From 7f2c5bc7572131ef0d5335d331cadbd6b0377b9b Mon Sep 17 00:00:00 2001
From: Wes
Date: Tue, 20 Sep 2022 20:27:26 +0000
Subject: [PATCH 1/2] Add component templates for Fleet
---
.../so-fleet_agent_id_verification-1.json | 36 +++++++++++++++++++
.../elastic-agent/so-fleet_globals-1.json | 34 ++++++++++++++++++
2 files changed, 70 insertions(+)
create mode 100644 salt/elasticsearch/templates/component/elastic-agent/so-fleet_agent_id_verification-1.json
create mode 100644 salt/elasticsearch/templates/component/elastic-agent/so-fleet_globals-1.json
diff --git a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_agent_id_verification-1.json b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_agent_id_verification-1.json
new file mode 100644
index 000000000..e3b768ae3
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_agent_id_verification-1.json
@@ -0,0 +1,36 @@
+{
+ "component_templates": [
+ {
+ "name": ".fleet_agent_id_verification-1",
+ "component_template": {
+ "template": {
+ "settings": {
+ "index": {
+ "final_pipeline": ".fleet_final_pipeline-1"
+ }
+ },
+ "mappings": {
+ "properties": {
+ "event": {
+ "properties": {
+ "agent_id_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ingested": {
+ "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis",
+ "type": "date"
+ }
+ }
+ }
+ }
+ }
+ },
+ "_meta": {
+ "managed_by": "fleet",
+ "managed": true
+ }
+ }
+ ]
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_globals-1.json b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_globals-1.json
new file mode 100644
index 000000000..002529d01
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_globals-1.json
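Review bot: The new template pins `index.final_pipeline` to `.fleet_final_pipeline-1`, a pipeline nothing in this change creates; Elasticsearch refuses writes to an index whose final pipeline is missing, so every data stream built on this component depends on Kibana's Fleet setup having installed that pipeline first. As I understand Fleet, that pipeline is also what actually populates the `event.agent_id_status` and `event.ingested` fields mapped here — the mapping on its own verifies nothing — so if it were ever bypassed, documents would carry no agent-id verdict while still looking well-formed. If Security Onion intends to own this template it should either ship that pipeline itself or record the dependency where it is visible, e.g. `"_meta": { "managed_by": "fleet", "managed": true, "description": "Requires Fleet's .fleet_final_pipeline-1 ingest pipeline (created by Kibana Fleet setup)" }`.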
@@ -0,0 +1,34 @@ +{ + "component_templates": [ + { + "name": ".fleet_globals-1", + "component_template": { + "template": { + "settings": {}, + "mappings": { + "_meta": { + "managed_by": "fleet", + "managed": true + }, + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "date_detection": false + } + }, + "_meta": { + "managed_by": "fleet", + "managed": true + } + } + } + ] +} From 46dd4c2749e376c94d3827aad8f5a24e8ebd7ce8 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 20 Sep 2022 20:33:06 +0000 Subject: [PATCH 2/2] Rename component mappings and references for Security Onion --- salt/elasticsearch/defaults.yaml | 44 ++++++++--------- .../so-fleet_agent_id_verification-1.json | 40 +++++++++++++++- .../elastic-agent/so-fleet_globals-1.json | 47 +++++++++++++++++-- 3 files changed, 104 insertions(+), 27 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index a14c03e2d..37eab28a0 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -80,8 +80,8 @@ elasticsearch: composed_of: - "so-logs-elastic_agent.apm_server@package" - "so-logs-elastic_agent.apm_server@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" priority: 500 _meta: package: @@ -114,8 +114,8 @@ elasticsearch: composed_of: - "so-logs-elastic_agent.auditbeat@package" - "so-logs-elastic_agent.auditbeat@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" priority: 500 _meta: package: @@ -148,8 +148,8 @@ elasticsearch: composed_of: - "so-logs-elastic_agent.cloudbeat@package" - "so-logs-elastic_agent.cloudbeat@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" priority: 500 _meta: package: 
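Review bot: The `strings_as_keyword` dynamic template with `ignore_above: 1024` plus `date_detection: false` means any string field not mapped by the `@package`/`@custom` components becomes a keyword, and a value longer than 1024 characters is kept in `_source` but not indexed, so it matches neither searches nor detection rules. For a security data set, where long command lines, script blocks or URLs can land in unmapped fields, that cut-off deserves a deliberate decision rather than an inherited Fleet default. If it is intended, state it in the template's `_meta` since JSON allows no comments, e.g. `"description": "Unmapped strings are mapped as keyword; values over 1024 chars are not indexed (ignore_above)"`.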
@@ -182,8 +182,8 @@ elasticsearch: composed_of: - "so-logs-elastic_agent.endpoint_security@package" - "so-logs-elastic_agent.endpoint_security@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" priority: 500 _meta: package: @@ -216,8 +216,8 @@ elasticsearch: composed_of: - "so-logs-elastic_agent.filebeat@package" - "so-logs-elastic_agent.filebeat@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" priority: 500 _meta: package: @@ -250,8 +250,8 @@ elasticsearch: composed_of: - "so-logs-elastic_agent.fleet_server@package" - "so-logs-elastic_agent.fleet_server@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" priority: 500 _meta: package: @@ -284,8 +284,8 @@ elasticsearch: composed_of: - "so-logs-elastic_agent.heartbeat@package" - "so-logs-elastic_agent.heartbeat@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" priority: 500 _meta: package: @@ -318,8 +318,8 @@ elasticsearch: composed_of: - "so-logs-elastic_agent@package" - "so-logs-elastic_agent@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" priority: 500 _meta: package: @@ -352,8 +352,8 @@ elasticsearch: composed_of: - "so-logs-elastic_agent.metricbeat@package" - "so-logs-elastic_agent.metricbeat@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" priority: 500 _meta: package: 
@@ -386,8 +386,8 @@ elasticsearch: composed_of: - "so-logs-elastic_agent.osquerybeat@package" - "so-logs-elastic_agent.osquerybeat@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" priority: 500 _meta: package: @@ -420,8 +420,8 @@ elasticsearch: composed_of: - "so-logs-elastic_agent.packetbeat@package" - "so-logs-elastic_agent.packetbeat@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" priority: 500 _meta: package: diff --git a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_agent_id_verification-1.json b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_agent_id_verification-1.json index e3b768ae3..cac2cd8ee 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_agent_id_verification-1.json +++ b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_agent_id_verification-1.json @@ -1,10 +1,48 @@ { "component_templates": [ { - "name": ".fleet_agent_id_verification-1", + "name": "so-fleet_agent_id_verification-1", "component_template": { "template": { "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, "index": { "final_pipeline": ".fleet_final_pipeline-1" } 
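Review bot: `_meta.managed_by` in this file still reads `fleet` — the `_meta` block lies past the end of this hunk and the diffstat shows only the name line removed — while the sibling so-fleet_globals-1.json in the same commit switches both of its occurrences to `security_onion`. With `managed: true` Kibana presents the template as Fleet-owned, and whether Fleet setup leaves an `so-` prefixed copy alone I cannot confirm from here, so at minimum the two files should agree: change both occurrences here to `"managed_by": "security_onion"`. The same `analysis` block is pasted into both component templates; since both are composed into every `so-logs-elastic_agent.*` index template, one copy suffices and avoids the two drifting apart. Within this hunk nothing references `path_hierarchy_pattern_filter` or `path_tokenizer`, so unless a package mapping outside this diff names them they are dead configuration. The `final_pipeline` reference to Fleet's `.fleet_final_pipeline-1` is unchanged and must exist in the cluster before these data streams receive writes.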
diff --git a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_globals-1.json b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_globals-1.json index 002529d01..5e569846c 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_globals-1.json +++ b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_globals-1.json @@ -1,13 +1,52 @@ { "component_templates": [ { - "name": ".fleet_globals-1", + "name": "so-fleet_globals-1", "component_template": { "template": { - "settings": {}, + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "_meta": { - "managed_by": "fleet", + "managed_by": "security_onion", "managed": true }, "dynamic_templates": [ @@ -25,7 +64,7 @@ } }, "_meta": { - "managed_by": "fleet", + "managed_by": "security_onion", "managed": true } }
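Review bot: Nothing in this file applies `es_security_analyzer` to a field — the analyzer, the `whitespace_no_way` char filter, `path_hierarchy_pattern_filter` and `path_tokenizer` are only defined — so their effect depends entirely on `@package` mappings outside this diff naming them, and if none does, this whole settings block is inert yet still copied into every index created from these templates. Note too that `whitespace_no_way` replaces `(\s)+` with `$1`, i.e. it collapses a run of whitespace to a single character rather than removing it, which the name does not convey; a `"description"` entry in the template-level `_meta` (which sits in the second hunk, past the `dynamic_templates` this hunk ends on) saying where this block was copied from and which fields rely on it would help the next maintainer. Installation order also matters: Elasticsearch rejects an index template whose `composed_of` names a component template that does not yet exist, so the Salt state must PUT `so-fleet_globals-1` and `so-fleet_agent_id_verification-1` before the `so-logs-elastic_agent.*` index templates referenced in defaults.yaml.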