From a887551dad8a9fed9a2b3f4d3b5e506d926a5e68 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 25 Oct 2023 15:22:47 -0400 Subject: [PATCH 01/20] Annotation changes for warm node --- salt/elasticsearch/soc_elasticsearch.yaml | 262 ++++++++++++++++------ 1 file changed, 197 insertions(+), 65 deletions(-) diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index e4de29e00..f04ba08e0 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -33,7 +33,6 @@ elasticsearch: flood_stage: description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events. helpLink: elasticsearch.html - script: max_compilations_rate: description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources. @@ -48,6 +47,11 @@ elasticsearch: helpLink: elasticsearch.html index_settings: global_overrides: + index_sorting: + description: Sorts the index by event time, at the cost of additional processing resource consumption. + global: True + advanced: True + helpLink: elasticsearch.html index_template: template: settings: @@ -57,32 +61,6 @@ elasticsearch: forcedType: int global: True helpLink: elasticsearch.html - so-logs: &indexSettings - index_sorting: - description: Sorts the index by event time, at the cost of additional processing resource consumption. - global: True - helpLink: elasticsearch.html - index_template: - index_patterns: - description: Patterns for matching multiple indices or tables. - forceType: "[]string" - multiline: True - global: True - helpLink: elasticsearch.html - template: - settings: - index: - number_of_replicas: - description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs. - forcedType: int - global: True - helpLink: elasticsearch.html - mapping: - total_fields: - limit: - description: Max number of fields that can exist on a single index. Larger values will consume more resources. - global: True - helpLink: elasticsearch.html refresh_interval: description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation. global: True @@ -100,44 +78,7 @@ elasticsearch: description: The order to sort by. Must set index_sorting to True. global: True helpLink: elasticsearch.html - mappings: - _meta: - package: - name: - description: Meta settings for the mapping. - global: True - helpLink: elasticsearch.html - managed_by: - description: Meta settings for the mapping. - global: True - helpLink: elasticsearch.html - managed: - description: Meta settings for the mapping. - forcedType: bool - global: True - helpLink: elasticsearch.html - composed_of: - description: The index template is composed of these component templates. - forcedType: "[]string" - global: True - helpLink: elasticsearch.html - priority: - description: The priority of the index template. - forcedType: int - global: True - helpLink: elasticsearch.html - data_stream: - hidden: - description: Hide the data stream. - forcedType: bool - global: True - helpLink: elasticsearch.html - allow_custom_routing: - description: Allow custom routing for the data stream. - forcedType: bool - global: True - helpLink: elasticsearch.html - policy: + policy: phases: hot: min_age: @@ -160,6 +101,27 @@ elasticsearch: description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index. global: True helpLink: elasticsearch.html + warm: + min_age: + description: Minimum age of index. This determines when the index should be moved to the warm tier. + global: True + helpLink: elasticsearch.html + actions: + set_priority: + priority: + description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. + forcedType: int + global: True + helpLink: elasticsearch.html + rollover: + max_age: + description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index. + global: True + helpLink: elasticsearch.html + max_primary_shard_size: + description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index. + global: True + helpLink: elasticsearch.html cold: min_age: description: Minimum age of index. This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. @@ -177,20 +139,190 @@ elasticsearch: description: Minimum age of index. This determines when the index should be deleted. global: True helpLink: elasticsearch.html + so-logs: &indexSettings + index_sorting: + description: Sorts the index by event time, at the cost of additional processing resource consumption. + global: True + advanced: True + helpLink: elasticsearch.html + index_template: + index_patterns: + description: Patterns for matching multiple indices or tables. + forceType: "[]string" + multiline: True + global: True + advanced: True + helpLink: elasticsearch.html + template: + settings: + index: + number_of_replicas: + description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs. + forcedType: int + global: True + advanced: True + helpLink: elasticsearch.html + mapping: + total_fields: + limit: + description: Max number of fields that can exist on a single index. Larger values will consume more resources. + global: True + advanced: True + helpLink: elasticsearch.html + refresh_interval: + description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation. + global: True + advanced: True + helpLink: elasticsearch.html + number_of_shards: + description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs. + global: True + advanced: True + helpLink: elasticsearch.html + sort: + field: + description: The field to sort by. Must set index_sorting to True. + global: True + advanced: True + helpLink: elasticsearch.html + order: + description: The order to sort by. Must set index_sorting to True. + global: True + advanced: True + helpLink: elasticsearch.html + mappings: + _meta: + package: + name: + description: Meta settings for the mapping. + global: True + advanced: True + helpLink: elasticsearch.html + managed_by: + description: Meta settings for the mapping. + global: True + advanced: True + helpLink: elasticsearch.html + managed: + description: Meta settings for the mapping. + forcedType: bool + global: True + advanced: True + helpLink: elasticsearch.html + composed_of: + description: The index template is composed of these component templates. + forcedType: "[]string" + global: True + advanced: True + helpLink: elasticsearch.html + priority: + description: The priority of the index template. + forcedType: int + global: True + advanced: True + helpLink: elasticsearch.html + data_stream: + hidden: + description: Hide the data stream. + forcedType: bool + global: True + advanced: True + helpLink: elasticsearch.html + allow_custom_routing: + description: Allow custom routing for the data stream. + forcedType: bool + global: True + advanced: True + helpLink: elasticsearch.html + policy: + phases: + hot: + min_age: + description: Minimum age of index. This determines when the index should be moved to the hot tier. + global: True + advanced: True + helpLink: elasticsearch.html + actions: + set_priority: + priority: + description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. + forcedType: int + global: True + advanced: True + helpLink: elasticsearch.html + rollover: + max_age: + description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index. + global: True + advanced: True + helpLink: elasticsearch.html + max_primary_shard_size: + description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index. + global: True + advanced: True + helpLink: elasticsearch.html + warm: + min_age: + description: Minimum age of index. This determines when the index should be moved to the hot tier. + global: True + advanced: True + helpLink: elasticsearch.html + actions: + set_priority: + priority: + description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. + forcedType: int + global: True + advanced: True + helpLink: elasticsearch.html + rollover: + max_age: + description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index. + global: True + advanced: True + helpLink: elasticsearch.html + max_primary_shard_size: + description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index. + global: True + advanced: True + helpLink: elasticsearch.html + cold: + min_age: + description: Minimum age of index. This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. + global: True + advanced: True + helpLink: elasticsearch.html + actions: + set_priority: + priority: + description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. + forcedType: int + global: True + advanced: True + helpLink: elasticsearch.html + delete: + min_age: + description: Minimum age of index. This determines when the index should be deleted. + global: True + advanced: True + helpLink: elasticsearch.html _meta: package: name: description: Meta settings for the mapping. global: True + advanced: True helpLink: elasticsearch.html managed_by: description: Meta settings for the mapping. global: True + advanced: True helpLink: elasticsearch.html managed: description: Meta settings for the mapping. forcedType: bool global: True + advanced: True helpLink: elasticsearch.html so-logs-system_x_auth: *indexSettings so-logs-system_x_syslog: *indexSettings From 6fb0c5dbfe5800c59a078a7aed80b0be1a8ed1c8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 25 Oct 2023 15:37:36 -0400 Subject: [PATCH 02/20] Annotation changes for warm node --- salt/elasticsearch/soc_elasticsearch.