From cf19c8f8c2fa88adf5deb26ee1c466e332622f0e Mon Sep 17 00:00:00 2001 
From: Wes Date: Tue, 5 Sep 2023 13:43:41 +0000 Subject: [PATCH] Remove templates --- .../logs-elastic_agent.apm_server@custom.json | 12 - ...logs-elastic_agent.apm_server@package.json | 329 --- .../logs-elastic_agent.auditbeat@custom.json | 12 - .../logs-elastic_agent.auditbeat@package.json | 329 --- .../logs-elastic_agent.cloudbeat@custom.json | 12 - .../logs-elastic_agent.cloudbeat@package.json | 339 --- ...lastic_agent.endpoint_security@custom.json | 12 - ...astic_agent.endpoint_security@package.json | 329 --- .../logs-elastic_agent.filebeat@custom.json | 12 - .../logs-elastic_agent.filebeat@package.json | 329 --- ...ogs-elastic_agent.fleet_server@custom.json | 12 - ...gs-elastic_agent.fleet_server@package.json | 329 --- .../logs-elastic_agent.heartbeat@custom.json | 12 - .../logs-elastic_agent.heartbeat@package.json | 329 --- .../logs-elastic_agent.metricbeat@custom.json | 12 - ...logs-elastic_agent.metricbeat@package.json | 329 --- ...logs-elastic_agent.osquerybeat@custom.json | 12 - ...ogs-elastic_agent.osquerybeat@package.json | 329 --- .../logs-elastic_agent.packetbeat@custom.json | 12 - ...logs-elastic_agent.packetbeat@package.json | 322 --- .../logs-system.application@custom.json | 12 - .../logs-system.application@package.json | 952 ------ .../logs-system.auth@custom.json | 12 - .../logs-system.auth@package.json | 530 ---- .../logs-system.security@custom.json | 12 - .../logs-system.security@package.json | 1840 ------------ .../logs-system.syslog@custom.json | 12 - .../logs-system.syslog@package.json | 327 --- .../logs-system.system@custom.json | 12 - .../logs-system.system@package.json | 986 ------- .../logs-windows.forwarded@custom.json | 12 - .../logs-windows.forwarded@package.json | 2544 ----------------- .../logs-windows.powershell@custom.json | 12 - .../logs-windows.powershell@package.json | 1335 --------- ...windows.powershell_operational@custom.json | 12 - ...indows.powershell_operational@package.json | 1334 --------- 
...ogs-windows.sysmon_operational@custom.json | 12 - ...gs-windows.sysmon_operational@package.json | 1752 ------------ 38 files changed, 15121 deletions(-) delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json 
delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json deleted file mode 100644 index 919763caa..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json +++ /dev/null 
@@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.apm_server-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - 
"properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": 
"boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json deleted file mode 100644 index 175ad4431..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json +++ /dev/null 
@@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.auditbeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - 
"properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": 
"boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json deleted file mode 100644 index a96480471..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json +++ /dev/null 
@@ -1,339 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.cloudbeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "decision_id", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": 
"keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "message": { - "type": "match_only_text" - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "result": { - "type": "object" - }, - "input": { - "type": "object" - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "decision_id": { - "type": "text" - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json deleted file mode 100644 index 5f16d18de..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json +++ /dev/null 
@@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.endpoint_security-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { 
- "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": 
"boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json deleted file mode 100644 index f5b1ab12a..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json +++ /dev/null 
@@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.filebeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - 
"properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": 
"boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json deleted file mode 100644 index a61d9f7a9..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json +++ /dev/null 
@@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.fleet_server-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - 
"properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": 
"boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json deleted file mode 100644 index d7e244dc2..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json +++ /dev/null 
@@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.heartbeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - 
"properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": 
"boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "message": { - "type": "text" - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json deleted file mode 100644 index 7b0c81283..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json +++ /dev/null 
@@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.metricbeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - 
"properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": 
"boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json deleted file mode 100644 index 2a6780e69..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json +++ /dev/null 
@@ -1,329 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.osquerybeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - 
"properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": 
"boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json deleted file mode 100644 index 973427be1..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json +++ /dev/null 
@@ -1,322 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent.packetbeat-1.7.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - 
"properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": 
"boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json deleted file mode 100644 index 05741a4f0..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@package.json +++ /dev/null 
@@ -1,952 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-system.application-1.6.4", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "event.code", - "event.original", - "error.message", - "message", - "winlog.api", - "winlog.activity_id", - "winlog.computer_name", - "winlog.event_data.AuthenticationPackageName", - "winlog.event_data.Binary", - "winlog.event_data.BitlockerUserInputTime", - "winlog.event_data.BootMode", - "winlog.event_data.BootType", - "winlog.event_data.BuildVersion", - "winlog.event_data.Company", - "winlog.event_data.CorruptionActionState", - "winlog.event_data.CreationUtcTime", - "winlog.event_data.Description", - "winlog.event_data.Detail", - "winlog.event_data.DeviceName", - "winlog.event_data.DeviceNameLength", - "winlog.event_data.DeviceTime", - "winlog.event_data.DeviceVersionMajor", - "winlog.event_data.DeviceVersionMinor", - "winlog.event_data.DriveName", - "winlog.event_data.DriverName", - "winlog.event_data.DriverNameLength", - "winlog.event_data.DwordVal", - "winlog.event_data.EntryCount", - "winlog.event_data.ExtraInfo", - "winlog.event_data.FailureName", - "winlog.event_data.FailureNameLength", - "winlog.event_data.FileVersion", - "winlog.event_data.FinalStatus", - "winlog.event_data.Group", - "winlog.event_data.IdleImplementation", - "winlog.event_data.IdleStateCount", - 
"winlog.event_data.ImpersonationLevel", - "winlog.event_data.IntegrityLevel", - "winlog.event_data.IpAddress", - "winlog.event_data.IpPort", - "winlog.event_data.KeyLength", - "winlog.event_data.LastBootGood", - "winlog.event_data.LastShutdownGood", - "winlog.event_data.LmPackageName", - "winlog.event_data.LogonGuid", - "winlog.event_data.LogonId", - "winlog.event_data.LogonProcessName", - "winlog.event_data.LogonType", - "winlog.event_data.MajorVersion", - "winlog.event_data.MaximumPerformancePercent", - "winlog.event_data.MemberName", - "winlog.event_data.MemberSid", - "winlog.event_data.MinimumPerformancePercent", - "winlog.event_data.MinimumThrottlePercent", - "winlog.event_data.MinorVersion", - "winlog.event_data.NewProcessId", - "winlog.event_data.NewProcessName", - "winlog.event_data.NewSchemeGuid", - "winlog.event_data.NewTime", - "winlog.event_data.NominalFrequency", - "winlog.event_data.Number", - "winlog.event_data.OldSchemeGuid", - "winlog.event_data.OldTime", - "winlog.event_data.OriginalFileName", - "winlog.event_data.Path", - "winlog.event_data.PerformanceImplementation", - "winlog.event_data.PreviousCreationUtcTime", - "winlog.event_data.PreviousTime", - "winlog.event_data.PrivilegeList", - "winlog.event_data.ProcessId", - "winlog.event_data.ProcessName", - "winlog.event_data.ProcessPath", - "winlog.event_data.ProcessPid", - "winlog.event_data.Product", - "winlog.event_data.PuaCount", - "winlog.event_data.PuaPolicyId", - "winlog.event_data.QfeVersion", - "winlog.event_data.Reason", - "winlog.event_data.SchemaVersion", - "winlog.event_data.ScriptBlockText", - "winlog.event_data.ServiceName", - "winlog.event_data.ServiceVersion", - "winlog.event_data.ShutdownActionType", - "winlog.event_data.ShutdownEventCode", - "winlog.event_data.ShutdownReason", - "winlog.event_data.Signature", - "winlog.event_data.SignatureStatus", - "winlog.event_data.Signed", - "winlog.event_data.StartTime", - "winlog.event_data.State", - "winlog.event_data.Status", - 
"winlog.event_data.StopTime", - "winlog.event_data.SubjectDomainName", - "winlog.event_data.SubjectLogonId", - "winlog.event_data.SubjectUserName", - "winlog.event_data.SubjectUserSid", - "winlog.event_data.TSId", - "winlog.event_data.TargetDomainName", - "winlog.event_data.TargetInfo", - "winlog.event_data.TargetLogonGuid", - "winlog.event_data.TargetLogonId", - "winlog.event_data.TargetServerName", - "winlog.event_data.TargetUserName", - "winlog.event_data.TargetUserSid", - "winlog.event_data.TerminalSessionId", - "winlog.event_data.TokenElevationType", - "winlog.event_data.TransmittedServices", - "winlog.event_data.UserSid", - "winlog.event_data.Version", - "winlog.event_data.Workstation", - "winlog.event_data.param1", - "winlog.event_data.param2", - "winlog.event_data.param3", - "winlog.event_data.param4", - "winlog.event_data.param5", - "winlog.event_data.param6", - "winlog.event_data.param7", - "winlog.event_data.param8", - "winlog.event_id", - "winlog.keywords", - "winlog.channel", - "winlog.record_id", - "winlog.related_activity_id", - "winlog.opcode", - "winlog.provider_guid", - "winlog.provider_name", - "winlog.task", - "winlog.user.identifier", - "winlog.user.name", - "winlog.user.domain", - "winlog.user.type" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - }, - { - "winlog.user_data": { - "path_match": "winlog.user_data.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "winlog": { - "properties": { - "related_activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - } - } - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_data": { - "properties": { - "SignatureStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginalFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Product": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "StopTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorruptionActionState": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "KeyLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousCreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "PerformanceImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Group": { - "ignore_above": 1024, - "type": "keyword" - }, - "Description": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownActionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "DwordVal": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMajor": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptBlockText": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "MaximumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "FinalStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleStateCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "MajorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "Path": { - "ignore_above": 1024, - "type": "keyword" - }, - "SchemaVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "TokenElevationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "QfeVersion": { - "ignore_above": 1024, 
- "type": "keyword" - }, - "DeviceVersionMinor": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Company": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaPolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntegrityLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastShutdownGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpPort": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastBootGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signed": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownEventCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Detail": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"TerminalSessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "CreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetServerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Number": { - "ignore_above": 1024, - "type": "keyword" - }, - "BuildVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TSId": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrivilegeList": { - "ignore_above": 1024, - "type": "keyword" - }, - "param7": { - "ignore_above": 1024, - "type": "keyword" - }, - "param8": { - "ignore_above": 1024, - "type": "keyword" - }, - "param5": { - "ignore_above": 1024, - "type": "keyword" - }, - "param6": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriveName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExtraInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "param3": { - "ignore_above": 1024, - "type": "keyword" - }, - "param4": { - "ignore_above": 1024, - "type": "keyword" - }, - "param1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param2": { - "ignore_above": 
1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workstation": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumThrottlePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EntryCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "BitlockerUserInputTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuthenticationPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NominalFrequency": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "module": { - "type": "constant_keyword", - "value": "system" - }, - "dataset": { - "type": "constant_keyword", - "value": "system.application" - } - } - }, - "error": { - "properties": { - "message": { - "type": "match_only_text" - } - } - }, - "message": { - "type": "match_only_text" - } - } - } - }, - "_meta": { - "package": { - "name": "system" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json deleted file mode 100644 index fe77af1db..000000000 
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json deleted file mode 100644 index 51e707850..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@package.json +++ /dev/null 
