diff --git a/salt/elasticsearch/config.map.jinja b/salt/elasticsearch/config.map.jinja index 37447cabb..4e57199af 100644 --- a/salt/elasticsearch/config.map.jinja +++ b/salt/elasticsearch/config.map.jinja @@ -20,20 +20,12 @@ {% for NODE in ES_LOGSTASH_NODES %} {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.discovery.seed_hosts.append(NODE.keys()|first) %} {% endfor %} - {% if grains.id.split('_') | last == 'manager' %} - {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master','data','remote_cluster_client','transform']}) %} - {% else %} - {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master', 'data_hot', 'remote_cluster_client']}) %} - {% endif %} {% endif %} {% elif grains.id.split('_') | last == 'searchnode' %} - {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['data_hot', 'ingest']}) %} {% if HIGHLANDER %} {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %} {% endif %} {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %} -{% elif grains.id.split('_') | last == 'heavynode' %} - {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master', 'data', 'remote_cluster_client', 'ingest']}) %} {% endif %} {% if HIGHLANDER %} {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.xpack.ml.update({'enabled': true}) %} @@ -53,3 +45,5 @@ {% endif %} {% endfor %} {% endif %} + +{% do ELASTICSEARCHMERGED.config.node.update({'roles': ELASTICSEARCHMERGED.so_roles[GLOBALS.role].config.node.roles}) %} diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 1296ef549..44cb0ea7d 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1,55 +1,16 @@ elasticsearch: - enabled: False - retention: - retention_pct: 50 config: - node: {} + action: + destructive_requires_name: true cluster: routing: allocation: disk: threshold_enabled: true watermark: - low: 80% - high: 85% flood_stage: 90% - network: - host: 0.0.0.0 - path: - logs: /var/log/elasticsearch - action: - destructive_requires_name: true - transport: - bind_host: 0.0.0.0 - publish_port: 9300 - xpack: - ml: - enabled: false - security: - enabled: true - authc: - anonymous: - authz_exception: true - roles: [] - username: _anonymous - transport: - ssl: - enabled: true - verification_mode: none - key: /usr/share/elasticsearch/config/elasticsearch.key - certificate: /usr/share/elasticsearch/config/elasticsearch.crt - certificate_authorities: - - /usr/share/elasticsearch/config/ca.crt - http: - ssl: - enabled: true - client_authentication: none - key: /usr/share/elasticsearch/config/elasticsearch.key - certificate: /usr/share/elasticsearch/config/elasticsearch.crt - certificate_authorities: - - /usr/share/elasticsearch/config/ca.crt - script: - max_compilations_rate: 20000/1m + high: 85% + low: 80% indices: id_field_data: enabled: false @@ -57,3833 +18,8553 @@ elasticsearch: org: elasticsearch: deprecation: ERROR + network: + host: 0.0.0.0 + node: {} + path: + logs: /var/log/elasticsearch + script: + max_compilations_rate: 20000/1m + transport: + bind_host: 0.0.0.0 + publish_port: 9300 + xpack: + ml: + enabled: false + security: + authc: + anonymous: + authz_exception: true + roles: [] + username: _anonymous + enabled: true + http: + ssl: + certificate: /usr/share/elasticsearch/config/elasticsearch.crt + certificate_authorities: + - /usr/share/elasticsearch/config/ca.crt + client_authentication: none + enabled: true + key: /usr/share/elasticsearch/config/elasticsearch.key + transport: + ssl: + certificate: /usr/share/elasticsearch/config/elasticsearch.crt + certificate_authorities: + - /usr/share/elasticsearch/config/ca.crt + enabled: true + key: /usr/share/elasticsearch/config/elasticsearch.key + verification_mode: none + enabled: false index_settings: global_overrides: index_template: template: settings: index: + lifecycle: + name: global_overrides-logs number_of_replicas: default_placeholder - so-logs: - index_sorting: False - index_template: - index_patterns: - - "logs-*-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5001 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - composed_of: - - "so-data-streams-mappings" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - - "so-logs-mappings" - - "so-logs-settings" - priority: 225 - data_stream: - hidden: false - allow_custom_routing: false policy: phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb cold: - min_age: 30d actions: set_priority: priority: 0 + min_age: 30d delete: - min_age: 365d actions: delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-system_x_auth: - index_sorting: False - index_template: - index_patterns: - - "logs-system.auth*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "event-mappings" - - "logs-system.auth@package" - - "logs-system.auth@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-system_x_syslog: - index_sorting: False - index_template: - index_patterns: - - "logs-system.syslog*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "event-mappings" - - "logs-system.syslog@package" - - "logs-system.syslog@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-system_x_system: - index_sorting: False - index_template: - index_patterns: - - "logs-system.system*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "event-mappings" - - "logs-system.system@package" - - "logs-system.system@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-system_x_application: - index_sorting: False - index_template: - index_patterns: - - "logs-system.application*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "event-mappings" - - "logs-system.application@package" - - "logs-system.application@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-system_x_security: - index_sorting: False - index_template: - index_patterns: - - "logs-system.security*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "event-mappings" - - "logs-system.security@package" - - "logs-system.security@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-windows_x_forwarded: - index_sorting: False - index_template: - index_patterns: - - "logs-windows.forwarded*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-windows.forwarded@package" - - "logs-windows.forwarded@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-windows_x_powershell: - index_sorting: False - index_template: - index_patterns: - - "logs-windows.powershell-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-windows.powershell@package" - - "logs-windows.powershell@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-windows_x_powershell_operational: - index_sorting: False - index_template: - index_patterns: - - "logs-windows.powershell_operational-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-windows.powershell_operational@package" - - "logs-windows.powershell_operational@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-windows_x_sysmon_operational: - index_sorting: False - index_template: - index_patterns: - - "logs-windows.sysmon_operational-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-windows.sysmon_operational@package" - - "logs-windows.sysmon_operational@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-apache_x_access: - index_sorting: False - index_template: - index_patterns: - - "logs-apache.access-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-apache.access@package" - - "logs-apache.access@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-apache_x_error: - index_sorting: False - index_template: - index_patterns: - - "logs-apache.error-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-apache.error@package" - - "logs-apache.error@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-auditd_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-auditd.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-auditd.log@package" - - "logs-auditd.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-aws_x_cloudtrail: - index_sorting: False - index_template: - index_patterns: - - "logs-aws.cloudtrail-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-aws.cloudtrail@package" - - "logs-aws.cloudtrail@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-aws_x_cloudwatch_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-aws.cloudwatch_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-aws.cloudwatch_logs@package" - - "logs-aws.cloudwatch_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-aws_x_ec2_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-aws.ec2_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-aws.ec2_logs@package" - - "logs-aws.ec2_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-aws_x_elb_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-aws.elb_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-aws.elb_logs@package" - - "logs-aws.elb_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-aws_x_firewall_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-aws.firewall_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-aws.firewall_logs@package" - - "logs-aws.firewall_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-aws_x_route53_public_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-aws.route53_public_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-aws.route53_public_logs@package" - - "logs-aws.route53_public_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-aws_x_route53_resolver_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-aws.route53_resolver_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-aws.route53_resolver_logs@package" - - "logs-aws.route53_resolver_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-aws_x_s3access: - index_sorting: False - index_template: - index_patterns: - - "logs-aws.s3access-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-aws.s3access@package" - - "logs-aws.s3access@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-aws_x_vpcflow: - index_sorting: False - index_template: - index_patterns: - - "logs-aws.vpcflow-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-aws.vpcflow@package" - - "logs-aws.vpcflow@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-aws_x_waf: - index_sorting: False - index_template: - index_patterns: - - "logs-aws.waf-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-aws.waf@package" - - "logs-aws.waf@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-azure_x_activitylogs: - index_sorting: False - index_template: - index_patterns: - - "logs-azure.activitylogs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-azure.activitylogs@package" - - "logs-azure.activitylogs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-azure_x_application_gateway: - index_sorting: False - index_template: - index_patterns: - - "logs-azure.application_gateway-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-azure.application_gateway@package" - - "logs-azure.application_gateway@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-azure_x_auditlogs: - index_sorting: False - index_template: - index_patterns: - - "logs-azure.auditlogs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-azure.auditlogs@package" - - "logs-azure.auditlogs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-azure_x_eventhub: - index_sorting: False - index_template: - index_patterns: - - "logs-azure.eventhub-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-azure.eventhub@package" - - "logs-azure.eventhub@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-azure_x_firewall_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-azure.firewall_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-azure.firewall_logs@package" - - "logs-azure.firewall_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-azure_x_identity_protection: - index_sorting: False - index_template: - index_patterns: - - "logs-azure.identity_protection-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-azure.identity_protection@package" - - "logs-azure.identity_protection@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-azure_x_platformlogs: - index_sorting: False - index_template: - index_patterns: - - "logs-azure.platformlogs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-azure.platformlogs@package" - - "logs-azure.platformlogs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-azure_x_provisioning: - index_sorting: False - index_template: - index_patterns: - - "logs-azure.provisioning-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-azure.provisioning@package" - - "logs-azure.provisioning@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-azure_x_signinlogs: - index_sorting: False - index_template: - index_patterns: - - "logs-azure.signinlogs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-azure.signinlogs@package" - - "logs-azure.signinlogs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-azure_x_springcloudlogs: - index_sorting: False - index_template: - index_patterns: - - "logs-azure.springcloudlogs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-azure.springcloudlogs@package" - - "logs-azure.springcloudlogs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-barracuda_x_waf: - index_sorting: False - index_template: - index_patterns: - - "logs-barracuda.waf-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-barracuda.waf@package" - - "logs-barracuda.waf@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cisco_asa_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-cisco_asa.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cisco_asa.log@package" - - "logs-cisco_asa.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cloudflare_x_audit: - index_sorting: False - index_template: - index_patterns: - - "logs-cloudflare.audit-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cloudflare.audit@package" - - "logs-cloudflare.audit@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cloudflare_x_logpull: - index_sorting: False - index_template: - index_patterns: - - "logs-cloudflare.logpull-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cloudflare.logpull@package" - - "logs-cloudflare.logpull@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-crowdstrike_x_falcon: - index_sorting: False - index_template: - index_patterns: - - "logs-crowdstrike.falcon-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-crowdstrike.falcon@package" - - "logs-crowdstrike.falcon@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-crowdstrike_x_fdr: - index_sorting: False - index_template: - index_patterns: - - "logs-crowdstrike.fdr-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-crowdstrike.fdr@package" - - "logs-crowdstrike.fdr@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-darktrace_x_ai_analyst_alert: - index_sorting: False - index_template: - index_patterns: - - "logs-darktrace.ai_analyst_alert-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-darktrace.ai_analyst_alert@package" - - "logs-darktrace.ai_analyst_alert@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-darktrace_x_model_breach_alert: - index_sorting: False - index_template: - index_patterns: - - "logs-darktrace.model_breach_alert-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-darktrace.model_breach_alert@package" - - "logs-darktrace.model_breach_alert@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-darktrace_x_system_status_alert: - index_sorting: False - index_template: - index_patterns: - - "logs-darktrace.system_status_alert-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-darktrace.system_status_alert@package" - - "logs-darktrace.system_status_alert@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-f5_bigip_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-f5_bigip.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-f5_bigip.log@package" - - "logs-f5_bigip.