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index f04ba08e0..764de3c44 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -477,3 +477,18 @@ elasticsearch: so-strelka: *indexSettings so-syslog: *indexSettings so-zeek: *indexSettings + so_roles: + so-maanger: &soroleSettings + node: + roles: + description: List of Elasticsearch roles that the node should have. Blank assumes all roles + forcedType: "[]string" + global: False + advanced: True + helpLink: elasticsearch.html + so-managersearch: *soroleSettings + so-standalone: *soroleSettings + so-searchnode: *soroleSettings + so-heavynode: *soroleSettings + so-eval: *soroleSettings + so-import: *soroleSettings \ No newline at end of file From 1ae8896a05b6b07c4bdaf664f72ecc56544c4c4f Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 25 Oct 2023 15:47:40 -0400 Subject: [PATCH 03/20] Update config.map.jinja --- salt/elasticsearch/config.map.jinja | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/salt/elasticsearch/config.map.jinja b/salt/elasticsearch/config.map.jinja index 37447cabb..c98d96cc0 100644 --- a/salt/elasticsearch/config.map.jinja +++ b/salt/elasticsearch/config.map.jinja @@ -20,20 +20,12 @@ {% for NODE in ES_LOGSTASH_NODES %} {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.discovery.seed_hosts.append(NODE.keys()|first) %} {% endfor %} - {% if grains.id.split('_') | last == 'manager' %} - {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master','data','remote_cluster_client','transform']}) %} - {% else %} - {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master', 'data_hot', 'remote_cluster_client']}) %} - {% endif %} {% endif %} {% elif grains.id.split('_') | last == 'searchnode' %} - {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['data_hot', 'ingest']}) %} {% if HIGHLANDER %} {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %} {% endif %} {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %} -{% elif grains.id.split('_') | last == 'heavynode' %} - {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'roles': ['master', 'data', 'remote_cluster_client', 'ingest']}) %} {% endif %} {% if HIGHLANDER %} {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.xpack.ml.update({'enabled': true}) %} @@ -53,3 +45,5 @@ {% endif %} {% endfor %} {% endif %} + +{% do ELASTICSEARCHMERGED.elasticsearch.config.node.update({'roles': ELASTICSEARCHMERGED.so_roles[GLOBALS.role].node.roles}) %} From af4b34801f958b9110e4de3837b01e3d8d341018 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 25 Oct 2023 15:48:27 -0400 Subject: [PATCH 04/20] Update defaults.yaml --- salt/elasticsearch/defaults.yaml | 38 ++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 1296ef549..5449df506 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -4920,3 +4920,41 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false + so_roles: + so-manager: + node: + roles: + - master + - data + - remote_cluster_client + - transform + so-managersearch: + node: + roles: + - master + - data_hot + - remote_cluster_client + so-standalone: + node: + roles: + - master + - data_hot + - remote_cluster_client + so-searchnode: + node: + roles: + - data_hot + - ingest + so-heavynode: + node: + roles: + - master + - data + - remote_cluster_client + - ingest + so-eval: + node: + roles: [] + so-import: + node: + roles: [] From dc53b49f15ed56cfa504193b1f22ee8adc1993c1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 25 Oct 2023 15:53:39 -0400 Subject: [PATCH 05/20] Update soup --- salt/manager/tools/sbin/soup | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index fc07765b8..0666e25ae 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -403,6 +403,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.4.4 ]] && up_to_2.4.5 [[ "$INSTALLEDVERSION" == 2.4.5 ]] && up_to_2.4.10 [[ "$INSTALLEDVERSION" == 2.4.10 ]] && up_to_2.4.20 + [[ "$INSTALLEDVERSION" == 2.4.20 ]] && up_to_2.4.30 true } @@ -414,7 +415,8 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.4.3 ]] && post_to_2.4.4 [[ "$POSTVERSION" == 2.4.4 ]] && post_to_2.4.5 [[ "$POSTVERSION" == 2.4.5 ]] && post_to_2.4.10 - [[ "$POSTVERSION" == 2.4.10 ]] && post_to_2.4.20 + [[ "$POSTVERSION" == 2.4.10 ]] && post_to_2.4.20 + [[ "$POSTVERSION" == 2.4.20 ]] && post_to_2.4.30 true } @@ -446,6 +448,11 @@ post_to_2.4.20() { POSTVERSION=2.4.20 } +post_to_2.4.30() { + echo "Nothing to apply" + POSTVERSION=2.4.30 +} + repo_sync() { echo "Sync the local repo." su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync." @@ -523,6 +530,12 @@ up_to_2.4.20() { INSTALLEDVERSION=2.4.20 } +up_to_2.4.30() { + echo "Nothing to do for 2.4.30" + + INSTALLEDVERSION=2.4.30 +} + determine_elastic_agent_upgrade() { if [[ $is_airgap -eq 0 ]]; then update_elastic_agent_airgap From 19fdc9319b900e315427af8364fca73d15289ac1 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 25 Oct 2023 15:58:26 -0400 Subject: [PATCH 06/20] fix role update --- salt/elasticsearch/config.map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/config.map.jinja b/salt/elasticsearch/config.map.jinja index c98d96cc0..cd0cd8974 100644 --- a/salt/elasticsearch/config.map.jinja +++ b/salt/elasticsearch/config.map.jinja @@ -46,4 +46,4 @@ {% endfor %} {% endif %} -{% do ELASTICSEARCHMERGED.elasticsearch.config.node.update({'roles': ELASTICSEARCHMERGED.so_roles[GLOBALS.role].node.roles}) %} +{% do ELASTICSEARCHMERGED.config.node.update({'roles': ELASTICSEARCHMERGED.so_roles[GLOBALS.role].node.roles}) %} From d1170cb69f1f197b638151ffef9561d50b3122f9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 25 Oct 2023 16:05:20 -0400 Subject: [PATCH 07/20] Update soc_elasticsearch.yaml --- salt/elasticsearch/soc_elasticsearch.yaml | 23 +---------------------- 1 file changed, 1 insertion(+), 22 deletions(-) diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 764de3c44..fde8d234f 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -101,27 +101,6 @@ elasticsearch: description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index. global: True helpLink: elasticsearch.html - warm: - min_age: - description: Minimum age of index. This determines when the index should be moved to the warm tier. - global: True - helpLink: elasticsearch.html - actions: - set_priority: - priority: - description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. - forcedType: int - global: True - helpLink: elasticsearch.html - rollover: - max_age: - description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index. - global: True - helpLink: elasticsearch.html - max_primary_shard_size: - description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index. - global: True - helpLink: elasticsearch.html cold: min_age: description: Minimum age of index. This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. @@ -491,4 +470,4 @@ elasticsearch: so-searchnode: *soroleSettings so-heavynode: *soroleSettings so-eval: *soroleSettings - so-import: *soroleSettings \ No newline at end of file + so-import: *soroleSettings From 5f168a33edaa8a4c0801340d8f8eaf23d68279ff Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 25 Oct 2023 16:16:01 -0400 Subject: [PATCH 08/20] Update defaults.yaml --- salt/elasticsearch/defaults.yaml | 67 ++++++++++++++++++-------------- 1 file changed, 37 insertions(+), 30 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 5449df506..807ca9ea9 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -4922,39 +4922,46 @@ elasticsearch: allow_custom_routing: false so_roles: so-manager: - node: - roles: - - master - - data - - remote_cluster_client - - transform + config: + node: + roles: + - master + - data + - remote_cluster_client + - transform so-managersearch: - node: - roles: - - master - - data_hot - - remote_cluster_client + config: + node: + roles: + - master + - data_hot + - remote_cluster_client so-standalone: - node: - roles: - - master - - data_hot - - remote_cluster_client + config: + node: + roles: + - master + - data_hot + - remote_cluster_client so-searchnode: - node: - roles: - - data_hot - - ingest + config: + node: + roles: + - data_hot + - ingest so-heavynode: - node: - roles: - - master - - data - - remote_cluster_client - - ingest + config: + node: + roles: + - master + - data + - remote_cluster_client + - ingest so-eval: - node: - roles: [] + config: + node: + roles: [] so-import: - node: - roles: [] + config: + node: + roles: [] From 807b40019fc098ea8c0c8d70355e1086dd3dbebc Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 25 Oct 2023 16:16:48 -0400 Subject: [PATCH 09/20] Update soc_elasticsearch.yaml --- salt/elasticsearch/soc_elasticsearch.yaml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index fde8d234f..d456dcbfc 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -458,13 +458,14 @@ elasticsearch: so-zeek: *indexSettings so_roles: so-maanger: &soroleSettings - node: - roles: - description: List of Elasticsearch roles that the node should have. Blank assumes all roles - forcedType: "[]string" - global: False - advanced: True - helpLink: elasticsearch.html + config: + node: + roles: + description: List of Elasticsearch roles that the node should have. Blank assumes all roles + forcedType: "[]string" + global: False + advanced: True + helpLink: elasticsearch.html so-managersearch: *soroleSettings so-standalone: *soroleSettings so-searchnode: *soroleSettings From 39abe19cfd9f6ad0553ade33614ae2cee2829a8d Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 25 Oct 2023 16:17:06 -0400 Subject: [PATCH 10/20] Update config.map.jinja --- salt/elasticsearch/config.map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/config.map.jinja b/salt/elasticsearch/config.map.jinja index cd0cd8974..4e57199af 100644 --- a/salt/elasticsearch/config.map.jinja +++ b/salt/elasticsearch/config.map.jinja @@ -46,4 +46,4 @@ {% endfor %} {% endif %} -{% do ELASTICSEARCHMERGED.config.node.update({'roles': ELASTICSEARCHMERGED.so_roles[GLOBALS.role].node.roles}) %} +{% do ELASTICSEARCHMERGED.config.node.update({'roles': ELASTICSEARCHMERGED.so_roles[GLOBALS.role].config.node.roles}) %} From 88fb7d06e673854a2c8bf22a6c2942493cec77a1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 25 Oct 2023 16:20:28 -0400 Subject: [PATCH 11/20] Annotation changes for warm node --- salt/elasticsearch/soc_elasticsearch.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index d456dcbfc..368f15196 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -47,11 +47,6 @@ elasticsearch: helpLink: elasticsearch.html index_settings: global_overrides: - index_sorting: - description: Sorts the index by event time, at the cost of additional processing resource consumption. - global: True - advanced: True - helpLink: elasticsearch.html index_template: template: settings: From 6d6292714f5053b76b5aff8e6bbea37341772d1e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 25 Oct 2023 16:21:47 -0400 Subject: [PATCH 12/20] Annotation changes for warm node --- salt/elasticsearch/soc_elasticsearch.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 368f15196..46306203a 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -73,7 +73,6 @@ elasticsearch: description: The order to sort by. Must set index_sorting to True. global: True helpLink: elasticsearch.html - policy: phases: hot: min_age: From 01810a782cde1f49fcd86c153c81e99b5df14ce3 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 25 Oct 2023 16:46:30 -0400 Subject: [PATCH 13/20] Annotation changes for warm node --- salt/elasticsearch/soc_elasticsearch.