diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index a14c03e2d..37eab28a0 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -80,8 +80,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent.apm_server@package"
 - "so-logs-elastic_agent.apm_server@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
@@ -114,8 +114,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent.auditbeat@package"
 - "so-logs-elastic_agent.auditbeat@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
@@ -148,8 +148,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent.cloudbeat@package"
 - "so-logs-elastic_agent.cloudbeat@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
@@ -182,8 +182,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent.endpoint_security@package"
 - "so-logs-elastic_agent.endpoint_security@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
@@ -216,8 +216,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent.filebeat@package"
 - "so-logs-elastic_agent.filebeat@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
@@ -250,8 +250,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent.fleet_server@package"
 - "so-logs-elastic_agent.fleet_server@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
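Review bot: Nothing in defaults.yaml records that the `so-fleet_globals-1` / `so-fleet_agent_id_verification-1` entries added in this hunk (and identically in the ten following hunks, @@ -114 through @@ -420) are local copies of Fleet's `.fleet_*-1` component templates rather than Fleet-managed objects, so a maintainer has no cue that the `-1` suffix is a snapshot of an upstream revision. I would add a comment above the first `composed_of:` such as `# so-fleet_globals-1 / so-fleet_agent_id_verification-1 are Security Onion-owned copies of Fleet's .fleet_*-1 component templates; re-copy them when Fleet ships a newer revision`. Because the copies carry the Fleet version suffix, they will presumably not track upstream changes once Fleet moves to a newer revision, which is worth checking before each Elastic upgrade. Each hunk's enclosing index-template entry starts and ends outside the hunk.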
@@ -284,8 +284,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent.heartbeat@package"
 - "so-logs-elastic_agent.heartbeat@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
@@ -318,8 +318,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent@package"
 - "so-logs-elastic_agent@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
@@ -352,8 +352,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent.metricbeat@package"
 - "so-logs-elastic_agent.metricbeat@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
@@ -386,8 +386,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent.osquerybeat@package"
 - "so-logs-elastic_agent.osquerybeat@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
@@ -420,8 +420,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent.packetbeat@package"
 - "so-logs-elastic_agent.packetbeat@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
diff --git a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_agent_id_verification-1.json b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_agent_id_verification-1.json
new file mode 100644
index 000000000..cac2cd8ee
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_agent_id_verification-1.json
@@ -0,0 +1,74 @@
+{
+ "component_templates": [
+ {
+ "name": "so-fleet_agent_id_verification-1",
+ "component_template": {
+ "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ },
+ "index": {
+ "final_pipeline": ".fleet_final_pipeline-1"
+ }
+ },
+ "mappings": {
+ "properties": {
+ "event": {
+ "properties": {
+ "agent_id_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ingested": {
+ "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis",
+ "type": "date"
+ }
+ }
+ }
+ }
+ }
+ },
+ "_meta": {
+ "managed_by": "fleet",
+ "managed": true
+ }
+ }
+ }
+ ]
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_globals-1.json b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_globals-1.json
new file mode 100644
index 000000000..5e569846c
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_globals-1.json
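Review bot: The trailing `_meta` block of this new component template still says `"managed_by": "fleet"`, while the sibling `so-fleet_globals-1.json` in the next hunk uses `"managed_by": "security_onion"`; for a template that is now installed and owned under the `so-` name, `"managed_by": "security_onion"` is the consistent value and avoids the object looking Fleet-owned to anyone auditing templates. The settings also keep `"final_pipeline": ".fleet_final_pipeline-1"`, so every index built from this template still depends on the Fleet-managed pipeline, and Elasticsearch rejects indexing requests when a configured final pipeline does not exist, which would matter if Fleet renames or drops that pipeline in a later revision. That dependency is what keeps `event.agent_id_status` populated, the field detection logic relies on to separate events from verified agents from unverified ones, so it deserves a written note next to the template (JSON has no comments, so the defaults.yaml stanza or a README is the place).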
@@ -0,0 +1,73 @@
+{
+ "component_templates": [
+ {
+ "name": "so-fleet_globals-1",
+ "component_template": {
+ "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
+ "mappings": {
+ "_meta": {
+ "managed_by": "security_onion",
+ "managed": true
+ },
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ }
+ },
+ "_meta": {
+ "managed_by": "security_onion",
+ "managed": true
+ }
+ }
+ }
+ ]
+}
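Review bot: The `strings_as_keyword` dynamic template maps every otherwise-unmapped string field as `keyword` with `"ignore_above": 1024`, which means any unmapped string longer than 1024 characters (long command lines, URLs, script bodies) is kept in `_source` but not indexed and therefore not searchable or aggregatable on that field; this is inherited Fleet behaviour, but it is a detection caveat that should be documented where this template is referenced, since JSON itself cannot carry a comment. The whole `analysis` block (`es_security_analyzer`, `whitespace_no_way`, `path_hierarchy_pattern_filter`, `path_tokenizer`) is also byte-for-byte the same as in `so-fleet_agent_id_verification-1.json` from the previous hunk; identical settings compose without conflict, but any future edit must be applied to both files, so it would be worth noting which file is considered authoritative.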