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-fim_x_event: - index_sorting: False - index_template: - index_patterns: - - "logs-fim.event-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-fim.event@package" - - "logs-fim.event@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-fortinet_x_clientendpoint: - index_sorting: False - index_template: - index_patterns: - - "logs-fortinet.clientendpoint-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-fortinet.clientendpoint@package" - - "logs-fortinet.clientendpoint@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-fortinet_x_firewall: - index_sorting: False - index_template: - index_patterns: - - "logs-fortinet.firewall-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-fortinet.firewall@package" - - "logs-fortinet.firewall@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-fortinet_x_fortimail: - index_sorting: False - index_template: - index_patterns: - - "logs-fortinet.fortimail-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-fortinet.fortimail@package" - - "logs-fortinet.fortimail@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-fortinet_x_fortimanager: - index_sorting: False - index_template: - index_patterns: - - "logs-fortinet.fortimanager-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-fortinet.fortimanager@package" - - "logs-fortinet.fortimanager@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-fortinet_fortigate_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-fortinet_fortigate.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-fortinet_fortigate.log@package" - - "logs-fortinet_fortigate.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-gcp_x_audit: - index_sorting: False - index_template: - index_patterns: - - "logs-gcp.audit-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-gcp.audit@package" - - "logs-gcp.audit@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-gcp_x_dns: - index_sorting: False - index_template: - index_patterns: - - "logs-gcp.dns-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-gcp.dns@package" - - "logs-gcp.dns@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-gcp_x_firewall: - index_sorting: False - index_template: - index_patterns: - - "logs-gcp.firewall-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-gcp.firewall@package" - - "logs-gcp.firewall@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-gcp_x_loadbalancing_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-gcp.loadbalancing_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-gcp.loadbalancing_logs@package" - - "logs-gcp.loadbalancing_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-gcp_x_vpcflow: - index_sorting: False - index_template: - index_patterns: - - "logs-gcp.vpcflow-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-gcp.vpcflow@package" - - "logs-gcp.vpcflow@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-github_x_audit: - index_sorting: False - index_template: - index_patterns: - - "logs-github.audit-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-github.audit@package" - - "logs-github.audit@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-github_x_code_scanning: - index_sorting: False - index_template: - index_patterns: - - "logs-github.code_scanning-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-github.code_scanning@package" - - "logs-github.code_scanning@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-github_x_dependabot: - index_sorting: False - index_template: - index_patterns: - - "logs-github.dependabot-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-github.dependabot@package" - - "logs-github.dependabot@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-github_x_issues: - index_sorting: False - index_template: - index_patterns: - - "logs-github.issues-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-github.issues@package" - - "logs-github.issues@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-github_x_secret_scanning: - index_sorting: False - index_template: - index_patterns: - - "logs-github.secret_scanning-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-github.secret_scanning@package" - - "logs-github.secret_scanning@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_access_transparency: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.access_transparency-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.access_transparency@package" - - "logs-google_workspace.access_transparency@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_admin: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.admin-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.admin@package" - - "logs-google_workspace.admin@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_alert: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.alert-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.alert@package" - - "logs-google_workspace.alert@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_context_aware_access: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.context_aware_access-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.context_aware_access@package" - - "logs-google_workspace.context_aware_access@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_device: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.device-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.device@package" - - "logs-google_workspace.device@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_drive: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.drive-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.drive@package" - - "logs-google_workspace.drive@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_gcp: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.gcp-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.gcp@package" - - "logs-google_workspace.gcp@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_group_enterprise: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.group_enterprise-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.group_enterprise@package" - - "logs-google_workspace.group_enterprise@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_groups: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.groups-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.groups@package" - - "logs-google_workspace.groups@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_login: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.login-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.login@package" - - "logs-google_workspace.login@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_rules: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.rules-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.rules@package" - - "logs-google_workspace.rules@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_saml: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.saml-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.saml@package" - - "logs-google_workspace.saml@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_token: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.token-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.token@package" - - "logs-google_workspace.token@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_user_accounts: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.user_accounts-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.user_accounts@package" - - "logs-google_workspace.user_accounts@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-http_endpoint_x_generic: - index_sorting: False - index_template: - index_patterns: - - "logs-http_endpoint.generic-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-http_endpoint.generic@package" - - "logs-http_endpoint.generic@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-httpjson_x_generic: - index_sorting: False - index_template: - index_patterns: - - "logs-httpjson.generic-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-httpjson.generic@package" - - "logs-httpjson.generic@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-juniper_x_junos: - index_sorting: False - index_template: - index_patterns: - - "logs-juniper.junos-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-juniper.junos@package" - - "logs-juniper.junos@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-juniper_x_netscreen: - index_sorting: False - index_template: - index_patterns: - - "logs-juniper.netscreen-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-juniper.netscreen@package" - - "logs-juniper.netscreen@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-juniper_x_srx: - index_sorting: False - index_template: - index_patterns: - - "logs-juniper.srx-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-juniper.srx@package" - - "logs-juniper.srx@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-juniper_srx_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-juniper_srx.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-juniper_srx.log@package" - - "logs-juniper_srx.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-kafka_log_x_generic: - index_sorting: False - index_template: - index_patterns: - - "logs-kafka_log.generic-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-kafka_log.generic@package" - - "logs-kafka_log.generic@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-lastpass_x_detailed_shared_folder: - index_sorting: False - index_template: - index_patterns: - - "logs-lastpass.detailed_shared_folder-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-lastpass.detailed_shared_folder@package" - - "logs-lastpass.detailed_shared_folder@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-lastpass_x_event_report: - index_sorting: False - index_template: - index_patterns: - - "logs-lastpass.event_report-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-lastpass.event_report@package" - - "logs-lastpass.event_report@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-lastpass_x_user: - index_sorting: False - index_template: - index_patterns: - - "logs-lastpass.user-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-lastpass.user@package" - - "logs-lastpass.user@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-m365_defender_x_event: - index_sorting: False - index_template: - index_patterns: - - "logs-m365_defender.event-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-m365_defender.event@package" - - "logs-m365_defender.event@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-m365_defender_x_incident: - index_sorting: False - index_template: - index_patterns: - - "logs-m365_defender.incident-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-m365_defender.incident@package" - - "logs-m365_defender.incident@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-m365_defender_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-m365_defender.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-m365_defender.log@package" - - "logs-m365_defender.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-microsoft_defender_endpoint_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-microsoft_defender_endpoint.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-microsoft_defender_endpoint.log@package" - - "logs-microsoft_defender_endpoint.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-microsoft_dhcp_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-microsoft_dhcp.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-microsoft_dhcp.log@package" - - "logs-microsoft_dhcp.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-netflow_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-netflow.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-netflow.log@package" - - "logs-netflow.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-o365_x_audit: - index_sorting: False - index_template: - index_patterns: - - "logs-o365.audit-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-o365.audit@package" - - "logs-o365.audit@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-okta_x_system: - index_sorting: False - index_template: - index_patterns: - - "logs-okta.system-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-okta.system@package" - - "logs-okta.system@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-panw_x_panos: - index_sorting: False - index_template: - index_patterns: - - "logs-panw.panos-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-panw.panos@package" - - "logs-panw.panos@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-pfsense_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-pfsense.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-pfsense.log@package" - - "logs-pfsense.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-sentinel_one_x_activity: - index_sorting: False - index_template: - index_patterns: - - "logs-sentinel_one.activity-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-sentinel_one.activity@package" - - "logs-sentinel_one.activity@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-sentinel_one_x_agent: - index_sorting: False - index_template: - index_patterns: - - "logs-sentinel_one.agent-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-sentinel_one.agent@package" - - "logs-sentinel_one.agent@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-sentinel_one_x_alert: - index_sorting: False - index_template: - index_patterns: - - "logs-sentinel_one.alert-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-sentinel_one.alert@package" - - "logs-sentinel_one.alert@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-sentinel_one_x_group: - index_sorting: False - index_template: - index_patterns: - - "logs-sentinel_one.group-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-sentinel_one.group@package" - - "logs-sentinel_one.group@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-sentinel_one_x_threat: - index_sorting: False - index_template: - index_patterns: - - "logs-sentinel_one.threat-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-sentinel_one.threat@package" - - "logs-sentinel_one.threat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-sonicwall_firewall_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-sonicwall_firewall.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-sonicwall_firewall.log@package" - - "logs-sonicwall_firewall.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-symantec_endpoint_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-symantec_endpoint.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-symantec_endpoint.log@package" - - "logs-symantec_endpoint.