@@ -1,530 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-system.auth-1.6.4", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.os.full", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.outcome", - "event.provider", - "event.type", - "ecs.version", - "error.message", - "group.id", - "group.name", - "message", - "process.name", - "related.hosts", - "related.user", - "source.as.organization.name", - "source.geo.city_name", - "source.geo.continent_name", - "source.geo.country_iso_code", - "source.geo.country_name", - "source.geo.region_iso_code", - "source.geo.region_name", - "user.effective.name", - "user.id", - "user.name", - "system.auth.ssh.method", - "system.auth.ssh.signature", - "system.auth.ssh.event", - "system.auth.sudo.error", - "system.auth.sudo.tty", - "system.auth.sudo.pwd", - "system.auth.sudo.user", - "system.auth.sudo.command", - "system.auth.useradd.home", - "system.auth.useradd.shell", - "version" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": 
{ - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - } - } - }, - "source": { - "properties": { - "geo": { - "properties": { - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "port": { - "type": "long" - }, - "ip": { - "type": "ip" - } - } - }, - "error": { - "properties": { - "message": { - "type": "match_only_text" - } - } - }, - "message": { - "type": "match_only_text" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - 
"type": "keyword" - } - } - } - } - }, - "@timestamp": { - "type": "date" - }, - "system": { - "properties": { - "auth": { - "properties": { - "ssh": { - "properties": { - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "dropped_ip": { - "type": "ip" - }, - "signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "event": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sudo": { - "properties": { - "tty": { - "ignore_above": 1024, - "type": "keyword" - }, - "error": { - "ignore_above": 1024, - "type": "keyword" - }, - "pwd": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "command": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "useradd": { - "properties": { - "shell": { - "ignore_above": 1024, - "type": "keyword" - }, - "home": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword", - "value": "logs" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "system" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "system.auth" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "effective": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "system" - }, - "managed_by": "fleet", - "managed": true - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json deleted file mode 100644 index a74cd4a70..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@package.json +++ /dev/null 
@@ -1,1840 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-system.security-1.6.4", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.outcome", - "event.provider", - "event.type", - "tags", - "input.type", - "ecs.version", - "group.domain", - "group.id", - "group.name", - "log.file.path", - "log.level", - "message", - "process.args", - "process.command_line", - "process.entity_id", - "process.executable", - "process.name", - "process.parent.executable", - "process.parent.name", - "process.title", - "related.hash", - "related.hosts", - "related.user", - "service.name", - "service.type", - "source.domain", - "user.domain", - "user.id", - "user.name", - "user.effective.domain", - "user.effective.id", - "user.effective.name", - "user.target.group.domain", - "user.target.group.id", - "user.target.group.name", - "user.target.name", - "user.target.domain", - "user.target.id", - "user.changes.name", - "winlog.logon.type", - "winlog.logon.id", - "winlog.logon.failure.reason", - "winlog.logon.failure.status", - "winlog.logon.failure.sub_status", - "winlog.api", - "winlog.activity_id", - "winlog.channel", - "winlog.computer_name", - "winlog.computerObject.domain", - "winlog.computerObject.id", - "winlog.computerObject.name", - 
"winlog.event_data.AccessGranted", - "winlog.event_data.AccessList", - "winlog.event_data.AccessListDescription", - "winlog.event_data.AccessMask", - "winlog.event_data.AccessMaskDescription", - "winlog.event_data.AccessRemoved", - "winlog.event_data.AccountDomain", - "winlog.event_data.AccountExpires", - "winlog.event_data.AccountName", - "winlog.event_data.AllowedToDelegateTo", - "winlog.event_data.AuditPolicyChanges", - "winlog.event_data.AuditPolicyChangesDescription", - "winlog.event_data.AuditSourceName", - "winlog.event_data.AuthenticationPackageName", - "winlog.event_data.Binary", - "winlog.event_data.BitlockerUserInputTime", - "winlog.event_data.BootMode", - "winlog.event_data.BootType", - "winlog.event_data.BuildVersion", - "winlog.event_data.CallerProcessId", - "winlog.event_data.CallerProcessName", - "winlog.event_data.Category", - "winlog.event_data.CategoryId", - "winlog.event_data.ClientAddress", - "winlog.event_data.ClientName", - "winlog.event_data.CommandLine", - "winlog.event_data.Company", - "winlog.event_data.CorruptionActionState", - "winlog.event_data.CrashOnAuditFailValue", - "winlog.event_data.CreationUtcTime", - "winlog.event_data.Description", - "winlog.event_data.Detail", - "winlog.event_data.DeviceName", - "winlog.event_data.DeviceNameLength", - "winlog.event_data.DeviceTime", - "winlog.event_data.DeviceVersionMajor", - "winlog.event_data.DeviceVersionMinor", - "winlog.event_data.DisplayName", - "winlog.event_data.DomainBehaviorVersion", - "winlog.event_data.DomainName", - "winlog.event_data.DomainPolicyChanged", - "winlog.event_data.DomainSid", - "winlog.event_data.DriveName", - "winlog.event_data.DriverName", - "winlog.event_data.DriverNameLength", - "winlog.event_data.Dummy", - "winlog.event_data.DwordVal", - "winlog.event_data.EntryCount", - "winlog.event_data.EventSourceId", - "winlog.event_data.ExtraInfo", - "winlog.event_data.FailureName", - "winlog.event_data.FailureNameLength", - "winlog.event_data.FailureReason", - 
"winlog.event_data.FileVersion", - "winlog.event_data.FinalStatus", - "winlog.event_data.Group", - "winlog.event_data.GroupTypeChange", - "winlog.event_data.HandleId", - "winlog.event_data.HomeDirectory", - "winlog.event_data.HomePath", - "winlog.event_data.IdleImplementation", - "winlog.event_data.IdleStateCount", - "winlog.event_data.ImpersonationLevel", - "winlog.event_data.IntegrityLevel", - "winlog.event_data.IpAddress", - "winlog.event_data.IpPort", - "winlog.event_data.KerberosPolicyChange", - "winlog.event_data.KeyLength", - "winlog.event_data.LastBootGood", - "winlog.event_data.LastShutdownGood", - "winlog.event_data.LmPackageName", - "winlog.event_data.LogonGuid", - "winlog.event_data.LogonHours", - "winlog.event_data.LogonId", - "winlog.event_data.LogonID", - "winlog.event_data.LogonProcessName", - "winlog.event_data.LogonType", - "winlog.event_data.MachineAccountQuota", - "winlog.event_data.MajorVersion", - "winlog.event_data.MandatoryLabel", - "winlog.event_data.MaximumPerformancePercent", - "winlog.event_data.MemberName", - "winlog.event_data.MemberSid", - "winlog.event_data.MinimumPerformancePercent", - "winlog.event_data.MinimumThrottlePercent", - "winlog.event_data.MinorVersion", - "winlog.event_data.MixedDomainMode", - "winlog.event_data.NewProcessId", - "winlog.event_data.NewProcessName", - "winlog.event_data.NewSchemeGuid", - "winlog.event_data.NewSd", - "winlog.event_data.NewSdDacl0", - "winlog.event_data.NewSdDacl1", - "winlog.event_data.NewSdDacl2", - "winlog.event_data.NewSdSacl0", - "winlog.event_data.NewSdSacl1", - "winlog.event_data.NewSdSacl2", - "winlog.event_data.NewTargetUserName", - "winlog.event_data.NewTime", - "winlog.event_data.NewUACList", - "winlog.event_data.NewUacValue", - "winlog.event_data.NominalFrequency", - "winlog.event_data.Number", - "winlog.event_data.ObjectName", - "winlog.event_data.ObjectServer", - "winlog.event_data.ObjectType", - "winlog.event_data.OemInformation", - "winlog.event_data.OldSchemeGuid", - 
"winlog.event_data.OldSd", - "winlog.event_data.OldSdDacl0", - "winlog.event_data.OldSdDacl1", - "winlog.event_data.OldSdDacl2", - "winlog.event_data.OldSdSacl0", - "winlog.event_data.OldSdSacl1", - "winlog.event_data.OldSdSacl2", - "winlog.event_data.OldTargetUserName", - "winlog.event_data.OldTime", - "winlog.event_data.OldUacValue", - "winlog.event_data.OriginalFileName", - "winlog.event_data.PackageName", - "winlog.event_data.PasswordLastSet", - "winlog.event_data.PasswordHistoryLength", - "winlog.event_data.Path", - "winlog.event_data.ParentProcessName", - "winlog.event_data.PerformanceImplementation", - "winlog.event_data.PreviousCreationUtcTime", - "winlog.event_data.PreAuthType", - "winlog.event_data.PreviousTime", - "winlog.event_data.PrimaryGroupId", - "winlog.event_data.PrivilegeList", - "winlog.event_data.ProcessId", - "winlog.event_data.ProcessName", - "winlog.event_data.ProcessPath", - "winlog.event_data.ProcessPid", - "winlog.event_data.Product", - "winlog.event_data.ProfilePath", - "winlog.event_data.PuaCount", - "winlog.event_data.PuaPolicyId", - "winlog.event_data.QfeVersion", - "winlog.event_data.Reason", - "winlog.event_data.ResourceAttributes", - "winlog.event_data.SamAccountName", - "winlog.event_data.SchemaVersion", - "winlog.event_data.ScriptPath", - "winlog.event_data.SidHistory", - "winlog.event_data.ScriptBlockText", - "winlog.event_data.Service", - "winlog.event_data.ServiceAccount", - "winlog.event_data.ServiceFileName", - "winlog.event_data.ServiceName", - "winlog.event_data.ServiceSid", - "winlog.event_data.ServiceStartType", - "winlog.event_data.ServiceType", - "winlog.event_data.ServiceVersion", - "winlog.event_data.SessionName", - "winlog.event_data.ShutdownActionType", - "winlog.event_data.ShutdownEventCode", - "winlog.event_data.ShutdownReason", - "winlog.event_data.SidFilteringEnabled", - "winlog.event_data.Signature", - "winlog.event_data.SignatureStatus", - "winlog.event_data.Signed", - "winlog.event_data.StartTime", - 
"winlog.event_data.State", - "winlog.event_data.Status", - "winlog.event_data.StatusDescription", - "winlog.event_data.StopTime", - "winlog.event_data.SubCategory", - "winlog.event_data.SubCategoryGuid", - "winlog.event_data.SubcategoryGuid", - "winlog.event_data.SubCategoryId", - "winlog.event_data.SubcategoryId", - "winlog.event_data.SubjectDomainName", - "winlog.event_data.SubjectLogonId", - "winlog.event_data.SubjectUserName", - "winlog.event_data.SubjectUserSid", - "winlog.event_data.SubStatus", - "winlog.event_data.TSId", - "winlog.event_data.TargetDomainName", - "winlog.event_data.TargetInfo", - "winlog.event_data.TargetLogonGuid", - "winlog.event_data.TargetLogonId", - "winlog.event_data.TargetServerName", - "winlog.event_data.TargetSid", - "winlog.event_data.TargetUserName", - "winlog.event_data.TargetUserSid", - "winlog.event_data.TdoAttributes", - "winlog.event_data.TdoDirection", - "winlog.event_data.TdoType", - "winlog.event_data.TerminalSessionId", - "winlog.event_data.TicketEncryptionType", - "winlog.event_data.TicketEncryptionTypeDescription", - "winlog.event_data.TicketOptions", - "winlog.event_data.TicketOptionsDescription", - "winlog.event_data.TokenElevationType", - "winlog.event_data.TransmittedServices", - "winlog.event_data.UserAccountControl", - "winlog.event_data.UserParameters", - "winlog.event_data.UserPrincipalName", - "winlog.event_data.UserSid", - "winlog.event_data.UserWorkstations", - "winlog.event_data.Version", - "winlog.event_data.Workstation", - "winlog.event_data.WorkstationName", - "winlog.event_data.param1", - "winlog.event_data.param2", - "winlog.event_data.param3", - "winlog.event_data.param4", - "winlog.event_data.param5", - "winlog.event_data.param6", - "winlog.event_data.param7", - "winlog.event_data.param8", - "winlog.event_id", - "winlog.keywords", - "winlog.level", - "winlog.outcome", - "winlog.record_id", - "winlog.related_activity_id", - "winlog.opcode", - "winlog.provider_guid", - "winlog.provider_name", - 
"winlog.task", - "winlog.time_created", - "winlog.trustAttribute", - "winlog.trustDirection", - "winlog.trustType", - "winlog.user_data.BackupPath", - "winlog.user_data.Channel", - "winlog.user_data.SubjectDomainName", - "winlog.user_data.SubjectLogonId", - "winlog.user_data.SubjectUserName", - "winlog.user_data.SubjectUserSid", - "winlog.user_data.xml_name", - "winlog.user.identifier", - "winlog.user.name", - "winlog.user.domain", - "winlog.user.type" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "args_count": { - "type": "long" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "command_line": { - "ignore_above": 1024, - "type": "wildcard" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "winlog": { - "properties": { - "related_activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "logon": { - "properties": { - "failure": { - "properties": { - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_data": { - "properties": { - "ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginalFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Product": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonHours": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketOptions": { - "ignore_above": 1024, - "type": "keyword" - }, - "AllowedToDelegateTo": { - "ignore_above": 1024, - "type": "keyword" - }, - "TdoAttributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "StopTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessMask": { - "ignore_above": 1024, - "type": "keyword" - }, - "KeyLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "ResourceAttributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "SessionName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PasswordHistoryLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSd": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Group": { - "ignore_above": 1024, - "type": "keyword" - }, - "PackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownActionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "DwordVal": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"DeviceVersionMajor": { - "ignore_above": 1024, - "type": "keyword" - }, - "SidHistory": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "WorkstationName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleStateCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Path": { - "ignore_above": 1024, - "type": "keyword" - }, - "SchemaVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "CrashOnAuditFailValue": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMinor": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "HandleId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastShutdownGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpPort": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastBootGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessListDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "MachineAccountQuota": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldUacValue": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserParameters": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signed": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTime": { - "ignore_above": 1024, - "type": "keyword" 
