEGRATIONS=('apm') + version_conversion(){ version=$1 echo "$version" | awk -F '.' '{ printf("%d%03d%03d\n", $1, $2, $3); }' @@ -43,13 +48,13 @@ compare_versions() { if [[ -f $STATE_FILE_SUCCESS ]]; then if retry 3 1 "curl -s -K /opt/so/conf/elasticsearch/curl.config --output /dev/null --silent --head --fail localhost:5601/api/fleet/epm/packages"; then - # Package_list contains all NON-beta integrations. + # Package_list contains all integrations beta / non-beta. latest_package_list=$(/usr/sbin/so-elastic-fleet-package-list) echo '{ "packages" : []}' > $BULK_INSTALL_PACKAGE_LIST rm -f $INSTALLED_PACKAGE_LIST echo $latest_package_list | jq '{packages: [.items[] | {name: .name, latest_version: .version, installed_version: .savedObject.attributes.install_version, subscription: .conditions.elastic.subscription }]}' >> $INSTALLED_PACKAGE_LIST - cat "$INSTALLED_PACKAGE_LIST" | jq -c '.packages[]' | while read -r package; do + while read -r package; do # get package details package_name=$(echo "$package" | jq -r '.name') latest_version=$(echo "$package" | jq -r '.latest_version') 
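Review bot: The comment above `EXCLUDED_INTEGRATIONS=('apm')` is two sentence fragments and does not say what "excluded" means for the script's output; a single sentence such as `# Integrations present in the package registry that this script never installs automatically because they need manual Elastic Stack configuration first; they are reported as skipped.` reads better and matches the "Skipping ..." message emitted later. It would also help to note next to `BULK_INSTALL_OUTPUT` that the file holds the raw API response of the last bulk install, since nothing in the visible hunks reads it back.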
@@ -57,28 +62,35 @@ if [[ -f $STATE_FILE_SUCCESS ]]; then subscription=$(echo "$package" | jq -r '.subscription') bulk_package=$(echo "$package" | jq '{name: .name, version: .latest_version}' ) - if [ $SKIP_SUBSCRIPTION ] && [[ "$subscription" != "basic" && "$subscription" != "null" && -n "$subscription" ]]; then - # pass over integrations that require non-basic elastic license - continue - else - if [ -n "$installed_version" ]; then - results=$(compare_versions "$latest_version" "$installed_version") - if [ $results == "greater" ]; then - echo "$package_name is not up to date... Adding to next update." - jq --argjson package "$bulk_package" '.packages += [$package]' $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_PACKAGE_TMP && mv $BULK_INSTALL_PACKAGE_TMP $BULK_INSTALL_PACKAGE_LIST - PENDING_UPDATE=true - fi + if [[ ! "${EXCLUDED_INTEGRATIONS[@]}" =~ "$package_name" ]]; then + if $SKIP_SUBSCRIPTION && [[ "$subscription" != "basic" && "$subscription" != "null" && -n "$subscription" ]]; then + # pass over integrations that require non-basic elastic license + echo "$package_name integration requires an Elastic license of $subscription or greater... skipping" + continue else - echo "$package_name is not installed... Adding to next update." - jq --argjson package "$bulk_package" '.packages += [$package]' $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_PACKAGE_TMP && mv $BULK_INSTALL_PACKAGE_TMP $BULK_INSTALL_PACKAGE_LIST - PENDING_UPDATE=true - fi - fi - done + if [[ "$installed_version" == "null" || -z "$installed_version" ]]; then + echo "$package_name is not installed... Adding to next update." 
+ jq --argjson package "$bulk_package" '.packages += [$package]' $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_PACKAGE_TMP && mv $BULK_INSTALL_PACKAGE_TMP $BULK_INSTALL_PACKAGE_LIST - if [ $PENDING_UPDATE ]; then + PENDING_UPDATE=true + else + results=$(compare_versions "$latest_version" "$installed_version") + if [ $results == "greater" ]; then + echo "$package_name is at version $installed_version latest version is $latest_version... Adding to next update." + jq --argjson package "$bulk_package" '.packages += [$package]' $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_PACKAGE_TMP && mv $BULK_INSTALL_PACKAGE_TMP $BULK_INSTALL_PACKAGE_LIST + + PENDING_UPDATE=true + fi + fi + fi + else + echo "Skipping $package_name..." + fi + done <<< "$(jq -c '.packages[]' "$INSTALLED_PACKAGE_LIST")" + + if [ "$PENDING_UPDATE" = true ]; then # Run bulk install of packages - elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST + elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_OUTPUT # Write out file for generating index/component/ilm templates latest_installed_package_list=$(elastic_fleet_installed_packages) From 6331298eac1b17b7374bd5784de8202d3cb6ebd7 Mon Sep 17 00:00:00 2001 
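Review bot: `[[ ! "${EXCLUDED_INTEGRATIONS[@]}" =~ "$package_name" ]]` is a substring test against the joined array, so any package whose name is contained in an excluded name (or spans two adjacent entries once more are added) is skipped as well; an exact-match test such as `[[ " ${EXCLUDED_INTEGRATIONS[*]} " == *" ${package_name} "* ]]` avoids that. The bulk-install response is now captured in `$BULK_INSTALL_OUTPUT`, but nothing in the hunk inspects it before `latest_installed_package_list` is collected, so a partially failed install would go unnoticed at this point; the remainder of the function is outside the hunk, so that check may belong there. As a style point, `if $SKIP_SUBSCRIPTION && ...` executes the flag as a command while the later test uses `[ "$PENDING_UPDATE" = true ]`; using the bracket form for both keeps the two flags consistent, and `[ $results == "greater" ]` should quote `$results` in case `compare_versions` prints nothing.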
From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 21 Jan 2025 10:49:54 -0600 Subject: [PATCH 11/69] remove individual @custom mappings. Moved over to so-fleet_integrations.ip_mappings-1 --- .../integration-defaults.map.jinja | 2 +- salt/elasticfleet/integration-defaults.yaml | 46 ------------------- salt/elasticsearch/defaults.yaml | 33 ++++++++++++- ...udflare_logpush.access_request@custom.json | 36 --------------- .../logs-cloudflare_logpush.audit@custom.json | 36 --------------- .../logs-cloudflare_logpush.casb@custom.json | 36 --------------- ...udflare_logpush.device_posture@custom.json | 36 --------------- .../logs-cloudflare_logpush.dns@custom.json | 36 --------------- ...loudflare_logpush.dns_firewall@custom.json | 36 --------------- ...udflare_logpush.firewall_event@custom.json | 36 --------------- ...cloudflare_logpush.gateway_dns@custom.json | 36 --------------- ...loudflare_logpush.gateway_http@custom.json | 36 --------------- ...dflare_logpush.gateway_network@custom.json | 36 --------------- ...loudflare_logpush.http_request@custom.json | 36 --------------- ...s-cloudflare_logpush.magic_ids@custom.json | 36 --------------- ...-cloudflare_logpush.nel_report@custom.json | 36 --------------- ...lare_logpush.network_analytics@custom.json | 36 --------------- ...dflare_logpush.network_session@custom.json | 36 --------------- ...oudflare_logpush.sinkhole_http@custom.json | 36 --------------- ...udflare_logpush.spectrum_event@custom.json | 36 --------------- ...oudflare_logpush.workers_trace@custom.json | 36 --------------- .../logs-elastic_agent.apm_server@custom.json | 36 --------------- .../logs-elastic_agent.auditbeat@custom.json | 36 --------------- .../logs-elastic_agent.cloudbeat@custom.json | 36 --------------- ...lastic_agent.endpoint_security@custom.json | 36 --------------- .../logs-elastic_agent.filebeat@custom.json | 36 --------------- ...ogs-elastic_agent.fleet_server@custom.json | 36 --------------- 
.../logs-elastic_agent.heartbeat@custom.json | 36 --------------- .../logs-elastic_agent.metricbeat@custom.json | 36 --------------- ...logs-elastic_agent.osquerybeat@custom.json | 36 --------------- .../logs-elastic_agent.packetbeat@custom.json | 36 --------------- .../logs-elastic_agent@custom.json | 43 ----------------- .../logs-endpoint.alerts@custom.json | 36 --------------- ...endpoint.diagnostic.collection@custom.json | 43 ----------------- .../logs-endpoint.events.api@custom.json | 36 --------------- .../logs-endpoint.events.file@custom.json | 36 --------------- .../logs-endpoint.events.library@custom.json | 36 --------------- .../logs-endpoint.events.network@custom.json | 36 --------------- .../logs-endpoint.events.process@custom.json | 36 --------------- .../logs-endpoint.events.registry@custom.json | 36 --------------- .../logs-endpoint.events.security@custom.json | 36 --------------- .../logs-http_endpoint.generic@custom.json | 36 --------------- .../logs-httpjson.generic@custom.json | 36 --------------- .../logs-system.application@custom.json | 36 --------------- .../logs-system.auth@custom.json | 36 --------------- .../logs-system.security@custom.json | 36 --------------- .../logs-system.system@custom.json | 36 --------------- .../logs-windows.forwarded@custom.json | 36 --------------- .../logs-windows.powershell@custom.json | 36 --------------- ...windows.powershell_operational@custom.json | 36 --------------- ...ogs-windows.sysmon_operational@custom.json | 36 --------------- .../logs-winlog.winlog@custom.json | 36 --------------- ... 
so-fleet_integrations.ip_mappings-1.json} | 0 53 files changed, 32 insertions(+), 1827 deletions(-) delete mode 100644 salt/elasticfleet/integration-defaults.yaml delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.access_request@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.casb@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.device_posture@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns_firewall@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.firewall_event@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_dns@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_http@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_network@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.http_request@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.magic_ids@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.nel_report@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_analytics@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_session@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.sinkhole_http@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.spectrum_event@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.workers_trace@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.alerts@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.api@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.file@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.library@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.network@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.process@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.registry@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.security@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-http_endpoint.generic@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-httpjson.generic@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-winlog.winlog@custom.json rename salt/elasticsearch/templates/component/elastic-agent/{so-fleet_integrations.ip_mappings.json => so-fleet_integrations.ip_mappings-1.json} (100%) 
diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja
index cd88748b5..09710a43c 100644
--- a/salt/elasticfleet/integration-defaults.map.jinja
+++ b/salt/elasticfleet/integration-defaults.map.jinja
@@ -73,7 +73,7 @@
 {% set integration_defaults = {
 "index_sorting": false,
 "index_template": {
- "composed_of": [integration_type ~ component_name ~ "@package", integration_type ~ component_name ~ "@custom", "so-fleet_integrations.ip_mappings", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"],
+ "composed_of": [integration_type ~ component_name ~ "@package", integration_type ~ component_name ~ "@custom", "so-fleet_integrations.ip_mappings-1", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"],
 "data_stream": {
 "allow_custom_routing": false,
 "hidden": false
diff --git a/salt/elasticfleet/integration-defaults.yaml b/salt/elasticfleet/integration-defaults.yaml
deleted file mode 100644
index 98bbd13b7..000000000
--- a/salt/elasticfleet/integration-defaults.yaml
+++ /dev/null
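Review bot: The renamed entry `so-fleet_integrations.ip_mappings-1` in `composed_of` becomes a hard dependency for every index template built from `integration_defaults`: Elasticsearch rejects an index template whose `composed_of` names a component template that does not exist unless it is listed under `ignore_missing_component_templates`, and that list (outside this hunk, but in the defaults.yaml entries of this same patch) only carries the `@custom` template. The loader therefore has to create the ip_mappings component template before any integration index template, and a missing or not-yet-created one will fail the whole template PUT rather than being skipped. The patch renames `so-fleet_integrations.ip_mappings.json` to `so-fleet_integrations.ip_mappings-1.json` with identical content (100% similarity), so the reference only resolves if the component template name is derived from the filename rather than from a field inside the JSON — worth confirming. A comment above the list would record the ordering requirement, e.g. `{# so-fleet_integrations.ip_mappings-1 must be created before any integration index template; it is not in ignore_missing_component_templates #}`. The `integration_defaults` dict continues outside the hunk.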
@@ -1,46 +0,0 @@
-so-logs-INTPLACEHOLDER_x_COMPLACEHOLDER:
- index_sorting: False
- index_template:
- composed_of:
- - "logs-INTPLACEHOLDER.COMPLACEHOLDER@package"
- - "logs-INTPLACEHOLDER.COMPLACEHOLDER@custom"
- - "so-fleet_globals-1"
- - "so-fleet_agent_id_verification-1"
- data_stream:
- hidden: false
- allow_custom_routing: false
- ignore_missing_COMPLACEHOLDER_templates:
- - "logs-INTPLACEHOLDER.COMPLACEHOLDER@custom"
- index_patterns:
- - "logs-INTPLACEHOLDER.COMPLACEHOLDER-*"
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: "so-logs-INTPLACEHOLDER.COMPLACEHOLDER-logs"
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: "60d"
- delete:
- actions:
- delete: {}
- min_age: "365d"
- hot:
- actions:
- rollover:
- max_age: "30d"
- max_primary_shard_size: "50gb"
- set_priority:
- priority: 100
- min_age: "0ms"
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: "30d"
\ No newline at end of file
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 32d9c431e..d39935485 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -1119,6 +1119,7 @@ elasticsearch:
 - event-mappings
 - logs-elastic_agent@package
 - logs-elastic_agent@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1182,6 +1183,7 @@ elasticsearch:
 composed_of:
 - logs-elastic_agent.apm_server@package
 - logs-elastic_agent.apm_server@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1245,6 +1247,7 @@ elasticsearch:
 composed_of:
 - logs-elastic_agent.auditbeat@package
 - logs-elastic_agent.auditbeat@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
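Review bot: `so-fleet_integrations.ip_mappings-1` is inserted after the integration's `@custom` component template in every `composed_of` list touched by this patch (hunks 1119, 1182 and 1245 here, and the remaining defaults.yaml hunks down to the winlog entry). Elasticsearch merges component templates in list order with the last one taking precedence, so the shared `ip`-type mappings for host/source/destination/related.ip will silently override any conflicting mapping an operator has put into the corresponding `logs-*@custom` template. If operator customizations are meant to stay authoritative the shared template belongs before `@custom`; if the current order is deliberate, a comment at the first occurrence would make that explicit, e.g. `# so-fleet_integrations.ip_mappings-1 follows @custom on purpose: the shared ip-type mappings take precedence`. The `integration-defaults.map.jinja` hunk in this patch uses the same position, so the two should move together if the order is revisited. Consistent `ip` typing is what makes CIDR-range queries in detection rules reliable across data streams, so whichever order is chosen should be the same for all of them.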
@@ -1308,6 +1311,7 @@ elasticsearch:
 composed_of:
 - logs-elastic_agent.cloudbeat@package
 - logs-elastic_agent.cloudbeat@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 ignore_missing_component_templates:
@@ -1369,6 +1373,7 @@ elasticsearch:
 - event-mappings
 - logs-elastic_agent.endpoint_security@package
 - logs-elastic_agent.endpoint_security@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1427,6 +1432,7 @@ elasticsearch:
 - event-mappings
 - logs-elastic_agent.filebeat@package
 - logs-elastic_agent.filebeat@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1485,6 +1491,7 @@ elasticsearch:
 - event-mappings
 - logs-elastic_agent.fleet_server@package
 - logs-elastic_agent.fleet_server@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1539,6 +1546,7 @@ elasticsearch:
 composed_of:
 - logs-elastic_agent.heartbeat@package
 - logs-elastic_agent.heartbeat@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 ignore_missing_component_templates:
@@ -1600,6 +1608,7 @@ elasticsearch:
 - event-mappings
 - logs-elastic_agent.metricbeat@package
 - logs-elastic_agent.metricbeat@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1658,6 +1667,7 @@ elasticsearch:
 - event-mappings
 - logs-elastic_agent.osquerybeat@package
 - logs-elastic_agent.osquerybeat@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1715,6 +1725,7 @@ elasticsearch:
 composed_of:
 - logs-elastic_agent.packetbeat@package
 - logs-elastic_agent.packetbeat@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1779,6 +1790,7 @@ elasticsearch:
 - event-mappings
 - logs-endpoint.alerts@custom
 - logs-endpoint.alerts@package
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1837,6 +1849,7 @@ elasticsearch:
 - event-mappings
 - logs-endpoint.diagnostic.collection@custom
 - logs-endpoint.diagnostic.collection@package
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1895,6 +1908,7 @@ elasticsearch:
 - event-mappings
 - logs-endpoint.events.api@custom
 - logs-endpoint.events.api@package
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1953,6 +1967,7 @@ elasticsearch:
 - event-mappings
 - logs-endpoint.events.file@custom
 - logs-endpoint.events.file@package
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2011,6 +2026,7 @@ elasticsearch:
 - event-mappings
 - logs-endpoint.events.library@custom
 - logs-endpoint.events.library@package
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2069,6 +2085,7 @@ elasticsearch:
 - event-mappings
 - logs-endpoint.events.network@custom
 - logs-endpoint.events.network@package
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2127,6 +2144,7 @@ elasticsearch:
 - event-mappings
 - logs-endpoint.events.process@custom
 - logs-endpoint.events.process@package
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2185,6 +2203,7 @@ elasticsearch:
 - event-mappings
 - logs-endpoint.events.registry@custom
 - logs-endpoint.events.registry@package
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2243,6 +2262,7 @@ elasticsearch:
 - event-mappings
 - logs-endpoint.events.security@custom
 - logs-endpoint.events.security@package
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2300,13 +2320,13 @@ elasticsearch:
 composed_of:
 - logs-http_endpoint.generic@package
 - logs-http_endpoint.generic@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
 allow_custom_routing: false
 hidden: false
 ignore_missing_component_templates:
- - logs-http_endpoint.generic@package
 - logs-http_endpoint.generic@custom
 index_patterns:
 - logs-http_endpoint.generic-*
@@ -2347,6 +2367,7 @@ elasticsearch:
 composed_of:
 - logs-httpjson.generic@package
 - logs-httpjson.generic@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2538,6 +2559,7 @@ elasticsearch:
 - event-mappings
 - logs-system.application@package
 - logs-system.application@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 - so-system-mappings
@@ -2586,6 +2608,7 @@ elasticsearch:
 - event-mappings
 - logs-system.auth@package
 - logs-system.auth@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 - so-system-mappings
@@ -2634,6 +2657,7 @@ elasticsearch:
 - event-mappings
 - logs-system.security@package
 - logs-system.security@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 - so-system-mappings
@@ -2730,6 +2754,7 @@ elasticsearch:
 - event-mappings
 - logs-system.system@package
 - logs-system.system@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 - so-system-mappings
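Review bot: The hunk at 2300 also drops `logs-http_endpoint.generic@package` from `ignore_missing_component_templates`, and the hunk at 2961 on the next line does the same for `logs-winlog.winlog@package`; neither removal is mentioned in the subject line, which only describes the `@custom` consolidation. Once the `@package` template can no longer be ignored, Elasticsearch will refuse to create these two index templates until the Fleet integration has installed that component template, so template loading now depends on the integration being installed first, where before the index template could be created ahead of it. The other entries in this file do not list `@package` either, so this may be a deliberate alignment; if so, one sentence in the commit message would stop the next reader from treating it as accidental, otherwise the two `@package` entries should be kept.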
@@ -2777,6 +2802,7 @@ elasticsearch:
 composed_of:
 - logs-windows.forwarded@package
 - logs-windows.forwarded@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2823,6 +2849,7 @@ elasticsearch:
 composed_of:
 - logs-windows.powershell@package
 - logs-windows.powershell@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2869,6 +2896,7 @@ elasticsearch:
 composed_of:
 - logs-windows.powershell_operational@package
 - logs-windows.powershell_operational@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2915,6 +2943,7 @@ elasticsearch:
 composed_of:
 - logs-windows.sysmon_operational@package
 - logs-windows.sysmon_operational@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2961,13 +2990,13 @@ elasticsearch:
 composed_of:
 - logs-winlog.winlog@package
 - logs-winlog.winlog@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
 allow_custom_routing: false
 hidden: false
 ignore_missing_component_templates:
- - logs-winlog.winlog@package
 - logs-winlog.winlog@custom
 index_patterns:
 - logs-winlog.winlog-*
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.access_request@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.access_request@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.access_request@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.audit@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.audit@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.casb@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.casb@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.casb@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.device_posture@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.device_posture@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.device_posture@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns_firewall@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns_firewall@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns_firewall@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.firewall_event@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.firewall_event@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.firewall_event@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_dns@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_dns@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_dns@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_http@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_http@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_http@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_network@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_network@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_network@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.http_request@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.http_request@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.http_request@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.magic_ids@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.magic_ids@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.magic_ids@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.nel_report@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.nel_report@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.nel_report@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_analytics@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_analytics@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_analytics@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_session@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_session@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_session@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.sinkhole_http@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.sinkhole_http@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.sinkhole_http@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.spectrum_event@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.spectrum_event@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.spectrum_event@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.workers_trace@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.workers_trace@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.workers_trace@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json deleted file mode 100644 index d8d14a5a9..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.alerts@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.alerts@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.alerts@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@custom.json deleted file mode 100644 index 5bbe3c1fa..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@custom.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.api@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.api@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.api@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.file@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.file@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.file@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.library@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.library@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.library@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.network@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.network@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.network@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.process@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.process@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.process@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.registry@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.registry@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.registry@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.security@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.security@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-http_endpoint.generic@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-http_endpoint.generic@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-http_endpoint.generic@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-httpjson.generic@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-httpjson.generic@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-httpjson.generic@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-winlog.winlog@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-winlog.winlog@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-winlog.winlog@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings.json b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings-1.json similarity index 100% rename from salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings.json rename to salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings-1.json From d779f7ae7f60c72108a27f0a66ebf447237ce538 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 22 Jan 2025 10:13:01 -0600 Subject: [PATCH 12/69] add back missing component for http_endpoint_x_generic & winlog_x_winglog --- salt/elasticsearch/defaults.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index d39935485..77a5be232 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -2327,6 +2327,7 @@ elasticsearch: allow_custom_routing: false hidden: false ignore_missing_component_templates: + - logs-http_endpoint.generic@package - logs-http_endpoint.generic@custom index_patterns: - logs-http_endpoint.generic-* 
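Review bot: Listing `logs-http_endpoint.generic@package` under `ignore_missing_component_templates` tells Elasticsearch to create the index template even when the Fleet package's component template is absent, so a data stream created before the integration is installed silently falls back to dynamic mappings for the package's fields instead of failing loudly. That may well be intended to avoid install-ordering failures, but it deserves a comment so nobody later reads it as the package being optional, e.g. `# @package is ignorable so the template installs before Fleet has loaded the integration; fields are typed only once it has` above the list. The same applies to the `logs-winlog.winlog@package` entry in the next hunk. Whether the entry also appears in `composed_of` is outside this hunk, so I cannot confirm the two lists agree.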
@@ -2997,6 +2998,7 @@ elasticsearch: allow_custom_routing: false hidden: false ignore_missing_component_templates: + - logs-winlog.winlog@package - logs-winlog.winlog@custom index_patterns: - logs-winlog.winlog-* From 81ac1ebc08382d4a55b21a7066cc17be48c9308e Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 22 Jan 2025 13:12:09 -0600 Subject: [PATCH 13/69] fixes merging local pillar /global overrides for generated index templates --- salt/elasticfleet/integration-defaults.map.jinja | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja index 09710a43c..30eda7081 100644 --- a/salt/elasticfleet/integration-defaults.map.jinja +++ b/salt/elasticfleet/integration-defaults.map.jinja @@ -67,7 +67,10 @@ {% if component_name in WEIRD_INTEGRATIONS %} {% set component_name = WEIRD_INTEGRATIONS[component_name] %} {% endif %} -{% set integration_key = "so-" ~ integration_type ~ component_name %} +{# component_name_x maintains the functionality of merging local pillar changes with generated 'defaults' via SOC UI #} +{% set component_name_x = component_name.replace(".","_x_") %} +{# pillar overrides/merge expects the key names to follow the naming in elasticsearch/defaults.yaml eg. so-logs-1password_x_item_usages . The _x_ is replaced later on in elasticsearch/template.map.jinja #} +{% set integration_key = "so-" ~ integration_type ~ component_name_x %} {# Default integration settings #} {% set integration_defaults = { From e0039a08ef435df402c0364f172dd9d4f02d5338 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 22 Jan 2025 13:57:26 -0600 Subject: [PATCH 14/69] fix forcedType typo --- salt/elasticsearch/soc_elasticsearch.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
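Review bot: `component_name.replace(".","_x_")` rewrites every dot, so a multi-dot dataset such as `endpoint.diagnostic.collection` (present among the component files deleted earlier in this series) becomes `endpoint_x_diagnostic_x_collection`, and any component whose real name already contains `_x_` would be mangled by the reverse replacement the comment says happens in `elasticsearch/template.map.jinja`; that reverse step is not in this hunk, so I can only ask that it be a global `_x_`-to-`.` replace and that no integration name legitimately contains `_x_`, which is worth stating in the comment. The two new comment lines also run far past 120 columns; splitting them across several `{# ... #}` lines keeps them readable. The `integration_defaults` mapping this hunk ends on continues outside the hunk.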
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 0d5d0ea28..48b8b2e27 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -166,7 +166,7 @@ elasticsearch: index_template: index_patterns: description: Patterns for matching multiple indices or tables. - forceType: "[]string" + forcedType: "[]string" multiline: True global: True advanced: True From 9738ef382c4c4cc3d4a24a584981e1103fcf72ef Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 23 Jan 2025 08:12:02 -0500 Subject: [PATCH 15/69] Upgrade Elastic to 8.17.1 --- .../integrations/elastic-defend/elastic-defend-endpoints.json | 2 +- salt/elasticsearch/defaults.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json b/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json index 15f08a151..0348a0198 100644 --- a/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json +++ b/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json @@ -5,7 +5,7 @@ "package": { "name": "endpoint", "title": "Elastic Defend", - "version": "8.14.0" + "version": "8.17.0" }, "enabled": true, "policy_id": "endpoints-initial", diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 77a5be232..04198a160 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1,6 +1,6 @@ elasticsearch: enabled: false - version: 8.14.3 + version: 8.17.1 index_clean: true config: action: From 5b8f8fb62f0dfbf7ce5692351a36f2a3250e0ba8 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 23 Jan 2025 12:47:22 -0600 Subject: [PATCH 16/69] add/remove es annotations/defaults automagically 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/soc_elasticsearch.yaml | 6 +++ salt/manager/managed_soc_annotations.sls | 59 +++++++++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 salt/manager/managed_soc_annotations.sls diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 48b8b2e27..adce41bff 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -77,6 +77,12 @@ elasticsearch: custom008: *pipelines custom009: *pipelines custom010: *pipelines + managed_integrations: + description: List of integrations to add into SOC config UI. Enter the full or partial integration name. Eg. 1password, 1pass + forcedType: "[]string" + global: True + advanced: True + helpLink: elasticsearch.html index_settings: global_overrides: index_template: diff --git a/salt/manager/managed_soc_annotations.sls b/salt/manager/managed_soc_annotations.sls new file mode 100644 index 000000000..17621f973 --- /dev/null +++ b/salt/manager/managed_soc_annotations.sls 
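Review bot: The `managed_integrations` description says a full or partial name may be entered but not how a partial name is matched; the state added in this same commit tests `i in k`, a case-sensitive substring check against the generated `so-logs-...` keys, so a short fragment like `system` selects several integrations at once. Suggest extending the description with `Partial names match as case-sensitive substrings of the integration key, so a short fragment may select more than one integration.` so operators editing this from the SOC UI know the reach of a short entry.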
@@ -0,0 +1,59 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{# Managed elasticsearch/soc_elasticsearch.yaml file for adding integration configuration items to UI #} +{% set managed_integrations = salt['pillar.get']('elasticsearch:managed_integrations', []) %} +{% if managed_integrations %} +{% from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %} +{% set addon_integration_keys = ADDON_INTEGRATION_DEFAULTS.keys() %} +{% set matched_integration_names = [] %} +{% for k in addon_integration_keys %} +{% for i in managed_integrations %} +{% if i in k %} +{% do matched_integration_names.append(k) %} +{% endif %} +{% endfor %} +{% endfor %} +{% set es_soc_annotations = '/opt/so/saltstack/default/salt/elasticsearch/soc_elasticsearch.yaml' %} +{{ es_soc_annotations }}: + file.serialize: + - dataset: + {% set data = salt['file.read'](es_soc_annotations) | load_yaml %} + {% set es = data.get('elasticsearch', {}) %} + {% set index_settings = es.get('index_settings', {}) %} + {% set input = index_settings.get('so-logs', {}) %} + {% for k in matched_integration_names %} + {% if k not in index_settings %} + {% set _ = index_settings.update({k: input}) %} + {% endif %} + {% endfor %} + {% for k in addon_integration_keys %} + {% if k not in matched_integration_names and k in index_settings %} + {% set _ = index_settings.pop(k) %} + {% endif %} + {% endfor %} + {{ data }} + +{# Managed elasticsearch/defaults.yaml file for enabling 'Revert to default' via SOC UI for newly added config items #} +{% set es_defaults = '/opt/so/saltstack/default/salt/elasticsearch/defaults.yaml' %} +{{ es_defaults }}: + file.serialize: + - dataset: + {% set data = salt['file.read'](es_defaults) | 
load_yaml %} + {% set es = data.get('elasticsearch', {}) %} + {% set index_settings = es.get('index_settings', {}) %} + {% for k in matched_integration_names %} + {% if k not in index_settings %} + {% set input = ADDON_INTEGRATION_DEFAULTS[k] %} + {% set _ = index_settings.update({k: input})%} + {% endif %} + {% endfor %} + {% for k in addon_integration_keys %} + {% if k not in matched_integration_names and k in index_settings %} + {% set _ = index_settings.pop(k) %} + {% endif %} + {% endfor %} + {{ data }} +{% endif %} \ No newline at end of file From 97a3f130c8957e19cd6e833d6aa1532dbb8d18e3 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 23 Jan 2025 15:32:39 -0500 Subject: [PATCH 17/69] Update Elastic --- .../files/integrations/grid-nodes_general/import-evtx-logs.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json index fb8c31040..bef0bf931 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json 
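Review bot: The matching loop `{% if i in k %}` accepts an empty string from the pillar list — `"" in k` is true for every key — so one blank entry in `elasticsearch:managed_integrations` pulls every addon integration into both files; guard it with `{% if i and i in k %}` and consider a prefix match rather than a substring match. Both `file.serialize` states also round-trip the committed default files through `load_yaml` and re-serialize them, which drops every comment and expands the `*pipelines` anchors that `soc_elasticsearch.yaml` uses (visible in the previous hunk), so the files on disk will diverge in form from the committed ones after the first run; if the serializer preserves shared references it may additionally emit `&id001`-style anchors, because the same `input` dict object is inserted under every matched key. The file is also missing its trailing newline.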
@@ -20,7 +20,7 @@ ], "data_stream.dataset": "import", "custom": "", - "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-1.59.0\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-1.45.1\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-1.59.0\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-1.59.0\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-1.45.1\n- add_fields:\n target: data_stream\n 
fields:\n dataset: import", + "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-1.64.0\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-2.3.6\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-1.64.0\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-1.64.0\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-2.3.6\n- add_fields:\n target: data_stream\n fields:\n dataset: import", "tags": [ 
"import" ] From a373d96c3c7b46ef56475dd0f6f674ec16ebfc6d Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 27 Jan 2025 13:45:03 -0600 Subject: [PATCH 18/69] run managed_soc_annotations.sls from manager state --- salt/manager/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index c4b2ad136..8de5d097a 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -14,6 +14,7 @@ include: - manager.sync_es_users - manager.elasticsearch - manager.kibana + - manager.managed_soc_annotations repo_log_dir: file.directory: From 38b0276458261c9c1049d8e49b40c4f2d919d02c Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 27 Jan 2025 13:45:18 -0600 Subject: [PATCH 19/69] remove reference to deleted file --- salt/elasticfleet/integration-defaults.map.jinja | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja index 30eda7081..6d31cc71f 100644 --- a/salt/elasticfleet/integration-defaults.map.jinja +++ b/salt/elasticfleet/integration-defaults.map.jinja @@ -5,7 +5,6 @@ {% import_json '/opt/so/state/esfleet_package_components.json' as ADDON_PACKAGE_COMPONENTS %} {% import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %} -{% import_yaml 'elasticfleet/integration-defaults.yaml' as INTEGRATIONDEFAULTS %} {% set CORE_ESFLEET_PACKAGES = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %} {% set ADDON_INTEGRATION_DEFAULTS = {} %} From e994f3a220203a5fc4f3d04a65344c0faba859c4 Mon Sep 17 00:00:00 2001 
From: Joshua Brower
Date: Mon, 27 Jan 2025 14:48:50 -0500
Subject: [PATCH 20/69] Fix commits
---
 salt/elasticsearch/soc_elasticsearch.yaml | 8 ++-
 salt/manager/managed_soc_annotations.sls | 59 +++++++++++++++++++++++
 salt/manager/tools/sbin/soup | 18 ++++++++++++++++-
 3 files changed, 82 insertions(+), 3 deletions(-)
 create mode 100644 salt/manager/managed_soc_annotations.sls

diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index 0d5d0ea28..adce41bff 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -77,6 +77,12 @@ elasticsearch:
 custom008: *pipelines
 custom009: *pipelines
 custom010: *pipelines
+ managed_integrations:
+ description: List of integrations to add into SOC config UI. Enter the full or partial integration name. Eg. 1password, 1pass
+ forcedType: "[]string"
+ global: True
+ advanced: True
+ helpLink: elasticsearch.html
 index_settings:
 global_overrides:
 index_template:
@@ -166,7 +172,7 @@ elasticsearch:
 index_template:
 index_patterns:
 description: Patterns for matching multiple indices or tables.
- forceType: "[]string"
+ forcedType: "[]string"
 multiline: True
 global: True
 advanced: True
diff --git a/salt/manager/managed_soc_annotations.sls b/salt/manager/managed_soc_annotations.sls
new file mode 100644
index 000000000..17621f973
--- /dev/null
+++ b/salt/manager/managed_soc_annotations.sls
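Review bot: The `description` for `managed_integrations` says a partial name is accepted but not how it is matched; the companion state in this series (`managed_soc_annotations.sls`) does a plain substring test against every add-on integration key, so a short entry such as `aws` pulls in every integration whose key contains it, and an empty entry matches all of them. Suggested wording: `description: List of integrations to add into the SOC config UI. Enter the full or partial integration name; a partial name matches every integration whose name contains it (e.g. 1password, 1pass).` The `forceType` to `forcedType` correction in the second hunk is right; the hunk cannot show whether other `forceType` keys remain elsewhere in this file, so a grep is worth doing before merge.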
@@ -0,0 +1,59 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{# Managed elasticsearch/soc_elasticsearch.yaml file for adding integration configuration items to UI #}
+{% set managed_integrations = salt['pillar.get']('elasticsearch:managed_integrations', []) %}
+{% if managed_integrations %}
+{% from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %}
+{% set addon_integration_keys = ADDON_INTEGRATION_DEFAULTS.keys() %}
+{% set matched_integration_names = [] %}
+{% for k in addon_integration_keys %}
+{% for i in managed_integrations %}
+{% if i in k %}
+{% do matched_integration_names.append(k) %}
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% set es_soc_annotations = '/opt/so/saltstack/default/salt/elasticsearch/soc_elasticsearch.yaml' %}
+{{ es_soc_annotations }}:
+ file.serialize:
+ - dataset:
+ {% set data = salt['file.read'](es_soc_annotations) | load_yaml %}
+ {% set es = data.get('elasticsearch', {}) %}
+ {% set index_settings = es.get('index_settings', {}) %}
+ {% set input = index_settings.get('so-logs', {}) %}
+ {% for k in matched_integration_names %}
+ {% if k not in index_settings %}
+ {% set _ = index_settings.update({k: input}) %}
+ {% endif %}
+ {% endfor %}
+ {% for k in addon_integration_keys %}
+ {% if k not in matched_integration_names and k in index_settings %}
+ {% set _ = index_settings.pop(k) %}
+ {% endif %}
+ {% endfor %}
+ {{ data }}
+
+{# Managed elasticsearch/defaults.yaml file for enabling 'Revert to default' via SOC UI for newly added config items #}
+{% set es_defaults = '/opt/so/saltstack/default/salt/elasticsearch/defaults.yaml' %}
+{{ es_defaults }}:
+ file.serialize:
+ - dataset:
+ {% set data = salt['file.read'](es_defaults) | load_yaml %}
+ {% set es = data.get('elasticsearch', {}) %}
+ {% set index_settings = es.get('index_settings', {}) %}
+ {% for k in matched_integration_names %}
+ {% if k not in index_settings %}
+ {% set input = ADDON_INTEGRATION_DEFAULTS[k] %}
+ {% set _ = index_settings.update({k: input})%}
+ {% endif %}
+ {% endfor %}
+ {% for k in addon_integration_keys %}
+ {% if k not in matched_integration_names and k in index_settings %}
+ {% set _ = index_settings.pop(k) %}
+ {% endif %}
+ {% endfor %}
+ {{ data }}
+{% endif %}
\ No newline at end of file
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index c0a6a4359..b6cf38799 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -406,6 +406,7 @@ preupgrade_changes() {
 [[ "$INSTALLEDVERSION" == 2.4.100 ]] && up_to_2.4.110
 [[ "$INSTALLEDVERSION" == 2.4.110 ]] && up_to_2.4.111
 [[ "$INSTALLEDVERSION" == 2.4.111 ]] && up_to_2.4.120
+ [[ "$INSTALLEDVERSION" == 2.4.120 ]] && up_to_2.4.130
 true
 }
@@ -429,6 +430,7 @@ postupgrade_changes() {
 [[ "$POSTVERSION" == 2.4.100 ]] && post_to_2.4.110
 [[ "$POSTVERSION" == 2.4.110 ]] && post_to_2.4.111
 [[ "$POSTVERSION" == 2.4.111 ]] && post_to_2.4.120
+ [[ "$POSTVERSION" == 2.4.120 ]] && post_to_2.4.130
 true
 }
@@ -538,6 +540,11 @@ post_to_2.4.120() {
 POSTVERSION=2.4.120
 }
+post_to_2.4.130() {
+ echo "Nothing to apply"
+ POSTVERSION=2.4.130
+}
+
 repo_sync() {
 echo "Sync the local repo."
 su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -717,8 +724,8 @@ up_to_2.4.90() {
 }
 up_to_2.4.100() {
- # Elastic Update for this release, so download Elastic Agent files
- determine_elastic_agent_upgrade
+ echo "Nothing to do for 2.4.100"
+ INSTALLEDVERSION=2.4.100
 }
@@ -749,6 +756,13 @@ up_to_2.4.120() {
 INSTALLEDVERSION=2.4.120
 }
+up_to_2.4.130() {
+ # Elastic Update for this release, so download Elastic Agent files
+ determine_elastic_agent_upgrade
+
+ INSTALLEDVERSION=2.4.130
+}
+
 add_hydra_pillars() {
 mkdir -p /opt/so/saltstack/local/pillar/hydra
 touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls
From 49ab0751c0665436624b46a029f27510d4c21719 Mon Sep 17 00:00:00 2001
From: Joshua Brower
Date: Mon, 27 Jan 2025 15:01:21 -0500
Subject: [PATCH 21/69] Remove uneeded import
---
 salt/elasticfleet/integration-defaults.map.jinja | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja
index 30eda7081..a60eaae60 100644
--- a/salt/elasticfleet/integration-defaults.map.jinja
+++ b/salt/elasticfleet/integration-defaults.map.jinja
@@ -5,7 +5,6 @@
 {% import_json '/opt/so/state/esfleet_package_components.json' as ADDON_PACKAGE_COMPONENTS %}
 {% import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %}
-{% import_yaml 'elasticfleet/integration-defaults.yaml' as INTEGRATIONDEFAULTS %}
 {% set CORE_ESFLEET_PACKAGES = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %}
 {% set ADDON_INTEGRATION_DEFAULTS = {} %}
@@ -130,4 +129,4 @@
 {% endfor %}
 {% endif %}
 {% endif %}
-{% endfor %}
\ No newline at end of file
+{% endfor %}
From d74b69d84d5933a57479152f5143963a39224f86 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 27 Jan 2025 16:34:33 -0600
Subject: [PATCH 22/69] add additional weird_integration
---
 salt/elasticfleet/integration-defaults.map.jinja | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja
index 6d31cc71f..008efb615 100644
--- a/salt/elasticfleet/integration-defaults.map.jinja
+++ b/salt/elasticfleet/integration-defaults.map.jinja
@@ -12,6 +12,7 @@
 {# Some fleet integrations don't follow the standard naming convention #}
 {% set WEIRD_INTEGRATIONS = {
 'awsfirehose.logs': 'awsfirehose',
+ 'awsfirehose.metrics': 'aws.cloudwatch',
 'cribl.logs': 'cribl',
 'sentinel_one_cloud_funnel.logins': 'sentinel_one_cloud_funnel.login',
 'azure_application_insights.app_insights': 'azure.app_insights',
From dd17ee7665326c41dc4c52ac46e6848230d5ee1b Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 6 Feb 2025 22:04:25 -0600
Subject: [PATCH 23/69] fix defining custom logstash pipelines when kafka is enabled
---
 salt/logstash/map.jinja | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/salt/logstash/map.jinja b/salt/logstash/map.jinja
index da2bc341a..95ec6b85d 100644
--- a/salt/logstash/map.jinja
+++ b/salt/logstash/map.jinja
@@ -33,9 +33,18 @@
 {# Append Kafka input pipeline when Kafka is enabled #}
 {% if GLOBALS.pipeline == 'KAFKA' %}
-{% do LOGSTASH_MERGED.defined_pipelines.search.remove('so/0900_input_redis.conf.jinja') %}
-{% do LOGSTASH_MERGED.defined_pipelines.search.append('so/0800_input_kafka.conf.jinja') %}
-{% do LOGSTASH_MERGED.defined_pipelines.manager.append('so/0800_input_kafka.conf.jinja') %}
+{% if 'so/0900_input_redis.conf.jinja' in LOGSTASH_MERGED.defined_pipelines.search %}
+{% do LOGSTASH_MERGED.defined_pipelines.search.remove('so/0900_input_redis.conf.jinja') %}
+{% endif %}
+{% if 'so/0800_input_kafka.conf.jinja' not in LOGSTASH_MERGED.defined_pipelines.search %}
+{% do LOGSTASH_MERGED.defined_pipelines.search.append('so/0800_input_kafka.conf.jinja') %}
+{% endif %}
+{% if 'so/0800_input_kafka.conf.jinja' not in LOGSTASH_MERGED.defined_pipelines.manager %}
+{% do LOGSTASH_MERGED.defined_pipelines.manager.append('so/0800_input_kafka.conf.jinja') %}
+{% endif %}
+{% if 'so/9999_output_redis.conf.jinja' in LOGSTASH_MERGED.defined_pipelines.manager %}
+{% do LOGSTASH_MERGED.defined_pipelines.manager.remove('so/9999_output_redis.conf.jinja') %}
+{% endif %}
 {# Disable logstash on manager & receiver nodes unless it has an override configured #}
 {% if not KAFKA_LOGSTASH %}
 {% if GLOBALS.role in ['so-manager', 'so-receiver'] and GLOBALS.hostname not in KAFKA_LOGSTASH %}
From 9bde70a8e2db52b2bac842427187249e3ac972f0 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Fri, 7 Feb 2025 15:19:40 -0600
Subject: [PATCH 24/69] zeek.software typo
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 salt/elasticsearch/files/ingest/zeek.software | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/elasticsearch/files/ingest/zeek.software b/salt/elasticsearch/files/ingest/zeek.software
index f5d3d1013..11298ba0b 100644
--- a/salt/elasticsearch/files/ingest/zeek.software
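Review bot: The last new guard removes `so/9999_output_redis.conf.jinja` from the manager pipeline list, which goes beyond the subject (making the Kafka edits safe to apply over a custom pipeline list) and carries no comment saying why; a line such as `{# Manager should not keep the Redis output when Kafka carries the pipeline; drop it if a custom list still names it #}` above that `{% if %}` would record the intent — the reason is inferred here, so confirm the wording. The four guard/do pairs each repeat a filename literal twice; binding each name once (`{% set kafka_input = 'so/0800_input_kafka.conf.jinja' %}`) would keep a future rename from silently breaking only one of the two occurrences. The `{% if not KAFKA_LOGSTASH %}` block that follows is unchanged context and continues past this hunk.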
+++ b/salt/elasticsearch/files/ingest/zeek.software
@@ -11,7 +11,7 @@
 { "dot_expander": { "field": "version.minor2", "path": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.version.minor2", "target_field": "software.version.minor2", "ignore_missing": true } },
 { "dot_expander": { "field": "version.minor3", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.version.minor3", "target_field": "version.minor3", "ignore_missing": true } },
+ { "rename": { "field": "message2.version.minor3", "target_field": "software.version.minor3", "ignore_missing": true } },
 { "dot_expander": { "field": "version.addl", "path": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.version.addl", "target_field": "software.version.additional_info", "ignore_missing": true } },
 { "rename": { "field": "message2.host", "target_field": "source.ip", "ignore_missing": true } },
From 3b69ff9fc9ff552470b92b7c82287ac3fed9bbb0 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Wed, 29 Jan 2025 14:02:45 -0600
Subject: [PATCH 25/69] integration policy update
---
 salt/manager/tools/sbin/soup | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index b6cf38799..89255f839 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -534,14 +534,16 @@ post_to_2.4.120() { # Manually rollover suricata alerts index to ensure data_stream.dataset expected mapping is set to 'suricata' rollover_index "logs-suricata.alerts-so" - # Sync the newly generated index templates for elasticfleet integrations - salt-call state.apply elasticsearch queue=True - POSTVERSION=2.4.120 } post_to_2.4.130() { - echo "Nothing to apply" + # Integrations policies need to be updated + rm -f /opt/so/state/eaintegrations.txt + + # Sync the newly generated index templates for elasticfleet integrations + salt-call state.apply elasticsearch queue=True + POSTVERSION=2.4.130 } @@ -725,7 +727,7 @@ up_to_2.4.90() { up_to_2.4.100() { echo "Nothing to do for 2.4.100" - + INSTALLEDVERSION=2.4.100 } From 33f145a40b28f4430a11d4f5826c64f343a348b0 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 4 Feb 2025 08:58:36 -0600 Subject: [PATCH 26/69] ensure network packet capture integration data has event.module:network_traffic --- salt/elasticsearch/files/ingest/global@custom | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/global@custom b/salt/elasticsearch/files/ingest/global@custom index 085afd23c..4c522374e 100644 --- a/salt/elasticsearch/files/ingest/global@custom +++ b/salt/elasticsearch/files/ingest/global@custom 
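Review bot: `salt-call state.apply elasticsearch queue=True` in `post_to_2.4.130()` has its exit status ignored, whereas other commands in this script chain `|| fail "..."` (for example `so-repo-sync` in `repo_sync`, visible in an earlier hunk). If a failed template sync should stop the upgrade, `salt-call --retcode-passthrough state.apply elasticsearch queue=True || fail "Unable to apply the elasticsearch state."` makes that explicit; without `--retcode-passthrough`, salt-call exits 0 even when a state fails, so the `|| fail` alone would not catch it. If the sync is intentionally best-effort, a one-line comment saying so would stop the next reader from adding the check. The `rm -f /opt/so/state/eaintegrations.txt` line explains why the file is removed but not which state recreates it; naming that state in the comment would make the marker's lifecycle clear.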
@@ -8,7 +8,9 @@
 "processors": [
 { "set": { "ignore_failure": true, "field": "event.module", "value": "elastic_agent" } },
 { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } },
+ { "split": { "if": "ctx.data_stream?.dataset.contains('.')", "field":"data_stream.dataset", "separator":"\\.", "target_field":"datastream_dataset_temp", "ignore_missing":true } },
 { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } },
+ { "set": { "if": "ctx.datastream_dataset_temp[0] == 'network_traffic'", "field":"event.module", "value":"{{ datastream_dataset_temp.0 }}", "ignore_failure":true, "description":"Fix EA network packet capture" } },
 { "gsub": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "pattern": "^[^.]*.", "replacement": "", "target_field": "dataset_tag_temp" } },
 { "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp}}", "allow_duplicates": false } },
 { "set": { "if": "ctx.network?.direction == 'egress'", "override": true, "field": "network.initiated", "value": "true" } },
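Review bot: The new `split` condition `ctx.data_stream?.dataset.contains('.')` is null-safe only for `data_stream` itself: when `data_stream` exists but has no `dataset`, `.contains` is invoked on null and the processor's `if` script throws before `ignore_missing` is ever consulted. The neighbouring processors use the shape `ctx.event?.dataset != null && ctx.event.dataset.contains('.')`; the same shape here, `ctx.data_stream?.dataset != null && ctx.data_stream.dataset.contains('.')`, avoids the throw. The following `set` has the same gap in `ctx.datastream_dataset_temp[0] == 'network_traffic'` when the split did not run (no dot in the dataset) and `datastream_dataset_temp` is absent; `ignore_failure: true` may hide that, but `ctx.datastream_dataset_temp != null && ctx.datastream_dataset_temp[0] == 'network_traffic'` is explicit and matches the `ctx.module_temp != null` guard on the line above.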
@@ -22,6 +24,6 @@
 { "set": { "if": "ctx.event?.module == 'fim'", "override": true, "field": "event.module", "value": "file_integrity" } },
 { "rename": { "if": "ctx.winlog?.provider_name == 'Microsoft-Windows-Windows Defender'", "ignore_missing": true, "field": "winlog.event_data.Threat Name", "target_field": "winlog.event_data.threat_name" } },
 { "set": { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } },
- { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } }
+ { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp", "datastream_dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
 ]
 }
From fb0cd436d352fb4d4a19913b695058ea0f4c7855 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Tue, 11 Feb 2025 11:23:04 -0600
Subject: [PATCH 27/69] ES 8.17.2 TODO: Check import-evtx-logs.json for updated pipeline versions
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 salt/elasticsearch/defaults.yaml | 2 +-
 salt/kibana/defaults.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 04198a160..c91a2df6f 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -1,6 +1,6 @@
 elasticsearch:
 enabled: false
- version: 8.17.1
+ version: 8.17.2
 index_clean: true
 config:
 action:
diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml
index 90b75b8c4..2de3853df 100644
--- a/salt/kibana/defaults.yaml
+++ b/salt/kibana/defaults.yaml
@@ -22,7 +22,7 @@ kibana:
 - default
 - file
 migrations:
- discardCorruptObjects: "8.10.4"
+ discardCorruptObjects: "8.17.2"
 telemetry:
 enabled: False
 security:
From 69be367acf9e5e1fe717f53b0f16c4a58b47bfe2 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 12 Feb 2025 09:09:38 -0500
Subject: [PATCH 28/69] 2.4.120
---
 DOWNLOAD_AND_VERIFY_ISO.md | 22 ++++++++++++----------
 sigs/securityonion-2.4.120-20250212.iso.sig | Bin 0 -> 566 bytes
 2 files changed, 11 insertions(+), 11 deletions(-)
 create mode 100644 sigs/securityonion-2.4.120-20250212.iso.sig

diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md
index 57a07e53c..b619315c8 100644
--- a/DOWNLOAD_AND_VERIFY_ISO.md
+++ b/DOWNLOAD_AND_VERIFY_ISO.md
@@ -1,17 +1,17 @@
-### 2.4.111-20241217 ISO image released on 2024/12/18
+### 2.4.120-20250212 ISO image released on 2025/02/12
 ### Download and Verify
-2.4.111-20241217 ISO image:
-https://download.securityonion.net/file/securityonion/securityonion-2.4.111-20241217.iso
+2.4.120-20250212 ISO image:
+https://download.securityonion.net/file/securityonion/securityonion-2.4.120-20250212.iso
-MD5: 767823D75EB76A6DC6132F799FD0E720
-SHA1: 0A7B6918FE5D4BC89EE3F2E03B4F8F4D6255141D
-SHA256: 394BFCED9B5EAA0788E2D04806231B3A170839394AAF8DD23B4CE0EB9D6EF727
+MD5: 3FF09F50AB1C9318CF0862DE9816102D
+SHA1: 197AFA5A85C5CF95D0289FCD21BED7615FB8DB5C
+SHA256: A59D94B09EEB39D8C2B6D0808792EC479B13D96FA7B32C3BEEFB6709C93F6692
 Signature for ISO image:
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.111-20241217.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.120-20250212.iso.sig
 Signing key:
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 Download the signature file for the ISO:
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.111-20241217.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.120-20250212.iso.sig
 ```
 Download the ISO image:
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.111-20241217.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.120-20250212.iso
 ```
 Verify the downloaded ISO image using the signature file:
 ```
-gpg --verify securityonion-2.4.111-20241217.iso.sig securityonion-2.4.111-20241217.iso
+gpg --verify securityonion-2.4.120-20250212.iso.sig securityonion-2.4.120-20250212.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Tue 17 Dec 2024 04:33:10 PM EST using RSA key ID FE507013
+gpg: Signature made Tue 11 Feb 2025 05:26:33 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC "
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg: There is no indication that the signature belongs to the owner.
diff --git a/sigs/securityonion-2.4.120-20250212.iso.sig b/sigs/securityonion-2.4.120-20250212.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..54975b60f44194d090c272e8b2fe80787e193136 GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j-41gSkXz6^6dp_W8^5Ma0dP;e6k0%xnvnE(n25PT3| zxBgIY69wlG0KVioE&3AKkVe#p$X<5@f$y9nh1_<9jX(4`<#>M&k(GryS56IJ(OIpl1U$(L)HsdKwg>?`+d!`3L- zb1CbfNd3;o)7kBx%8k0x2B3;4$YVGS+Jl6IjEXgz;6%8x%8@U`bELq@rPUJdRsCr( z))g$8Xbzu}Mw`Jqp+9LYPL3W%)hY=aAMniI^$;0iX}o*|#cdV)k`_;b2-1NbJBHt7 ztx^c-=cZ}dzOec-=%HKzFsFBJ4Cr) zWIoaWr`?4+@iy>5VQyo+VS{VDAjy4c5U!Sb8D_RatU8Kvbw6H72bFat!}}<2mfrt9 zj(06Zz?xa|ohL*dUT;1tAyud+H|{9?wg-ry7yGh;h3JiC+@7BbQlcPL$nf}s-xk}; EC@!B4<^TWy literal 0 HcmV?d00001 From 16c332ad2e3baa1fe3805507d6329f7473ad0164 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 12 Feb 2025 11:27:43 -0500 Subject: [PATCH 29/69] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 580cd0c49..04d2c4735 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.120 \ No newline at end of file +2.4.130 From d2ac6ec10fa1dc67d3034540aea331a84734cdc0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 12 Feb 2025 11:29:07 -0500 Subject: [PATCH 30/69] Update 2-4.yml --- .github/DISCUSSION_TEMPLATE/2-4.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/DISCUSSION_TEMPLATE/2-4.yml b/.github/DISCUSSION_TEMPLATE/2-4.yml index 0b8d5e6b9..9583ac99a 100644 --- a/.github/DISCUSSION_TEMPLATE/2-4.yml +++ b/.github/DISCUSSION_TEMPLATE/2-4.yml @@ -24,6 +24,7 @@ body: - 2.4.110 - 2.4.111 - 2.4.120 + - 2.4.130 - Other (please provide detail below) validations: required: true From 40cb3a53aea8110068ae38bd98103cef33d5ade3 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 12 Feb 2025 13:18:08 -0600 Subject: [PATCH 31/69] Revert ES 8.17.2 upgrade -> 8.17.1 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 salt/elasticsearch/defaults.yaml | 2 +-
 salt/kibana/defaults.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index c91a2df6f..04198a160 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -1,6 +1,6 @@
 elasticsearch:
 enabled: false
- version: 8.17.2
+ version: 8.17.1
 index_clean: true
 config:
 action:
diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml
index 2de3853df..6cc4d123a 100644
--- a/salt/kibana/defaults.yaml
+++ b/salt/kibana/defaults.yaml
@@ -22,7 +22,7 @@ kibana:
 - default
 - file
 migrations:
- discardCorruptObjects: "8.17.2"
+ discardCorruptObjects: "8.17.1"
 telemetry:
 enabled: False
 security:
From 09c7b31918f3d04af26c627bb74dfda0692ae9da Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 12 Feb 2025 16:33:56 -0600 Subject: [PATCH 32/69] update pfsense pipeline version. Remove unused component templates --- .../files/ingest/logs-pfsense.log-1.16.0 | 389 ------------------ ...nse.log-1.19.1 => logs-pfsense.log-1.20.2} | 53 ++- ...icata => logs-pfsense.log-1.20.2-suricata} | 0 .../logs-elastic_agent@package.json | 383 ----------------- ...ndpoint.diagnostic.collection@package.json | 132 ------ ...ics-fleet_server.agent_status@package.json | 201 --------- ...s-fleet_server.agent_versions@package.json | 102 ----- 7 files changed, 26 insertions(+), 1234 deletions(-) delete mode 100644 salt/elasticsearch/files/ingest/logs-pfsense.log-1.16.0 rename salt/elasticsearch/files/ingest/{logs-pfsense.log-1.19.1 => logs-pfsense.log-1.20.2} (90%) rename salt/elasticsearch/files/ingest/{logs-pfsense.log-1.16.0-suricata => logs-pfsense.log-1.20.2-suricata} (100%) delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_status@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_versions@package.json diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.16.0 b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.16.0 deleted file mode 100644 index f53abb0e3..000000000 --- a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.16.0 +++ /dev/null 
@@ -1,389 +0,0 @@ -{ - "description": "Pipeline for PFsense", - "processors": [ - { - "set": { - "field": "ecs.version", - "value": "8.10.0" - } - }, - { - "set": { - "field": "observer.vendor", - "value": "netgate" - } - }, - { - "set": { - "field": "observer.type", - "value": "firewall" - } - }, - { - "rename": { - "field": "message", - "target_field": "event.original" - } - }, - { - "set": { - "field": "event.kind", - "value": "event" - } - }, - { - "set": { - "field": "event.timezone", - "value": "{{_tmp.tz_offset}}", - "if": "ctx._tmp?.tz_offset != null && ctx._tmp?.tz_offset != 'local'" - } - }, - { - "grok": { - "description": "Parse syslog header", - "field": "event.original", - "patterns": [ - "^(%{ECS_SYSLOG_PRI})?%{TIMESTAMP} %{GREEDYDATA:message}" - ], - "pattern_definitions": { - "ECS_SYSLOG_PRI": "<%{NONNEGINT:log.syslog.priority:long}>(\\d )?", - "TIMESTAMP": "(?:%{BSD_TIMESTAMP_FORMAT}|%{SYSLOG_TIMESTAMP_FORMAT})", - "BSD_TIMESTAMP_FORMAT": "%{SYSLOGTIMESTAMP:_tmp.timestamp}(%{SPACE}%{BSD_PROCNAME}|%{SPACE}%{OBSERVER}%{SPACE}%{BSD_PROCNAME})(\\[%{POSINT:process.pid:long}\\])?:", - "BSD_PROCNAME": "(?:\\b%{NAME:process.name}|\\(%{NAME:process.name}\\))", - "NAME": "[[[:alnum:]]_-]+", - "SYSLOG_TIMESTAMP_FORMAT": "%{TIMESTAMP_ISO8601:_tmp.timestamp8601}%{SPACE}%{OBSERVER}%{SPACE}%{PROCESS}%{SPACE}(%{POSINT:process.pid:long}|-) - (-|%{META})", - "TIMESTAMP_ISO8601": "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?", - "OBSERVER": "(?:%{IP:observer.ip}|%{HOSTNAME:observer.name})", - "PROCESS": "(\\(%{DATA:process.name}\\)|(?:%{UNIXPATH}*/)?%{BASEPATH:process.name})", - "BASEPATH": "[[[:alnum:]]_%!$@:.,+~-]+", - "META": "\\[[^\\]]*\\]" - } - } - }, - { - "date": { - "if": "ctx._tmp.timestamp8601 != null", - "field": "_tmp.timestamp8601", - "target_field": "@timestamp", - "formats": [ - "ISO8601" - ] - } - }, - { - "date": { - "if": "ctx.event?.timezone != null && ctx._tmp?.timestamp != null", - 
"field": "_tmp.timestamp", - "target_field": "@timestamp", - "formats": [ - "MMM d HH:mm:ss", - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss" - ], - "timezone": "{{ event.timezone }}" - } - }, - { - "grok": { - "description": "Set Event Provider", - "field": "process.name", - "patterns": [ - "^%{HYPHENATED_WORDS:event.provider}" - ], - "pattern_definitions": { - "HYPHENATED_WORDS": "\\b[A-Za-z0-9_]+(-[A-Za-z_]+)*\\b" - } - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-firewall", - "if": "ctx.event.provider == 'filterlog'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-openvpn", - "if": "ctx.event.provider == 'openvpn'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-ipsec", - "if": "ctx.event.provider == 'charon'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-dhcp", - "if": "[\"dhcpd\", \"dhclient\", \"dhcp6c\"].contains(ctx.event.provider)" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-unbound", - "if": "ctx.event.provider == 'unbound'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-haproxy", - "if": "ctx.event.provider == 'haproxy'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-php-fpm", - "if": "ctx.event.provider == 'php-fpm'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-squid", - "if": "ctx.event.provider == 'squid'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-suricata", - "if": "ctx.event.provider == 'suricata'" - } - }, - { - "drop": { - "if": "![\"filterlog\", \"openvpn\", \"charon\", \"dhcpd\", \"dhclient\", \"dhcp6c\", \"unbound\", \"haproxy\", \"php-fpm\", \"squid\", \"suricata\"].contains(ctx.event?.provider)" - } - }, - { - "append": { - "field": "event.category", - "value": "network", - "if": "ctx.network != null" - } - }, - { - "convert": { - "field": "source.address", - "target_field": "source.ip", - "type": "ip", - "ignore_failure": true, - "ignore_missing": true - } - }, - { - "convert": { - 
"field": "destination.address", - "target_field": "destination.ip", - "type": "ip", - "ignore_failure": true, - "ignore_missing": true - } - }, - { - "set": { - "field": "network.type", - "value": "ipv6", - "if": "ctx.source?.ip != null && ctx.source.ip.contains(\":\")" - } - }, - { - "set": { - "field": "network.type", - "value": "ipv4", - "if": "ctx.source?.ip != null && ctx.source.ip.contains(\".\")" - } - }, - { - "geoip": { - "field": "source.ip", - "target_field": "source.geo", - "ignore_missing": true - } - }, - { - "geoip": { - "field": "destination.ip", - "target_field": "destination.geo", - "ignore_missing": true - } - }, - { - "geoip": { - "ignore_missing": true, - "database_file": "GeoLite2-ASN.mmdb", - "field": "source.ip", - "target_field": "source.as", - "properties": [ - "asn", - "organization_name" - ] - } - }, - { - "geoip": { - "database_file": "GeoLite2-ASN.mmdb", - "field": "destination.ip", - "target_field": "destination.as", - "properties": [ - "asn", - "organization_name" - ], - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.asn", - "target_field": "source.as.number", - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.organization_name", - "target_field": "source.as.organization.name", - "ignore_missing": true - } - }, - { - "rename": { - "field": "destination.as.asn", - "target_field": "destination.as.number", - "ignore_missing": true - } - }, - { - "rename": { - "field": "destination.as.organization_name", - "target_field": "destination.as.organization.name", - "ignore_missing": true - } - }, - { - "community_id": { - "target_field": "network.community_id", - "ignore_failure": true - } - }, - { - "grok": { - "field": "observer.ingress.interface.name", - "patterns": [ - "%{DATA}.%{NONNEGINT:observer.ingress.vlan.id}" - ], - "ignore_missing": true, - "ignore_failure": true - } - }, - { - "set": { - "field": "network.vlan.id", - "copy_from": "observer.ingress.vlan.id", - "ignore_empty_value": 
true - } - }, - { - "append": { - "field": "related.ip", - "value": "{{destination.ip}}", - "allow_duplicates": false, - "if": "ctx.destination?.ip != null" - } - }, - { - "append": { - "field": "related.ip", - "value": "{{source.ip}}", - "allow_duplicates": false, - "if": "ctx.source?.ip != null" - } - }, - { - "append": { - "field": "related.ip", - "value": "{{source.nat.ip}}", - "allow_duplicates": false, - "if": "ctx.source?.nat?.ip != null" - } - }, - { - "append": { - "field": "related.hosts", - "value": "{{destination.domain}}", - "if": "ctx.destination?.domain != null" - } - }, - { - "append": { - "field": "related.user", - "value": "{{user.name}}", - "if": "ctx.user?.name != null" - } - }, - { - "set": { - "field": "network.direction", - "value": "{{network.direction}}bound", - "if": "ctx.network?.direction != null && ctx.network?.direction =~ /^(in|out)$/" - } - }, - { - "remove": { - "field": [ - "_tmp" - ], - "ignore_failure": true - } - }, - { - "script": { - "lang": "painless", - "description": "This script processor iterates over the whole document to remove fields with null values.", - "source": "void handleMap(Map map) {\n for (def x : map.values()) {\n if (x instanceof Map) {\n handleMap(x);\n } else if (x instanceof List) {\n handleList(x);\n }\n }\n map.values().removeIf(v -> v == null || (v instanceof String && v == \"-\"));\n}\nvoid handleList(List list) {\n for (def x : list) {\n if (x instanceof Map) {\n handleMap(x);\n } else if (x instanceof List) {\n handleList(x);\n }\n }\n}\nhandleMap(ctx);\n" - } - }, - { - "remove": { - "field": "event.original", - "if": "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))", - "ignore_failure": true, - "ignore_missing": true - } - }, - { - "pipeline": { - "name": "logs-pfsense.log@custom", - "ignore_missing_pipeline": true - } - } - ], - "on_failure": [ - { - "remove": { - "field": [ - "_tmp" - ], - "ignore_failure": true - } - }, - { - "set": { - "field": "event.kind", - "value": 
"pipeline_error" - } - }, - { - "append": { - "field": "error.message", - "value": "{{{ _ingest.on_failure_message }}}" - } - } - ], - "_meta": { - "managed_by": "fleet", - "managed": true, - "package": { - "name": "pfsense" - } - } -} diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.19.1 b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 similarity index 90% rename from salt/elasticsearch/files/ingest/logs-pfsense.log-1.19.1 rename to salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 index 6166f6b55..d4861a35b 100644 --- a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.19.1 +++ b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 @@ -36,7 +36,7 @@ { "set": { "field": "event.timezone", - "value": "{{_tmp.tz_offset}}", + "value": "{{{_tmp.tz_offset}}}", "if": "ctx._tmp?.tz_offset != null && ctx._tmp?.tz_offset != 'local'" } }, @@ -83,7 +83,7 @@ "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ], - "timezone": "{{ event.timezone }}" + "timezone": "{{{ event.timezone }}}" } }, { 
@@ -100,61 +100,67 @@
 },
 {
 "pipeline": {
- "name": "logs-pfsense.log-1.19.1-firewall",
+ "name": "logs-pfsense.log-1.20.2-firewall",
 "if": "ctx.event.provider == 'filterlog'"
 }
 },
 {
 "pipeline": {
- "name": "logs-pfsense.log-1.19.1-openvpn",
+ "name": "logs-pfsense.log-1.20.2-openvpn",
 "if": "ctx.event.provider == 'openvpn'"
 }
 },
 {
 "pipeline": {
- "name": "logs-pfsense.log-1.19.1-ipsec",
+ "name": "logs-pfsense.log-1.20.2-ipsec",
 "if": "ctx.event.provider == 'charon'"
 }
 },
 {
 "pipeline": {
- "name": "logs-pfsense.log-1.19.1-dhcp",
+ "name": "logs-pfsense.log-1.20.2-dhcp",
 "if": "[\"dhcpd\", \"dhclient\", \"dhcp6c\"].contains(ctx.event.provider)"
 }
 },
 {
 "pipeline": {
- "name": "logs-pfsense.log-1.19.1-unbound",
+ "name": "logs-pfsense.log-1.20.2-unbound",
 "if": "ctx.event.provider == 'unbound'"
 }
 },
 {
 "pipeline": {
- "name": "logs-pfsense.log-1.19.1-haproxy",
+ "name": "logs-pfsense.log-1.20.2-haproxy",
 "if": "ctx.event.provider == 'haproxy'"
 }
 },
 {
 "pipeline": {
- "name": "logs-pfsense.log-1.19.1-php-fpm",
+ "name": "logs-pfsense.log-1.20.2-php-fpm",
 "if": "ctx.event.provider == 'php-fpm'"
 }
 },
 {
 "pipeline": {
- "name": "logs-pfsense.log-1.19.1-squid",
+ "name": "logs-pfsense.log-1.20.2-squid",
 "if": "ctx.event.provider == 'squid'"
 }
 },
+ {
+ "pipeline": {
+ "name": "logs-pfsense.log-1.20.2-snort",
+ "if": "ctx.event.provider == 'snort'"
+ }
+ },
 {
 "pipeline": {
- "name": "logs-pfsense.log-1.16.0-suricata",
+ "name": "logs-pfsense.log-1.20.2-suricata",
 "if": "ctx.event.provider == 'suricata'"
 }
 },
 {
 "drop": {
- "if": "![\"filterlog\", \"openvpn\", \"charon\", \"dhcpd\", \"dhclient\", \"dhcp6c\", \"unbound\", \"haproxy\", \"php-fpm\", \"squid\", \"suricata\"].contains(ctx.event?.provider)"
+ "if": "![\"filterlog\", \"openvpn\", \"charon\", \"dhcpd\", \"dhclient\", \"dhcp6c\", \"unbound\", \"haproxy\", \"php-fpm\", \"squid\", \"snort\"].contains(ctx.event?.provider)"
 }
 },
 {
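Review bot: The drop processor's allow-list on the new side replaces "suricata" with "snort", while the suricata sub-pipeline (`logs-pfsense.log-1.20.2-suricata`) is still dispatched just above it, so suricata events are parsed and then discarded by the drop that follows. The list needs both providers: `"if": "![\"filterlog\", \"openvpn\", \"charon\", \"dhcpd\", \"dhclient\", \"dhcp6c\", \"unbound\", \"haproxy\", \"php-fpm\", \"squid\", \"snort\", \"suricata\"].contains(ctx.event?.provider)"`. PATCH 37/69 later in this series makes exactly that correction, so it would be cleaner squashed into this commit. Because the allow-list duplicates the provider names used in the pipeline conditions, every new sub-pipeline needs a matching entry here; the processors array continues on both sides of the hunk.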
@@ -288,7 +294,7 @@
 {
 "append": {
 "field": "related.ip",
- "value": "{{destination.ip}}",
+ "value": "{{{destination.ip}}}",
 "allow_duplicates": false,
 "if": "ctx.destination?.ip != null"
 }
@@ -296,7 +302,7 @@
 {
 "append": {
 "field": "related.ip",
- "value": "{{source.ip}}",
+ "value": "{{{source.ip}}}",
 "allow_duplicates": false,
 "if": "ctx.source?.ip != null"
 }
@@ -304,7 +310,7 @@
 {
 "append": {
 "field": "related.ip",
- "value": "{{source.nat.ip}}",
+ "value": "{{{source.nat.ip}}}",
 "allow_duplicates": false,
 "if": "ctx.source?.nat?.ip != null"
 }
@@ -312,21 +318,21 @@
 {
 "append": {
 "field": "related.hosts",
- "value": "{{destination.domain}}",
+ "value": "{{{destination.domain}}}",
 "if": "ctx.destination?.domain != null"
 }
 },
 {
 "append": {
 "field": "related.user",
- "value": "{{user.name}}",
+ "value": "{{{user.name}}}",
 "if": "ctx.user?.name != null"
 }
 },
 {
 "set": {
 "field": "network.direction",
- "value": "{{network.direction}}bound",
+ "value": "{{{network.direction}}}bound",
 "if": "ctx.network?.direction != null && ctx.network?.direction =~ /^(in|out)$/"
 }
 },
@@ -403,12 +409,5 @@
 "value": "{{{ _ingest.on_failure_message }}}"
 }
 }
- ],
- "_meta": {
- "managed_by": "fleet",
- "managed": true,
- "package": {
- "name": "pfsense"
- }
- }
-}
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.16.0-suricata b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2-suricata
similarity index 100%
rename from salt/elasticsearch/files/ingest/logs-pfsense.log-1.16.0-suricata
rename to salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2-suricata
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json
deleted file mode 100644
index efd85bb4b..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json
+++ /dev/null
@@ -1,383 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent-1.20.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version", - "component.id", - "component.type", - "component.binary", - "component.state", - "component.old_state", - "unit.id", - "unit.type", - "unit.state", - "unit.old_state" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "message": { - "type": "text" - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "component": { - "properties": { - "binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "wildcard" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "unit": { - "properties": { - "old_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "wildcard" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 
1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@package.json deleted file mode 100644 index bf60f2543..000000000 
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@package.json
+++ /dev/null
@@ -1,132 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs-endpoint.collection-diagnostic" - }, - "codec": "best_compression", - "default_pipeline": "logs-endpoint.diagnostic.collection-8.10.2", - "mapping": { - "total_fields": { - "limit": "10000" - }, - "ignore_malformed": "true" - }, - "query": { - "default_field": [ - "ecs.version", - "event.action", - "event.category", - "event.code", - "event.dataset", - "event.hash", - "event.id", - "event.kind", - "event.module", - "event.outcome", - "event.provider", - "event.type" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "@timestamp": { - "ignore_malformed": false, - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "event": { - "properties": { - "severity": { - "type": "long" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_status@package.json b/salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_status@package.json
deleted file mode 100644
index 8fc83f9cb..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_status@package.json
+++ /dev/null
@@ -1,201 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "metrics" - }, - "default_pipeline": "metrics-fleet_server.agent_status-1.5.0", - "mapping": { - "total_fields": { - "limit": "1000" - } - } - } - }, - "mappings": { - "dynamic": false, - "_source": { - "mode": "synthetic" - }, - "properties": { - "cluster": { - "properties": { - "id": { - "time_series_dimension": true, - "type": "keyword" - } - } - }, - "fleet": { - "properties": { - "agents": { - "properties": { - "offline": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "total": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "updating": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "inactive": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "healthy": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "unhealthy": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "unenrolled": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "enrolled": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "unhealthy_reason": { - "properties": { - "output": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "input": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "other": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - } - } - }, - "upgrading_step": { - "properties": { - "rollback": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "requested": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "restarting": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "downloading": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "scheduled": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "extracting": { - "time_series_metric": 
"gauge", - "meta": {}, - "type": "long" - }, - "replacing": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "failed": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "watching": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - } - } - } - } - } - } - }, - "agent": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "ignore_malformed": false, - "type": "date" - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "kibana": { - "properties": { - "uuid": { - "path": "agent.id", - "type": "alias" - }, - "version": { - "path": "agent.version", - "type": "alias" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "fleet_server" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_versions@package.json b/salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_versions@package.json deleted file mode 100644 index af3323ee9..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_versions@package.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "metrics" - }, - "default_pipeline": "metrics-fleet_server.agent_versions-1.5.0", - "mapping": { - "total_fields": { - "limit": "1000" - } - } - } - }, - "mappings": { - "dynamic": false, - "_source": { - "mode": "synthetic" - }, - "properties": { - "cluster": { - "properties": { - "id": { - "time_series_dimension": true, - "type": "keyword" - } - } - }, - "fleet": { - "properties": { - "agent": { - "properties": { - "count": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "version": { - "time_series_dimension": true, - "type": "keyword" - } - } - } - } - }, - "agent": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "ignore_malformed": false, - "type": "date" - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "kibana": { - "properties": { - "uuid": { - "path": "agent.id", - "type": "alias" - }, - "version": { - "path": "agent.version", - "type": "alias" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "fleet_server" - }, - "managed_by": "fleet", - "managed": true - } -} From c711ffe6c5cba43ca64b782575dc09e27bb14e91 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 13 Feb 2025 08:44:56 -0600 Subject: [PATCH 33/69] keep pipeline "managed" metadata --- salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 index d4861a35b..78a65b444 100644 
--- a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2
+++ b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2
@@ -1,5 +1,12 @@
 {
 "description": "Pipeline for PFsense",
+ "_meta": {
+ "package": {
+ "name": "pfsense"
+ },
+ "managed_by": "fleet",
+ "managed": true
+ },
 "processors": [
 {
 "set": {
@@ -153,7 +160,7 @@
 }
 },
 {
- "pipeline": {
+ "pipeline": {
 "name": "logs-pfsense.log-1.20.2-suricata",
 "if": "ctx.event.provider == 'suricata'"
 }
From 03b76cbcf5ede6b1f590227ee414469edd4d1aec Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 13 Feb 2025 08:51:50 -0600
Subject: [PATCH 34/69] remove state files
--- salt/manager/tools/sbin/soup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 89255f839..85da8bbd9 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -538,8 +538,8 @@ post_to_2.4.120() {
 }
 post_to_2.4.130() {
- # Integrations policies need to be updated
- rm -f /opt/so/state/eaintegrations.txt
+ # Integrations policies need to be updated, along with ingest pipelines & index templates.
+ rm -f /opt/so/state/eaintegrations.txt /opt/so/state/espipelines.txt /opt/so/state/estemplates.txt
 # Sync the newly generated index templates for elasticfleet integrations
 salt-call state.apply elasticsearch queue=True
From 8568c372f6e82f8ba508644155e8704fa8e1cd41 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 17 Feb 2025 12:21:31 -0600
Subject: [PATCH 35/69] disable fleet apm
--- salt/kibana/defaults.yaml | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml
index 6cc4d123a..d0ba37e7b 100644
--- a/salt/kibana/defaults.yaml
+++ b/salt/kibana/defaults.yaml
@@ -35,3 +35,5 @@ kibana:
 hostname: localhost
 fleet:
 registryUrl: ""
+ apm:
+ enabled: false
From 85dcfbf36877e3cc4a56fe67bef5cc0ffb3280ba Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 17 Feb 2025 12:27:36 -0600
Subject: [PATCH 36/69] update kibana default space
--- salt/kibana/tools/sbin_jinja/so-kibana-space-defaults | 2 +- salt/manager/tools/sbin/soup | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults b/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults
index 6e4959194..4a2b5902c 100755
--- a/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults
+++ b/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults
@@ -13,6 +13,6 @@ echo "Setting up default Space:"
 {% if HIGHLANDER %}
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log
 {% else %}
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCases"]} ' >> /opt/so/log/kibana/misc.log
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCasesV2","siem","inventory","dataQuality","actions"]} ' >> /opt/so/log/kibana/misc.log
 {% endif %}
 echo
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 85da8bbd9..3bcef79ef 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
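Review bot: The new disabledFeatures array lists "actions" twice, once after "stackAlerts" and again as the last element; at best that is redundant, and it may be rejected if the spaces API validates the array for duplicate feature ids, so drop the trailing entry and end the list with `"inventory","dataQuality"]}`. The feature ids were changed by hand (securitySolutionCases became securitySolutionCasesV2, and siem, inventory and dataQuality are new), and nothing in the script records which Kibana release they were taken from; a one-line comment above the curl call naming that release would help the next maintainer check the list when Kibana is upgraded. The surrounding script outside the hunk is unchanged.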
@@ -544,6 +544,11 @@ post_to_2.4.130() { # Sync the newly generated index templates for elasticfleet integrations salt-call state.apply elasticsearch queue=True + # Update kibana default space + salt-call state.apply kibana.config queue=True + echo "Updating Kibana default space" + /usr/sbin/so-kibana-space-defaults + POSTVERSION=2.4.130 } From 12f0195f292f7e44f007e1b1f85da6e8fba3db08 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 17 Feb 2025 12:28:23 -0600 Subject: [PATCH 37/69] pfsense integration - keep suricata events --- salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 index 78a65b444..d12a03149 100644 --- a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 +++ b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 @@ -167,7 +167,7 @@ }, { "drop": { - "if": "![\"filterlog\", \"openvpn\", \"charon\", \"dhcpd\", \"dhclient\", \"dhcp6c\", \"unbound\", \"haproxy\", \"php-fpm\", \"squid\", \"snort\"].contains(ctx.event?.provider)" + "if": "![\"filterlog\", \"openvpn\", \"charon\", \"dhcpd\", \"dhclient\", \"dhcp6c\", \"unbound\", \"haproxy\", \"php-fpm\", \"squid\", \"snort\", \"suricata\"].contains(ctx.event?.provider)" } }, { From 3530bff320522e6c255b77bfd55e9301346bc9fa Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 17 Feb 2025 12:29:27 -0600 Subject: [PATCH 38/69] always update package components state file to ensure index templates are created with any available integration components --- .../sbin/so-elastic-fleet-optional-integrations-load | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) 
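Review bot: `/usr/sbin/so-kibana-space-defaults` is run right after `salt-call state.apply kibana.config` and neither result is checked before `POSTVERSION=2.4.130` is recorded, so if the config apply restarts Kibana the space update may hit an API that is not yet serving and the upgrade is still marked complete. Consider guarding the call, e.g. `/usr/sbin/so-kibana-space-defaults || echo "WARNING: Kibana default space update failed; re-run so-kibana-space-defaults" >&2`, and calling whatever Kibana readiness wait soup uses elsewhere first. Whether the config state actually restarts Kibana cannot be told from this hunk.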
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load index 6d87b958c..dface5a72 100644 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load @@ -91,15 +91,12 @@ if [[ -f $STATE_FILE_SUCCESS ]]; then if [ "$PENDING_UPDATE" = true ]; then # Run bulk install of packages elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_OUTPUT - - # Write out file for generating index/component/ilm templates - latest_installed_package_list=$(elastic_fleet_installed_packages) - echo $latest_installed_package_list | jq '[.items[] | {name: .name, es_index_patterns: .dataStreams}]' > $PACKAGE_COMPONENTS - else echo "Elastic integrations don't appear to need installation/updating..." - exit 0 fi + # Write out file for generating index/component/ilm templates + latest_installed_package_list=$(elastic_fleet_installed_packages) + echo $latest_installed_package_list | jq '[.items[] | {name: .name, es_index_patterns: .dataStreams}]' > $PACKAGE_COMPONENTS else # This is the installation of add-on integrations and upgrade of existing integrations. Exiting without error, next highstate will attempt to re-run. From 235a8e3934ff26f27c07057d3829648d5efd46cb Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 17 Feb 2025 18:30:51 -0600 Subject: [PATCH 39/69] update index templates for endpoint integration --- salt/elasticsearch/defaults.yaml | 215 ++++++++++++++++++++++++++++--- 1 file changed, 196 insertions(+), 19 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 04198a160..3eafa5e3d 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
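Review bot: The now-unconditional write to `$PACKAGE_COMPONENTS` at the end of the `if` branch has no error handling: if `elastic_fleet_installed_packages` fails (Kibana briefly unavailable) or returns non-JSON, `jq` writes an empty or partial file over the previous good state, and the next highstate then generates no integration index templates at all. The JSON is also expanded unquoted through `echo $latest_installed_package_list`, so its `[`/`]` characters are subject to pathname expansion. Capture the result only when the call succeeds, pass it through a quoted `printf`, and replace the state file atomically as below. `elastic_fleet_installed_packages` is defined outside this file, so its failure behaviour is assumed here.
```shell
  # … unchanged: bulk install / "don't appear to need installation" branch …
  # Write out file for generating index/component/ilm templates; only replace the
  # previous state file when the Fleet API call and jq both succeeded.
  if latest_installed_package_list=$(elastic_fleet_installed_packages) \
     && printf '%s' "$latest_installed_package_list" \
        | jq -e '[.items[] | {name: .name, es_index_patterns: .dataStreams}]' > "${PACKAGE_COMPONENTS}.tmp"; then
    mv -f "${PACKAGE_COMPONENTS}.tmp" "$PACKAGE_COMPONENTS"
  else
    echo "Failed to retrieve installed package list; keeping existing ${PACKAGE_COMPONENTS}" >&2
    rm -f "${PACKAGE_COMPONENTS}.tmp"
  fi
```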
@@ -1783,13 +1783,131 @@ elasticsearch: set_priority: priority: 50 min_age: 30d + so-logs-endpoint_x_actions: + index_sorting: false + index_template: + composed_of: + - .logs-endpoint.actions@package + - .logs-endpoint.actions@custom + - event-mappings + - so-fleet_integrations.ip_mappings-1 + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + ignore_missing_component_templates: + - .logs-endpoint.actions@custom + index_patterns: + - logs-endpoint.actions-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.actions-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-endpoint_x_action_x_responses: + index_sorting: false + index_template: + composed_of: + - .logs-endpoint.action.responses@package + - .logs-endpoint.action.responses@custom + - event-mappings + - so-fleet_integrations.ip_mappings-1 + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + ignore_missing_component_templates: + - .logs-endpoint.action.responses@custom + index_patterns: + - logs-endpoint.action.responses-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.actions-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + 
set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-logs-endpoint_x_alerts: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.alerts@custom - logs-endpoint.alerts@package + - logs-endpoint.alerts@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -1846,9 +1964,9 @@ elasticsearch: index_sorting: false index_template: composed_of: + - .logs-endpoint.diagnostic.collection@package + - .logs-endpoint.diagnostic.collection@custom - event-mappings - - logs-endpoint.diagnostic.collection@custom - - logs-endpoint.diagnostic.collection@package - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -1856,7 +1974,7 @@ elasticsearch: allow_custom_routing: false hidden: false ignore_missing_component_templates: - - logs-endpoint.diagnostic.collection@custom + - .logs-endpoint.diagnostic.collection@custom index_patterns: - .logs-endpoint.diagnostic.collection-* priority: 501 @@ -1905,9 +2023,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.api@custom - logs-endpoint.events.api@package + - logs-endpoint.events.api@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -1964,9 +2082,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.file@custom - logs-endpoint.events.file@package + - logs-endpoint.events.file@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 
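Review bot: In the two new templates `so-logs-endpoint_x_actions` and `so-logs-endpoint_x_action_x_responses`, the `index_patterns` (`logs-endpoint.actions-*`, `logs-endpoint.action.responses-*`) lack the leading dot that their own `composed_of` entries (`.logs-endpoint.actions@package`, `.logs-endpoint.action.responses@package`) and the sibling heartbeat and diagnostic.collection templates carry; if Elastic Defend writes these streams as `.logs-endpoint.actions-*` and `.logs-endpoint.action.responses-*`, these templates never match and response-action data falls back to the stock Fleet settings. `so-logs-endpoint_x_action_x_responses` also reuses `lifecycle.name: so-logs-endpoint.actions-logs` from the template above it, which looks like a copy-paste; every other new entry names its own policy, so `so-logs-endpoint.action.responses-logs` would follow the pattern. Both new entries set `index_sorting: false` yet include a `sort:` block under `template.settings.index`; whichever of the two the rendering template honours, the other is dead configuration and worth a comment. This hunk begins on the preceding line.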
@@ -2023,9 +2141,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.library@custom - logs-endpoint.events.library@package + - logs-endpoint.events.library@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -2082,9 +2200,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.network@custom - logs-endpoint.events.network@package + - logs-endpoint.events.network@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -2141,9 +2259,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.process@custom - logs-endpoint.events.process@package + - logs-endpoint.events.process@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -2200,9 +2318,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.registry@custom - logs-endpoint.events.registry@package + - logs-endpoint.events.registry@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -2259,9 +2377,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.security@custom - logs-endpoint.events.security@package + - logs-endpoint.events.security@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 
@@ -2314,6 +2432,65 @@ elasticsearch: set_priority: priority: 50 min_age: 30d + so-logs-endpoint_x_heartbeat: + index_sorting: false + index_template: + composed_of: + - .logs-endpoint.heartbeat@package + - .logs-endpoint.heartbeat@custom + - event-mappings + - so-fleet_integrations.ip_mappings-1 + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + ignore_missing_component_templates: + - .logs-endpoint.heartbeat@custom + index_patterns: + - .logs-endpoint.heartbeat-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.heartbeat-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-logs-http_endpoint_x_generic: index_sorting: false index_template: From c1c72ddd9b507e5c27d630edf31f26d5e7f95b40 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 18 Feb 2025 10:39:54 -0600 Subject: [PATCH 40/69] update global@custom pipeline ignore null/empty string values --- salt/elasticsearch/files/ingest/global@custom | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/global@custom b/salt/elasticsearch/files/ingest/global@custom index 4c522374e..57d0e5d20 100644 --- a/salt/elasticsearch/files/ingest/global@custom +++ b/salt/elasticsearch/files/ingest/global@custom 
@@ -10,7 +10,7 @@ { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } }, { "split": { "if": "ctx.data_stream?.dataset.contains('.')", "field":"data_stream.dataset", "separator":"\\.", "target_field":"datastream_dataset_temp", "ignore_missing":true } }, { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } }, - { "set": { "if": "ctx.datastream_dataset_temp[0] == 'network_traffic'", "field":"event.module", "value":"{{ datastream_dataset_temp.0 }}", "ignore_failure":true, "description":"Fix EA network packet capture" } }, + { "set": { "if": "ctx.datastream_dataset_temp[0] == 'network_traffic'", "field":"event.module", "value":"{{ datastream_dataset_temp.0 }}", "ignore_failure":true, "ignore_empty_value":true, "description":"Fix EA network packet capture" } }, { "gsub": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "pattern": "^[^.]*.", "replacement": "", "target_field": "dataset_tag_temp" } }, { "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp}}", "allow_duplicates": false } }, { "set": { "if": "ctx.network?.direction == 'egress'", "override": true, "field": "network.initiated", "value": "true" } }, From 21ed1439e2b4ebff2b7c3f3138d8fcf93909e4e9 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 18 Feb 2025 10:40:18 -0600 Subject: [PATCH 41/69] update udp integration policy --- .../integrations/grid-nodes_general/syslog-udp-514.json | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/syslog-udp-514.json b/salt/elasticfleet/files/integrations/grid-nodes_general/syslog-udp-514.json index ad32a6964..22821dea8 100644 
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/syslog-udp-514.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/syslog-udp-514.json @@ -11,7 +11,7 @@ "udp-udp": { "enabled": true, "streams": { - "udp.generic": { + "udp.udp": { "enabled": true, "vars": { "listen_address": "0.0.0.0", @@ -20,11 +20,13 @@ "pipeline": "syslog", "max_message_size": "10KiB", "keep_null": false, - "processors": "- add_fields:\n target: event\n fields: \n module: syslog\n", + "processors": "- add_fields:\n target: event\n fields: \n module: syslog", "tags": [ "syslog" ], - "syslog_options": "field: message\n#format: auto\n#timezone: Local" + "syslog_options": "field: message\n#format: auto\n#timezone: Local\n", + "preserve_original_event": false, + "custom": "" } } } From 5c3e28535a4a2519cf5d4d23663287d450217adc Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 18 Feb 2025 11:46:45 -0500 Subject: [PATCH 42/69] FIX: Add TLSv1.3 to nginx config #14252 --- salt/nginx/etc/nginx.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 3168a5986..af8312a84 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -103,7 +103,7 @@ http { ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; ssl_ecdh_curve secp521r1:secp384r1; ssl_prefer_server_ciphers on; - ssl_protocols TLSv1.2; + ssl_protocols TLSv1.2 TLSv1.3; } {%- endif %} 
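Review bot: Adding `TLSv1.3` to `ssl_protocols` is welcome, but the `ssl_ciphers` list two lines above governs TLS 1.2 only; nginx configures TLS 1.3 suites separately (`ssl_conf_command Ciphersuites ...` on OpenSSL 1.1.1+), so the 1.3 suite set is now whatever the linked library defaults to. The 1.2 list also still carries the static-RSA `TLS_RSA_WITH_*` suites, which provide no forward secrecy; with 1.3 available to modern clients there is little reason to keep them for the 1.2 fallback. Consider trimming the list to the ECDHE entries and, if a fixed 1.3 set is wanted, adding `ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;`; the same lists are repeated in the two later hunks of this file, so keep them in sync.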
@@ -144,7 +144,7 @@ http { ssl_session_timeout 10m; ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; ssl_prefer_server_ciphers on; - ssl_protocols TLSv1.2; + ssl_protocols TLSv1.2 TLSv1.3; location / { allow all; sendfile on; @@ -177,7 +177,7 @@ http { ssl_session_timeout 10m; ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; ssl_prefer_server_ciphers on; - ssl_protocols TLSv1.2; + ssl_protocols TLSv1.2 TLSv1.3; location ~* (^/login/.*|^/js/.*|^/css/.*|^/images/.*) { proxy_pass http://{{ GLOBALS.manager }}:9822; From 7dd64380cc59840bda921a55e9ed4ccff3bf513d Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 18 Feb 2025 11:48:00 -0500 Subject: [PATCH 43/69] Enable TLSv1.3 and use consistent ciphers across listeners --- salt/nginx/etc/nginx.conf | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 3168a5986..dd4842930 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf 
@@ -101,9 +101,8 @@ http { ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; - ssl_ecdh_curve secp521r1:secp384r1; ssl_prefer_server_ciphers on; - ssl_protocols TLSv1.2; + ssl_protocols TLSv1.2 TLSv1.3; } {%- endif %} @@ -144,7 +143,7 @@ http { ssl_session_timeout 10m; ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; ssl_prefer_server_ciphers on; - ssl_protocols TLSv1.2; + ssl_protocols TLSv1.2 TLSv1.3; location / { allow all; sendfile on; @@ -177,7 +176,7 @@ http { ssl_session_timeout 10m; ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; ssl_prefer_server_ciphers on; - ssl_protocols TLSv1.2; + ssl_protocols TLSv1.2 TLSv1.3; location ~* (^/login/.*|^/js/.*|^/css/.*|^/images/.*) { proxy_pass http://{{ GLOBALS.manager }}:9822; From 1be8de7acbc08b9df04aec9dea0a3f3b9458eba5 Mon Sep 17 00:00:00 2001 
From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 18 Feb 2025 11:16:57 -0600 Subject: [PATCH 44/69] must use null check --- salt/elasticsearch/files/ingest/global@custom | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/global@custom b/salt/elasticsearch/files/ingest/global@custom index 57d0e5d20..e11a0be72 100644 --- a/salt/elasticsearch/files/ingest/global@custom +++ b/salt/elasticsearch/files/ingest/global@custom @@ -10,7 +10,7 @@ { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } }, { "split": { "if": "ctx.data_stream?.dataset.contains('.')", "field":"data_stream.dataset", "separator":"\\.", "target_field":"datastream_dataset_temp", "ignore_missing":true } }, { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } }, - { "set": { "if": "ctx.datastream_dataset_temp[0] == 'network_traffic'", "field":"event.module", "value":"{{ datastream_dataset_temp.0 }}", "ignore_failure":true, "ignore_empty_value":true, "description":"Fix EA network packet capture" } }, + { "set": { "if": "ctx.datastream_dataset_temp != null && ctx.datastream_dataset_temp[0] == 'network_traffic'", "field":"event.module", "value":"{{ datastream_dataset_temp.0 }}", "ignore_failure":true, "ignore_empty_value":true, "description":"Fix EA network packet capture" } }, { "gsub": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "pattern": "^[^.]*.", "replacement": "", "target_field": "dataset_tag_temp" } }, { "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp}}", "allow_duplicates": false } }, { "set": { "if": "ctx.network?.direction == 'egress'", "override": true, "field": "network.initiated", "value": "true" } }, 
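Review bot: With the `ctx.datastream_dataset_temp != null &&` guard in place, the remaining `ignore_failure: true` on this `set` processor no longer has a documented reason and now only hides genuine failures (a non-list value in `datastream_dataset_temp`, a template error) from the pipeline's error handling. Either drop it or record why it stays, e.g. extend the processor's `"description"` to `"Fix EA network packet capture; ignore_failure kept for non-list values"`. The `split` that creates the field two lines up guards only `data_stream` (`ctx.data_stream?.dataset.contains('.')`) and would still throw when `data_stream` exists without `dataset`; that line is not changed here but deserves the same treatment.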
From 19593cd771905d097932bc070160d9b26151f9f2 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 18 Feb 2025 12:17:50 -0500 Subject: [PATCH 45/69] use consistent ciphers across listeners --- salt/nginx/etc/nginx.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index dd4842930..069e55cdb 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -101,6 +101,7 @@ http { ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; + ssl_ecdh_curve secp521r1:secp384r1; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2 TLSv1.3; } @@ -142,6 +143,7 @@ http { ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; + ssl_ecdh_curve secp521r1:secp384r1; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2 TLSv1.3; location / { 
@@ -175,6 +177,7 @@ http { ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; + ssl_ecdh_curve secp521r1:secp384r1; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2 TLSv1.3; From b25b6f7bf2e45080b22f45e1ba2e3714985b69b4 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 18 Feb 2025 12:37:25 -0500 Subject: [PATCH 46/69] Support CLI changing of a user's password without disabling existing auth settings for that user --- salt/manager/tools/sbin/so-user | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/so-user b/salt/manager/tools/sbin/so-user index e6ac9eb1f..e6cf661dc 100755 --- a/salt/manager/tools/sbin/so-user +++ b/salt/manager/tools/sbin/so-user @@ -46,10 +46,11 @@ function usage() { Optional parameters: --skip-sync (defers the Elastic sync until the next scheduled time) - password: Updates a user's password and disables MFA + password: Updates a user's password and disables MFA, SSO, etc Required parameters: --email Optional parameters: + --password-only (only updates the password, does not disable MFA or SSO) --skip-sync (defers the Elastic sync until the next scheduled time) profile: Updates a user's profile information @@ -119,6 +120,8 @@ while [[ $# -gt 0 ]]; do note=$(echo $1 | sed 's/"/\\"/g') shift ;; + --password-only) + passwordOnly=1 --skip-sync) SKIP_SYNC=1 ;; 
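Review bot: Re-adding `ssl_ecdh_curve secp521r1:secp384r1;` to every listener restricts key exchange to two NIST curves and excludes X25519 and P-256, which are the key shares most TLS 1.3 clients send first; such clients complete the handshake only after a HelloRetryRequest (an extra round trip), and a client offering just X25519/P-256 fails outright. If X25519 is acceptable for this deployment, `ssl_ecdh_curve X25519:secp384r1:secp521r1;` avoids the retry while keeping the stronger curves available. Whether the restriction is a compliance requirement cannot be told from the diff; if it is, a comment above the directive would save the next reviewer the same question.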
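Review bot: The new `--password-only)` case arm has no terminating `;;`, so bash parses `passwordOnly=1 --skip-sync)` and aborts with a syntax error at the `)`, which makes the whole `so-user` script unrunnable rather than just breaking the new flag. Add `;;` after `passwordOnly=1`, i.e. `--password-only)` / `passwordOnly=1` / `;;`, matching the `--skip-sync` arm below. `passwordOnly` also gets no default in this hunk; `[[ $passwordOnly -eq 1 ]]` treats the empty value as 0 so it works, but an explicit `passwordOnly=0` alongside the other defaults would make the intent visible.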
@@ -236,6 +239,11 @@ function updatePassword() { # Update DB with new hash echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), created_at=datetime('now'), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" [[ $? != 0 ]] && fail "Unable to update password" + + if [[ $passwordOnly -eq 1 ]]; then + return + fi + # Deactivate MFA echo "delete from identity_credential_identifiers where identity_credential_id in (select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id in (select id from identity_credential_types where name in ('totp', 'webauthn', 'oidc')));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" [[ $? != 0 ]] && fail "Unable to clear aal2 identity IDs" From 23ab8983f72485a38f26f145c52c125f1793c51a Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 18 Feb 2025 12:41:41 -0500 Subject: [PATCH 47/69] Revert "Support CLI changing of a user's password without disabling existing auth settings for that user" This reverts commit b25b6f7bf2e45080b22f45e1ba2e3714985b69b4. --- salt/manager/tools/sbin/so-user | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/salt/manager/tools/sbin/so-user b/salt/manager/tools/sbin/so-user index e6cf661dc..e6ac9eb1f 100755 --- a/salt/manager/tools/sbin/so-user +++ b/salt/manager/tools/sbin/so-user 
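Review bot: The early `return` for `passwordOnly` skips not only the MFA/OIDC deactivation but everything after it in `updatePassword`, whose body continues past this hunk; if the later part revokes sessions, triggers the Elastic sync, or prints the confirmation, those steps are silently lost for the new flag. Consider making only the deactivation conditional, `if [[ $passwordOnly -ne 1 ]]; then` around the two delete statements, instead of returning. The usage text should also state the security consequence plainly, since keeping the `oidc` and `webauthn` identifiers means an admin-set password now coexists with the user's existing SSO/MFA bindings: `--password-only (keep existing MFA/SSO credentials; only the password hash is replaced)`.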
@@ -46,11 +46,10 @@ function usage() { Optional parameters: --skip-sync (defers the Elastic sync until the next scheduled time) - password: Updates a user's password and disables MFA, SSO, etc + password: Updates a user's password and disables MFA Required parameters: --email Optional parameters: - --password-only (only updates the password, does not disable MFA or SSO) --skip-sync (defers the Elastic sync until the next scheduled time) profile: Updates a user's profile information @@ -120,8 +119,6 @@ while [[ $# -gt 0 ]]; do note=$(echo $1 | sed 's/"/\\"/g') shift ;; - --password-only) - passwordOnly=1 --skip-sync) SKIP_SYNC=1 ;; @@ -239,11 +236,6 @@ function updatePassword() { # Update DB with new hash echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), created_at=datetime('now'), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" [[ $? != 0 ]] && fail "Unable to update password" - - if [[ $passwordOnly -eq 1 ]]; then - return - fi - # Deactivate MFA echo "delete from identity_credential_identifiers where identity_credential_id in (select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id in (select id from identity_credential_types where name in ('totp', 'webauthn', 'oidc')));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" [[ $? != 0 ]] && fail "Unable to clear aal2 identity IDs" From 2b7ebf08cbcd2c87a9a5233692ba7caf19b8fb55 Mon Sep 17 00:00:00 2001 From: Jorge Reyes <94730068+reyesj2@users.noreply.github.com> Date: Tue, 18 Feb 2025 13:18:08 -0600 Subject: [PATCH 48/69] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 452820224..04d2c4735 100644 --- a/VERSION +++ b/VERSION 
@@ -1 +1 @@ -2.4.0-foxtrot \ No newline at end of file +2.4.130 From f991d8a10a05986183b6197cc2ee662b25518f95 Mon Sep 17 00:00:00 2001 From: Jorge Reyes <94730068+reyesj2@users.noreply.github.com> Date: Tue, 18 Feb 2025 14:37:20 -0600 Subject: [PATCH 49/69] Update .gitleaks.toml --- .github/.gitleaks.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.gitleaks.toml b/.github/.gitleaks.toml index 21a047959..2111ed7bc 100644 --- a/.github/.gitleaks.toml +++ b/.github/.gitleaks.toml @@ -536,7 +536,7 @@ secretGroup = 4 [allowlist] description = "global allow lists" -regexes = ['''219-09-9999''', '''078-05-1120''', '''(9[0-9]{2}|666)-\d{2}-\d{4}''', '''RPM-GPG-KEY.*''', '''.*:.*StrelkaHexDump.*''', '''.*:.*PLACEHOLDER.*''', '''ssl_.*password'''] +regexes = ['''219-09-9999''', '''078-05-1120''', '''(9[0-9]{2}|666)-\d{2}-\d{4}''', '''RPM-GPG-KEY.*''', '''.*:.*StrelkaHexDump.*''', '''.*:.*PLACEHOLDER.*''', '''ssl_.*password''', '''integration_key\s=\s"so-logs-"'''] paths = [ '''gitleaks.toml''', '''(.*?)(jpg|gif|doc|pdf|bin|svg|socket)$''', From 45c66b93d7f3057006d0e5148ae849175f9abc22 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 19 Feb 2025 09:23:48 -0600 Subject: [PATCH 50/69] make sure only a non-empty file is loaded Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/template.map.jinja | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/salt/elasticsearch/template.map.jinja b/salt/elasticsearch/template.map.jinja index c1ff2cb24..aa90cb81b 100644 --- a/salt/elasticsearch/template.map.jinja +++ b/salt/elasticsearch/template.map.jinja 
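Review bot: The new allowlist entry `'''integration_key\s=\s"so-logs-"'''` is written against a whole assignment line, but gitleaks global `allowlist.regexes` are matched against the captured secret unless `regexTarget = "match"` or `"line"` is set, and no `regexTarget` is visible in this hunk; if the default applies the pattern never matches and the finding is not suppressed. Verify the target, and prefer scoping the exception to the rule that fires (a per-rule `[rules.allowlist]`) or to the file path, since every addition to the global list suppresses that pattern for all rules. A comment above the line naming the false positive would also help: `# so-logs-* is an index-template prefix, not a credential`.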
@@ -16,10 +16,13 @@ {# start generation of integration default index_settings #} {% if salt['file.file_exists']('/opt/so/state/esfleet_package_components.json') %} -{% from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %} -{% for index, settings in ADDON_INTEGRATION_DEFAULTS.items() %} -{% do ES_INDEX_SETTINGS_ORIG.update({index: settings}) %} -{% endfor %} +{% set check_package_components = salt['file.stats']('/opt/so/state/esfleet_package_components.json') %} +{% if check_package_components.size > 1 %} +{% from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %} +{% for index, settings in ADDON_INTEGRATION_DEFAULTS.items() %} +{% do ES_INDEX_SETTINGS_ORIG.update({index: settings}) %} +{% endfor %} +{% endif%} {% endif %} {# end generation of integration default index_settings #} From 64f6a2d81efd39469a01c8a33e4053a536dfce9d Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 19 Feb 2025 10:38:37 -0600 Subject: [PATCH 51/69] re-enable security (siem) in default kibana space --- salt/kibana/tools/sbin_jinja/so-kibana-space-defaults | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults b/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults index 4a2b5902c..a22aba066 100755 --- a/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults +++ b/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults 
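Review bot: `check_package_components.size > 1` only rules out an essentially empty file; a truncated or half-written `esfleet_package_components.json` (the writer in `so-elastic-fleet-optional-integrations-load` redirects `jq` output straight to the final path) still passes and then either errors inside the imported `integration-defaults.map.jinja` or silently yields no integration templates. A content check is more robust than a size check, e.g. `{% set pkg_json = salt['file.read']('/opt/so/state/esfleet_package_components.json') %}` guarded by `pkg_json.strip().startswith('[')`, or have the writer produce the file atomically so a partial file cannot exist. Also `{% endif%}` is missing the space before `%}`; Jinja accepts it but it breaks the file's otherwise consistent `{% ... %}` spacing.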
@@ -13,6 +13,6 @@ echo "Setting up default Space:" {% if HIGHLANDER %} curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log {% else %} -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCasesV2","siem","inventory","dataQuality","actions"]} ' >> /opt/so/log/kibana/misc.log +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCasesV2","inventory","dataQuality","actions"]} ' >> /opt/so/log/kibana/misc.log {% endif %} echo From c6d72d31cb8b1d0458ef2601c6b03eb8a8945f1a Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 19 Feb 2025 16:16:38 -0500 Subject: [PATCH 52/69] Update Elastic Defend JSON --- .../elastic-defend-endpoints.json | 37 +++++++++++-------- 1 file changed, 21 insertions(+), 16 deletions(-) diff --git a/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json b/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json index 0348a0198..87870c7bc 100644 --- a/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json +++ b/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json 
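Review bot: Restoring `siem` is right, but the list still carries `"actions"` twice (after `"stackAlerts"` and as the final element); remove the trailing duplicate. The call also has no failure detection: curl is invoked without `-f`, its output goes only to misc.log, and the script's exit status tells the soup upgrade path that now depends on it nothing, so a rejected feature ID or an unavailable Kibana passes silently. Consider `-f -sS -w '%{http_code}\n'` or checking the response for an `error` key before appending it to the log.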
@@ -3,25 +3,30 @@ "namespace": "default", "description": "", "package": { - "name": "endpoint", - "title": "Elastic Defend", - "version": "8.17.0" + "name": "endpoint", + "title": "Elastic Defend", + "version": "8.17.0", + "requires_root": true }, "enabled": true, "policy_id": "endpoints-initial", - "inputs": [{ - "type": "ENDPOINT_INTEGRATION_CONFIG", + "vars": {}, + "inputs": [ + { + "type": "endpoint", "enabled": true, - "streams": [], "config": { - "_config": { - "value": { - "type": "endpoint", - "endpointConfig": { - "preset": "DataCollection" - } - } + "integration_config": { + "value": { + "type": "endpoint", + "endpointConfig": { + "preset": "DataCollection" + } } - } - }] -} + } + }, + "streams": [] + } + ] + } + \ No newline at end of file From 499d473b9d9682e3a295ff2a86f8c64c2626f6d3 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 20 Feb 2025 10:06:59 -0600 Subject: [PATCH 53/69] set metrics indices to 0 replicas --- .../templates/component/elastic-agent/metrics@custom.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json diff --git a/salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json b/salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json new file mode 100644 index 000000000..6826af601 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json @@ -0,0 +1,7 @@ +{ + "template": { + "settings": { + "number_of_replicas": 0 + } + } + } \ No newline at end of file From 7c2118f2f6df830576d3e2ac90d0a19a19b79d75 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 20 Feb 2025 11:07:50 -0500 Subject: [PATCH 54/69] Create LICENSE --- LICENSE | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 000000000..77329e94a --- /dev/null 
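Review bot: The new side of elastic-defend-endpoints.json ends with a line containing a single space and no trailing newline (`+ ` followed by `\ No newline at end of file`), the final `}` is indented one space deeper than the opening brace, and `"enabled": true` keeps the old two-space indent while its sibling keys moved to four. Running the file through a JSON formatter would avoid a mostly-whitespace diff next time — the metrics@custom.json created two commits later needed exactly that follow-up commit. `"requires_root": true` now sits inside the `package` object; if Fleet reads it as package metadata rather than a policy input (which the placement suggests, but I cannot confirm from here), it records a privilege requirement rather than enforcing one, so the surrounding state is the place to document why the endpoint agent must run as root.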
+++ b/LICENSE 
@@ -0,0 +1,53 @@ +Elastic License 2.0 (ELv2) + +Acceptance + + By using the software, you agree to all of the terms and conditions below. + +Copyright License + + The licensor grants you a non-exclusive, royalty-free, worldwide, non-sublicensable, non-transferable license to use, copy, distribute, make available, and prepare derivative works of the software, in each case subject to the limitations and conditions below. + +Limitations + + You may not provide the software to third parties as a hosted or managed service, where the service provides users with access to any substantial set of the features or functionality of the software. + + You may not move, change, disable, or circumvent the license key functionality in the software, and you may not remove or obscure any functionality in the software that is protected by the license key. + + You may not alter, remove, or obscure any licensing, copyright, or other notices of the licensor in the software. Any use of the licensor’s trademarks is subject to applicable law. + +Patents + + The licensor grants you a license, under any patent claims the licensor can license, or becomes able to license, to make, have made, use, sell, offer for sale, import and have imported the software, in each case subject to the limitations and conditions in this license. This license does not cover any patent claims that you cause to be infringed by modifications or additions to the software. If you or your company make any written claim that the software infringes or contributes to infringement of any patent, your patent license for the software granted under these terms ends immediately. If your company makes such a claim, your patent license ends immediately for work on behalf of your company. + +Notices + + You must ensure that anyone who gets a copy of any part of the software from you also gets a copy of these terms. 
+ + If you modify the software, you must include in any modified copies of the software prominent notices stating that you have modified the software. + +No Other Rights + + These terms do not imply any licenses other than those expressly granted in these terms. + +Termination + + If you use the software in violation of these terms, such use is not licensed, and your licenses will automatically terminate. If the licensor provides you with a notice of your violation, and you cease all violation of this license no later than 30 days after you receive that notice, your licenses will be reinstated retroactively. However, if you violate these terms after such reinstatement, any additional violation of these terms will cause your licenses to terminate automatically and permanently. + +No Liability + + As far as the law allows, the software comes as is, without any warranty or condition, and the licensor will not be liable to you for any damages arising out of these terms or the use or nature of the software, under any kind of legal claim. + +Definitions + + The licensor is the entity offering these terms, and the software is the software the licensor makes available under these terms, including any portion of it. + + you refers to the individual or entity agreeing to these terms. + + your company is any legal entity, sole proprietorship, or other kind of organization that you work for, plus all organizations that have control over, are under the control of, or are under common control with that organization. control means ownership of substantially all the assets of an entity, or the power to direct its management and policies by vote, contract, or otherwise. Control can be direct or indirect. + + your licenses are all the licenses granted to you for the software under these terms. + + use means anything you do with the software requiring one of your licenses. + + trademark means trademarks, service marks, and similar rights. 
From c9b41e2eb1ea233c1007b09681ad63dc110132d4 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 20 Feb 2025 10:11:34 -0600 Subject: [PATCH 55/69] formatting Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- .../component/elastic-agent/metrics@custom.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json b/salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json index 6826af601..5b459147b 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json +++ b/salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json @@ -1,7 +1,7 @@ { - "template": { - "settings": { - "number_of_replicas": 0 - } + "template": { + "settings": { + "number_of_replicas": 0 } - } \ No newline at end of file + } +} \ No newline at end of file From 25dfc182a98d7c9d19c3f3597eaab3e2c05268d0 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 20 Feb 2025 13:18:02 -0500 Subject: [PATCH 56/69] Delete .github/ISSUE_TEMPLATE --- .github/ISSUE_TEMPLATE | 12 ------------ 1 file changed, 12 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE diff --git a/.github/ISSUE_TEMPLATE b/.github/ISSUE_TEMPLATE deleted file mode 100644 index e02405f16..000000000 --- a/.github/ISSUE_TEMPLATE +++ /dev/null 
@@ -1,12 +0,0 @@ -PLEASE STOP AND READ THIS INFORMATION! - -If you are creating an issue just to ask a question, you will likely get faster and better responses by posting to our discussions forum instead: -https://securityonion.net/discuss - -If you think you have found a possible bug or are observing a behavior that you weren't expecting, use the discussion forum to start a conversation about it instead of creating an issue. - -If you are very familiar with the latest version of the product and are confident you have found a bug in Security Onion, you can continue with creating an issue here, but please make sure you have done the following: -- duplicated the issue on a fresh installation of the latest version -- provide information about your system and how you installed Security Onion -- include relevant log files -- include reproduction steps From 2be53849806e4e3aab144e2740b744fdd273f53a Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 20 Feb 2025 13:19:08 -0500 Subject: [PATCH 57/69] Create config.yml --- .github/ISSUE_TEMPLATE/config.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/config.yml diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 000000000..5758e82cf --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,5 @@ +blank_issues_enabled: false +contact_links: + - name: Security Onion Discussions + url: https://securityonion.com/discussions + about: Please ask and answer questions here From 5dc9200ee70be46f48e9d0349f79533931840973 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 20 Feb 2025 13:19:22 -0500 Subject: [PATCH 58/69] Add files via upload --- .github/ISSUE_TEMPLATE/bug_report.md | 38 ++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md 
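Review bot: The contact link `url: https://securityonion.com/discussions` does not match the forum address the bug_report.md added in the next commit points to (`https://securityonion.net/discuss`); nothing validates contact links, so whichever one is not canonical will rot silently. Both are presumably meant to be the same forum — confirm and use one address in both files. Starting the document with `---` would also satisfy yamllint's document-start rule.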
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 000000000..43b490b49 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,38 @@ +--- +name: Bug report +about: This option is for experienced community members to report a confirmed, reproducible bug +title: '' +labels: '' +assignees: '' + +--- +PLEASE STOP AND READ THIS INFORMATION! + +If you are creating an issue just to ask a question, you will likely get faster and better responses by posting to our discussions forum at https://securityonion.net/discuss. + +If you think you have found a possible bug or are observing a behavior that you weren't expecting, use the discussion forum at https://securityonion.net/discuss to start a conversation about it instead of creating an issue. + +If you are very familiar with the latest version of the product and are confident you have found a bug in Security Onion, you can continue with creating an issue here, but please make sure you have done the following: +- duplicated the issue on a fresh installation of the latest version +- provide information about your system and how you installed Security Onion +- include relevant log files +- include reproduction steps + +**Describe the bug** +A clear and concise description of what the bug is. + +**To Reproduce** +Steps to reproduce the behavior: +1. Go to '...' +2. Click on '....' +3. Scroll down to '....' +4. See error + +**Expected behavior** +A clear and concise description of what you expected to happen. + +**Screenshots** +If applicable, add screenshots to help explain your problem. + +**Additional context** +Add any other context about the problem here. From 3b6344e7f0163a4e27c71a7bd27eab1edbd61299 Mon Sep 17 00:00:00 2001 
From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 20 Feb 2025 12:42:30 -0600 Subject: [PATCH 59/69] add back settings previously defined when overwritting logs-elastic_agent@package and logs-endpoint.diagnostics.collection@package --- salt/elasticsearch/defaults.yaml | 66 ++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 82a75bf6b..673739952 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1146,15 +1146,65 @@ elasticsearch: name: elastic_agent settings: index: + codec: best_compression lifecycle: name: so-logs-elastic_agent-logs mapping: total_fields: limit: 5000 + ignore_malformed: true number_of_replicas: 0 sort: field: '@timestamp' order: desc + query: + default_field: + - cloud.account.id + - cloud.availability_zone + - cloud.instance.id + - cloud.instance.name + - cloud.machine.type + - cloud.provider + - cloud.region + - cloud.project.id + - cloud.image.id + - container.id + - container.image.name + - container.name + - host.architecture + - host.hostname + - host.id + - host.mac + - host.name + - host.os.family + - host.os.kernel + - host.os.name + - host.os.platform + - host.os.version + - host.os.build + - host.os.codename + - host.type + - ecs.version + - agent.build.original + - agent.ephemeral_id + - agent.id + - agent.name + - agent.type + - agent.version + - log.level + - message + - elastic_agent.id + - elastic_agent.process + - elastic_agent.version + - component.id + - component.type + - component.binary + - component.state + - component.old_state + - unit.id + - unit.type + - unit.state + - unit.old_state policy: _meta: managed: true 
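Review bot: The added `ignore_malformed: true`, which appears to sit under `index.mapping`, makes Elasticsearch drop field values that do not match the mapped type instead of rejecting the document, so corrupted or type-confused values in agent logs disappear without an indexing error; that is a defensible availability trade-off, but only the commit message records that it is being restored from the upstream `@package` defaults. A comment next to it such as `# restored from the upstream logs-elastic_agent@package component template; malformed field values are dropped, not rejected` would stop someone from "cleaning up" these lines later, and the same applies to the `query.default_field` list. The second hunk of this commit (logs-endpoint.diagnostic.collection) adds the identical pair of settings and needs the same note.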
@@ -1988,15 +2038,31 @@ elasticsearch: template: settings: index: + codec: best_compression lifecycle: name: so-logs-endpoint.diagnostic.collection-logs mapping: total_fields: limit: 5000 + ignore_malformed: true number_of_replicas: 0 sort: field: '@timestamp' order: desc + query: + default_field: + - ecs.version + - event.action + - event.category + - event.code + - event.dataset + - event.hash + - event.id + - event.kind + - event.module + - event.outcome + - event.provider + - event.type policy: _meta: managed: true From df350b5a56464e4c628536c14270f8b67664e6a2 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 20 Feb 2025 14:20:09 -0600 Subject: [PATCH 60/69] ES 8.17.2 --- salt/elasticsearch/defaults.yaml | 2 +- salt/kibana/defaults.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 673739952..c3957361a 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1,6 +1,6 @@ elasticsearch: enabled: false - version: 8.17.1 + version: 8.17.2 index_clean: true config: action: diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index d0ba37e7b..a4be3787f 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -22,7 +22,7 @@ kibana: - default - file migrations: - discardCorruptObjects: "8.17.1" + discardCorruptObjects: "8.17.2" telemetry: enabled: False security: From 69b559fb26d9b35a906844579467352be98ec5da Mon Sep 17 00:00:00 2001 
From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 20 Feb 2025 17:11:28 -0600 Subject: [PATCH 61/69] ES 8.17.2 pipeline version updates --- .../grid-nodes_general/import-evtx-logs.json | 2 +- ...nse.log-1.20.2 => logs-pfsense.log-1.21.0} | 28 +++++++++---------- ...icata => logs-pfsense.log-1.21.0-suricata} | 0 3 files changed, 15 insertions(+), 15 deletions(-) rename salt/elasticsearch/files/ingest/{logs-pfsense.log-1.20.2 => logs-pfsense.log-1.21.0} (94%) rename salt/elasticsearch/files/ingest/{logs-pfsense.log-1.20.2-suricata => logs-pfsense.log-1.21.0-suricata} (100%) diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json index bef0bf931..bb79891b6 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json 
@@ -20,7 +20,7 @@ ], "data_stream.dataset": "import", "custom": "", - "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-1.64.0\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-2.3.6\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-1.64.0\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-1.64.0\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-2.3.6\n- add_fields:\n target: data_stream\n 
fields:\n dataset: import", + "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-1.66.1\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-2.4.1\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-1.66.1\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-1.66.1\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-2.4.1\n- add_fields:\n target: data_stream\n fields:\n dataset: import", "tags": [ 
"import" ] diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.21.0 similarity index 94% rename from salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 rename to salt/elasticsearch/files/ingest/logs-pfsense.log-1.21.0 index d12a03149..7c4f2575f 100644 --- a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 +++ b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.21.0 @@ -1,17 +1,17 @@ { "description": "Pipeline for PFsense", "_meta": { + "managed_by": "fleet", + "managed": true, "package": { "name": "pfsense" - }, - "managed_by": "fleet", - "managed": true + } }, "processors": [ { "set": { "field": "ecs.version", - "value": "8.11.0" + "value": "8.17.0" } }, { 
@@ -107,61 +107,61 @@ }, { "pipeline": { - "name": "logs-pfsense.log-1.20.2-firewall", + "name": "logs-pfsense.log-1.21.0-firewall", "if": "ctx.event.provider == 'filterlog'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.20.2-openvpn", + "name": "logs-pfsense.log-1.21.0-openvpn", "if": "ctx.event.provider == 'openvpn'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.20.2-ipsec", + "name": "logs-pfsense.log-1.21.0-ipsec", "if": "ctx.event.provider == 'charon'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.20.2-dhcp", + "name": "logs-pfsense.log-1.21.0-dhcp", "if": "[\"dhcpd\", \"dhclient\", \"dhcp6c\"].contains(ctx.event.provider)" } }, { "pipeline": { - "name": "logs-pfsense.log-1.20.2-unbound", + "name": "logs-pfsense.log-1.21.0-unbound", "if": "ctx.event.provider == 'unbound'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.20.2-haproxy", + "name": "logs-pfsense.log-1.21.0-haproxy", "if": "ctx.event.provider == 'haproxy'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.20.2-php-fpm", + "name": "logs-pfsense.log-1.21.0-php-fpm", "if": "ctx.event.provider == 'php-fpm'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.20.2-squid", + "name": "logs-pfsense.log-1.21.0-squid", "if": "ctx.event.provider == 'squid'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.20.2-snort", + "name": "logs-pfsense.log-1.21.0-snort", "if": "ctx.event.provider == 'snort'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.20.2-suricata", + "name": "logs-pfsense.log-1.21.0-suricata", "if": "ctx.event.provider == 'suricata'" } }, diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2-suricata b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.21.0-suricata similarity index 100% rename from salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2-suricata rename to salt/elasticsearch/files/ingest/logs-pfsense.log-1.21.0-suricata From 66a2ec7e2131a31325242fec493781eb6e13211f Mon Sep 17 00:00:00 2001 
From: Jason Ertel Date: Fri, 21 Feb 2025 08:38:40 -0500 Subject: [PATCH 62/69] ES upgrade errors to ignore --- salt/common/tools/sbin/so-log-check | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/common/tools/sbin/so-log-check b/salt/common/tools/sbin/so-log-check index 91417171c..b9bc76f9f 100755 --- a/salt/common/tools/sbin/so-log-check +++ b/salt/common/tools/sbin/so-log-check @@ -126,6 +126,7 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to get license information" # Logstash trying to contact ES before it's ready EXCLUDED_ERRORS="$EXCLUDED_ERRORS|process already finished" # Telegraf script finished just as the auto kill timeout kicked in EXCLUDED_ERRORS="$EXCLUDED_ERRORS|No shard available" # Typical error when making a query before ES has finished loading all indices + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|responded with status-code 503" # telegraf getting 503 from ES during startup fi if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then @@ -152,6 +153,7 @@ if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then EXCLUDED_ERRORS="$EXCLUDED_ERRORS|is not an ip string literal" # false positive (Open Canary logging out blank IP addresses) EXCLUDED_ERRORS="$EXCLUDED_ERRORS|syncing rule" # false positive (rule sync log line includes rule name which can contain 'error') EXCLUDED_ERRORS="$EXCLUDED_ERRORS|request_unauthorized" # false positive (login failures to Hydra result in an 'error' log) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding index lifecycle policy" # false positive (elasticsearch policy names contain 'error') fi if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then 
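Review bot: The three new exclusions in this commit (here, in the `@@ -152` hunk, and in the `@@ -213` hunk that adds `marked for removal`) are unanchored substrings, so they will hide any future error line containing those words, not only the telegraf-startup, ILM-policy and docker-recycle cases the inline comments describe — `responded with status-code 503` in particular will mask 503s from any service telegraf polls. Narrowing each pattern to the emitting component where the log line allows (for example including the plugin or container name alongside the status code) keeps the exclusion tied to the known-benign case. If so-log-check is used as a CI gate, as its name suggests, every widening of `EXCLUDED_ERRORS` is a detection blind spot and is worth keeping as specific as the log format permits.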
@@ -213,6 +215,7 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then EXCLUDED_ERRORS="$EXCLUDED_ERRORS|syncErrors" # Detections: Not an actual error EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Initialized license manager" # SOC log: before fields.status was changed to fields.licenseStatus EXCLUDED_ERRORS="$EXCLUDED_ERRORS|from NIC checksum offloading" # zeek reporter.log + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|marked for removal" # docker container getting recycled fi RESULT=0 From 22f3865602b79e9a7668553b52b2d6f121977f08 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 21 Feb 2025 09:32:36 -0500 Subject: [PATCH 63/69] Dont upgrade integrations during pre-phase --- salt/manager/tools/sbin/soup | 4 ---- 1 file changed, 4 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index f1b09280e..2db86ce9b 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -757,10 +757,6 @@ up_to_2.4.120() { mkdir -p /opt/so/saltstack/local/pillar/versionlock touch /opt/so/saltstack/local/pillar/versionlock/adv_versionlock.sls /opt/so/saltstack/local/pillar/versionlock/soc_versionlock.sls - # New Grid Integration added this release - rm -f /opt/so/state/eaintegrations.txt - - INSTALLEDVERSION=2.4.120 } From c1282e77a00b59ff765fe93257aa8391b7521c02 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 21 Feb 2025 14:02:22 -0600 Subject: [PATCH 64/69] move removal of eaintegrations.txt to up_to_2.4.130 --- salt/manager/tools/sbin/soup | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 2db86ce9b..544eefc17 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup 
@@ -540,11 +540,6 @@ post_to_2.4.120() { } post_to_2.4.130() { - # Integrations policies need to be updated, along with ingest pipelines & index templates. - rm -f /opt/so/state/eaintegrations.txt /opt/so/state/espipelines.txt /opt/so/state/estemplates.txt - - # Sync the newly generated index templates for elasticfleet integrations - salt-call state.apply elasticsearch queue=True # Update kibana default space salt-call state.apply kibana.config queue=True @@ -765,6 +760,9 @@ up_to_2.4.130() { # Elastic Update for this release, so download Elastic Agent files determine_elastic_agent_upgrade + # Integrations policies need to be updated + rm -f /opt/so/state/eaintegrations.txt + INSTALLEDVERSION=2.4.130 } From 7155ccaf962ab99272f3533fbb2288f5f5a6fd6a Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 21 Feb 2025 17:10:39 -0500 Subject: [PATCH 65/69] ensure override for nmcli exists in /etc --- salt/manager/tools/sbin/soup | 3 +++ setup/so-functions | 15 ++++++--------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 544eefc17..5da116e05 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -763,6 +763,9 @@ up_to_2.4.130() { # Integrations policies need to be updated rm -f /opt/so/state/eaintegrations.txt + # Ensure override exists to allow nmcli access to other devices + touch /etc/NetworkManager/conf.d/10-globally-managed-devices.conf + INSTALLEDVERSION=2.4.130 } diff --git a/setup/so-functions b/setup/so-functions index fa7e8a043..5c4da25ba 100755 --- a/setup/so-functions +++ b/setup/so-functions 
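Review bot: The `touch /etc/NetworkManager/conf.d/10-globally-managed-devices.conf` added to up_to_2.4.130 assumes `/etc/NetworkManager/conf.d` exists; on a node without NetworkManager the call fails, and whether that aborts soup depends on error handling outside this hunk. `[[ -d /etc/NetworkManager/conf.d ]] && touch /etc/NetworkManager/conf.d/10-globally-managed-devices.conf` keeps the step a no-op where it does not apply. The comment could also name the mechanism — I believe a same-named file under /etc shadows the distribution's copy in /usr/lib/NetworkManager/conf.d, which is what makes an empty file an "override" — so a reader does not mistake the empty file for a leftover.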
@@ -167,17 +167,14 @@ check_manager_connection() { } check_network_manager_conf() { - local gmdconf="/usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf" - local nmconf="/etc/NetworkManager/NetworkManager.conf" + local gmdconf="/etc/NetworkManager/conf.d/10-globally-managed-devices.conf" local preupdir="/etc/NetworkManager/dispatcher.d/pre-up.d" - if test -f "$gmdconf" && ! test -f "${gmdconf}.bak"; then - { - mv "$gmdconf" "${gmdconf}.bak" - touch "$gmdconf" - systemctl restart NetworkManager - } >> "$setup_log" 2>&1 - fi + { + [[ -f $gmdconf ]] && mv "$gmdconf" "${gmdconf}.bak" + touch "$gmdconf" + systemctl restart NetworkManager + } >> "$setup_log" 2>&1 if [[ ! -d "$preupdir" ]]; then mkdir "$preupdir" >> "$setup_log" 2>&1 From 6d0350793db4fe29d879036f122da6453147b0aa Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Sun, 23 Feb 2025 14:02:17 -0500 Subject: [PATCH 66/69] Remove old defend json --- salt/manager/tools/sbin/soup | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 5da116e05..27123c660 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -533,9 +533,6 @@ post_to_2.4.120() { # Manually rollover suricata alerts index to ensure data_stream.dataset expected mapping is set to 'suricata' rollover_index "logs-suricata.alerts-so" - echo "Regenerating Elastic Agent Installers" - /sbin/so-elastic-agent-gen-installers - POSTVERSION=2.4.120 } @@ -546,6 +543,9 @@ post_to_2.4.130() { echo "Updating Kibana default space" /usr/sbin/so-kibana-space-defaults + echo "Regenerating Elastic Agent Installers" + /sbin/so-elastic-agent-gen-installers + POSTVERSION=2.4.130 } 
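Review bot: The rewritten block in check_network_manager_conf drops the `! test -f "${gmdconf}.bak"` guard, so every run moves whatever is at `$gmdconf` to `.bak`; on a second run that is the empty file the first run created, which clobbers the backup of the original configuration and restarts NetworkManager needlessly. `[[ -f $gmdconf && ! -f ${gmdconf}.bak ]] && mv "$gmdconf" "${gmdconf}.bak"` keeps the first backup while still guaranteeing the override file exists afterwards. Note also that `touch "$gmdconf"` now targets `/etc/NetworkManager/conf.d`, which may not exist on every host, whereas the previous /usr/lib path was only touched after being found. The function continues past the end of the hunk.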
@@ -757,12 +757,12 @@ up_to_2.4.120() { } up_to_2.4.130() { + # Remove any old Elastic Defend config files + rm -f /opt/so/conf/elastic-fleet/integrations/endpoints-initial/elastic-defend-endpoints.json + # Elastic Update for this release, so download Elastic Agent files determine_elastic_agent_upgrade - # Integrations policies need to be updated - rm -f /opt/so/state/eaintegrations.txt - # Ensure override exists to allow nmcli access to other devices touch /etc/NetworkManager/conf.d/10-globally-managed-devices.conf From 3f2b0973af3aeb86d8adae58ea2a49d013b0e71d Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 24 Feb 2025 08:59:59 -0600 Subject: [PATCH 67/69] manually create unused logs-soc@package for successful elasticsearch templates load --- .../component/elastic-agent/logs-soc@package.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-soc@package.json diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-soc@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-soc@package.json new file mode 100644 index 000000000..bf3c4f649 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-soc@package.json @@ -0,0 +1,7 @@ +{ + "package": { + "name": "log" + }, + "managed_by": "fleet", + "managed": true +} \ No newline at end of file From d7c06e5ff4622b5c370baacd4f20b3baf06d6d0b Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 24 Feb 2025 09:02:56 -0600 Subject: [PATCH 68/69] run elasticsearch state, right before completing soup to ensure templates for optional integrations are loaded --- salt/manager/tools/sbin/soup | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 27123c660..a6c9b7693 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup 
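Review bot: With this hunk the `rm -f /opt/so/state/eaintegrations.txt` that the previous commit moved into up_to_2.4.130 is gone from both the pre and post phases, while the updated Elastic Defend policy that replaces the JSON removed here still has to be re-applied; if the integrations loader keys off that state file, as the earlier hunk's comment implied, nothing in this series triggers it any more. Either confirm a separate trigger exists or restore the line next to the new `rm -f`, and say in the comment which mechanism picks up the regenerated policy.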
@@ -537,6 +537,10 @@ post_to_2.4.120() { } post_to_2.4.130() { + # Optional integrations are loaded AFTER initial successful load of core ES templates (/opt/so/state/estemplates.txt) + # Dynamic templates are created in elasticsearch.enabled for every optional integration based on output of so-elastic-fleet-optional-integrations-load script + echo "Ensuring Elasticsearch templates are up to date after updating package registry" + salt-call state.apply elasticsearch queue=True # Update kibana default space salt-call state.apply kibana.config queue=True From e2772e899e8d53d48f070242f008eb565a47509d Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 24 Feb 2025 10:24:11 -0600 Subject: [PATCH 69/69] component template missing metadata field --- .../templates/component/elastic-agent/logs-soc@package.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-soc@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-soc@package.json index bf3c4f649..a2ad15b79 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-soc@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-soc@package.json @@ -1,7 +1,10 @@ { + "template": {}, + "_meta": { "package": { "name": "log" }, "managed_by": "fleet", "managed": true + } } \ No newline at end of file
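Review bot: The rebuilt logs-soc@package.json still ends without a newline (`\ No newline at end of file`), and its new `_meta` block advertises `"managed_by": "fleet"` and `"managed": true` for a template the commit message describes as a hand-created, unused stub; if Fleet treats those flags as ownership it may overwrite or reject the template, and if Elasticsearch merely stores them they mislead anyone inspecting the cluster. JSON cannot carry a comment, so the Salt state that loads this directory is the place to record that the file exists only so the composed template resolves and is not a real package template.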