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-ti_abusech_x_malware: - index_sorting: False - index_template: - index_patterns: - - "logs-ti_abusech.malware-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-ti_abusech.malware@package" - - "logs-ti_abusech.malware@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-ti_abusech_x_malwarebazaar: - index_sorting: False - index_template: - index_patterns: - - "logs-ti_abusech.malwarebazaar-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-ti_abusech.malwarebazaar@package" - - "logs-ti_abusech.malwarebazaar@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-ti_abusech_x_threatfox: - index_sorting: False - index_template: - index_patterns: - - "logs-ti_abusech.threatfox-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-ti_abusech.threatfox@package" - - "logs-ti_abusech.threatfox@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-ti_abusech_x_url: - index_sorting: False - index_template: - index_patterns: - - "logs-ti_abusech.url-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-ti_abusech.url@package" - - "logs-ti_abusech.url@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-ti_misp_x_threat: - index_sorting: False - index_template: - index_patterns: - - "logs-ti_misp.threat-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-ti_misp.threat@package" - - "logs-ti_misp.threat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-ti_misp_x_threat_attributes: - index_sorting: False - index_template: - index_patterns: - - "logs-ti_misp.threat_attributes-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-ti_misp.threat_attributes@package" - - "logs-ti_misp.threat_attributes@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-ti_otx_x_threat: - index_sorting: False - index_template: - index_patterns: - - "logs-ti_otx.threat-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-ti_otx.threat@package" - - "logs-ti_otx.threat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-ti_recordedfuture_x_latest_ioc-template: - index_sorting: False - index_template: - index_patterns: - - "logs-ti_recordedfuture.latest_ioc-template-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-ti_recordedfuture.latest_ioc-template@package" - - "logs-ti_recordedfuture.latest_ioc-template@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-ti_recordedfuture_x_threat: - index_sorting: False - index_template: - index_patterns: - - "logs-ti_recordedfuture.threat-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-ti_recordedfuture.threat@package" - - "logs-ti_recordedfuture.threat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-zscaler_zia_x_alerts: - index_sorting: False - index_template: - index_patterns: - - "logs-zscaler_zia.alerts-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-zscaler_zia.alerts@package" - - "logs-zscaler_zia.alerts@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-zscaler_zia_x_dns: - index_sorting: False - index_template: - index_patterns: - - "logs-zscaler_zia.dns-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-zscaler_zia.dns@package" - - "logs-zscaler_zia.dns@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-zscaler_zia_x_firewall: - index_sorting: False - index_template: - index_patterns: - - "logs-zscaler_zia.firewall-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-zscaler_zia.firewall@package" - - "logs-zscaler_zia.firewall@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-zscaler_zia_x_tunnel: - index_sorting: False - index_template: - index_patterns: - - "logs-zscaler_zia.tunnel-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-zscaler_zia.tunnel@package" - - "logs-zscaler_zia.tunnel@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-zscaler_zia_x_web: - index_sorting: False - index_template: - index_patterns: - - "logs-zscaler_zia.web-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-zscaler_zia.web@package" - - "logs-zscaler_zia.web@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-zscaler_zpa_x_app_connector_status: - index_sorting: False - index_template: - index_patterns: - - "logs-zscaler_zpa.app_connector_status-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-zscaler_zpa.app_connector_status@package" - - "logs-zscaler_zpa.app_connector_status@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-zscaler_zpa_x_audit: - index_sorting: False - index_template: - index_patterns: - - "logs-zscaler_zpa.audit-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-zscaler_zpa.audit@package" - - "logs-zscaler_zpa.audit@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-zscaler_zpa_x_browser_access: - index_sorting: False - index_template: - index_patterns: - - "logs-zscaler_zpa.browser_access-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-zscaler_zpa.browser_access@package" - - "logs-zscaler_zpa.browser_access@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-zscaler_zpa_x_user_activity: - index_sorting: False - index_template: - index_patterns: - - "logs-zscaler_zpa.user_activity-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-zscaler_zpa.user_activity@package" - - "logs-zscaler_zpa.user_activity@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-zscaler_zpa_x_user_status: - index_sorting: False - index_template: - index_patterns: - - "logs-zscaler_zpa.user_status-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-zscaler_zpa.user_status@package" - - "logs-zscaler_zpa.user_status@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-1password_x_item_usages: - index_sorting: False - index_template: - index_patterns: - - "logs-1password.item_usages-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-1password.item_usages@package" - - "logs-1password.item_usages@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-1password_x_signin_attempts: - index_sorting: False - index_template: - index_patterns: - - "logs-1password.signin_attempts-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-1password.signin_attempts@package" - - "logs-1password.signin_attempts@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-osquery-manager-actions: - index_sorting: False - index_template: - index_patterns: - - ".logs-osquery_manager.actions*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-osquery_manager.actions" - priority: 501 - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-osquery-manager-action_x_responses: - index_sorting: False - index_template: - index_patterns: - - ".logs-osquery_manager.action.responses*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-osquery_manager.action.responses" - priority: 501 - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent_x_apm_server: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.apm_server-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - composed_of: - - "logs-elastic_agent.apm_server@package" - - "logs-elastic_agent.apm_server@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: + min_age: 365d hot: - min_age: 0ms actions: - set_priority: - priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent_x_auditbeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.auditbeat-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - composed_of: - - "logs-elastic_agent.auditbeat@package" - - "logs-elastic_agent.auditbeat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: set_priority: priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent_x_cloudbeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.cloudbeat-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - composed_of: - - "logs-elastic_agent.cloudbeat@package" - - "logs-elastic_agent.cloudbeat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - policy: - phases: - hot: min_age: 0ms + warm: actions: set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: + priority: 50 min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent_x_endpoint_security: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.endpoint_security-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-elastic_agent.endpoint_security@package" - - "logs-elastic_agent.endpoint_security@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-endpoint_x_alerts: - index_sorting: False - index_template: - index_patterns: - - "logs-endpoint.alerts-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-endpoint.alerts@custom" - - "logs-endpoint.alerts@package" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-endpoint_x_events_x_api: - index_sorting: False - index_template: - index_patterns: - - "logs-endpoint.events.api-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-endpoint.events.api@custom" - - "logs-endpoint.events.api@package" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-endpoint_x_events_x_file: - index_sorting: False - index_template: - index_patterns: - - "logs-endpoint.events.file-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-endpoint.events.file@custom" - - "logs-endpoint.events.file@package" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-endpoint_x_events_x_library: - index_sorting: False - index_template: - index_patterns: - - "logs-endpoint.events.library-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-endpoint.events.library@custom" - - "logs-endpoint.events.library@package" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-endpoint_x_events_x_network: - index_sorting: False - index_template: - index_patterns: - - "logs-endpoint.events.network-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-endpoint.events.network@custom" - - "logs-endpoint.events.network@package" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-endpoint_x_events_x_process: - index_sorting: False - index_template: - index_patterns: - - "logs-endpoint.events.process-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-endpoint.events.process@custom" - - "logs-endpoint.events.process@package" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-endpoint_x_events_x_registry: - index_sorting: False - index_template: - index_patterns: - - "logs-endpoint.events.registry-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-endpoint.events.registry@custom" - - "logs-endpoint.events.registry@package" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-endpoint_x_events_x_security: - index_sorting: False - index_template: - index_patterns: - - "logs-endpoint.events.security-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-endpoint.events.security@custom" - - "logs-endpoint.events.security@package" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent_x_filebeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.filebeat-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-elastic_agent.filebeat@package" - - "logs-elastic_agent.filebeat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent_x_fleet_server: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.fleet_server-*" - template: - settings: - index: - number_of_replicas: 0 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-elastic_agent.fleet_server@package" - - "logs-elastic_agent.fleet_server@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent_x_heartbeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.heartbeat-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - composed_of: - - "logs-elastic_agent.heartbeat@package" - - "logs-elastic_agent.heartbeat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - composed_of: - - "event-mappings" - - "logs-elastic_agent@package" - - "logs-elastic_agent@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent_x_metricbeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.metricbeat-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-elastic_agent.metricbeat@package" - - "logs-elastic_agent.metricbeat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent_x_osquerybeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.osquerybeat-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-elastic_agent.osquerybeat@package" - - "logs-elastic_agent.osquerybeat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent_x_packetbeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.packetbeat-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - composed_of: - - "logs-elastic_agent.packetbeat@package" - - "logs-elastic_agent.packetbeat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true so-case: - index_sorting: False + index_sorting: false index_template: + composed_of: + - case-mappings + - case-settings index_patterns: - - so-case* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 1500 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - case-mappings - - case-settings + - so-case* priority: 500 - so-common: - warm: 7 - close: 30 - delete: 365 - index_sorting: False - index_template: - data_stream: {} - index_patterns: - - logs-*-so* template: mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - syslog-mappings - - dtc-syslog-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - - winlog-mappings - priority: 1 - so-endgame: - index_sorting: False - index_template: - index_patterns: - - endgame* - template: - mappings: dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - endgame-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - - winlog-mappings - priority: 500 - so-idh: - warm: 7 - close: 30 - delete: 365 - index_sorting: False - index_template: - index_patterns: - - so-idh-* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - container-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-suricata: - index_sorting: False - index_template: - data_stream: {} - index_patterns: - - logs-suricata-so* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string settings: index: lifecycle: - name: so-suricata-logs + name: so-case-logs mapping: total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 + limit: 1500 number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - suricata-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc policy: phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb cold: - min_age: 30d actions: set_priority: priority: 0 + min_age: 30d delete: - min_age: 365d actions: delete: {} - so-import: - index_sorting: False + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-common: + close: 30 + delete: 365 + index_sorting: false index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - syslog-mappings + - dtc-syslog-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - common-settings + - common-dynamic-mappings + - winlog-mappings data_stream: {} index_patterns: - - logs-import-so* + - logs-*-so* + priority: 1 template: mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string settings: index: + lifecycle: + name: so-common-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + warm: 7 + so-endgame: + index_sorting: false + index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - endgame-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - common-settings + - common-dynamic-mappings + - winlog-mappings + index_patterns: + - endgame* + priority: 500 + template: + mappings: + date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string + settings: + index: + lifecycle: + name: so-endgame-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-idh: + close: 30 + delete: 365 + index_sorting: false + index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - container-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - threat-mappings + - tls-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - common-settings + - common-dynamic-mappings + index_patterns: + - so-idh-* + priority: 500 + template: + mappings: + date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string + settings: + index: + lifecycle: + name: so-idh-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + warm: 7 + so-import: + index_sorting: false + index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - common-settings + - common-dynamic-mappings + - winlog-mappings + data_stream: {} + index_patterns: + - logs-import-so* + priority: 500 + template: + mappings: + date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string + settings: + index: + final_pipeline: .fleet_final_pipeline-1 lifecycle: name: so-import-logs mapping: total_fields: limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 number_of_replicas: 0 - final_pipeline: ".fleet_final_pipeline-1" - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - - winlog-mappings - priority: 500 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc policy: phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb cold: - min_age: 30d actions: set_priority: priority: 0 + min_age: 30d delete: - min_age: 365d actions: delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-kratos: - warm: 7 close: 30 delete: 365 - index_sorting: False + index_sorting: false index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - container-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - threat-mappings + - tls-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - common-settings + - common-dynamic-mappings data_stream: - hidden: false allow_custom_routing: false + hidden: false index_patterns: - - logs-kratos-so* + - logs-kratos-so* + priority: 500 template: mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string settings: index: + lifecycle: + name: so-kratos-logs mapping: total_fields: limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - container-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - common-settings - - common-dynamic-mappings - priority: 500 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc policy: phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb cold: - min_age: 30d actions: set_priority: priority: 0 + min_age: 30d delete: - min_age: 365d actions: delete: {} - so-logstash: - index_sorting: False + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + warm: 7 + so-logs: + index_sorting: false index_template: + composed_of: + - so-data-streams-mappings + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + - so-logs-mappings + - so-logs-settings + data_stream: + allow_custom_routing: false + hidden: false index_patterns: - - logs-logstash-default* + - logs-*-* + priority: 225 + template: + mappings: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + settings: + index: + lifecycle: + name: so-logs-logs + mapping: + total_fields: + limit: 5001 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-1password_x_item_usages: + index_sorting: false + index_template: + composed_of: + - logs-1password.item_usages@package + - logs-1password.item_usages@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-1password.item_usages-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-1password.item_usages-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-1password_x_signin_attempts: + index_sorting: false + index_template: + composed_of: + - logs-1password.signin_attempts@package + - logs-1password.signin_attempts@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-1password.signin_attempts-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-1password.signin_attempts-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-apache_x_access: + index_sorting: false + index_template: + composed_of: + - logs-apache.access@package + - logs-apache.access@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-apache.access-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-apache.access-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-apache_x_error: + index_sorting: false + index_template: + composed_of: + - logs-apache.error@package + - logs-apache.error@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-apache.error-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-apache.error-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-auditd_x_log: + index_sorting: false + index_template: + composed_of: + - logs-auditd.log@package + - logs-auditd.