- }, - "SubCategoryId": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewUacValue": { - "ignore_above": 1024, - "type": "keyword" - }, - "CallerProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProfilePath": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainPolicyChanged": { - "ignore_above": 1024, - "type": "keyword" - }, - "CategoryId": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreAuthType": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccountDomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewUACList": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubcategoryGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "SidFilteringEnabled": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetServerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuditPolicyChanges": { - "ignore_above": 1024, - "type": "keyword" - }, - "Number": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "EventSourceId": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriveName": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "NewProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExtraInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrimaryGroupId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ObjectName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workstation": { - "ignore_above": 1024, - "type": "keyword" - }, - "PasswordLastSet": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumThrottlePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "GroupTypeChange": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessList": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuthenticationPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NominalFrequency": { - "ignore_above": 1024, - "type": "keyword" - }, - "SignatureStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketEncryptionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketOptionsDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ObjectServer": { - "ignore_above": 1024, - "type": "keyword" - }, - "HomePath": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserWorkstations": { - "ignore_above": 1024, - "type": "keyword" - }, - "SamAccountName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorruptionActionState": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuditSourceName": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "SubCategoryGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousCreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuditPolicyChangesDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessMaskDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccountName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PerformanceImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketEncryptionTypeDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceAccount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Description": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptBlockText": { - "ignore_above": 1024, - "type": "keyword" - }, - "ObjectType": { - "ignore_above": 1024, - "type": "keyword" - }, - "MaximumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "KerberosPolicyChange": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "FinalStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "MajorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "MandatoryLabel": { - "ignore_above": 1024, - "type": "keyword" - }, - "HomeDirectory": { - "ignore_above": 1024, - "type": "keyword" - }, - "TokenElevationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "QfeVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccountExpires": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceStartType": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"UserPrincipalName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdSacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "Dummy": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdSacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdSacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "Company": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaPolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdSacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntegrityLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdSacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdSacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSd": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientName": { - "ignore_above": 1024, - "type": "keyword" - }, - "StatusDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdDacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdDacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdDacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainBehaviorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessGranted": { - "ignore_above": 1024, - "type": "keyword" - }, - "ParentProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubcategoryId": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessRemoved": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownEventCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousTime": { - "ignore_above": 1024, - "type": "keyword" - }, 
- "MixedDomainMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdDacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdDacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "Category": { - "ignore_above": 1024, - "type": "keyword" - }, - "TerminalSessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdDacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "CreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "CallerProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TdoType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DisplayName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BuildVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TSId": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrivilegeList": { - "ignore_above": 1024, - "type": "keyword" - }, - "param7": { - "ignore_above": 1024, - "type": "keyword" - }, - "param8": { - "ignore_above": 1024, - "type": "keyword" - }, - "param5": { - "ignore_above": 1024, - "type": "keyword" - }, - "param6": { - "ignore_above": 1024, - "type": "keyword" - }, - "Service": { - "ignore_above": 1024, - "type": "keyword" - }, - "TdoDirection": { - "ignore_above": 1024, - "type": "keyword" - }, - "param3": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "param4": { - "ignore_above": 1024, - "type": "keyword" - }, - "param1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param2": { - "ignore_above": 1024, - "type": "keyword" - }, - "CommandLine": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserAccountControl": { - "ignore_above": 1024, - "type": "keyword" - }, - "OemInformation": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubCategory": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EntryCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonID": { - "ignore_above": 1024, - "type": "keyword" - }, - "BitlockerUserInputTime": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "time_created": { - "ignore_above": 1024, - "type": "keyword" - }, - "trustDirection": { - "ignore_above": 1024, - "type": "keyword" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - } - } - }, - "trustAttribute": { - "ignore_above": 1024, - "type": "keyword" - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "computerObject": { - "properties": { 
- "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user_data": { - "properties": { - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BackupPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "Channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "xml_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "type": "long" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "trustType": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "port": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - } - } - }, - "message": { - "type": "match_only_text" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - 
"instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "input": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword", - "value": "logs" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "system" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "system.security" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "changes": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { 
- "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "system" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json deleted file mode 100644 index 30576a635..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.syslog@package.json +++ /dev/null 
@@ -1,327 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-system.syslog-1.6.4", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.os.full", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.outcome", - "event.provider", - "event.type", - "ecs.version", - "message", - "process.name" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } 
- } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword", - "value": "logs" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "sequence": { - "type": "long" - }, - "ingested": { - 
"type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "system" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "system.syslog" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "type": "match_only_text" - } - } - } - }, - "_meta": { - "package": { - "name": "system" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json deleted file mode 100644 index 068e6846b..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json +++ /dev/null 
@@ -1,986 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-system.system-1.6.4", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.original", - "event.outcome", - "event.provider", - "event.type", - "error.message", - "message", - "winlog.api", - "winlog.activity_id", - "winlog.computer_name", - "winlog.event_data.AuthenticationPackageName", - "winlog.event_data.Binary", - "winlog.event_data.BitlockerUserInputTime", - "winlog.event_data.BootMode", - "winlog.event_data.BootType", - "winlog.event_data.BuildVersion", - "winlog.event_data.Company", - "winlog.event_data.CorruptionActionState", - "winlog.event_data.CreationUtcTime", - "winlog.event_data.Description", - "winlog.event_data.Detail", - "winlog.event_data.DeviceName", - "winlog.event_data.DeviceNameLength", - "winlog.event_data.DeviceTime", - "winlog.event_data.DeviceVersionMajor", - "winlog.event_data.DeviceVersionMinor", - "winlog.event_data.DriveName", - "winlog.event_data.DriverName", - "winlog.event_data.DriverNameLength", - "winlog.event_data.DwordVal", - "winlog.event_data.EntryCount", - "winlog.event_data.ExtraInfo", - "winlog.event_data.FailureName", - "winlog.event_data.FailureNameLength", - "winlog.event_data.FileVersion", - "winlog.event_data.FinalStatus", - 
"winlog.event_data.Group", - "winlog.event_data.IdleImplementation", - "winlog.event_data.IdleStateCount", - "winlog.event_data.ImpersonationLevel", - "winlog.event_data.IntegrityLevel", - "winlog.event_data.IpAddress", - "winlog.event_data.IpPort", - "winlog.event_data.KeyLength", - "winlog.event_data.LastBootGood", - "winlog.event_data.LastShutdownGood", - "winlog.event_data.LmPackageName", - "winlog.event_data.LogonGuid", - "winlog.event_data.LogonId", - "winlog.event_data.LogonProcessName", - "winlog.event_data.LogonType", - "winlog.event_data.MajorVersion", - "winlog.event_data.MaximumPerformancePercent", - "winlog.event_data.MemberName", - "winlog.event_data.MemberSid", - "winlog.event_data.MinimumPerformancePercent", - "winlog.event_data.MinimumThrottlePercent", - "winlog.event_data.MinorVersion", - "winlog.event_data.NewProcessId", - "winlog.event_data.NewProcessName", - "winlog.event_data.NewSchemeGuid", - "winlog.event_data.NewTime", - "winlog.event_data.NominalFrequency", - "winlog.event_data.Number", - "winlog.event_data.OldSchemeGuid", - "winlog.event_data.OldTime", - "winlog.event_data.OriginalFileName", - "winlog.event_data.Path", - "winlog.event_data.PerformanceImplementation", - "winlog.event_data.PreviousCreationUtcTime", - "winlog.event_data.PreviousTime", - "winlog.event_data.PrivilegeList", - "winlog.event_data.ProcessId", - "winlog.event_data.ProcessName", - "winlog.event_data.ProcessPath", - "winlog.event_data.ProcessPid", - "winlog.event_data.Product", - "winlog.event_data.PuaCount", - "winlog.event_data.PuaPolicyId", - "winlog.event_data.QfeVersion", - "winlog.event_data.Reason", - "winlog.event_data.SchemaVersion", - "winlog.event_data.ScriptBlockText", - "winlog.event_data.ServiceName", - "winlog.event_data.ServiceVersion", - "winlog.event_data.ShutdownActionType", - "winlog.event_data.ShutdownEventCode", - "winlog.event_data.ShutdownReason", - "winlog.event_data.Signature", - "winlog.event_data.SignatureStatus", - 
"winlog.event_data.Signed", - "winlog.event_data.StartTime", - "winlog.event_data.State", - "winlog.event_data.Status", - "winlog.event_data.StopTime", - "winlog.event_data.SubjectDomainName", - "winlog.event_data.SubjectLogonId", - "winlog.event_data.SubjectUserName", - "winlog.event_data.SubjectUserSid", - "winlog.event_data.TSId", - "winlog.event_data.TargetDomainName", - "winlog.event_data.TargetInfo", - "winlog.event_data.TargetLogonGuid", - "winlog.event_data.TargetLogonId", - "winlog.event_data.TargetServerName", - "winlog.event_data.TargetUserName", - "winlog.event_data.TargetUserSid", - "winlog.event_data.TerminalSessionId", - "winlog.event_data.TokenElevationType", - "winlog.event_data.TransmittedServices", - "winlog.event_data.UserSid", - "winlog.event_data.Version", - "winlog.event_data.Workstation", - "winlog.event_data.param1", - "winlog.event_data.param2", - "winlog.event_data.param3", - "winlog.event_data.param4", - "winlog.event_data.param5", - "winlog.event_data.param6", - "winlog.event_data.param7", - "winlog.event_data.param8", - "winlog.event_id", - "winlog.keywords", - "winlog.channel", - "winlog.record_id", - "winlog.related_activity_id", - "winlog.opcode", - "winlog.provider_guid", - "winlog.provider_name", - "winlog.task", - "winlog.user.identifier", - "winlog.user.name", - "winlog.user.domain", - "winlog.user.type" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - }, - { - "winlog.user_data": { - "path_match": "winlog.user_data.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "winlog": { - "properties": { - "related_activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - } - } - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_data": { - "properties": { - "SignatureStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginalFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Product": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "StopTime": { - "ignore_above": 1024, 
- "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorruptionActionState": { - "ignore_above": 1024, - "type": "keyword" - }, - "KeyLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousCreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "PerformanceImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Group": { - "ignore_above": 1024, - "type": "keyword" - }, - "Description": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownActionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "DwordVal": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMajor": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptBlockText": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "MaximumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "FinalStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleStateCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "MajorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "Path": { - "ignore_above": 1024, - "type": "keyword" - }, - "SchemaVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "TokenElevationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleImplementation": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "ProcessPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "QfeVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMinor": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Company": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaPolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntegrityLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastShutdownGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpPort": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastBootGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signed": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownEventCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberName": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "TerminalSessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "CreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetServerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Number": { - "ignore_above": 1024, - "type": "keyword" - }, - "BuildVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TSId": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrivilegeList": { - "ignore_above": 1024, - "type": "keyword" - }, - "param7": { - "ignore_above": 1024, - "type": "keyword" - }, - "param8": { - "ignore_above": 1024, - "type": "keyword" - }, - "param5": { - "ignore_above": 1024, - "type": "keyword" - }, - "param6": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriveName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExtraInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "param3": { - "ignore_above": 1024, - "type": "keyword" - }, - "param4": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "param1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param2": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workstation": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumThrottlePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EntryCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "BitlockerUserInputTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuthenticationPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NominalFrequency": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { 
- "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "system" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "system.system" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - 
"properties": { - "message": { - "type": "match_only_text" - } - } - }, - "message": { - "type": "match_only_text" - } - } - } - }, - "_meta": { - "package": { - "name": "system" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json deleted file mode 100644 index 967641107..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@package.json +++ /dev/null 
@@ -1,2544 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-windows.forwarded-1.20.1", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "analysis": { - "analyzer": { - "powershell_script_analyzer": { - "pattern": "[\\W&&[^-]]+", - "type": "pattern" - } - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.outcome", - "event.provider", - "event.type", - "tags", - "input.type", - "destination.domain", - "destination.user.domain", - "destination.user.id", - "destination.user.name", - "dns.answers.class", - "dns.answers.data", - "dns.answers.name", - "dns.answers.type", - "dns.header_flags", - "dns.id", - "dns.op_code", - "dns.question.class", - "dns.question.name", - "dns.question.registered_domain", - "dns.question.subdomain", - "dns.question.top_level_domain", - "dns.question.type", - "dns.response_code", - "dns.type", - "ecs.version", - "file.code_signature.status", - "file.code_signature.subject_name", - "file.directory", - "file.extension", - "file.hash.md5", - "file.hash.sha1", - "file.hash.sha256", - "file.hash.sha512", - "file.name", - "file.path", - "file.pe.architecture", - "file.pe.company", - "file.pe.description", - "file.pe.file_version", - "file.pe.imphash", - "file.pe.original_file_name", - "file.pe.product", - "group.domain", - "group.id", - "group.name", - 
"log.file.path", - "log.level", - "message", - "network.community_id", - "network.direction", - "network.protocol", - "network.transport", - "network.type", - "process.args", - "process.command_line", - "process.entity_id", - "process.executable", - "process.hash.md5", - "process.hash.sha1", - "process.hash.sha256", - "process.hash.sha512", - "process.name", - "process.parent.args", - "process.parent.command_line", - "process.parent.entity_id", - "process.parent.executable", - "process.parent.hash.md5", - "process.parent.hash.sha1", - "process.parent.hash.sha256", - "process.parent.hash.sha512", - "process.parent.name", - "process.parent.pe.architecture", - "process.parent.pe.company", - "process.parent.pe.description", - "process.parent.pe.file_version", - "process.parent.pe.imphash", - "process.parent.pe.original_file_name", - "process.parent.pe.product", - "process.parent.title", - "process.pe.architecture", - "process.pe.company", - "process.pe.description", - "process.pe.file_version", - "process.pe.imphash", - "process.pe.original_file_name", - "process.pe.product", - "process.title", - "process.working_directory", - "registry.data.strings", - "registry.data.type", - "registry.hive", - "registry.key", - "registry.path", - "registry.value", - "related.hash", - "related.hosts", - "related.user", - "rule.name", - "service.name", - "service.type", - "source.domain", - "source.user.domain", - "source.user.id", - "source.user.name", - "user.domain", - "user.id", - "user.name", - "user.target.group.domain", - "user.target.group.id", - "user.target.group.name", - "user.target.name", - "sysmon.dns.status", - "winlog.logon.type", - "winlog.logon.id", - "winlog.logon.failure.reason", - "winlog.logon.failure.status", - "winlog.logon.failure.sub_status", - "winlog.api", - "winlog.activity_id", - "winlog.computer_name", - "winlog.level", - "winlog.outcome", - "winlog.trustAttribute", - "winlog.trustDirection", - "winlog.trustType", - "winlog.computerObject.domain", - 
"winlog.computerObject.id", - "winlog.computerObject.name", - "winlog.event_data.AccessGranted", - "winlog.event_data.AccessMask", - "winlog.event_data.AccessMaskDescription", - "winlog.event_data.AccessRemoved", - "winlog.event_data.AccountDomain", - "winlog.event_data.AccountExpires", - "winlog.event_data.AccountName", - "winlog.event_data.AllowedToDelegateTo", - "winlog.event_data.AuditPolicyChanges", - "winlog.event_data.AuditPolicyChangesDescription", - "winlog.event_data.AuditSourceName", - "winlog.event_data.AuthenticationPackageName", - "winlog.event_data.Binary", - "winlog.event_data.BitlockerUserInputTime", - "winlog.event_data.BootMode", - "winlog.event_data.BootType", - "winlog.event_data.BuildVersion", - "winlog.event_data.CallerProcessId", - "winlog.event_data.CallerProcessName", - "winlog.event_data.Category", - "winlog.event_data.CategoryId", - "winlog.event_data.ClientAddress", - "winlog.event_data.ClientInfo", - "winlog.event_data.ClientName", - "winlog.event_data.CommandLine", - "winlog.event_data.Company", - "winlog.event_data.ComputerAccountChange", - "winlog.event_data.Configuration", - "winlog.event_data.CorruptionActionState", - "winlog.event_data.CrashOnAuditFailValue", - "winlog.event_data.CreationUtcTime", - "winlog.event_data.Description", - "winlog.event_data.Detail", - "winlog.event_data.DeviceName", - "winlog.event_data.DeviceNameLength", - "winlog.event_data.DeviceTime", - "winlog.event_data.DeviceVersionMajor", - "winlog.event_data.DeviceVersionMinor", - "winlog.event_data.DisplayName", - "winlog.event_data.DnsHostName", - "winlog.event_data.DomainBehaviorVersion", - "winlog.event_data.DomainName", - "winlog.event_data.DomainPolicyChanged", - "winlog.event_data.DomainSid", - "winlog.event_data.DriveName", - "winlog.event_data.DriverName", - "winlog.event_data.DriverNameLength", - "winlog.event_data.Dummy", - "winlog.event_data.DwordVal", - "winlog.event_data.EntryCount", - "winlog.event_data.EventSourceId", - 
"winlog.event_data.EventType", - "winlog.event_data.ExtraInfo", - "winlog.event_data.FailureName", - "winlog.event_data.FailureNameLength", - "winlog.event_data.FailureReason", - "winlog.event_data.FileVersion", - "winlog.event_data.FinalStatus", - "winlog.event_data.Group", - "winlog.event_data.GroupTypeChange", - "winlog.event_data.HandleId", - "winlog.event_data.HomeDirectory", - "winlog.event_data.HomePath", - "winlog.event_data.IdleImplementation", - "winlog.event_data.IdleStateCount", - "winlog.event_data.ImpersonationLevel", - "winlog.event_data.IntegrityLevel", - "winlog.event_data.IpAddress", - "winlog.event_data.IpPort", - "winlog.event_data.KerberosPolicyChange", - "winlog.event_data.KeyLength", - "winlog.event_data.LastBootGood", - "winlog.event_data.LastShutdownGood", - "winlog.event_data.LmPackageName", - "winlog.event_data.LogonGuid", - "winlog.event_data.LogonHours", - "winlog.event_data.LogonId", - "winlog.event_data.LogonID", - "winlog.event_data.LogonProcessName", - "winlog.event_data.LogonType", - "winlog.event_data.MachineAccountQuota", - "winlog.event_data.MajorVersion", - "winlog.event_data.MandatoryLabel", - "winlog.event_data.MaximumPerformancePercent", - "winlog.event_data.MemberName", - "winlog.event_data.MemberSid", - "winlog.event_data.MinimumPerformancePercent", - "winlog.event_data.MinimumThrottlePercent", - "winlog.event_data.MinorVersion", - "winlog.event_data.MixedDomainMode", - "winlog.event_data.NewProcessId", - "winlog.event_data.NewProcessName", - "winlog.event_data.NewSchemeGuid", - "winlog.event_data.NewSd", - "winlog.event_data.NewSdDacl0", - "winlog.event_data.NewSdDacl1", - "winlog.event_data.NewSdDacl2", - "winlog.event_data.NewSdSacl0", - "winlog.event_data.NewSdSacl1", - "winlog.event_data.NewSdSacl2", - "winlog.event_data.NewTargetUserName", - "winlog.event_data.NewTime", - "winlog.event_data.NewUACList", - "winlog.event_data.NewUacValue", - "winlog.event_data.NominalFrequency", - "winlog.event_data.Number", - 
"winlog.event_data.ObjectName", - "winlog.event_data.ObjectServer", - "winlog.event_data.ObjectType", - "winlog.event_data.OemInformation", - "winlog.event_data.OldSchemeGuid", - "winlog.event_data.OldSd", - "winlog.event_data.OldSdDacl0", - "winlog.event_data.OldSdDacl1", - "winlog.event_data.OldSdDacl2", - "winlog.event_data.OldSdSacl0", - "winlog.event_data.OldSdSacl1", - "winlog.event_data.OldSdSacl2", - "winlog.event_data.OldTargetUserName", - "winlog.event_data.OldTime", - "winlog.event_data.OldUacValue", - "winlog.event_data.OriginalFileName", - "winlog.event_data.PackageName", - "winlog.event_data.PasswordLastSet", - "winlog.event_data.PasswordHistoryLength", - "winlog.event_data.Path", - "winlog.event_data.ParentProcessName", - "winlog.event_data.PerformanceImplementation", - "winlog.event_data.PreviousCreationUtcTime", - "winlog.event_data.PreAuthType", - "winlog.event_data.PreviousTime", - "winlog.event_data.PrimaryGroupId", - "winlog.event_data.PrivilegeList", - "winlog.event_data.ProcessId", - "winlog.event_data.ProcessName", - "winlog.event_data.ProcessPath", - "winlog.event_data.ProcessPid", - "winlog.event_data.Product", - "winlog.event_data.ProfilePath", - "winlog.event_data.PuaCount", - "winlog.event_data.PuaPolicyId", - "winlog.event_data.QfeVersion", - "winlog.event_data.Reason", - "winlog.event_data.SamAccountName", - "winlog.event_data.SchemaVersion", - "winlog.event_data.ScriptPath", - "winlog.event_data.Session", - "winlog.event_data.SidHistory", - "winlog.event_data.ScriptBlockText", - "winlog.event_data.Service", - "winlog.event_data.ServiceAccount", - "winlog.event_data.ServiceFileName", - "winlog.event_data.ServiceName", - "winlog.event_data.ServicePrincipalNames", - "winlog.event_data.ServiceSid", - "winlog.event_data.ServiceStartType", - "winlog.event_data.ServiceType", - "winlog.event_data.ServiceVersion", - "winlog.event_data.SessionName", - "winlog.event_data.ShutdownActionType", - "winlog.event_data.ShutdownEventCode", - 
"winlog.event_data.ShutdownReason", - "winlog.event_data.SidFilteringEnabled", - "winlog.event_data.Signature", - "winlog.event_data.SignatureStatus", - "winlog.event_data.Signed", - "winlog.event_data.StartTime", - "winlog.event_data.State", - "winlog.event_data.Status", - "winlog.event_data.StatusDescription", - "winlog.event_data.StopTime", - "winlog.event_data.SubCategory", - "winlog.event_data.SubCategoryGuid", - "winlog.event_data.SubcategoryGuid", - "winlog.event_data.SubCategoryId", - "winlog.event_data.SubcategoryId", - "winlog.event_data.SubjectDomainName", - "winlog.event_data.SubjectLogonId", - "winlog.event_data.SubjectUserName", - "winlog.event_data.SubjectUserSid", - "winlog.event_data.SubStatus", - "winlog.event_data.TSId", - "winlog.event_data.TargetDomainName", - "winlog.event_data.TargetInfo", - "winlog.event_data.TargetLogonGuid", - "winlog.event_data.TargetLogonId", - "winlog.event_data.TargetServerName", - "winlog.event_data.TargetSid", - "winlog.event_data.TargetUserName", - "winlog.event_data.TargetUserSid", - "winlog.event_data.TdoAttributes", - "winlog.event_data.TdoDirection", - "winlog.event_data.TdoType", - "winlog.event_data.TerminalSessionId", - "winlog.event_data.TicketEncryptionType", - "winlog.event_data.TicketEncryptionTypeDescription", - "winlog.event_data.TicketOptions", - "winlog.event_data.TicketOptionsDescription", - "winlog.event_data.TokenElevationType", - "winlog.event_data.TransmittedServices", - "winlog.event_data.UserAccountControl", - "winlog.event_data.UserParameters", - "winlog.event_data.UserPrincipalName", - "winlog.event_data.UserSid", - "winlog.event_data.UserWorkstations", - "winlog.event_data.Version", - "winlog.event_data.Workstation", - "winlog.event_data.WorkstationName", - "winlog.event_data.param1", - "winlog.event_data.param2", - "winlog.event_data.param3", - "winlog.event_data.param4", - "winlog.event_data.param5", - "winlog.event_data.param6", - "winlog.event_data.param7", - "winlog.event_data.param8", 
- "winlog.event_id", - "winlog.keywords", - "winlog.channel", - "winlog.record_id", - "winlog.related_activity_id", - "winlog.opcode", - "winlog.provider_guid", - "winlog.provider_name", - "winlog.task", - "winlog.user_data.BackupPath", - "winlog.user_data.Channel", - "winlog.user_data.SubjectDomainName", - "winlog.user_data.SubjectLogonId", - "winlog.user_data.SubjectUserName", - "winlog.user_data.SubjectUserSid", - "winlog.user_data.xml_name", - "winlog.user.identifier", - "winlog.user.name", - "winlog.user.domain", - "winlog.user.type", - "powershell.id", - "powershell.pipeline_id", - "powershell.runspace_id", - "powershell.command.path", - "powershell.command.name", - "powershell.command.type", - "powershell.command.value", - "powershell.connected_user.domain", - "powershell.connected_user.name", - "powershell.engine.version", - "powershell.engine.previous_state", - "powershell.engine.new_state", - "powershell.file.script_block_id", - "powershell.file.script_block_text", - "powershell.process.executable_version", - "powershell.provider.new_state", - "powershell.provider.name" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sysmon": { - "properties": { - "file": { - "properties": { - "archived": { - "type": "boolean" - }, - "is_executable": { - "type": "boolean" - } - } - }, - "dns": { - "properties": { - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "level": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "port": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "rule": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "port": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "network": { - "properties": { - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - 
"id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "valid": { - "type": "boolean" - }, - "trusted": { - "type": "boolean" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 
1024, - "type": "keyword" - } - } - }, - "powershell": { - "properties": { - "sequence": { - "type": "long" - }, - "total": { - "type": "long" - }, - "connected_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "executable_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "script_block_text": { - "search_analyzer": "powershell_script_analyzer", - "analyzer": "powershell_script_analyzer", - "type": "text" - }, - "script_block_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "engine": { - "properties": { - "previous_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "runspace_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pipeline_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "command": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "type": "text" - } - } - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { 