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-auditd.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-auditd.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-auth0_x_logs: + index_sorting: false + index_template: + composed_of: + - logs-auth0.logs@package + - logs-auth0.logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-auth0.logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-auth0.logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_cloudtrail: + index_sorting: false + index_template: + composed_of: + - logs-aws.cloudtrail@package + - logs-aws.cloudtrail@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-aws.cloudtrail-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-aws.cloudtrail-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_cloudwatch_logs: + index_sorting: false + index_template: + composed_of: + - logs-aws.cloudwatch_logs@package + - logs-aws.cloudwatch_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-aws.cloudwatch_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-aws.cloudwatch_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_ec2_logs: + index_sorting: false + index_template: + composed_of: + - logs-aws.ec2_logs@package + - logs-aws.ec2_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-aws.ec2_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-aws.ec2_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_elb_logs: + index_sorting: false + index_template: + composed_of: + - logs-aws.elb_logs@package + - logs-aws.elb_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-aws.elb_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-aws.elb_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_firewall_logs: + index_sorting: false + index_template: + composed_of: + - logs-aws.firewall_logs@package + - logs-aws.firewall_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-aws.firewall_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-aws.firewall_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_route53_public_logs: + index_sorting: false + index_template: + composed_of: + - logs-aws.route53_public_logs@package + - logs-aws.route53_public_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-aws.route53_public_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-aws.route53_public_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_route53_resolver_logs: + index_sorting: false + index_template: + composed_of: + - logs-aws.route53_resolver_logs@package + - logs-aws.route53_resolver_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-aws.route53_resolver_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-aws.route53_resolver_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_s3access: + index_sorting: false + index_template: + composed_of: + - logs-aws.s3access@package + - logs-aws.s3access@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-aws.s3access-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-aws.s3access-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_vpcflow: + index_sorting: false + index_template: + composed_of: + - logs-aws.vpcflow@package + - logs-aws.vpcflow@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-aws.vpcflow-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-aws.vpcflow-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_waf: + index_sorting: false + index_template: + composed_of: + - logs-aws.waf@package + - logs-aws.waf@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-aws.waf-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-aws.waf-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-azure_x_activitylogs: + index_sorting: false + index_template: + composed_of: + - logs-azure.activitylogs@package + - logs-azure.activitylogs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-azure.activitylogs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-azure.activitylogs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-azure_x_application_gateway: + index_sorting: false + index_template: + composed_of: + - logs-azure.application_gateway@package + - logs-azure.application_gateway@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-azure.application_gateway-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-azure.application_gateway-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-azure_x_auditlogs: + index_sorting: false + index_template: + composed_of: + - logs-azure.auditlogs@package + - logs-azure.auditlogs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-azure.auditlogs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-azure.auditlogs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-azure_x_eventhub: + index_sorting: false + index_template: + composed_of: + - logs-azure.eventhub@package + - logs-azure.eventhub@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-azure.eventhub-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-azure.eventhub-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-azure_x_firewall_logs: + index_sorting: false + index_template: + composed_of: + - logs-azure.firewall_logs@package + - logs-azure.firewall_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-azure.firewall_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-azure.firewall_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-azure_x_identity_protection: + index_sorting: false + index_template: + composed_of: + - logs-azure.identity_protection@package + - logs-azure.identity_protection@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-azure.identity_protection-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-azure.identity_protection-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-azure_x_platformlogs: + index_sorting: false + index_template: + composed_of: + - logs-azure.platformlogs@package + - logs-azure.platformlogs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-azure.platformlogs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-azure.platformlogs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-azure_x_provisioning: + index_sorting: false + index_template: + composed_of: + - logs-azure.provisioning@package + - logs-azure.provisioning@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-azure.provisioning-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-azure.provisioning-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-azure_x_signinlogs: + index_sorting: false + index_template: + composed_of: + - logs-azure.signinlogs@package + - logs-azure.signinlogs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-azure.signinlogs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-azure.signinlogs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-azure_x_springcloudlogs: + index_sorting: false + index_template: + composed_of: + - logs-azure.springcloudlogs@package + - logs-azure.springcloudlogs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-azure.springcloudlogs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-azure.springcloudlogs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-barracuda_x_waf: + index_sorting: false + index_template: + composed_of: + - logs-barracuda.waf@package + - logs-barracuda.waf@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-barracuda.waf-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-barracuda.waf-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-carbonblack_edr_x_log: + index_sorting: false + index_template: + composed_of: + - logs-carbonblack_edr.log@package + - logs-carbonblack_edr.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-carbonblack_edr.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-carbonblack_edr.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cisco_asa_x_log: + index_sorting: false + index_template: + composed_of: + - logs-cisco_asa.log@package + - logs-cisco_asa.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cisco_asa.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cisco_asa.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cisco_duo_x_admin: + index_sorting: false + index_template: + composed_of: + - logs-cisco_duo.admin@package + - logs-cisco_duo.admin@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cisco_duo.admin-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cisco_duo.admin-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cisco_duo_x_auth: + index_sorting: false + index_template: + composed_of: + - logs-cisco_duo.auth@package + - logs-cisco_duo.auth@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cisco_duo.auth-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cisco_duo.auth-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cisco_duo_x_offline_enrollment: + index_sorting: false + index_template: + composed_of: + - logs-cisco_duo.offline_enrollment@package + - logs-cisco_duo.offline_enrollment@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cisco_duo.offline_enrollment-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cisco_duo.offline_enrollment-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cisco_duo_x_summary: + index_sorting: false + index_template: + composed_of: + - logs-cisco_duo.summary@package + - logs-cisco_duo.summary@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cisco_duo.summary-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cisco_duo.summary-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cisco_duo_x_telephony: + index_sorting: false + index_template: + composed_of: + - logs-cisco_duo.telephony@package + - logs-cisco_duo.telephony@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cisco_duo.telephony-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cisco_duo.telephony-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cisco_meraki_x_events: + index_sorting: false + index_template: + composed_of: + - logs-cisco_meraki.events@package + - logs-cisco_meraki.events@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cisco_meraki.events-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cisco_meraki.events-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cisco_meraki_x_log: + index_sorting: false + index_template: + composed_of: + - logs-cisco_meraki.log@package + - logs-cisco_meraki.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cisco_meraki.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cisco_meraki.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cisco_umbrella_x_log: + index_sorting: false + index_template: + composed_of: + - logs-cisco_umbrella.log@package + - logs-cisco_umbrella.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cisco_umbrella.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cisco_umbrella.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cloudflare_x_audit: + index_sorting: false + index_template: + composed_of: + - logs-cloudflare.audit@package + - logs-cloudflare.audit@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cloudflare.audit-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cloudflare.audit-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cloudflare_x_logpull: + index_sorting: false + index_template: + composed_of: + - logs-cloudflare.logpull@package + - logs-cloudflare.logpull@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cloudflare.logpull-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cloudflare.logpull-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-crowdstrike_x_falcon: + index_sorting: false + index_template: + composed_of: + - logs-crowdstrike.falcon@package + - logs-crowdstrike.falcon@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-crowdstrike.falcon-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-crowdstrike.falcon-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-crowdstrike_x_fdr: + index_sorting: false + index_template: + composed_of: + - logs-crowdstrike.fdr@package + - logs-crowdstrike.fdr@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-crowdstrike.fdr-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-crowdstrike.fdr-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-darktrace_x_ai_analyst_alert: + index_sorting: false + index_template: + composed_of: + - logs-darktrace.ai_analyst_alert@package + - logs-darktrace.ai_analyst_alert@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-darktrace.ai_analyst_alert-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-darktrace.ai_analyst_alert-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-darktrace_x_model_breach_alert: + index_sorting: false + index_template: + composed_of: + - logs-darktrace.model_breach_alert@package + - logs-darktrace.model_breach_alert@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-darktrace.model_breach_alert-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-darktrace.model_breach_alert-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-darktrace_x_system_status_alert: + index_sorting: false + index_template: + composed_of: + - logs-darktrace.system_status_alert@package + - logs-darktrace.system_status_alert@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-darktrace.system_status_alert-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-darktrace.system_status_alert-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-elastic_agent@package + - logs-elastic_agent@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-elastic_agent-* + priority: 501 + template: + mappings: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + settings: + index: + lifecycle: + name: so-logs-elastic_agent-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent_x_apm_server: + index_sorting: false + index_template: + composed_of: + - logs-elastic_agent.apm_server@package + - logs-elastic_agent.apm_server@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-elastic_agent.apm_server-* + priority: 501 + template: + mappings: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + settings: + index: + lifecycle: + name: so-logs-elastic_agent.apm_server-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent_x_auditbeat: + index_sorting: false + index_template: + composed_of: + - logs-elastic_agent.auditbeat@package + - logs-elastic_agent.auditbeat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-elastic_agent.auditbeat-* + priority: 501 + template: + mappings: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + settings: + index: + lifecycle: + name: so-logs-elastic_agent.auditbeat-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent_x_cloudbeat: + index_sorting: false + index_template: + composed_of: + - logs-elastic_agent.cloudbeat@package + - logs-elastic_agent.cloudbeat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + index_patterns: + - logs-elastic_agent.cloudbeat-* + priority: 501 + template: + mappings: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + settings: + index: + lifecycle: + name: so-logs-elastic_agent.cloudbeat-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent_x_endpoint_security: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-elastic_agent.endpoint_security@package + - logs-elastic_agent.endpoint_security@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-elastic_agent.endpoint_security-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-elastic_agent.endpoint_security-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent_x_filebeat: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-elastic_agent.filebeat@package + - logs-elastic_agent.filebeat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-elastic_agent.filebeat-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-elastic_agent.filebeat-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent_x_fleet_server: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-elastic_agent.fleet_server@package + - logs-elastic_agent.fleet_server@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-elastic_agent.fleet_server-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-elastic_agent.fleet_server-logs + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent_x_heartbeat: + index_sorting: false + index_template: + composed_of: + - logs-elastic_agent.heartbeat@package + - logs-elastic_agent.heartbeat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + index_patterns: + - logs-elastic_agent.heartbeat-* + priority: 501 + template: + mappings: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + settings: + index: + lifecycle: + name: so-logs-elastic_agent.heartbeat-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent_x_metricbeat: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-elastic_agent.metricbeat@package + - logs-elastic_agent.metricbeat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-elastic_agent.metricbeat-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-elastic_agent.metricbeat-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent_x_osquerybeat: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-elastic_agent.osquerybeat@package + - logs-elastic_agent.osquerybeat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-elastic_agent.osquerybeat-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-elastic_agent.osquerybeat-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent_x_packetbeat: + index_sorting: false + index_template: + composed_of: + - logs-elastic_agent.packetbeat@package + - logs-elastic_agent.packetbeat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-elastic_agent.packetbeat-* + priority: 501 + template: + mappings: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + settings: + index: + lifecycle: + name: so-logs-elastic_agent.packetbeat-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-endpoint_x_alerts: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-endpoint.alerts@custom + - logs-endpoint.alerts@package + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-endpoint.alerts-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.alerts-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-endpoint_x_events_x_api: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-endpoint.events.api@custom + - logs-endpoint.events.api@package + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-endpoint.events.api-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.events.api-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-endpoint_x_events_x_file: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-endpoint.events.file@custom + - logs-endpoint.events.file@package + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-endpoint.events.file-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.events.file-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-endpoint_x_events_x_library: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-endpoint.events.library@custom + - logs-endpoint.events.library@package + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-endpoint.events.library-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.events.library-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-endpoint_x_events_x_network: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-endpoint.events.network@custom + - logs-endpoint.events.network@package + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-endpoint.events.network-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.events.network-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-endpoint_x_events_x_process: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-endpoint.events.process@custom + - logs-endpoint.events.process@package + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-endpoint.events.process-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.events.process-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-endpoint_x_events_x_registry: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-endpoint.events.registry@custom + - logs-endpoint.events.registry@package + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-endpoint.events.registry-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.events.registry-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-endpoint_x_events_x_security: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-endpoint.events.security@custom + - logs-endpoint.events.security@package + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-endpoint.events.security-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.events.security-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-f5_bigip_x_log: + index_sorting: false + index_template: + composed_of: + - logs-f5_bigip.log@package + - logs-f5_bigip.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-f5_bigip.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-f5_bigip.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-fim_x_event: + index_sorting: false + index_template: + composed_of: + - logs-fim.event@package + - logs-fim.event@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-fim.event-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-fim.event-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-fireeye_x_nx: + index_sorting: false + index_template: + composed_of: + - logs-fireeye.nx@package + - logs-fireeye.nx@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-fireeye.nx-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-fireeye.nx-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-fortinet_fortigate_x_log: + index_sorting: false + index_template: + composed_of: + - logs-fortinet_fortigate.log@package + - logs-fortinet_fortigate.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-fortinet_fortigate.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-fortinet_fortigate.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-fortinet_x_clientendpoint: + index_sorting: false + index_template: + composed_of: + - logs-fortinet.clientendpoint@package + - logs-fortinet.clientendpoint@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-fortinet.clientendpoint-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-fortinet.clientendpoint-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-fortinet_x_firewall: + index_sorting: false + index_template: + composed_of: + - logs-fortinet.firewall@package + - logs-fortinet.firewall@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-fortinet.firewall-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-fortinet.firewall-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-fortinet_x_fortimail: + index_sorting: false + index_template: + composed_of: + - logs-fortinet.fortimail@package + - logs-fortinet.fortimail@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-fortinet.fortimail-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-fortinet.fortimail-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-fortinet_x_fortimanager: + index_sorting: false + index_template: + composed_of: + - logs-fortinet.fortimanager@package + - logs-fortinet.fortimanager@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-fortinet.fortimanager-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-fortinet.fortimanager-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-gcp_x_audit: + index_sorting: false + index_template: + composed_of: + - logs-gcp.audit@package + - logs-gcp.audit@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-gcp.audit-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-gcp.audit-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-gcp_x_dns: + index_sorting: false + index_template: + composed_of: + - logs-gcp.dns@package + - logs-gcp.dns@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-gcp.dns-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-gcp.dns-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-gcp_x_firewall: + index_sorting: false + index_template: + composed_of: + - logs-gcp.firewall@package + - logs-gcp.firewall@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-gcp.firewall-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-gcp.firewall-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-gcp_x_loadbalancing_logs: + index_sorting: false + index_template: + composed_of: + - logs-gcp.loadbalancing_logs@package + - logs-gcp.loadbalancing_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-gcp.loadbalancing_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-gcp.loadbalancing_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-gcp_x_vpcflow: + index_sorting: false + index_template: + composed_of: + - logs-gcp.vpcflow@package + - logs-gcp.vpcflow@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-gcp.vpcflow-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-gcp.vpcflow-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-github_x_audit: + index_sorting: false + index_template: + composed_of: + - logs-github.audit@package + - logs-github.audit@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-github.audit-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-github.audit-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-github_x_code_scanning: + index_sorting: false + index_template: + composed_of: + - logs-github.code_scanning@package + - logs-github.code_scanning@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-github.code_scanning-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-github.code_scanning-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-github_x_dependabot: + index_sorting: false + index_template: + composed_of: + - logs-github.dependabot@package + - logs-github.dependabot@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-github.dependabot-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-github.dependabot-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-github_x_issues: + index_sorting: false + index_template: + composed_of: + - logs-github.issues@package + - logs-github.issues@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-github.issues-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-github.issues-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-github_x_secret_scanning: + index_sorting: false + index_template: + composed_of: + - logs-github.secret_scanning@package + - logs-github.secret_scanning@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-github.secret_scanning-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-github.secret_scanning-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_access_transparency: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.access_transparency@package + - logs-google_workspace.access_transparency@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.access_transparency-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.access_transparency-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_admin: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.admin@package + - logs-google_workspace.admin@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.admin-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.admin-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_alert: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.alert@package + - logs-google_workspace.alert@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.alert-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.alert-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_context_aware_access: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.context_aware_access@package + - logs-google_workspace.context_aware_access@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.context_aware_access-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.context_aware_access-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_device: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.device@package + - logs-google_workspace.device@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.device-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.device-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_drive: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.drive@package + - logs-google_workspace.drive@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.drive-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.drive-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_gcp: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.gcp@package + - logs-google_workspace.gcp@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.gcp-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.gcp-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_group_enterprise: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.group_enterprise@package + - logs-google_workspace.group_enterprise@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.group_enterprise-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.group_enterprise-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_groups: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.groups@package + - logs-google_workspace.groups@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.groups-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.groups-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_login: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.login@package + - logs-google_workspace.login@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.login-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.login-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_rules: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.rules@package + - logs-google_workspace.rules@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.rules-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.rules-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_saml: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.saml@package + - logs-google_workspace.saml@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.saml-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.saml-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_token: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.token@package + - logs-google_workspace.token@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.token-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.token-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_user_accounts: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.user_accounts@package + - logs-google_workspace.user_accounts@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.user_accounts-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.user_accounts-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-http_endpoint_x_generic: + index_sorting: false + index_template: + composed_of: + - logs-http_endpoint.generic@package + - logs-http_endpoint.generic@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-http_endpoint.generic-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-http_endpoint.generic-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-httpjson_x_generic: + index_sorting: false + index_template: + composed_of: + - logs-httpjson.generic@package + - logs-httpjson.generic@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-httpjson.generic-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-httpjson.generic-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-juniper_srx_x_log: + index_sorting: false + index_template: + composed_of: + - logs-juniper_srx.log@package + - logs-juniper_srx.