- "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "windows" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "windows.forwarded" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "registry": { - "properties": { - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "properties": { - "strings": { - "ignore_above": 1024, - "type": "wildcard" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": 
{ - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "start": { - "type": "date" - }, - "pid": { - "type": "long" - }, - "args_count": { - "type": "long" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "wildcard", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "pe": { - "properties": { - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 
1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "pid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "args_count": { - "type": "long" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "wildcard", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "winlog": { - "properties": { - "related_activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "logon": { - "properties": { - "failure": { - "properties": { - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_data": { - "properties": { - 
"ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Configuration": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginalFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Product": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonHours": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketOptions": { - "ignore_above": 1024, - "type": "keyword" - }, - "AllowedToDelegateTo": { - "ignore_above": 1024, - "type": "keyword" - }, - "TdoAttributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "StopTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessMask": { - "ignore_above": 1024, - "type": "keyword" - }, - "KeyLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "SessionName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PasswordHistoryLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSd": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Group": { - "ignore_above": 1024, - "type": "keyword" - }, - "PackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownActionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "DwordVal": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMajor": { - "ignore_above": 1024, - "type": "keyword" - }, - "SidHistory": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "WorkstationName": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"SubStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleStateCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Path": { - "ignore_above": 1024, - "type": "keyword" - }, - "SchemaVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "CrashOnAuditFailValue": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMinor": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "HandleId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DnsHostName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastShutdownGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpPort": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastBootGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "MachineAccountQuota": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldUacValue": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserParameters": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signed": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubCategoryId": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewUacValue": { - "ignore_above": 1024, - "type": "keyword" - }, - "CallerProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"ProfilePath": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ComputerAccountChange": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainPolicyChanged": { - "ignore_above": 1024, - "type": "keyword" - }, - "CategoryId": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreAuthType": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccountDomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewUACList": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubcategoryGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "SidFilteringEnabled": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetServerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuditPolicyChanges": { - "ignore_above": 1024, - "type": "keyword" - }, - "Number": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "EventSourceId": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriveName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExtraInfo": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "PrimaryGroupId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ObjectName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workstation": { - "ignore_above": 1024, - "type": "keyword" - }, - "PasswordLastSet": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumThrottlePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "GroupTypeChange": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuthenticationPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NominalFrequency": { - "ignore_above": 1024, - "type": "keyword" - }, - "SignatureStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketEncryptionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketOptionsDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ObjectServer": { - "ignore_above": 1024, - "type": "keyword" - }, - "HomePath": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserWorkstations": { - "ignore_above": 1024, - "type": "keyword" - }, - "SamAccountName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorruptionActionState": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuditSourceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubCategoryGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousCreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuditPolicyChangesDescription": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "AccessMaskDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccountName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PerformanceImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "TicketEncryptionTypeDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceAccount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Description": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptBlockText": { - "ignore_above": 1024, - "type": "keyword" - }, - "ObjectType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServicePrincipalNames": { - "ignore_above": 1024, - "type": "keyword" - }, - "MaximumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "KerberosPolicyChange": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "FinalStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "MajorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "MandatoryLabel": { - "ignore_above": 1024, - "type": "keyword" - }, - "HomeDirectory": { - "ignore_above": 1024, - "type": "keyword" - }, - "TokenElevationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "QfeVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccountExpires": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceStartType": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserPrincipalName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdSacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "Dummy": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"NewSdSacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdSacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "Company": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaPolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdSacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "EventType": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntegrityLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdSacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdSacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSd": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientName": { - "ignore_above": 1024, - "type": "keyword" - }, - "StatusDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdDacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdDacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSdDacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "DomainBehaviorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessGranted": { - "ignore_above": 1024, - "type": "keyword" - }, - "ParentProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubcategoryId": { - "ignore_above": 1024, - "type": "keyword" - }, - "AccessRemoved": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownEventCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "MixedDomainMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientInfo": { - "ignore_above": 1024, - "type": "keyword" - 
}, - "Detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdDacl1": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdDacl0": { - "ignore_above": 1024, - "type": "keyword" - }, - "Category": { - "ignore_above": 1024, - "type": "keyword" - }, - "TerminalSessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSdDacl2": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "CreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "CallerProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TdoType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DisplayName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BuildVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TSId": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrivilegeList": { - "ignore_above": 1024, - "type": "keyword" - }, - "param7": { - "ignore_above": 1024, - "type": "keyword" - }, - "param8": { - "ignore_above": 1024, - "type": "keyword" - }, - "param5": { - "ignore_above": 1024, - "type": "keyword" - }, - "param6": { - "ignore_above": 1024, - "type": "keyword" - }, - "Service": { - "ignore_above": 1024, - "type": "keyword" - }, - "TdoDirection": { - "ignore_above": 1024, - "type": "keyword" - }, - "param3": { - "ignore_above": 1024, - "type": "keyword" - }, - "param4": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "param1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param2": { - "ignore_above": 1024, - "type": "keyword" - }, - "CommandLine": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserAccountControl": { - "ignore_above": 1024, - "type": "keyword" - }, - "OemInformation": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubCategory": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EntryCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonID": { - "ignore_above": 1024, - "type": "keyword" - }, - "BitlockerUserInputTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Session": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "time_created": { - "type": "date" - }, - "trustDirection": { - "ignore_above": 1024, - "type": "keyword" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trustAttribute": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "computerObject": { - "properties": { - "domain": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user_data": { - "properties": { - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BackupPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "Channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "xml_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "type": "long" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "trustType": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "dns": { - "properties": { - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "answers": { - "properties": { - "data": { - "ignore_above": 
1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - } - } - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "type": "match_only_text" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "input": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dataset": { - "properties": { - "name": { - "type": "constant_keyword" - }, - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - } - } - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "windows" - }, - "managed_by": "fleet", 
- "managed": true
- }
- }
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json
deleted file mode 100644
index fe77af1db..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "template": {
- "settings": {}
- },
- "_meta": {
- "package": {
- "name": "elastic_agent"
- },
- "managed_by": "fleet",
- "managed": true
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json
deleted file mode 100644
index ad0ff857e..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@package.json
+++ /dev/null
@@ -1,1335 +0,0 @@ - {"template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-windows.powershell-1.20.1", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "analysis": { - "analyzer": { - "powershell_script_analyzer": { - "pattern": "[\\W&&[^-]]+", - "type": "pattern" - } - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "event.action", - "event.category", - "event.code", - "event.kind", - "event.outcome", - "event.provider", - "event.type", - "tags", - "input.type", - "destination.user.domain", - "destination.user.id", - "destination.user.name", - "ecs.version", - "file.directory", - "file.extension", - "file.name", - "file.path", - "log.level", - "message", - "process.args", - "process.command_line", - "process.entity_id", - "process.executable", - "process.name", - "process.title", - "related.hash", - "related.hosts", - "related.user", - "source.user.domain", - "source.user.id", - "source.user.name", - "user.domain", - "user.id", - "user.name", - "powershell.id", - "powershell.pipeline_id", - "powershell.runspace_id", - "powershell.command.path", - "powershell.command.name", - "powershell.command.type", - "powershell.command.value", - "powershell.connected_user.domain", - "powershell.connected_user.name", - "powershell.engine.version", - "powershell.engine.previous_state", - "powershell.engine.new_state", - "powershell.file.script_block_id", - 
"powershell.file.script_block_text", - "powershell.process.executable_version", - "powershell.provider.new_state", - "powershell.provider.name", - "winlog.api", - "winlog.activity_id", - "winlog.computer_name", - "winlog.event_data.AuthenticationPackageName", - "winlog.event_data.Binary", - "winlog.event_data.BitlockerUserInputTime", - "winlog.event_data.BootMode", - "winlog.event_data.BootType", - "winlog.event_data.BuildVersion", - "winlog.event_data.Company", - "winlog.event_data.CorruptionActionState", - "winlog.event_data.CreationUtcTime", - "winlog.event_data.Description", - "winlog.event_data.Detail", - "winlog.event_data.DeviceName", - "winlog.event_data.DeviceNameLength", - "winlog.event_data.DeviceTime", - "winlog.event_data.DeviceVersionMajor", - "winlog.event_data.DeviceVersionMinor", - "winlog.event_data.DriveName", - "winlog.event_data.DriverName", - "winlog.event_data.DriverNameLength", - "winlog.event_data.DwordVal", - "winlog.event_data.EntryCount", - "winlog.event_data.ExtraInfo", - "winlog.event_data.FailureName", - "winlog.event_data.FailureNameLength", - "winlog.event_data.FileVersion", - "winlog.event_data.FinalStatus", - "winlog.event_data.Group", - "winlog.event_data.IdleImplementation", - "winlog.event_data.IdleStateCount", - "winlog.event_data.ImpersonationLevel", - "winlog.event_data.IntegrityLevel", - "winlog.event_data.IpAddress", - "winlog.event_data.IpPort", - "winlog.event_data.KeyLength", - "winlog.event_data.LastBootGood", - "winlog.event_data.LastShutdownGood", - "winlog.event_data.LmPackageName", - "winlog.event_data.LogonGuid", - "winlog.event_data.LogonId", - "winlog.event_data.LogonProcessName", - "winlog.event_data.LogonType", - "winlog.event_data.MajorVersion", - "winlog.event_data.MaximumPerformancePercent", - "winlog.event_data.MemberName", - "winlog.event_data.MemberSid", - "winlog.event_data.MinimumPerformancePercent", - "winlog.event_data.MinimumThrottlePercent", - "winlog.event_data.MinorVersion", - 
"winlog.event_data.NewProcessId", - "winlog.event_data.NewProcessName", - "winlog.event_data.NewSchemeGuid", - "winlog.event_data.NewTime", - "winlog.event_data.NominalFrequency", - "winlog.event_data.Number", - "winlog.event_data.OldSchemeGuid", - "winlog.event_data.OldTime", - "winlog.event_data.OriginalFileName", - "winlog.event_data.Path", - "winlog.event_data.PerformanceImplementation", - "winlog.event_data.PreviousCreationUtcTime", - "winlog.event_data.PreviousTime", - "winlog.event_data.PrivilegeList", - "winlog.event_data.ProcessId", - "winlog.event_data.ProcessName", - "winlog.event_data.ProcessPath", - "winlog.event_data.ProcessPid", - "winlog.event_data.Product", - "winlog.event_data.PuaCount", - "winlog.event_data.PuaPolicyId", - "winlog.event_data.QfeVersion", - "winlog.event_data.Reason", - "winlog.event_data.SchemaVersion", - "winlog.event_data.ScriptBlockText", - "winlog.event_data.ServiceName", - "winlog.event_data.ServiceVersion", - "winlog.event_data.ShutdownActionType", - "winlog.event_data.ShutdownEventCode", - "winlog.event_data.ShutdownReason", - "winlog.event_data.Signature", - "winlog.event_data.SignatureStatus", - "winlog.event_data.Signed", - "winlog.event_data.StartTime", - "winlog.event_data.State", - "winlog.event_data.Status", - "winlog.event_data.StopTime", - "winlog.event_data.SubjectDomainName", - "winlog.event_data.SubjectLogonId", - "winlog.event_data.SubjectUserName", - "winlog.event_data.SubjectUserSid", - "winlog.event_data.TSId", - "winlog.event_data.TargetDomainName", - "winlog.event_data.TargetInfo", - "winlog.event_data.TargetLogonGuid", - "winlog.event_data.TargetLogonId", - "winlog.event_data.TargetServerName", - "winlog.event_data.TargetUserName", - "winlog.event_data.TargetUserSid", - "winlog.event_data.TerminalSessionId", - "winlog.event_data.TokenElevationType", - "winlog.event_data.TransmittedServices", - "winlog.event_data.UserSid", - "winlog.event_data.Version", - "winlog.event_data.Workstation", - 
"winlog.event_data.param1", - "winlog.event_data.param2", - "winlog.event_data.param3", - "winlog.event_data.param4", - "winlog.event_data.param5", - "winlog.event_data.param6", - "winlog.event_data.param7", - "winlog.event_data.param8", - "winlog.event_id", - "winlog.keywords", - "winlog.channel", - "winlog.record_id", - "winlog.related_activity_id", - "winlog.opcode", - "winlog.provider_guid", - "winlog.provider_name", - "winlog.task", - "winlog.user.identifier", - "winlog.user.name", - "winlog.user.domain", - "winlog.user.type" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - }, - { - "winlog.user_data": { - "path_match": "winlog.user_data.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "pid": { - "type": "long" - }, - "args_count": { - "type": "long" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "wildcard", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - } - } - }, - "winlog": { - "properties": { - "related_activity_id": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - } - } - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_data": { - "properties": { - "SignatureStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginalFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Product": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "StopTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorruptionActionState": { - "ignore_above": 1024, - "type": "keyword" - }, - "KeyLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousCreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "PerformanceImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Group": { - "ignore_above": 1024, - "type": "keyword" - }, - "Description": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownActionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "DwordVal": { - "ignore_above": 
1024, - "type": "keyword" - }, - "ProcessPid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMajor": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptBlockText": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "MaximumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "FinalStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleStateCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "MajorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "Path": { - "ignore_above": 1024, - "type": "keyword" - }, - "SchemaVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "TokenElevationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "QfeVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMinor": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Company": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaPolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntegrityLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastShutdownGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpPort": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserSid": { 
- "ignore_above": 1024, - "type": "keyword" - }, - "LastBootGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signed": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownEventCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "TerminalSessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "CreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetServerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Number": { - "ignore_above": 1024, - "type": "keyword" - }, - "BuildVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "MinimumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TSId": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrivilegeList": { - "ignore_above": 1024, - "type": "keyword" - }, - "param7": { - "ignore_above": 1024, - "type": "keyword" - }, - "param8": { - "ignore_above": 1024, - "type": "keyword" - }, - "param5": { - "ignore_above": 1024, - "type": "keyword" - }, - "param6": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriveName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExtraInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "param3": { - "ignore_above": 1024, - "type": "keyword" - }, - "param4": { - "ignore_above": 1024, - "type": "keyword" - }, - "param1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param2": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workstation": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumThrottlePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EntryCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "BitlockerUserInputTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuthenticationPackageName": { - "ignore_above": 
1024, - "type": "keyword" - }, - "NominalFrequency": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "source": { - "properties": { - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "message": { - "type": "match_only_text" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 
1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "input": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "powershell": { - "properties": { - "sequence": { - "type": "long" - }, - "total": { - "type": "long" - }, - "connected_user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - 
"executable_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "script_block_text": { - "search_analyzer": "powershell_script_analyzer", - "analyzer": "powershell_script_analyzer", - "type": "text" - }, - "script_block_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "engine": { - "properties": { - "previous_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "runspace_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pipeline_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "command": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "type": "text" - } - } - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 
1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "windows" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "windows.powershell" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dataset": { - "properties": { - "name": { - "type": "constant_keyword" - }, - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - } - } - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "windows" - }, - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json deleted file mode 100644 index fe77af1db..000000000 
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "template": {
- "settings": {}
- },
- "_meta": {
- "package": {
- "name": "elastic_agent"
- },
- "managed_by": "fleet",
- "managed": true
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json
deleted file mode 100644
index b5cc588c9..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@package.json
+++ /dev/null
@@ -1,1334 +0,0 @@
- {"template": {
- "settings": {
- "index": {
- "lifecycle": {
- "name": "logs"
- },
- "codec": "best_compression",
- "default_pipeline": "logs-windows.powershell_operational-1.20.1",
- "mapping": {
- "total_fields": {
- "limit": "10000"
- }
- },
- "analysis": {
- "analyzer": {
- "powershell_script_analyzer": {
- "pattern": "[\\W&&[^-]]+",
- "type": "pattern"
- }
- }
- },
- "query": {
- "default_field": [
- "cloud.account.id",
- "cloud.availability_zone",
- "cloud.instance.id",
- "cloud.instance.name",
- "cloud.machine.type",
- "cloud.provider",
- "cloud.region",
- "cloud.project.id",
- "cloud.image.id",
- "container.id",
- "container.image.name",
- "container.name",
- "host.architecture",
- "host.hostname",
- "host.id",
- "host.mac",
- "host.name",
- "host.os.family",
- "host.os.kernel",
- "host.os.name",
- "host.os.platform",
- "host.os.version",
- "host.os.build",
- "host.os.codename",
- "host.type",
- "event.action",
- "event.category",
- "event.code",
- "event.kind",
- "event.outcome",
- "event.provider",
- "event.type",
- "tags",
- "input.type",
- "destination.user.domain",
- "destination.user.id",
- "destination.user.name",
- "ecs.version",
- "file.directory",
- "file.extension",
- "file.name",
- "file.path",
- "log.level",
- "message",
- "process.args",
- "process.command_line",
- "process.entity_id",
- "process.executable",
- "process.name",
- "process.title",
- "related.hash",
- "related.hosts",
- "related.user",
- "source.user.domain",
- "source.user.id",
- "source.user.name",
- "user.domain",
- "user.id",
- "user.name",
- "powershell.id",
- "powershell.pipeline_id",
- "powershell.runspace_id",
- "powershell.command.path",
- "powershell.command.name",
- "powershell.command.type",
- "powershell.command.value",
- "powershell.connected_user.domain",
- "powershell.connected_user.name",
- "powershell.engine.version",
- "powershell.engine.previous_state",
- "powershell.engine.new_state",
- "powershell.file.script_block_id",
-
"powershell.file.script_block_text",
- "powershell.process.executable_version",
- "powershell.provider.new_state",
- "powershell.provider.name",
- "winlog.api",
- "winlog.activity_id",
- "winlog.computer_name",
- "winlog.event_data.AuthenticationPackageName",
- "winlog.event_data.Binary",
- "winlog.event_data.BitlockerUserInputTime",
- "winlog.event_data.BootMode",
- "winlog.event_data.BootType",
- "winlog.event_data.BuildVersion",
- "winlog.event_data.Company",
- "winlog.event_data.CorruptionActionState",
- "winlog.event_data.CreationUtcTime",
- "winlog.event_data.Description",
- "winlog.event_data.Detail",
- "winlog.event_data.DeviceName",
- "winlog.event_data.DeviceNameLength",
- "winlog.event_data.DeviceTime",
- "winlog.event_data.DeviceVersionMajor",
- "winlog.event_data.DeviceVersionMinor",
- "winlog.event_data.DriveName",
- "winlog.event_data.DriverName",
- "winlog.event_data.DriverNameLength",
- "winlog.event_data.DwordVal",
- "winlog.event_data.EntryCount",
- "winlog.event_data.ExtraInfo",
- "winlog.event_data.FailureName",
- "winlog.event_data.FailureNameLength",
- "winlog.event_data.FileVersion",
- "winlog.event_data.FinalStatus",
- "winlog.event_data.Group",
- "winlog.event_data.IdleImplementation",
- "winlog.event_data.IdleStateCount",
- "winlog.event_data.ImpersonationLevel",
- "winlog.event_data.IntegrityLevel",
- "winlog.event_data.IpAddress",
- "winlog.event_data.IpPort",
- "winlog.event_data.KeyLength",
- "winlog.event_data.LastBootGood",
- "winlog.event_data.LastShutdownGood",
- "winlog.event_data.LmPackageName",
- "winlog.event_data.LogonGuid",
- "winlog.event_data.LogonId",
- "winlog.event_data.LogonProcessName",
- "winlog.event_data.LogonType",
- "winlog.event_data.MajorVersion",
- "winlog.event_data.MaximumPerformancePercent",
- "winlog.event_data.MemberName",
- "winlog.event_data.MemberSid",
- "winlog.event_data.MinimumPerformancePercent",
- "winlog.event_data.MinimumThrottlePercent",
- "winlog.event_data.MinorVersion",
-
"winlog.event_data.NewProcessId",
- "winlog.event_data.NewProcessName",
- "winlog.event_data.NewSchemeGuid",
- "winlog.event_data.NewTime",
- "winlog.event_data.NominalFrequency",
- "winlog.event_data.Number",
- "winlog.event_data.OldSchemeGuid",
- "winlog.event_data.OldTime",
- "winlog.event_data.OriginalFileName",
- "winlog.event_data.Path",
- "winlog.event_data.PerformanceImplementation",
- "winlog.event_data.PreviousCreationUtcTime",
- "winlog.event_data.PreviousTime",
- "winlog.event_data.PrivilegeList",
- "winlog.event_data.ProcessId",
- "winlog.event_data.ProcessName",
- "winlog.event_data.ProcessPath",
- "winlog.event_data.ProcessPid",
- "winlog.event_data.Product",
- "winlog.event_data.PuaCount",
- "winlog.event_data.PuaPolicyId",
- "winlog.event_data.QfeVersion",
- "winlog.event_data.Reason",
- "winlog.event_data.SchemaVersion",
- "winlog.event_data.ScriptBlockText",
- "winlog.event_data.ServiceName",
- "winlog.event_data.ServiceVersion",
- "winlog.event_data.ShutdownActionType",
- "winlog.event_data.ShutdownEventCode",
- "winlog.event_data.ShutdownReason",
- "winlog.event_data.Signature",
- "winlog.event_data.SignatureStatus",
- "winlog.event_data.Signed",
- "winlog.event_data.StartTime",
- "winlog.event_data.State",
- "winlog.event_data.Status",
- "winlog.event_data.StopTime",
- "winlog.event_data.SubjectDomainName",
- "winlog.event_data.SubjectLogonId",
- "winlog.event_data.SubjectUserName",
- "winlog.event_data.SubjectUserSid",
- "winlog.event_data.TSId",
- "winlog.event_data.TargetDomainName",
- "winlog.event_data.TargetInfo",
- "winlog.event_data.TargetLogonGuid",
- "winlog.event_data.TargetLogonId",
- "winlog.event_data.TargetServerName",
- "winlog.event_data.TargetUserName",
- "winlog.event_data.TargetUserSid",
- "winlog.event_data.TerminalSessionId",
- "winlog.event_data.TokenElevationType",
- "winlog.event_data.TransmittedServices",
- "winlog.event_data.UserSid",
- "winlog.event_data.Version",
- "winlog.event_data.Workstation",
-
"winlog.event_data.param1",
- "winlog.event_data.param2",
- "winlog.event_data.param3",
- "winlog.event_data.param4",
- "winlog.event_data.param5",
- "winlog.event_data.param6",
- "winlog.event_data.param7",
- "winlog.event_data.param8",
- "winlog.event_id",
- "winlog.keywords",
- "winlog.channel",
- "winlog.record_id",
- "winlog.related_activity_id",
- "winlog.opcode",
- "winlog.provider_guid",
- "winlog.provider_name",
- "winlog.task",
- "winlog.user.identifier",
- "winlog.user.name",
- "winlog.user.domain",
- "winlog.user.type"