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-juniper_srx.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-juniper_srx.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-juniper_x_junos: + index_sorting: false + index_template: + composed_of: + - logs-juniper.junos@package + - logs-juniper.junos@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-juniper.junos-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-juniper.junos-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-juniper_x_netscreen: + index_sorting: false + index_template: + composed_of: + - logs-juniper.netscreen@package + - logs-juniper.netscreen@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-juniper.netscreen-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-juniper.netscreen-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-juniper_x_srx: + index_sorting: false + index_template: + composed_of: + - logs-juniper.srx@package + - logs-juniper.srx@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-juniper.srx-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-juniper.srx-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-kafka_log_x_generic: + index_sorting: false + index_template: + composed_of: + - logs-kafka_log.generic@package + - logs-kafka_log.generic@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-kafka_log.generic-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-kafka_log.generic-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-lastpass_x_detailed_shared_folder: + index_sorting: false + index_template: + composed_of: + - logs-lastpass.detailed_shared_folder@package + - logs-lastpass.detailed_shared_folder@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-lastpass.detailed_shared_folder-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-lastpass.detailed_shared_folder-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-lastpass_x_event_report: + index_sorting: false + index_template: + composed_of: + - logs-lastpass.event_report@package + - logs-lastpass.event_report@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-lastpass.event_report-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-lastpass.event_report-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-lastpass_x_user: + index_sorting: false + index_template: + composed_of: + - logs-lastpass.user@package + - logs-lastpass.user@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-lastpass.user-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-lastpass.user-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-m365_defender_x_event: + index_sorting: false + index_template: + composed_of: + - logs-m365_defender.event@package + - logs-m365_defender.event@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-m365_defender.event-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-m365_defender.event-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-m365_defender_x_incident: + index_sorting: false + index_template: + composed_of: + - logs-m365_defender.incident@package + - logs-m365_defender.incident@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-m365_defender.incident-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-m365_defender.incident-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-m365_defender_x_log: + index_sorting: false + index_template: + composed_of: + - logs-m365_defender.log@package + - logs-m365_defender.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-m365_defender.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-m365_defender.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-microsoft_defender_endpoint_x_log: + index_sorting: false + index_template: + composed_of: + - logs-microsoft_defender_endpoint.log@package + - logs-microsoft_defender_endpoint.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-microsoft_defender_endpoint.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-microsoft_defender_endpoint.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-microsoft_dhcp_x_log: + index_sorting: false + index_template: + composed_of: + - logs-microsoft_dhcp.log@package + - logs-microsoft_dhcp.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-microsoft_dhcp.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-microsoft_dhcp.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-mimecast_x_audit_events: + index_sorting: false + index_template: + composed_of: + - logs-mimecast.audit_events@package + - logs-mimecast.audit_events@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-mimecast.audit_events-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-mimecast.audit_events-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-mimecast_x_dlp_logs: + index_sorting: false + index_template: + composed_of: + - logs-mimecast.dlp_logs@package + - logs-mimecast.dlp_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-mimecast.dlp_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-mimecast.dlp_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-mimecast_x_siem_logs: + index_sorting: false + index_template: + composed_of: + - logs-mimecast.siem_logs@package + - logs-mimecast.siem_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-mimecast.siem_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-mimecast.siem_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-mimecast_x_threat_intel_malware_customer: + index_sorting: false + index_template: + composed_of: + - logs-mimecast.threat_intel_malware_customer@package + - logs-mimecast.threat_intel_malware_customer@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-mimecast.threat_intel_malware_customer-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-mimecast.threat_intel_malware_customer-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-mimecast_x_threat_intel_malware_grid: + index_sorting: false + index_template: + composed_of: + - logs-mimecast.threat_intel_malware_grid@package + - logs-mimecast.threat_intel_malware_grid@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-mimecast.threat_intel_malware_grid-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-mimecast.threat_intel_malware_grid-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-mimecast_x_ttp_ap_logs: + index_sorting: false + index_template: + composed_of: + - logs-mimecast.ttp_ap_logs@package + - logs-mimecast.ttp_ap_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-mimecast.ttp_ap_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-mimecast.ttp_ap_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-mimecast_x_ttp_ip_logs: + index_sorting: false + index_template: + composed_of: + - logs-mimecast.ttp_ip_logs@package + - logs-mimecast.ttp_ip_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-mimecast.ttp_ip_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-mimecast.ttp_ip_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-mimecast_x_ttp_url_logs: + index_sorting: false + index_template: + composed_of: + - logs-mimecast.ttp_url_logs@package + - logs-mimecast.ttp_url_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-mimecast.ttp_url_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-mimecast.ttp_url_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-netflow_x_log: + index_sorting: false + index_template: + composed_of: + - logs-netflow.log@package + - logs-netflow.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-netflow.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-netflow.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-o365_x_audit: + index_sorting: false + index_template: + composed_of: + - logs-o365.audit@package + - logs-o365.audit@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-o365.audit-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-o365.audit-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-okta_x_system: + index_sorting: false + index_template: + composed_of: + - logs-okta.system@package + - logs-okta.system@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-okta.system-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-okta.system-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-osquery-manager-action_x_responses: + index_sorting: false + index_template: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + composed_of: + - logs-osquery_manager.action.responses + index_patterns: + - .logs-osquery_manager.action.responses* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-osquery-manager-action.responses-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-osquery-manager-actions: + index_sorting: false + index_template: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + composed_of: + - logs-osquery_manager.actions + index_patterns: + - .logs-osquery_manager.actions* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-osquery-manager-actions-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-panw_x_panos: + index_sorting: false + index_template: + composed_of: + - logs-panw.panos@package + - logs-panw.panos@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-panw.panos-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-panw.panos-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-pfsense_x_log: + index_sorting: false + index_template: + composed_of: + - logs-pfsense.log@package + - logs-pfsense.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-pfsense.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-pfsense.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-pulse_connect_secure_x_log: + index_sorting: false + index_template: + composed_of: + - logs-pulse_connect_secure.log@package + - logs-pulse_connect_secure.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-pulse_connect_secure.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-pulse_connect_secure.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-sentinel_one_x_activity: + index_sorting: false + index_template: + composed_of: + - logs-sentinel_one.activity@package + - logs-sentinel_one.activity@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-sentinel_one.activity-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-sentinel_one.activity-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-sentinel_one_x_agent: + index_sorting: false + index_template: + composed_of: + - logs-sentinel_one.agent@package + - logs-sentinel_one.agent@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-sentinel_one.agent-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-sentinel_one.agent-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-sentinel_one_x_alert: + index_sorting: false + index_template: + composed_of: + - logs-sentinel_one.alert@package + - logs-sentinel_one.alert@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-sentinel_one.alert-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-sentinel_one.alert-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-sentinel_one_x_group: + index_sorting: false + index_template: + composed_of: + - logs-sentinel_one.group@package + - logs-sentinel_one.group@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-sentinel_one.group-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-sentinel_one.group-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-sentinel_one_x_threat: + index_sorting: false + index_template: + composed_of: + - logs-sentinel_one.threat@package + - logs-sentinel_one.threat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-sentinel_one.threat-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-sentinel_one.threat-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-snyk_x_audit: + index_sorting: false + index_template: + composed_of: + - logs-snyk.audit@package + - logs-snyk.audit@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-snyk.audit-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-snyk.audit-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-snyk_x_vulnerabilities: + index_sorting: false + index_template: + composed_of: + - logs-snyk.vulnerabilities@package + - logs-snyk.vulnerabilities@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-snyk.vulnerabilities-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-snyk.vulnerabilities-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-sonicwall_firewall_x_log: + index_sorting: false + index_template: + composed_of: + - logs-sonicwall_firewall.log@package + - logs-sonicwall_firewall.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-sonicwall_firewall.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-sonicwall_firewall.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-sophos_central_x_alert: + index_sorting: false + index_template: + composed_of: + - logs-sophos_central.alert@package + - logs-sophos_central.alert@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-sophos_central.alert-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-sophos_central.alert-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-sophos_central_x_event: + index_sorting: false + index_template: + composed_of: + - logs-sophos_central.event@package + - logs-sophos_central.event@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-sophos_central.event-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-sophos_central.event-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-sophos_x_utm: + index_sorting: false + index_template: + composed_of: + - logs-sophos.utm@package + - logs-sophos.utm@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-sophos.utm-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-sophos.utm-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-sophos_x_xg: + index_sorting: false + index_template: + composed_of: + - logs-sophos.xg@package + - logs-sophos.xg@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-sophos.xg-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-sophos.xg-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-symantec_endpoint_x_log: + index_sorting: false + index_template: + composed_of: + - logs-symantec_endpoint.log@package + - logs-symantec_endpoint.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-symantec_endpoint.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-symantec_endpoint.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-system_x_application: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-system.application@package + - logs-system.application@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-system.application* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-system.application-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-system_x_auth: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-system.auth@package + - logs-system.auth@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-system.auth* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-system.auth-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-system_x_security: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-system.security@package + - logs-system.security@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-system.security* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-system.security-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-system_x_syslog: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-system.syslog@package + - logs-system.syslog@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-system.syslog* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-system.syslog-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-system_x_system: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-system.system@package + - logs-system.system@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-system.system* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-system.system-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-tenable_sc_x_asset: + index_sorting: false + index_template: + composed_of: + - logs-tenable_sc.asset@package + - logs-tenable_sc.asset@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-tenable_sc.asset-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-tenable_sc.asset-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-tenable_sc_x_plugin: + index_sorting: false + index_template: + composed_of: + - logs-tenable_sc.plugin@package + - logs-tenable_sc.plugin@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-tenable_sc.plugin-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-tenable_sc.plugin-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-tenable_sc_x_vulnerability: + index_sorting: false + index_template: + composed_of: + - logs-tenable_sc.vulnerability@package + - logs-tenable_sc.vulnerability@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-tenable_sc.vulnerability-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-tenable_sc.vulnerability-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-ti_abusech_x_malware: + index_sorting: false + index_template: + composed_of: + - logs-ti_abusech.malware@package + - logs-ti_abusech.malware@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-ti_abusech.malware-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-ti_abusech.malware-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-ti_abusech_x_malwarebazaar: + index_sorting: false + index_template: + composed_of: + - logs-ti_abusech.malwarebazaar@package + - logs-ti_abusech.malwarebazaar@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-ti_abusech.malwarebazaar-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-ti_abusech.malwarebazaar-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-ti_abusech_x_threatfox: + index_sorting: false + index_template: + composed_of: + - logs-ti_abusech.threatfox@package + - logs-ti_abusech.threatfox@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-ti_abusech.threatfox-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-ti_abusech.threatfox-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-ti_abusech_x_url: + index_sorting: false + index_template: + composed_of: + - logs-ti_abusech.url@package + - logs-ti_abusech.url@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-ti_abusech.url-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-ti_abusech.url-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-ti_misp_x_threat: + index_sorting: false + index_template: + composed_of: + - logs-ti_misp.threat@package + - logs-ti_misp.threat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-ti_misp.threat-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-ti_misp.threat-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-ti_misp_x_threat_attributes: + index_sorting: false + index_template: + composed_of: + - logs-ti_misp.threat_attributes@package + - logs-ti_misp.threat_attributes@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-ti_misp.threat_attributes-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-ti_misp.threat_attributes-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-ti_otx_x_threat: + index_sorting: false + index_template: + composed_of: + - logs-ti_otx.threat@package + - logs-ti_otx.threat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-ti_otx.threat-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-ti_otx.threat-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-ti_recordedfuture_x_latest_ioc-template: + index_sorting: false + index_template: + composed_of: + - logs-ti_recordedfuture.latest_ioc-template@package + - logs-ti_recordedfuture.latest_ioc-template@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-ti_recordedfuture.latest_ioc-template-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-ti_recordedfuture.latest_ioc-template-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-ti_recordedfuture_x_threat: + index_sorting: false + index_template: + composed_of: + - logs-ti_recordedfuture.threat@package + - logs-ti_recordedfuture.threat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-ti_recordedfuture.threat-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-ti_recordedfuture.threat-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-windows_x_forwarded: + index_sorting: false + index_template: + composed_of: + - logs-windows.forwarded@package + - logs-windows.forwarded@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-windows.forwarded* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-windows.forwarded-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-windows_x_powershell: + index_sorting: false + index_template: + composed_of: + - logs-windows.powershell@package + - logs-windows.powershell@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-windows.powershell-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-windows.powershell-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-windows_x_powershell_operational: + index_sorting: false + index_template: + composed_of: + - logs-windows.powershell_operational@package + - logs-windows.powershell_operational@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-windows.powershell_operational-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-windows.powershell_operational-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-windows_x_sysmon_operational: + index_sorting: false + index_template: + composed_of: + - logs-windows.sysmon_operational@package + - logs-windows.sysmon_operational@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-windows.sysmon_operational-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-windows.sysmon_operational-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-zscaler_zia_x_alerts: + index_sorting: false + index_template: + composed_of: + - logs-zscaler_zia.alerts@package + - logs-zscaler_zia.alerts@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-zscaler_zia.alerts-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-zscaler_zia.alerts-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-zscaler_zia_x_dns: + index_sorting: false + index_template: + composed_of: + - logs-zscaler_zia.dns@package + - logs-zscaler_zia.dns@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-zscaler_zia.dns-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-zscaler_zia.dns-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-zscaler_zia_x_firewall: + index_sorting: false + index_template: + composed_of: + - logs-zscaler_zia.firewall@package + - logs-zscaler_zia.firewall@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-zscaler_zia.firewall-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-zscaler_zia.firewall-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-zscaler_zia_x_tunnel: + index_sorting: false + index_template: + composed_of: + - logs-zscaler_zia.tunnel@package + - logs-zscaler_zia.tunnel@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-zscaler_zia.tunnel-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-zscaler_zia.tunnel-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-zscaler_zia_x_web: + index_sorting: false + index_template: + composed_of: + - logs-zscaler_zia.web@package + - logs-zscaler_zia.web@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-zscaler_zia.web-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-zscaler_zia.web-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-zscaler_zpa_x_app_connector_status: + index_sorting: false + index_template: + composed_of: + - logs-zscaler_zpa.app_connector_status@package + - logs-zscaler_zpa.app_connector_status@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-zscaler_zpa.app_connector_status-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-zscaler_zpa.app_connector_status-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-zscaler_zpa_x_audit: + index_sorting: false + index_template: + composed_of: + - logs-zscaler_zpa.audit@package + - logs-zscaler_zpa.audit@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-zscaler_zpa.audit-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-zscaler_zpa.audit-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-zscaler_zpa_x_browser_access: + index_sorting: false + index_template: + composed_of: + - logs-zscaler_zpa.browser_access@package + - logs-zscaler_zpa.browser_access@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-zscaler_zpa.browser_access-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-zscaler_zpa.browser_access-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-zscaler_zpa_x_user_activity: + index_sorting: false + index_template: + composed_of: + - logs-zscaler_zpa.user_activity@package + - logs-zscaler_zpa.user_activity@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-zscaler_zpa.user_activity-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-zscaler_zpa.user_activity-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-zscaler_zpa_x_user_status: + index_sorting: false + index_template: + composed_of: + - logs-zscaler_zpa.user_status@package + - logs-zscaler_zpa.user_status@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-zscaler_zpa.user_status-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-zscaler_zpa.user_status-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logstash: + index_sorting: false + index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - logstash-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - common-settings + - common-dynamic-mappings + index_patterns: + - logs-logstash-default* + priority: 500 template: mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string settings: index: lifecycle: @@ -3891,104 +8572,109 @@ elasticsearch: mapping: total_fields: limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - logstash-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc policy: phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb cold: - min_age: 30d actions: set_priority: priority: 0 + min_age: 30d delete: - min_age: 365d actions: delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-redis: - index_sorting: False + index_sorting: false index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - redis-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - common-settings + - common-dynamic-mappings index_patterns: - - logs-redis-default* + - logs-redis-default* + priority: 500 template: mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string settings: index: lifecycle: @@ -3996,315 +8682,447 @@ elasticsearch: mapping: total_fields: limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - redis-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc policy: phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb cold: - min_age: 30d actions: set_priority: priority: 0 + min_age: 30d delete: - min_age: 365d actions: delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-strelka: - index_sorting: False + index_sorting: false index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - so-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - so-scan-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - common-settings + - common-dynamic-mappings data_stream: {} index_patterns: - - logs-strelka-so* + - logs-strelka-so* + priority: 500 template: mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string settings: index: + lifecycle: + name: so-strelka-logs mapping: total_fields: limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - so-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - so-scan-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc policy: phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb cold: - min_age: 30d actions: set_priority: priority: 0 + min_age: 30d delete: - min_age: 365d actions: delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-suricata: + index_sorting: false + index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - suricata-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - common-settings + - common-dynamic-mappings + data_stream: {} + index_patterns: + - logs-suricata-so* + priority: 500 + template: + mappings: + date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string + settings: + index: + lifecycle: + name: so-suricata-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-syslog: - index_sorting: False + index_sorting: false index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - syslog-mappings + - dtc-syslog-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - common-settings + - common-dynamic-mappings data_stream: {} index_patterns: - - logs-syslog-so* + - logs-syslog-so* + priority: 500 template: mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string settings: index: + lifecycle: + name: so-syslog-logs mapping: total_fields: limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - syslog-mappings - - dtc-syslog-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc policy: phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb cold: - min_age: 30d actions: set_priority: priority: 0 + min_age: 30d delete: - min_age: 365d actions: delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-zeek: - index_sorting: False + index_sorting: false index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - syslog-mappings + - dtc-syslog-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - zeek-mappings + - common-settings + - common-dynamic-mappings data_stream: {} index_patterns: - - logs-zeek-so* + - logs-zeek-so* + priority: 500 template: mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string settings: index: lifecycle: @@ -4312,611 +9130,89 @@ elasticsearch: mapping: total_fields: limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 2 number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - syslog-mappings - - dtc-syslog-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - zeek-mappings - - common-settings - - common-dynamic-mappings - priority: 500 + number_of_shards: 2 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc policy: phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb cold: - min_age: 30d actions: set_priority: priority: 0 + min_age: 30d delete: - min_age: 365d actions: delete: {} - so-logs-auth0_x_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-auth0.logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-auth0.logs@package" - - "logs-auth0.logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-carbonblack_edr_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-carbonblack_edr.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-carbonblack_edr.log@package" - - "logs-carbonblack_edr.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cisco_duo_x_admin: - index_sorting: False - index_template: - index_patterns: - - "logs-cisco_duo.admin-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cisco_duo.admin@package" - - "logs-cisco_duo.admin@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cisco_duo_x_auth: - index_sorting: False - index_template: - index_patterns: - - "logs-cisco_duo.auth-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cisco_duo.auth@package" - - "logs-cisco_duo.auth@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cisco_duo_x_offline_enrollment: - index_sorting: False - index_template: - index_patterns: - - "logs-cisco_duo.offline_enrollment-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cisco_duo.offline_enrollment@package" - - "logs-cisco_duo.offline_enrollment@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cisco_duo_x_summary: - index_sorting: False - index_template: - index_patterns: - - "logs-cisco_duo.summary-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cisco_duo.summary@package" - - "logs-cisco_duo.summary@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cisco_duo_x_telephony: - index_sorting: False - index_template: - index_patterns: - - "logs-cisco_duo.telephony-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cisco_duo.telephony@package" - - "logs-cisco_duo.telephony@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cisco_meraki_x_events: - index_sorting: False - index_template: - index_patterns: - - "logs-cisco_meraki.events-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cisco_meraki.events@package" - - "logs-cisco_meraki.events@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cisco_meraki_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-cisco_meraki.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cisco_meraki.log@package" - - "logs-cisco_meraki.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cisco_umbrella_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-cisco_umbrella.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cisco_umbrella.log@package" - - "logs-cisco_umbrella.