- ]
- }
- }
- },
- "mappings": {
- "dynamic_templates": [
- {
- "container.labels": {
- "path_match": "container.labels.*",
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "string"
- }
- },
- {
- "winlog.user_data": {
- "path_match": "winlog.user_data.*",
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "string"
- }
- }
- ],
- "properties": {
- "container": {
- "properties": {
- "image": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "process": {
- "properties": {
- "args": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword",
- "fields": {
- "text": {
- "type": "match_only_text"
- }
- }
- },
- "pid": {
- "type": "long"
- },
- "args_count": {
- "type": "long"
- },
- "entity_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "title": {
- "ignore_above": 1024,
- "type": "keyword",
- "fields": {
- "text": {
- "type": "match_only_text"
- }
- }
- },
- "command_line": {
- "ignore_above": 1024,
- "type": "wildcard",
- "fields": {
- "text": {
- "type": "match_only_text"
- }
- }
- },
- "executable": {
- "ignore_above": 1024,
- "type": "keyword",
- "fields": {
- "text": {
- "type": "match_only_text"
- }
- }
- }
- }
- },
- "winlog": {
- "properties": {
- "related_activity_id": {
-
"ignore_above": 1024,
- "type": "keyword"
- },
- "computer_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "process": {
- "properties": {
- "pid": {
- "type": "long"
- },
- "thread": {
- "properties": {
- "id": {
- "type": "long"
- }
- }
- }
- }
- },
- "keywords": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "channel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "event_data": {
- "properties": {
- "SignatureStatus": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "DeviceTime": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ProcessName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "LogonGuid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "OriginalFileName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "BootMode": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "Product": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "TargetLogonGuid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "FileVersion": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "StopTime": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "Status": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "CorruptionActionState": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "KeyLength": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "PreviousCreationUtcTime": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "TargetInfo": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ServiceVersion": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "SubjectUserSid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "PerformanceImplementation": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "TargetUserSid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "Group": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "Description": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ShutdownActionType": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "DwordVal": {
- "ignore_above":
1024,
- "type": "keyword"
- },
- "ProcessPid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "DeviceVersionMajor": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ScriptBlockText": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "TransmittedServices": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "MaximumPerformancePercent": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "NewTime": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "FinalStatus": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "IdleStateCount": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "MajorVersion": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "Path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "SchemaVersion": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "TokenElevationType": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "MinorVersion": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "SubjectLogonId": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "IdleImplementation": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ProcessPath": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "QfeVersion": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "DeviceVersionMinor": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "OldTime": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "IpAddress": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "DeviceName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "Company": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "PuaPolicyId": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "IntegrityLevel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "LastShutdownGood": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "IpPort": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "DriverNameLength": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "LmPackageName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "UserSid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "LastBootGood": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "PuaCount": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "Version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "Signed": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "StartTime": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ShutdownEventCode": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "NewProcessName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "FailureNameLength": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ServiceName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "PreviousTime": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "State": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "BootType": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "Binary": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ImpersonationLevel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "MemberName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "TargetUserName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "Detail": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "TerminalSessionId": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "MemberSid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "DriverName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "DeviceNameLength": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "OldSchemeGuid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "CreationUtcTime": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "Reason": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ShutdownReason": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "TargetServerName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "Number": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "BuildVersion": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "SubjectDomainName": {
-
"ignore_above": 1024,
- "type": "keyword"
- },
- "MinimumPerformancePercent": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "LogonId": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "LogonProcessName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "TSId": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "TargetDomainName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "PrivilegeList": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "param7": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "param8": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "param5": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "param6": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "DriveName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "NewProcessId": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "LogonType": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ExtraInfo": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "param3": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "param4": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "param1": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "param2": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "TargetLogonId": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "Workstation": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "SubjectUserName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "FailureName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "NewSchemeGuid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "Signature": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "MinimumThrottlePercent": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ProcessId": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "EntryCount": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "BitlockerUserInputTime": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "AuthenticationPackageName": {
- "ignore_above":
1024,
- "type": "keyword"
- },
- "NominalFrequency": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "opcode": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "type": "long"
- },
- "record_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "event_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "task": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "provider_guid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "activity_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "api": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "provider_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user": {
- "properties": {
- "identifier": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "log": {
- "properties": {
- "level": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "destination": {
- "properties": {
- "user": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword",
- "fields": {
- "text": {
- "type": "match_only_text"
- }
- }
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "source": {
- "properties": {
- "user": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword",
- "fields": {
- "text": {
- "type": "match_only_text"
- }
- }
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "message": {
- "type": "match_only_text"
- },
- "tags": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cloud": {
- "properties": {
- "availability_zone": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "image": {
- "properties": {
- "id": {
- "ignore_above":
1024,
- "type": "keyword"
- }
- }
- },
- "instance": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "provider": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "machine": {
- "properties": {
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "project": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "region": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "account": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "input": {
- "properties": {
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "@timestamp": {
- "type": "date"
- },
- "file": {
- "properties": {
- "path": {
- "ignore_above": 1024,
- "type": "keyword",
- "fields": {
- "text": {
- "type": "match_only_text"
- }
- }
- },
- "extension": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "directory": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "ecs": {
- "properties": {
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "related": {
- "properties": {
- "hosts": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ip": {
- "type": "ip"
- },
- "user": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "data_stream": {
- "properties": {
- "namespace": {
- "type": "constant_keyword"
- },
- "type": {
- "type": "constant_keyword"
- },
- "dataset": {
- "type": "constant_keyword"
- }
- }
- },
- "powershell": {
- "properties": {
- "sequence": {
- "type": "long"
- },
- "total": {
- "type": "long"
- },
- "connected_user": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "process": {
- "properties": {
-
"executable_version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "file": {
- "properties": {
- "script_block_text": {
- "analyzer": "powershell_script_analyzer",
- "type": "text"
- },
- "script_block_id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "engine": {
- "properties": {
- "previous_state": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new_state": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "provider": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new_state": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "runspace_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "pipeline_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "command": {
- "properties": {
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "value": {
- "type": "text"
- }
- }
- }
- }
- },
- "host": {
- "properties": {
- "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "os": {
- "properties": {
- "build": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "codename": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword",
- "fields": {
- "text": {
- "type": "text"
- }
- }
- },
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "platform": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ip": {
- "type": "ip"
- },
- "containerized": {
- "type": "boolean"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
-
"ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "architecture": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "event": {
- "properties": {
- "sequence": {
- "type": "long"
- },
- "ingested": {
- "type": "date"
- },
- "code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "provider": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "created": {
- "type": "date"
- },
- "kind": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "module": {
- "type": "constant_keyword",
- "value": "windows"
- },
- "action": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "category": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "dataset": {
- "type": "constant_keyword",
- "value": "windows.powershell_operational"
- },
- "outcome": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "dataset": {
- "properties": {
- "name": {
- "type": "constant_keyword"
- },
- "namespace": {
- "type": "constant_keyword"
- },
- "type": {
- "type": "constant_keyword"
- }
- }
- },
- "user": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword",
- "fields": {
- "text": {
- "type": "match_only_text"
- }
- }
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- }
- },
- "_meta": {
- "package": {
- "name": "windows"
- },
- "managed_by": "fleet",
- "managed": true
- }
- }
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json
deleted file mode 100644
index fe77af1db..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "template": {
- "settings": {}
- },
- "_meta": {
- "package": {
- "name": "elastic_agent"
- },
- "managed_by": "fleet",
- "managed": true
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json
deleted file mode 100644
index 451eaf7aa..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@package.json
+++ /dev/null
@@ -1,1752 +0,0 @@
- {"template": {
- "settings": {
- "index": {
- "lifecycle": {
- "name": "logs"
- },
- "codec": "best_compression",
- "default_pipeline": "logs-windows.sysmon_operational-1.20.1",
- "mapping": {
- "total_fields": {
- "limit": "10000"
- }
- },
- "query": {
- "default_field": [
- "cloud.account.id",
- "cloud.availability_zone",
- "cloud.instance.id",
- "cloud.instance.name",
- "cloud.machine.type",
- "cloud.provider",
- "cloud.region",
- "cloud.project.id",
- "cloud.image.id",
- "container.id",
- "container.image.name",
- "container.name",
- "host.architecture",
- "host.hostname",
- "host.id",
- "host.mac",
- "host.name",
- "host.os.family",
- "host.os.kernel",
- "host.os.name",
- "host.os.platform",
- "host.os.version",
- "host.os.build",
- "host.os.codename",
- "host.type",
- "event.action",
- "event.category",
- "event.code",
- "event.kind",
- "event.outcome",
- "event.provider",
- "event.type",
- "tags",
- "input.type",
- "destination.domain",
- "dns.answers.class",
- "dns.answers.data",
- "dns.answers.name",
- "dns.answers.type",
- "dns.header_flags",
- "dns.id",
- "dns.op_code",
- "dns.question.class",
- "dns.question.name",
- "dns.question.registered_domain",
- "dns.question.subdomain",
- "dns.question.top_level_domain",
- "dns.question.type",
- "dns.response_code",
- "dns.type",
- "ecs.version",
- "error.code",
- "error.message",
- "file.code_signature.status",
- "file.code_signature.subject_name",
- "file.directory",
- "file.extension",
- "file.hash.md5",
- "file.hash.sha1",
- "file.hash.sha256",
- "file.hash.sha512",
- "file.name",
- "file.path",
- "file.pe.architecture",
- "file.pe.company",
- "file.pe.description",
- "file.pe.file_version",
- "file.pe.imphash",
- "file.pe.original_file_name",
- "file.pe.product",
- "group.domain",
- "group.id",
- "group.name",
- "log.level",
- "message",
- "network.community_id",
- "network.direction",
- "network.protocol",
- "network.transport",
- "network.type",
- "process.args",
-
"process.command_line",
- "process.entity_id",
- "process.executable",
- "process.hash.md5",
- "process.hash.sha1",
- "process.hash.sha256",
- "process.hash.sha512",
- "process.name",
- "process.parent.args",
- "process.parent.command_line",
- "process.parent.entity_id",
- "process.parent.executable",
- "process.parent.name",
- "process.pe.architecture",
- "process.pe.company",
- "process.pe.description",
- "process.pe.file_version",
- "process.pe.imphash",
- "process.pe.original_file_name",
- "process.pe.product",
- "process.title",
- "process.working_directory",
- "registry.data.strings",
- "registry.data.type",
- "registry.hive",
- "registry.key",
- "registry.path",
- "registry.value",
- "related.hash",
- "related.hosts",
- "related.user",
- "rule.name",
- "service.name",
- "service.type",
- "source.domain",
- "user.domain",
- "user.id",
- "user.name",
- "user.target.group.domain",
- "user.target.group.id",
- "user.target.group.name",
- "user.target.name",
- "sysmon.dns.status",
- "winlog.api",
- "winlog.activity_id",
- "winlog.computer_name",
- "winlog.event_data.AuthenticationPackageName",
- "winlog.event_data.Binary",
- "winlog.event_data.BitlockerUserInputTime",
- "winlog.event_data.BootMode",
- "winlog.event_data.BootType",
- "winlog.event_data.BuildVersion",
- "winlog.event_data.CallTrace",
- "winlog.event_data.ClientInfo",
- "winlog.event_data.Company",
- "winlog.event_data.Configuration",
- "winlog.event_data.CorruptionActionState",
- "winlog.event_data.CreationUtcTime",
- "winlog.event_data.Description",
- "winlog.event_data.Detail",
- "winlog.event_data.DeviceName",
- "winlog.event_data.DeviceNameLength",
- "winlog.event_data.DeviceTime",
- "winlog.event_data.DeviceVersionMajor",
- "winlog.event_data.DeviceVersionMinor",
- "winlog.event_data.DriveName",
- "winlog.event_data.DriverName",
- "winlog.event_data.DriverNameLength",
- "winlog.event_data.DwordVal",
- "winlog.event_data.EntryCount",
- "winlog.event_data.EventType",
-
"winlog.event_data.EventNamespace",
- "winlog.event_data.ExtraInfo",
- "winlog.event_data.FailureName",
- "winlog.event_data.FailureNameLength",
- "winlog.event_data.FileVersion",
- "winlog.event_data.FinalStatus",
- "winlog.event_data.GrantedAccess",
- "winlog.event_data.Group",
- "winlog.event_data.IdleImplementation",
- "winlog.event_data.IdleStateCount",
- "winlog.event_data.ImpersonationLevel",
- "winlog.event_data.IntegrityLevel",
- "winlog.event_data.IpAddress",
- "winlog.event_data.IpPort",
- "winlog.event_data.KeyLength",
- "winlog.event_data.LastBootGood",
- "winlog.event_data.LastShutdownGood",
- "winlog.event_data.LmPackageName",
- "winlog.event_data.LogonGuid",
- "winlog.event_data.LogonId",
- "winlog.event_data.LogonProcessName",
- "winlog.event_data.LogonType",
- "winlog.event_data.MajorVersion",
- "winlog.event_data.MaximumPerformancePercent",
- "winlog.event_data.MemberName",
- "winlog.event_data.MemberSid",
- "winlog.event_data.MinimumPerformancePercent",
- "winlog.event_data.MinimumThrottlePercent",
- "winlog.event_data.MinorVersion",
- "winlog.event_data.Name",
- "winlog.event_data.NewProcessId",
- "winlog.event_data.NewProcessName",
- "winlog.event_data.NewSchemeGuid",
- "winlog.event_data.NewThreadId",
- "winlog.event_data.NewTime",
- "winlog.event_data.NominalFrequency",
- "winlog.event_data.Number",
- "winlog.event_data.OldSchemeGuid",
- "winlog.event_data.OldTime",
- "winlog.event_data.Operation",
- "winlog.event_data.OriginalFileName",
- "winlog.event_data.Path",
- "winlog.event_data.PerformanceImplementation",
- "winlog.event_data.PreviousCreationUtcTime",
- "winlog.event_data.PreviousTime",
- "winlog.event_data.PrivilegeList",
- "winlog.event_data.ProcessId",
- "winlog.event_data.ProcessName",
- "winlog.event_data.ProcessPath",
- "winlog.event_data.ProcessPid",
- "winlog.event_data.Product",
- "winlog.event_data.PuaCount",
- "winlog.event_data.PuaPolicyId",
- "winlog.event_data.QfeVersion",
- "winlog.event_data.Query",
-
"winlog.event_data.Reason",
- "winlog.event_data.SchemaVersion",
- "winlog.event_data.ScriptBlockText",
- "winlog.event_data.ServiceName",
- "winlog.event_data.ServiceVersion",
- "winlog.event_data.Session",
- "winlog.event_data.ShutdownActionType",
- "winlog.event_data.ShutdownEventCode",
- "winlog.event_data.ShutdownReason",
- "winlog.event_data.Signature",
- "winlog.event_data.SignatureStatus",
- "winlog.event_data.Signed",
- "winlog.event_data.StartAddress",
- "winlog.event_data.StartFunction",
- "winlog.event_data.StartModule",
- "winlog.event_data.StartTime",
- "winlog.event_data.State",
- "winlog.event_data.Status",
- "winlog.event_data.StopTime",
- "winlog.event_data.SubjectDomainName",
- "winlog.event_data.SubjectLogonId",
- "winlog.event_data.SubjectUserName",
- "winlog.event_data.SubjectUserSid",
- "winlog.event_data.TSId",
- "winlog.event_data.TargetDomainName",
- "winlog.event_data.TargetImage",
- "winlog.event_data.TargetInfo",
- "winlog.event_data.TargetLogonGuid",
- "winlog.event_data.TargetLogonId",
- "winlog.event_data.TargetProcessGUID",
- "winlog.event_data.TargetProcessId",
- "winlog.event_data.TargetServerName",
- "winlog.event_data.TargetUserName",
- "winlog.event_data.TargetUserSid",
- "winlog.event_data.TerminalSessionId",
- "winlog.event_data.TokenElevationType",
- "winlog.event_data.TransmittedServices",
- "winlog.event_data.Type",
- "winlog.event_data.UserSid",
- "winlog.event_data.Version",
- "winlog.event_data.Workstation",
- "winlog.event_data.param1",
- "winlog.event_data.param2",
- "winlog.event_data.param3",
- "winlog.event_data.param4",
- "winlog.event_data.param5",
- "winlog.event_data.param6",
- "winlog.event_data.param7",
- "winlog.event_data.param8",
- "winlog.event_id",
- "winlog.keywords",
- "winlog.channel",
- "winlog.record_id",
- "winlog.related_activity_id",
- "winlog.opcode",
- "winlog.provider_guid",
- "winlog.provider_name",
- "winlog.task",
- "winlog.user.identifier",
- "winlog.user.name",
- "winlog.user.domain",
-
"winlog.user.type" - ] - } - } - }, - "mappings": { - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - }, - { - "winlog.user_data": { - "path_match": "winlog.user_data.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sysmon": { - "properties": { - "file": { - "properties": { - "archived": { - "type": "boolean" - }, - "is_executable": { - "type": "boolean" - } - } - }, - "dns": { - "properties": { - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "port": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - } - } - }, - "rule": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "port": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - } - } - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "type": "match_only_text" - } - } - }, - "network": { - "properties": { - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cloud": { - 
"properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "valid": { - "type": "boolean" - }, - "trusted": { - "type": "boolean" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "sha1": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "module": { - "type": "constant_keyword", - "value": "windows" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "type": "constant_keyword", - "value": "windows.sysmon_operational" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "registry": { - "properties": { - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "properties": { - "strings": { - "ignore_above": 1024, - "type": "wildcard" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "pid": { - "type": "long" - }, - "args_count": { - "type": "long" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "command_line": { - "ignore_above": 1024, - "type": "wildcard", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - } - } - }, - "pe": { - "properties": { - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "pid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "args_count": { - "type": "long" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "wildcard", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "winlog": { - "properties": { - "related_activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - } - } - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_data": { - "properties": { - "SignatureStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"DeviceTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Configuration": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginalFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Query": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "Product": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "CallTrace": { - "ignore_above": 1024, - "type": "keyword" - }, - "StopTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "GrantedAccess": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorruptionActionState": { - "ignore_above": 1024, - "type": "keyword" - }, - "KeyLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousCreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "PerformanceImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Group": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewThreadId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Description": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownActionType": { - "ignore_above": 1024, - "type": "keyword" - }, - "DwordVal": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPid": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"DeviceVersionMajor": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScriptBlockText": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "MaximumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "FinalStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleStateCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "MajorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "Path": { - "ignore_above": 1024, - "type": "keyword" - }, - "SchemaVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "TokenElevationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinorVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IdleImplementation": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessPath": { - "ignore_above": 1024, - "type": "keyword" - }, - "QfeVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceVersionMinor": { - "ignore_above": 1024, - "type": "keyword" - }, - "Type": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Company": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaPolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EventType": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntegrityLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastShutdownGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpPort": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "Name": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "LastBootGood": { - "ignore_above": 1024, - "type": "keyword" - }, - "PuaCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetProcessGUID": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signed": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownEventCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PreviousTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartFunction": { - "ignore_above": 1024, - "type": "keyword" - }, - "BootType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "TerminalSessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "MemberSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriverName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceNameLength": { - "ignore_above": 1024, - "type": "keyword" - }, - "OldSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Operation": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"CreationUtcTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ShutdownReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetServerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Number": { - "ignore_above": 1024, - "type": "keyword" - }, - "BuildVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetImage": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumPerformancePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TSId": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PrivilegeList": { - "ignore_above": 1024, - "type": "keyword" - }, - "param7": { - "ignore_above": 1024, - "type": "keyword" - }, - "param8": { - "ignore_above": 1024, - "type": "keyword" - }, - "param5": { - "ignore_above": 1024, - "type": "keyword" - }, - "param6": { - "ignore_above": 1024, - "type": "keyword" - }, - "DriveName": { - "ignore_above": 1024, - "type": "keyword" - }, - "EventNamespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExtraInfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartModule": { - "ignore_above": 1024, - "type": "keyword" - }, - "param3": { - "ignore_above": 1024, - "type": "keyword" - }, - "param4": { - "ignore_above": 1024, - "type": "keyword" - }, - "param1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param2": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workstation": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FailureName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NewSchemeGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "Signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "MinimumThrottlePercent": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EntryCount": { - "ignore_above": 1024, - "type": "keyword" - }, - "BitlockerUserInputTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "AuthenticationPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "NominalFrequency": { - "ignore_above": 1024, - "type": "keyword" - }, - "Session": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "dns": { - "properties": { - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "answers": { - "properties": { - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - } - } - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "type": "match_only_text" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "input": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dataset": { - "properties": { - "name": { - "type": "constant_keyword" - }, - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - } - } - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "match_only_text" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword", - 
"fields": { - "text": { - "type": "match_only_text" - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "windows" - }, - "managed_by": "fleet", - "managed": true - } - }