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-fireeye_x_nx: - index_sorting: False - index_template: - index_patterns: - - "logs-fireeye.nx-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-fireeye.nx@package" - - "logs-fireeye.nx@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-mimecast_x_audit_events: - index_sorting: False - index_template: - index_patterns: - - "logs-mimecast.audit_events-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-mimecast.audit_events@package" - - "logs-mimecast.audit_events@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-mimecast_x_dlp_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-mimecast.dlp_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-mimecast.dlp_logs@package" - - "logs-mimecast.dlp_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-mimecast_x_siem_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-mimecast.siem_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-mimecast.siem_logs@package" - - "logs-mimecast.siem_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-mimecast_x_threat_intel_malware_customer: - index_sorting: False - index_template: - index_patterns: - - "logs-mimecast.threat_intel_malware_customer-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-mimecast.threat_intel_malware_customer@package" - - "logs-mimecast.threat_intel_malware_customer@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-mimecast_x_threat_intel_malware_grid: - index_sorting: False - index_template: - index_patterns: - - "logs-mimecast.threat_intel_malware_grid-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-mimecast.threat_intel_malware_grid@package" - - "logs-mimecast.threat_intel_malware_grid@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-mimecast_x_ttp_ap_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-mimecast.ttp_ap_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-mimecast.ttp_ap_logs@package" - - "logs-mimecast.ttp_ap_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-mimecast_x_ttp_ip_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-mimecast.ttp_ip_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-mimecast.ttp_ip_logs@package" - - "logs-mimecast.ttp_ip_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-mimecast_x_ttp_url_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-mimecast.ttp_url_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-mimecast.ttp_url_logs@package" - - "logs-mimecast.ttp_url_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-pulse_connect_secure_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-pulse_connect_secure.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-pulse_connect_secure.log@package" - - "logs-pulse_connect_secure.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-snyk_x_audit: - index_sorting: False - index_template: - index_patterns: - - "logs-snyk.audit-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-snyk.audit@package" - - "logs-snyk.audit@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-snyk_x_vulnerabilities: - index_sorting: False - index_template: - index_patterns: - - "logs-snyk.vulnerabilities-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-snyk.vulnerabilities@package" - - "logs-snyk.vulnerabilities@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-sophos_x_utm: - index_sorting: False - index_template: - index_patterns: - - "logs-sophos.utm-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-sophos.utm@package" - - "logs-sophos.utm@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-sophos_x_xg: - index_sorting: False - index_template: - index_patterns: - - "logs-sophos.xg-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-sophos.xg@package" - - "logs-sophos.xg@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-sophos_central_x_alert: - index_sorting: False - index_template: - index_patterns: - - "logs-sophos_central.alert-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-sophos_central.alert@package" - - "logs-sophos_central.alert@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-sophos_central_x_event: - index_sorting: False - index_template: - index_patterns: - - "logs-sophos_central.event-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-sophos_central.event@package" - - "logs-sophos_central.event@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-tenable_sc_x_asset: - index_sorting: False - index_template: - index_patterns: - - "logs-tenable_sc.asset-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-tenable_sc.asset@package" - - "logs-tenable_sc.asset@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-tenable_sc_x_plugin: - index_sorting: False - index_template: - index_patterns: - - "logs-tenable_sc.plugin-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-tenable_sc.plugin@package" - - "logs-tenable_sc.plugin@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-tenable_sc_x_vulnerability: - index_sorting: False - index_template: - index_patterns: - - "logs-tenable_sc.vulnerability-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-tenable_sc.vulnerability@package" - - "logs-tenable_sc.vulnerability@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + retention: + retention_pct: 50 + so_roles: + so-eval: + config: + node: + roles: [] + so-heavynode: + config: + node: + roles: + - master + - data + - data_hot + - remote_cluster_client + - ingest + so-import: + config: + node: + roles: [] + so-manager: + config: + node: + roles: + - master + - data + - remote_cluster_client + - transform + so-managersearch: + config: + node: + roles: + - master + - data + - data_hot + - ingest + - transform + - remote_cluster_client + so-searchnode: + config: + node: + roles: + - data + - data_hot + - ingest + - transform + so-standalone: + config: + node: + roles: + - master + - data + - data_hot + - ingest + - transform + - remote_cluster_client diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index e4de29e00..a5170b776 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -33,7 +33,6 @@ elasticsearch: flood_stage: description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events. helpLink: elasticsearch.html - script: max_compilations_rate: description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources. @@ -57,32 +56,6 @@ elasticsearch: forcedType: int global: True helpLink: elasticsearch.html - so-logs: &indexSettings - index_sorting: - description: Sorts the index by event time, at the cost of additional processing resource consumption. - global: True - helpLink: elasticsearch.html - index_template: - index_patterns: - description: Patterns for matching multiple indices or tables. - forceType: "[]string" - multiline: True - global: True - helpLink: elasticsearch.html - template: - settings: - index: - number_of_replicas: - description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs. - forcedType: int - global: True - helpLink: elasticsearch.html - mapping: - total_fields: - limit: - description: Max number of fields that can exist on a single index. Larger values will consume more resources. - global: True - helpLink: elasticsearch.html refresh_interval: description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation. global: True @@ -100,48 +73,10 @@ elasticsearch: description: The order to sort by. Must set index_sorting to True. global: True helpLink: elasticsearch.html - mappings: - _meta: - package: - name: - description: Meta settings for the mapping. - global: True - helpLink: elasticsearch.html - managed_by: - description: Meta settings for the mapping. - global: True - helpLink: elasticsearch.html - managed: - description: Meta settings for the mapping. - forcedType: bool - global: True - helpLink: elasticsearch.html - composed_of: - description: The index template is composed of these component templates. - forcedType: "[]string" - global: True - helpLink: elasticsearch.html - priority: - description: The priority of the index template. - forcedType: int - global: True - helpLink: elasticsearch.html - data_stream: - hidden: - description: Hide the data stream. - forcedType: bool - global: True - helpLink: elasticsearch.html - allow_custom_routing: - description: Allow custom routing for the data stream. - forcedType: bool - global: True - helpLink: elasticsearch.html - policy: phases: hot: - min_age: - description: Minimum age of index. This determines when the index should be moved to the hot tier. + max_age: + description: Maximum age of index. ex. 7d - This determines when the index should be moved out of the hot tier. global: True helpLink: elasticsearch.html actions: @@ -160,10 +95,187 @@ elasticsearch: description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index. global: True helpLink: elasticsearch.html + cold: + min_age: + description: Minimum age of index. ex. 30d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. + global: True + helpLink: elasticsearch.html + actions: + set_priority: + priority: + description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. + global: True + helpLink: elasticsearch.html + warm: + min_age: + description: Minimum age of index. ex. 30d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. + regex: ^\[0-9\]{1,5}d$ + forcedType: string + global: True + actions: + set_priority: + priority: + description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. + forcedType: int + global: True + helpLink: elasticsearch.html + delete: + min_age: + description: Minimum age of index. ex. 90d - This determines when the index should be deleted. + global: True + helpLink: elasticsearch.html + so-logs: &indexSettings + index_sorting: + description: Sorts the index by event time, at the cost of additional processing resource consumption. + global: True + advanced: True + helpLink: elasticsearch.html + index_template: + index_patterns: + description: Patterns for matching multiple indices or tables. + forceType: "[]string" + multiline: True + global: True + advanced: True + helpLink: elasticsearch.html + template: + settings: + index: + number_of_replicas: + description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs. + forcedType: int + global: True + advanced: True + helpLink: elasticsearch.html + mapping: + total_fields: + limit: + description: Max number of fields that can exist on a single index. Larger values will consume more resources. + global: True + advanced: True + helpLink: elasticsearch.html + refresh_interval: + description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation. + global: True + advanced: True + helpLink: elasticsearch.html + number_of_shards: + description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs. + global: True + advanced: True + helpLink: elasticsearch.html + sort: + field: + description: The field to sort by. Must set index_sorting to True. + global: True + advanced: True + helpLink: elasticsearch.html + order: + description: The order to sort by. Must set index_sorting to True. + global: True + advanced: True + helpLink: elasticsearch.html + mappings: + _meta: + package: + name: + description: Meta settings for the mapping. + global: True + advanced: True + helpLink: elasticsearch.html + managed_by: + description: Meta settings for the mapping. + global: True + advanced: True + helpLink: elasticsearch.html + managed: + description: Meta settings for the mapping. + forcedType: bool + global: True + advanced: True + helpLink: elasticsearch.html + composed_of: + description: The index template is composed of these component templates. + forcedType: "[]string" + global: True + advanced: True + helpLink: elasticsearch.html + priority: + description: The priority of the index template. + forcedType: int + global: True + advanced: True + helpLink: elasticsearch.html + data_stream: + hidden: + description: Hide the data stream. + forcedType: bool + global: True + advanced: True + helpLink: elasticsearch.html + allow_custom_routing: + description: Allow custom routing for the data stream. + forcedType: bool + global: True + advanced: True + helpLink: elasticsearch.html + policy: + phases: + hot: + min_age: + description: Minimum age of index. This determines when the index should be moved to the hot tier. + global: True + advanced: True + helpLink: elasticsearch.html + actions: + set_priority: + priority: + description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. + forcedType: int + global: True + advanced: True + helpLink: elasticsearch.html + rollover: + max_age: + description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index. + global: True + advanced: True + helpLink: elasticsearch.html + max_primary_shard_size: + description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index. + global: True + advanced: True + helpLink: elasticsearch.html + warm: + min_age: + description: Minimum age of index. This determines when the index should be moved to the hot tier. + global: True + advanced: True + helpLink: elasticsearch.html + actions: + set_priority: + priority: + description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. + forcedType: int + global: True + advanced: True + helpLink: elasticsearch.html + rollover: + max_age: + description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index. + global: True + advanced: True + helpLink: elasticsearch.html + max_primary_shard_size: + description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index. + global: True + advanced: True + helpLink: elasticsearch.html cold: min_age: description: Minimum age of index. This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. global: True + advanced: True helpLink: elasticsearch.html actions: set_priority: @@ -171,26 +283,31 @@ elasticsearch: description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. forcedType: int global: True + advanced: True helpLink: elasticsearch.html delete: min_age: description: Minimum age of index. This determines when the index should be deleted. global: True + advanced: True helpLink: elasticsearch.html _meta: package: name: description: Meta settings for the mapping. global: True + advanced: True helpLink: elasticsearch.html managed_by: description: Meta settings for the mapping. global: True + advanced: True helpLink: elasticsearch.html managed: description: Meta settings for the mapping. forcedType: bool global: True + advanced: True helpLink: elasticsearch.html so-logs-system_x_auth: *indexSettings so-logs-system_x_syslog: *indexSettings @@ -345,3 +462,19 @@ elasticsearch: so-strelka: *indexSettings so-syslog: *indexSettings so-zeek: *indexSettings + so_roles: + so-manger: &soroleSettings + config: + node: + roles: + description: List of Elasticsearch roles that the node should have. Blank assumes all roles + forcedType: "[]string" + global: False + advanced: True + helpLink: elasticsearch.html + so-managersearch: *soroleSettings + so-standalone: *soroleSettings + so-searchnode: *soroleSettings + so-heavynode: *soroleSettings + so-eval: *soroleSettings + so-import: *soroleSettings diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index fc07765b8..0666e25ae 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -403,6 +403,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.4.4 ]] && up_to_2.4.5 [[ "$INSTALLEDVERSION" == 2.4.5 ]] && up_to_2.4.10 [[ "$INSTALLEDVERSION" == 2.4.10 ]] && up_to_2.4.20 + [[ "$INSTALLEDVERSION" == 2.4.20 ]] && up_to_2.4.30 true } @@ -414,7 +415,8 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.4.3 ]] && post_to_2.4.4 [[ "$POSTVERSION" == 2.4.4 ]] && post_to_2.4.5 [[ "$POSTVERSION" == 2.4.5 ]] && post_to_2.4.10 - [[ "$POSTVERSION" == 2.4.10 ]] && post_to_2.4.20 + [[ "$POSTVERSION" == 2.4.10 ]] && post_to_2.4.20 + [[ "$POSTVERSION" == 2.4.20 ]] && post_to_2.4.30 true } @@ -446,6 +448,11 @@ post_to_2.4.20() { POSTVERSION=2.4.20 } +post_to_2.4.30() { + echo "Nothing to apply" + POSTVERSION=2.4.30 +} + repo_sync() { echo "Sync the local repo." su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync." @@ -523,6 +530,12 @@ up_to_2.4.20() { INSTALLEDVERSION=2.4.20 } +up_to_2.4.30() { + echo "Nothing to do for 2.4.30" + + INSTALLEDVERSION=2.4.30 +} + determine_elastic_agent_upgrade() { if [[ $is_airgap -eq 0 ]]; then update_elastic_agent_airgap