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 46306203a..e3d257f11 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -451,7 +451,7 @@ elasticsearch: so-syslog: *indexSettings so-zeek: *indexSettings so_roles: - so-maanger: &soroleSettings + so-manger: &soroleSettings config: node: roles: From 891ea997e75fdbecc4a043ba2f3a41be51439cdc Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 26 Oct 2023 12:25:37 +0000 Subject: [PATCH 14/20] Add lifecycle policies and warm settings --- salt/elasticsearch/defaults.yaml | 13704 +++++++++++++++++++---------- 1 file changed, 8973 insertions(+), 4731 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 807ca9ea9..9aef09876 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1,55 +1,16 @@ elasticsearch: - enabled: False - retention: - retention_pct: 50 config: - node: {} + action: + destructive_requires_name: true cluster: routing: allocation: disk: threshold_enabled: true watermark: - low: 80% - high: 85% flood_stage: 90% - network: - host: 0.0.0.0 - path: - logs: /var/log/elasticsearch - action: - destructive_requires_name: true - transport: - bind_host: 0.0.0.0 - publish_port: 9300 - xpack: - ml: - enabled: false - security: - enabled: true - authc: - anonymous: - authz_exception: true - roles: [] - username: _anonymous - transport: - ssl: - enabled: true - verification_mode: none - key: /usr/share/elasticsearch/config/elasticsearch.key - certificate: /usr/share/elasticsearch/config/elasticsearch.crt - certificate_authorities: - - /usr/share/elasticsearch/config/ca.crt - http: - ssl: - enabled: true - client_authentication: none - key: /usr/share/elasticsearch/config/elasticsearch.key - certificate: /usr/share/elasticsearch/config/elasticsearch.crt - certificate_authorities: - - /usr/share/elasticsearch/config/ca.crt - script: - max_compilations_rate: 20000/1m + high: 85% + low: 80% indices: id_field_data: enabled: false @@ -57,3833 +18,8553 @@ elasticsearch: org: elasticsearch: deprecation: ERROR + network: + host: 0.0.0.0 + node: {} + path: + logs: /var/log/elasticsearch + script: + max_compilations_rate: 20000/1m + transport: + bind_host: 0.0.0.0 + publish_port: 9300 + xpack: + ml: + enabled: false + security: + authc: + anonymous: + authz_exception: true + roles: [] + username: _anonymous + enabled: true + http: + ssl: + certificate: /usr/share/elasticsearch/config/elasticsearch.crt + certificate_authorities: + - /usr/share/elasticsearch/config/ca.crt + client_authentication: none + enabled: true + key: /usr/share/elasticsearch/config/elasticsearch.key + transport: + ssl: + certificate: /usr/share/elasticsearch/config/elasticsearch.crt + certificate_authorities: + - /usr/share/elasticsearch/config/ca.crt + enabled: true + key: /usr/share/elasticsearch/config/elasticsearch.key + verification_mode: none + enabled: false index_settings: global_overrides: index_template: template: settings: index: + lifecycle: + name: global_overrides-logs number_of_replicas: default_placeholder - so-logs: - index_sorting: False - index_template: - index_patterns: - - "logs-*-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5001 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - composed_of: - - "so-data-streams-mappings" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - - "so-logs-mappings" - - "so-logs-settings" - priority: 225 - data_stream: - hidden: false - allow_custom_routing: false policy: phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb cold: - min_age: 30d actions: set_priority: priority: 0 + min_age: 30d delete: - min_age: 365d actions: delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-system_x_auth: - index_sorting: False - index_template: - index_patterns: - - "logs-system.auth*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "event-mappings" - - "logs-system.auth@package" - - "logs-system.auth@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-system_x_syslog: - index_sorting: False - index_template: - index_patterns: - - "logs-system.syslog*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "event-mappings" - - "logs-system.syslog@package" - - "logs-system.syslog@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-system_x_system: - index_sorting: False - index_template: - index_patterns: - - "logs-system.system*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "event-mappings" - - "logs-system.system@package" - - "logs-system.system@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-system_x_application: - index_sorting: False - index_template: - index_patterns: - - "logs-system.application*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "event-mappings" - - "logs-system.application@package" - - "logs-system.application@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-system_x_security: - index_sorting: False - index_template: - index_patterns: - - "logs-system.security*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "event-mappings" - - "logs-system.security@package" - - "logs-system.security@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-windows_x_forwarded: - index_sorting: False - index_template: - index_patterns: - - "logs-windows.forwarded*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-windows.forwarded@package" - - "logs-windows.forwarded@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-windows_x_powershell: - index_sorting: False - index_template: - index_patterns: - - "logs-windows.powershell-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-windows.powershell@package" - - "logs-windows.powershell@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-windows_x_powershell_operational: - index_sorting: False - index_template: - index_patterns: - - "logs-windows.powershell_operational-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-windows.powershell_operational@package" - - "logs-windows.powershell_operational@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-windows_x_sysmon_operational: - index_sorting: False - index_template: - index_patterns: - - "logs-windows.sysmon_operational-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-windows.sysmon_operational@package" - - "logs-windows.sysmon_operational@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-apache_x_access: - index_sorting: False - index_template: - index_patterns: - - "logs-apache.access-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-apache.access@package" - - "logs-apache.access@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-apache_x_error: - index_sorting: False - index_template: - index_patterns: - - "logs-apache.error-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-apache.error@package" - - "logs-apache.error@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-auditd_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-auditd.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-auditd.log@package" - - "logs-auditd.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-aws_x_cloudtrail: - index_sorting: False - index_template: - index_patterns: - - "logs-aws.cloudtrail-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-aws.cloudtrail@package" - - "logs-aws.cloudtrail@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-aws_x_cloudwatch_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-aws.cloudwatch_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-aws.cloudwatch_logs@package" - - "logs-aws.cloudwatch_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-aws_x_ec2_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-aws.ec2_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-aws.ec2_logs@package" - - "logs-aws.ec2_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-aws_x_elb_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-aws.elb_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-aws.elb_logs@package" - - "logs-aws.elb_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-aws_x_firewall_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-aws.firewall_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-aws.firewall_logs@package" - - "logs-aws.firewall_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-aws_x_route53_public_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-aws.route53_public_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-aws.route53_public_logs@package" - - "logs-aws.route53_public_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-aws_x_route53_resolver_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-aws.route53_resolver_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-aws.route53_resolver_logs@package" - - "logs-aws.route53_resolver_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-aws_x_s3access: - index_sorting: False - index_template: - index_patterns: - - "logs-aws.s3access-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-aws.s3access@package" - - "logs-aws.s3access@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-aws_x_vpcflow: - index_sorting: False - index_template: - index_patterns: - - "logs-aws.vpcflow-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-aws.vpcflow@package" - - "logs-aws.vpcflow@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-aws_x_waf: - index_sorting: False - index_template: - index_patterns: - - "logs-aws.waf-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-aws.waf@package" - - "logs-aws.waf@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-azure_x_activitylogs: - index_sorting: False - index_template: - index_patterns: - - "logs-azure.activitylogs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-azure.activitylogs@package" - - "logs-azure.activitylogs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-azure_x_application_gateway: - index_sorting: False - index_template: - index_patterns: - - "logs-azure.application_gateway-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-azure.application_gateway@package" - - "logs-azure.application_gateway@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-azure_x_auditlogs: - index_sorting: False - index_template: - index_patterns: - - "logs-azure.auditlogs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-azure.auditlogs@package" - - "logs-azure.auditlogs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-azure_x_eventhub: - index_sorting: False - index_template: - index_patterns: - - "logs-azure.eventhub-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-azure.eventhub@package" - - "logs-azure.eventhub@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-azure_x_firewall_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-azure.firewall_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-azure.firewall_logs@package" - - "logs-azure.firewall_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-azure_x_identity_protection: - index_sorting: False - index_template: - index_patterns: - - "logs-azure.identity_protection-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-azure.identity_protection@package" - - "logs-azure.identity_protection@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-azure_x_platformlogs: - index_sorting: False - index_template: - index_patterns: - - "logs-azure.platformlogs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-azure.platformlogs@package" - - "logs-azure.platformlogs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-azure_x_provisioning: - index_sorting: False - index_template: - index_patterns: - - "logs-azure.provisioning-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-azure.provisioning@package" - - "logs-azure.provisioning@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-azure_x_signinlogs: - index_sorting: False - index_template: - index_patterns: - - "logs-azure.signinlogs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-azure.signinlogs@package" - - "logs-azure.signinlogs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-azure_x_springcloudlogs: - index_sorting: False - index_template: - index_patterns: - - "logs-azure.springcloudlogs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-azure.springcloudlogs@package" - - "logs-azure.springcloudlogs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-barracuda_x_waf: - index_sorting: False - index_template: - index_patterns: - - "logs-barracuda.waf-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-barracuda.waf@package" - - "logs-barracuda.waf@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cisco_asa_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-cisco_asa.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cisco_asa.log@package" - - "logs-cisco_asa.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cloudflare_x_audit: - index_sorting: False - index_template: - index_patterns: - - "logs-cloudflare.audit-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cloudflare.audit@package" - - "logs-cloudflare.audit@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cloudflare_x_logpull: - index_sorting: False - index_template: - index_patterns: - - "logs-cloudflare.logpull-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cloudflare.logpull@package" - - "logs-cloudflare.logpull@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-crowdstrike_x_falcon: - index_sorting: False - index_template: - index_patterns: - - "logs-crowdstrike.falcon-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-crowdstrike.falcon@package" - - "logs-crowdstrike.falcon@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-crowdstrike_x_fdr: - index_sorting: False - index_template: - index_patterns: - - "logs-crowdstrike.fdr-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-crowdstrike.fdr@package" - - "logs-crowdstrike.fdr@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-darktrace_x_ai_analyst_alert: - index_sorting: False - index_template: - index_patterns: - - "logs-darktrace.ai_analyst_alert-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-darktrace.ai_analyst_alert@package" - - "logs-darktrace.ai_analyst_alert@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-darktrace_x_model_breach_alert: - index_sorting: False - index_template: - index_patterns: - - "logs-darktrace.model_breach_alert-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-darktrace.model_breach_alert@package" - - "logs-darktrace.model_breach_alert@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-darktrace_x_system_status_alert: - index_sorting: False - index_template: - index_patterns: - - "logs-darktrace.system_status_alert-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-darktrace.system_status_alert@package" - - "logs-darktrace.system_status_alert@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-f5_bigip_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-f5_bigip.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-f5_bigip.log@package" - - "logs-f5_bigip.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-fim_x_event: - index_sorting: False - index_template: - index_patterns: - - "logs-fim.event-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-fim.event@package" - - "logs-fim.event@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-fortinet_x_clientendpoint: - index_sorting: False - index_template: - index_patterns: - - "logs-fortinet.clientendpoint-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-fortinet.clientendpoint@package" - - "logs-fortinet.clientendpoint@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-fortinet_x_firewall: - index_sorting: False - index_template: - index_patterns: - - "logs-fortinet.firewall-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-fortinet.firewall@package" - - "logs-fortinet.firewall@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-fortinet_x_fortimail: - index_sorting: False - index_template: - index_patterns: - - "logs-fortinet.fortimail-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-fortinet.fortimail@package" - - "logs-fortinet.fortimail@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-fortinet_x_fortimanager: - index_sorting: False - index_template: - index_patterns: - - "logs-fortinet.fortimanager-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-fortinet.fortimanager@package" - - "logs-fortinet.fortimanager@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-fortinet_fortigate_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-fortinet_fortigate.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-fortinet_fortigate.log@package" - - "logs-fortinet_fortigate.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-gcp_x_audit: - index_sorting: False - index_template: - index_patterns: - - "logs-gcp.audit-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-gcp.audit@package" - - "logs-gcp.audit@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-gcp_x_dns: - index_sorting: False - index_template: - index_patterns: - - "logs-gcp.dns-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-gcp.dns@package" - - "logs-gcp.dns@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-gcp_x_firewall: - index_sorting: False - index_template: - index_patterns: - - "logs-gcp.firewall-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-gcp.firewall@package" - - "logs-gcp.firewall@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-gcp_x_loadbalancing_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-gcp.loadbalancing_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-gcp.loadbalancing_logs@package" - - "logs-gcp.loadbalancing_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-gcp_x_vpcflow: - index_sorting: False - index_template: - index_patterns: - - "logs-gcp.vpcflow-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-gcp.vpcflow@package" - - "logs-gcp.vpcflow@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-github_x_audit: - index_sorting: False - index_template: - index_patterns: - - "logs-github.audit-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-github.audit@package" - - "logs-github.audit@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-github_x_code_scanning: - index_sorting: False - index_template: - index_patterns: - - "logs-github.code_scanning-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-github.code_scanning@package" - - "logs-github.code_scanning@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-github_x_dependabot: - index_sorting: False - index_template: - index_patterns: - - "logs-github.dependabot-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-github.dependabot@package" - - "logs-github.dependabot@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-github_x_issues: - index_sorting: False - index_template: - index_patterns: - - "logs-github.issues-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-github.issues@package" - - "logs-github.issues@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-github_x_secret_scanning: - index_sorting: False - index_template: - index_patterns: - - "logs-github.secret_scanning-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-github.secret_scanning@package" - - "logs-github.secret_scanning@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_access_transparency: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.access_transparency-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.access_transparency@package" - - "logs-google_workspace.access_transparency@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_admin: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.admin-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.admin@package" - - "logs-google_workspace.admin@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_alert: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.alert-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.alert@package" - - "logs-google_workspace.alert@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_context_aware_access: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.context_aware_access-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.context_aware_access@package" - - "logs-google_workspace.context_aware_access@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_device: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.device-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.device@package" - - "logs-google_workspace.device@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_drive: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.drive-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.drive@package" - - "logs-google_workspace.drive@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_gcp: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.gcp-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.gcp@package" - - "logs-google_workspace.gcp@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_group_enterprise: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.group_enterprise-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.group_enterprise@package" - - "logs-google_workspace.group_enterprise@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_groups: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.groups-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.groups@package" - - "logs-google_workspace.groups@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_login: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.login-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.login@package" - - "logs-google_workspace.login@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_rules: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.rules-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.rules@package" - - "logs-google_workspace.rules@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_saml: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.saml-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.saml@package" - - "logs-google_workspace.saml@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_token: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.token-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.token@package" - - "logs-google_workspace.token@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-google_workspace_x_user_accounts: - index_sorting: False - index_template: - index_patterns: - - "logs-google_workspace.user_accounts-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-google_workspace.user_accounts@package" - - "logs-google_workspace.user_accounts@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-http_endpoint_x_generic: - index_sorting: False - index_template: - index_patterns: - - "logs-http_endpoint.generic-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-http_endpoint.generic@package" - - "logs-http_endpoint.generic@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-httpjson_x_generic: - index_sorting: False - index_template: - index_patterns: - - "logs-httpjson.generic-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-httpjson.generic@package" - - "logs-httpjson.generic@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-juniper_x_junos: - index_sorting: False - index_template: - index_patterns: - - "logs-juniper.junos-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-juniper.junos@package" - - "logs-juniper.junos@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-juniper_x_netscreen: - index_sorting: False - index_template: - index_patterns: - - "logs-juniper.netscreen-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-juniper.netscreen@package" - - "logs-juniper.netscreen@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-juniper_x_srx: - index_sorting: False - index_template: - index_patterns: - - "logs-juniper.srx-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-juniper.srx@package" - - "logs-juniper.srx@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-juniper_srx_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-juniper_srx.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-juniper_srx.log@package" - - "logs-juniper_srx.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-kafka_log_x_generic: - index_sorting: False - index_template: - index_patterns: - - "logs-kafka_log.generic-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-kafka_log.generic@package" - - "logs-kafka_log.generic@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-lastpass_x_detailed_shared_folder: - index_sorting: False - index_template: - index_patterns: - - "logs-lastpass.detailed_shared_folder-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-lastpass.detailed_shared_folder@package" - - "logs-lastpass.detailed_shared_folder@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-lastpass_x_event_report: - index_sorting: False - index_template: - index_patterns: - - "logs-lastpass.event_report-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-lastpass.event_report@package" - - "logs-lastpass.event_report@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-lastpass_x_user: - index_sorting: False - index_template: - index_patterns: - - "logs-lastpass.user-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-lastpass.user@package" - - "logs-lastpass.user@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-m365_defender_x_event: - index_sorting: False - index_template: - index_patterns: - - "logs-m365_defender.event-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-m365_defender.event@package" - - "logs-m365_defender.event@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-m365_defender_x_incident: - index_sorting: False - index_template: - index_patterns: - - "logs-m365_defender.incident-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-m365_defender.incident@package" - - "logs-m365_defender.incident@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-m365_defender_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-m365_defender.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-m365_defender.log@package" - - "logs-m365_defender.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-microsoft_defender_endpoint_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-microsoft_defender_endpoint.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-microsoft_defender_endpoint.log@package" - - "logs-microsoft_defender_endpoint.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-microsoft_dhcp_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-microsoft_dhcp.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-microsoft_dhcp.log@package" - - "logs-microsoft_dhcp.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-netflow_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-netflow.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-netflow.log@package" - - "logs-netflow.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-o365_x_audit: - index_sorting: False - index_template: - index_patterns: - - "logs-o365.audit-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-o365.audit@package" - - "logs-o365.audit@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-okta_x_system: - index_sorting: False - index_template: - index_patterns: - - "logs-okta.system-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-okta.system@package" - - "logs-okta.system@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-panw_x_panos: - index_sorting: False - index_template: - index_patterns: - - "logs-panw.panos-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-panw.panos@package" - - "logs-panw.panos@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-pfsense_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-pfsense.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-pfsense.log@package" - - "logs-pfsense.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-sentinel_one_x_activity: - index_sorting: False - index_template: - index_patterns: - - "logs-sentinel_one.activity-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-sentinel_one.activity@package" - - "logs-sentinel_one.activity@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-sentinel_one_x_agent: - index_sorting: False - index_template: - index_patterns: - - "logs-sentinel_one.agent-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-sentinel_one.agent@package" - - "logs-sentinel_one.agent@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-sentinel_one_x_alert: - index_sorting: False - index_template: - index_patterns: - - "logs-sentinel_one.alert-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-sentinel_one.alert@package" - - "logs-sentinel_one.alert@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-sentinel_one_x_group: - index_sorting: False - index_template: - index_patterns: - - "logs-sentinel_one.group-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-sentinel_one.group@package" - - "logs-sentinel_one.group@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-sentinel_one_x_threat: - index_sorting: False - index_template: - index_patterns: - - "logs-sentinel_one.threat-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-sentinel_one.threat@package" - - "logs-sentinel_one.threat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-sonicwall_firewall_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-sonicwall_firewall.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-sonicwall_firewall.log@package" - - "logs-sonicwall_firewall.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-symantec_endpoint_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-symantec_endpoint.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-symantec_endpoint.log@package" - - "logs-symantec_endpoint.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-ti_abusech_x_malware: - index_sorting: False - index_template: - index_patterns: - - "logs-ti_abusech.malware-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-ti_abusech.malware@package" - - "logs-ti_abusech.malware@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-ti_abusech_x_malwarebazaar: - index_sorting: False - index_template: - index_patterns: - - "logs-ti_abusech.malwarebazaar-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-ti_abusech.malwarebazaar@package" - - "logs-ti_abusech.malwarebazaar@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-ti_abusech_x_threatfox: - index_sorting: False - index_template: - index_patterns: - - "logs-ti_abusech.threatfox-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-ti_abusech.threatfox@package" - - "logs-ti_abusech.threatfox@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-ti_abusech_x_url: - index_sorting: False - index_template: - index_patterns: - - "logs-ti_abusech.url-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-ti_abusech.url@package" - - "logs-ti_abusech.url@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-ti_misp_x_threat: - index_sorting: False - index_template: - index_patterns: - - "logs-ti_misp.threat-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-ti_misp.threat@package" - - "logs-ti_misp.threat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-ti_misp_x_threat_attributes: - index_sorting: False - index_template: - index_patterns: - - "logs-ti_misp.threat_attributes-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-ti_misp.threat_attributes@package" - - "logs-ti_misp.threat_attributes@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-ti_otx_x_threat: - index_sorting: False - index_template: - index_patterns: - - "logs-ti_otx.threat-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-ti_otx.threat@package" - - "logs-ti_otx.threat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-ti_recordedfuture_x_latest_ioc-template: - index_sorting: False - index_template: - index_patterns: - - "logs-ti_recordedfuture.latest_ioc-template-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-ti_recordedfuture.latest_ioc-template@package" - - "logs-ti_recordedfuture.latest_ioc-template@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-ti_recordedfuture_x_threat: - index_sorting: False - index_template: - index_patterns: - - "logs-ti_recordedfuture.threat-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-ti_recordedfuture.threat@package" - - "logs-ti_recordedfuture.threat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-zscaler_zia_x_alerts: - index_sorting: False - index_template: - index_patterns: - - "logs-zscaler_zia.alerts-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-zscaler_zia.alerts@package" - - "logs-zscaler_zia.alerts@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-zscaler_zia_x_dns: - index_sorting: False - index_template: - index_patterns: - - "logs-zscaler_zia.dns-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-zscaler_zia.dns@package" - - "logs-zscaler_zia.dns@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-zscaler_zia_x_firewall: - index_sorting: False - index_template: - index_patterns: - - "logs-zscaler_zia.firewall-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-zscaler_zia.firewall@package" - - "logs-zscaler_zia.firewall@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-zscaler_zia_x_tunnel: - index_sorting: False - index_template: - index_patterns: - - "logs-zscaler_zia.tunnel-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-zscaler_zia.tunnel@package" - - "logs-zscaler_zia.tunnel@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-zscaler_zia_x_web: - index_sorting: False - index_template: - index_patterns: - - "logs-zscaler_zia.web-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-zscaler_zia.web@package" - - "logs-zscaler_zia.web@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-zscaler_zpa_x_app_connector_status: - index_sorting: False - index_template: - index_patterns: - - "logs-zscaler_zpa.app_connector_status-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-zscaler_zpa.app_connector_status@package" - - "logs-zscaler_zpa.app_connector_status@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-zscaler_zpa_x_audit: - index_sorting: False - index_template: - index_patterns: - - "logs-zscaler_zpa.audit-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-zscaler_zpa.audit@package" - - "logs-zscaler_zpa.audit@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-zscaler_zpa_x_browser_access: - index_sorting: False - index_template: - index_patterns: - - "logs-zscaler_zpa.browser_access-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-zscaler_zpa.browser_access@package" - - "logs-zscaler_zpa.browser_access@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-zscaler_zpa_x_user_activity: - index_sorting: False - index_template: - index_patterns: - - "logs-zscaler_zpa.user_activity-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-zscaler_zpa.user_activity@package" - - "logs-zscaler_zpa.user_activity@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-zscaler_zpa_x_user_status: - index_sorting: False - index_template: - index_patterns: - - "logs-zscaler_zpa.user_status-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-zscaler_zpa.user_status@package" - - "logs-zscaler_zpa.user_status@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-1password_x_item_usages: - index_sorting: False - index_template: - index_patterns: - - "logs-1password.item_usages-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-1password.item_usages@package" - - "logs-1password.item_usages@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-1password_x_signin_attempts: - index_sorting: False - index_template: - index_patterns: - - "logs-1password.signin_attempts-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-1password.signin_attempts@package" - - "logs-1password.signin_attempts@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-osquery-manager-actions: - index_sorting: False - index_template: - index_patterns: - - ".logs-osquery_manager.actions*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-osquery_manager.actions" - priority: 501 - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-osquery-manager-action_x_responses: - index_sorting: False - index_template: - index_patterns: - - ".logs-osquery_manager.action.responses*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-osquery_manager.action.responses" - priority: 501 - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent_x_apm_server: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.apm_server-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - composed_of: - - "logs-elastic_agent.apm_server@package" - - "logs-elastic_agent.apm_server@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: + min_age: 365d hot: - min_age: 0ms actions: - set_priority: - priority: 100 rollover: max_age: 30d max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent_x_auditbeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.auditbeat-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - composed_of: - - "logs-elastic_agent.auditbeat@package" - - "logs-elastic_agent.auditbeat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: set_priority: priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent_x_cloudbeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.cloudbeat-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - composed_of: - - "logs-elastic_agent.cloudbeat@package" - - "logs-elastic_agent.cloudbeat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - policy: - phases: - hot: min_age: 0ms + warm: actions: set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: + priority: 50 min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent_x_endpoint_security: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.endpoint_security-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-elastic_agent.endpoint_security@package" - - "logs-elastic_agent.endpoint_security@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-endpoint_x_alerts: - index_sorting: False - index_template: - index_patterns: - - "logs-endpoint.alerts-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-endpoint.alerts@custom" - - "logs-endpoint.alerts@package" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-endpoint_x_events_x_api: - index_sorting: False - index_template: - index_patterns: - - "logs-endpoint.events.api-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-endpoint.events.api@custom" - - "logs-endpoint.events.api@package" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-endpoint_x_events_x_file: - index_sorting: False - index_template: - index_patterns: - - "logs-endpoint.events.file-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-endpoint.events.file@custom" - - "logs-endpoint.events.file@package" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-endpoint_x_events_x_library: - index_sorting: False - index_template: - index_patterns: - - "logs-endpoint.events.library-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-endpoint.events.library@custom" - - "logs-endpoint.events.library@package" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-endpoint_x_events_x_network: - index_sorting: False - index_template: - index_patterns: - - "logs-endpoint.events.network-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-endpoint.events.network@custom" - - "logs-endpoint.events.network@package" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-endpoint_x_events_x_process: - index_sorting: False - index_template: - index_patterns: - - "logs-endpoint.events.process-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-endpoint.events.process@custom" - - "logs-endpoint.events.process@package" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-endpoint_x_events_x_registry: - index_sorting: False - index_template: - index_patterns: - - "logs-endpoint.events.registry-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-endpoint.events.registry@custom" - - "logs-endpoint.events.registry@package" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-endpoint_x_events_x_security: - index_sorting: False - index_template: - index_patterns: - - "logs-endpoint.events.security-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-endpoint.events.security@custom" - - "logs-endpoint.events.security@package" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent_x_filebeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.filebeat-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-elastic_agent.filebeat@package" - - "logs-elastic_agent.filebeat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent_x_fleet_server: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.fleet_server-*" - template: - settings: - index: - number_of_replicas: 0 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-elastic_agent.fleet_server@package" - - "logs-elastic_agent.fleet_server@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent_x_heartbeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.heartbeat-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - composed_of: - - "logs-elastic_agent.heartbeat@package" - - "logs-elastic_agent.heartbeat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - composed_of: - - "event-mappings" - - "logs-elastic_agent@package" - - "logs-elastic_agent@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent_x_metricbeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.metricbeat-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-elastic_agent.metricbeat@package" - - "logs-elastic_agent.metricbeat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent_x_osquerybeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.osquerybeat-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - composed_of: - - "event-mappings" - - "logs-elastic_agent.osquerybeat@package" - - "logs-elastic_agent.osquerybeat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - so-logs-elastic_agent_x_packetbeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.packetbeat-*" - template: - settings: - index: - number_of_replicas: 0 - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true - composed_of: - - "logs-elastic_agent.packetbeat@package" - - "logs-elastic_agent.packetbeat@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} - _meta: - package: - name: elastic_agent - managed_by: security_onion - managed: true so-case: - index_sorting: False + index_sorting: false index_template: + composed_of: + - case-mappings + - case-settings index_patterns: - - so-case* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 1500 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - case-mappings - - case-settings + - so-case* priority: 500 - so-common: - warm: 7 - close: 30 - delete: 365 - index_sorting: False - index_template: - data_stream: {} - index_patterns: - - logs-*-so* template: mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - syslog-mappings - - dtc-syslog-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - - winlog-mappings - priority: 1 - so-endgame: - index_sorting: False - index_template: - index_patterns: - - endgame* - template: - mappings: dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - endgame-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - - winlog-mappings - priority: 500 - so-idh: - warm: 7 - close: 30 - delete: 365 - index_sorting: False - index_template: - index_patterns: - - so-idh-* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - container-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-suricata: - index_sorting: False - index_template: - data_stream: {} - index_patterns: - - logs-suricata-so* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string settings: index: lifecycle: - name: so-suricata-logs + name: so-case-logs mapping: total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 + limit: 1500 number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - suricata-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc policy: phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb cold: - min_age: 30d actions: set_priority: priority: 0 + min_age: 30d delete: - min_age: 365d actions: delete: {} - so-import: - index_sorting: False + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-common: + close: 30 + delete: 365 + index_sorting: false index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - syslog-mappings + - dtc-syslog-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - common-settings + - common-dynamic-mappings + - winlog-mappings data_stream: {} index_patterns: - - logs-import-so* + - logs-*-so* + priority: 1 template: mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string settings: index: + lifecycle: + name: so-common-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + warm: 7 + so-endgame: + index_sorting: false + index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - endgame-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - common-settings + - common-dynamic-mappings + - winlog-mappings + index_patterns: + - endgame* + priority: 500 + template: + mappings: + date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string + settings: + index: + lifecycle: + name: so-endgame-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-idh: + close: 30 + delete: 365 + index_sorting: false + index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - container-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - threat-mappings + - tls-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - common-settings + - common-dynamic-mappings + index_patterns: + - so-idh-* + priority: 500 + template: + mappings: + date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string + settings: + index: + lifecycle: + name: so-idh-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + warm: 7 + so-import: + index_sorting: false + index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - common-settings + - common-dynamic-mappings + - winlog-mappings + data_stream: {} + index_patterns: + - logs-import-so* + priority: 500 + template: + mappings: + date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string + settings: + index: + final_pipeline: .fleet_final_pipeline-1 lifecycle: name: so-import-logs mapping: total_fields: limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 number_of_replicas: 0 - final_pipeline: ".fleet_final_pipeline-1" - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - - winlog-mappings - priority: 500 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc policy: phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb cold: - min_age: 30d actions: set_priority: priority: 0 + min_age: 30d delete: - min_age: 365d actions: delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-kratos: - warm: 7 close: 30 delete: 365 - index_sorting: False + index_sorting: false index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - container-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - threat-mappings + - tls-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - common-settings + - common-dynamic-mappings data_stream: - hidden: false allow_custom_routing: false + hidden: false index_patterns: - - logs-kratos-so* + - logs-kratos-so* + priority: 500 template: mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string settings: index: + lifecycle: + name: so-kratos-logs mapping: total_fields: limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - container-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - common-settings - - common-dynamic-mappings - priority: 500 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc policy: phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb cold: - min_age: 30d actions: set_priority: priority: 0 + min_age: 30d delete: - min_age: 365d actions: delete: {} - so-logstash: - index_sorting: False + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + warm: 7 + so-logs: + index_sorting: false index_template: + composed_of: + - so-data-streams-mappings + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + - so-logs-mappings + - so-logs-settings + data_stream: + allow_custom_routing: false + hidden: false index_patterns: - - logs-logstash-default* + - logs-*-* + priority: 225 + template: + mappings: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + settings: + index: + lifecycle: + name: so-logs-logs + mapping: + total_fields: + limit: 5001 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-1password_x_item_usages: + index_sorting: false + index_template: + composed_of: + - logs-1password.item_usages@package + - logs-1password.item_usages@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-1password.item_usages-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-1password.item_usages-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-1password_x_signin_attempts: + index_sorting: false + index_template: + composed_of: + - logs-1password.signin_attempts@package + - logs-1password.signin_attempts@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-1password.signin_attempts-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-1password.signin_attempts-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-apache_x_access: + index_sorting: false + index_template: + composed_of: + - logs-apache.access@package + - logs-apache.access@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-apache.access-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-apache.access-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-apache_x_error: + index_sorting: false + index_template: + composed_of: + - logs-apache.error@package + - logs-apache.error@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-apache.error-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-apache.error-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-auditd_x_log: + index_sorting: false + index_template: + composed_of: + - logs-auditd.log@package + - logs-auditd.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-auditd.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-auditd.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-auth0_x_logs: + index_sorting: false + index_template: + composed_of: + - logs-auth0.logs@package + - logs-auth0.logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-auth0.logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-auth0.logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_cloudtrail: + index_sorting: false + index_template: + composed_of: + - logs-aws.cloudtrail@package + - logs-aws.cloudtrail@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-aws.cloudtrail-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-aws.cloudtrail-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_cloudwatch_logs: + index_sorting: false + index_template: + composed_of: + - logs-aws.cloudwatch_logs@package + - logs-aws.cloudwatch_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-aws.cloudwatch_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-aws.cloudwatch_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_ec2_logs: + index_sorting: false + index_template: + composed_of: + - logs-aws.ec2_logs@package + - logs-aws.ec2_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-aws.ec2_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-aws.ec2_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_elb_logs: + index_sorting: false + index_template: + composed_of: + - logs-aws.elb_logs@package + - logs-aws.elb_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-aws.elb_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-aws.elb_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_firewall_logs: + index_sorting: false + index_template: + composed_of: + - logs-aws.firewall_logs@package + - logs-aws.firewall_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-aws.firewall_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-aws.firewall_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_route53_public_logs: + index_sorting: false + index_template: + composed_of: + - logs-aws.route53_public_logs@package + - logs-aws.route53_public_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-aws.route53_public_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-aws.route53_public_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_route53_resolver_logs: + index_sorting: false + index_template: + composed_of: + - logs-aws.route53_resolver_logs@package + - logs-aws.route53_resolver_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-aws.route53_resolver_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-aws.route53_resolver_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_s3access: + index_sorting: false + index_template: + composed_of: + - logs-aws.s3access@package + - logs-aws.s3access@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-aws.s3access-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-aws.s3access-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_vpcflow: + index_sorting: false + index_template: + composed_of: + - logs-aws.vpcflow@package + - logs-aws.vpcflow@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-aws.vpcflow-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-aws.vpcflow-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-aws_x_waf: + index_sorting: false + index_template: + composed_of: + - logs-aws.waf@package + - logs-aws.waf@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-aws.waf-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-aws.waf-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-azure_x_activitylogs: + index_sorting: false + index_template: + composed_of: + - logs-azure.activitylogs@package + - logs-azure.activitylogs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-azure.activitylogs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-azure.activitylogs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-azure_x_application_gateway: + index_sorting: false + index_template: + composed_of: + - logs-azure.application_gateway@package + - logs-azure.application_gateway@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-azure.application_gateway-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-azure.application_gateway-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-azure_x_auditlogs: + index_sorting: false + index_template: + composed_of: + - logs-azure.auditlogs@package + - logs-azure.auditlogs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-azure.auditlogs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-azure.auditlogs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-azure_x_eventhub: + index_sorting: false + index_template: + composed_of: + - logs-azure.eventhub@package + - logs-azure.eventhub@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-azure.eventhub-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-azure.eventhub-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-azure_x_firewall_logs: + index_sorting: false + index_template: + composed_of: + - logs-azure.firewall_logs@package + - logs-azure.firewall_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-azure.firewall_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-azure.firewall_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-azure_x_identity_protection: + index_sorting: false + index_template: + composed_of: + - logs-azure.identity_protection@package + - logs-azure.identity_protection@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-azure.identity_protection-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-azure.identity_protection-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-azure_x_platformlogs: + index_sorting: false + index_template: + composed_of: + - logs-azure.platformlogs@package + - logs-azure.platformlogs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-azure.platformlogs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-azure.platformlogs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-azure_x_provisioning: + index_sorting: false + index_template: + composed_of: + - logs-azure.provisioning@package + - logs-azure.provisioning@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-azure.provisioning-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-azure.provisioning-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-azure_x_signinlogs: + index_sorting: false + index_template: + composed_of: + - logs-azure.signinlogs@package + - logs-azure.signinlogs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-azure.signinlogs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-azure.signinlogs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-azure_x_springcloudlogs: + index_sorting: false + index_template: + composed_of: + - logs-azure.springcloudlogs@package + - logs-azure.springcloudlogs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-azure.springcloudlogs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-azure.springcloudlogs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-barracuda_x_waf: + index_sorting: false + index_template: + composed_of: + - logs-barracuda.waf@package + - logs-barracuda.waf@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-barracuda.waf-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-barracuda.waf-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-carbonblack_edr_x_log: + index_sorting: false + index_template: + composed_of: + - logs-carbonblack_edr.log@package + - logs-carbonblack_edr.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-carbonblack_edr.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-carbonblack_edr.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cisco_asa_x_log: + index_sorting: false + index_template: + composed_of: + - logs-cisco_asa.log@package + - logs-cisco_asa.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cisco_asa.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cisco_asa.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cisco_duo_x_admin: + index_sorting: false + index_template: + composed_of: + - logs-cisco_duo.admin@package + - logs-cisco_duo.admin@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cisco_duo.admin-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cisco_duo.admin-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cisco_duo_x_auth: + index_sorting: false + index_template: + composed_of: + - logs-cisco_duo.auth@package + - logs-cisco_duo.auth@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cisco_duo.auth-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cisco_duo.auth-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cisco_duo_x_offline_enrollment: + index_sorting: false + index_template: + composed_of: + - logs-cisco_duo.offline_enrollment@package + - logs-cisco_duo.offline_enrollment@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cisco_duo.offline_enrollment-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cisco_duo.offline_enrollment-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cisco_duo_x_summary: + index_sorting: false + index_template: + composed_of: + - logs-cisco_duo.summary@package + - logs-cisco_duo.summary@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cisco_duo.summary-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cisco_duo.summary-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cisco_duo_x_telephony: + index_sorting: false + index_template: + composed_of: + - logs-cisco_duo.telephony@package + - logs-cisco_duo.telephony@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cisco_duo.telephony-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cisco_duo.telephony-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cisco_meraki_x_events: + index_sorting: false + index_template: + composed_of: + - logs-cisco_meraki.events@package + - logs-cisco_meraki.events@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cisco_meraki.events-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cisco_meraki.events-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cisco_meraki_x_log: + index_sorting: false + index_template: + composed_of: + - logs-cisco_meraki.log@package + - logs-cisco_meraki.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cisco_meraki.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cisco_meraki.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cisco_umbrella_x_log: + index_sorting: false + index_template: + composed_of: + - logs-cisco_umbrella.log@package + - logs-cisco_umbrella.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cisco_umbrella.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cisco_umbrella.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cloudflare_x_audit: + index_sorting: false + index_template: + composed_of: + - logs-cloudflare.audit@package + - logs-cloudflare.audit@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cloudflare.audit-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cloudflare.audit-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cloudflare_x_logpull: + index_sorting: false + index_template: + composed_of: + - logs-cloudflare.logpull@package + - logs-cloudflare.logpull@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-cloudflare.logpull-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-cloudflare.logpull-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-crowdstrike_x_falcon: + index_sorting: false + index_template: + composed_of: + - logs-crowdstrike.falcon@package + - logs-crowdstrike.falcon@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-crowdstrike.falcon-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-crowdstrike.falcon-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-crowdstrike_x_fdr: + index_sorting: false + index_template: + composed_of: + - logs-crowdstrike.fdr@package + - logs-crowdstrike.fdr@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-crowdstrike.fdr-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-crowdstrike.fdr-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-darktrace_x_ai_analyst_alert: + index_sorting: false + index_template: + composed_of: + - logs-darktrace.ai_analyst_alert@package + - logs-darktrace.ai_analyst_alert@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-darktrace.ai_analyst_alert-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-darktrace.ai_analyst_alert-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-darktrace_x_model_breach_alert: + index_sorting: false + index_template: + composed_of: + - logs-darktrace.model_breach_alert@package + - logs-darktrace.model_breach_alert@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-darktrace.model_breach_alert-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-darktrace.model_breach_alert-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-darktrace_x_system_status_alert: + index_sorting: false + index_template: + composed_of: + - logs-darktrace.system_status_alert@package + - logs-darktrace.system_status_alert@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-darktrace.system_status_alert-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-darktrace.system_status_alert-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-elastic_agent@package + - logs-elastic_agent@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-elastic_agent-* + priority: 501 + template: + mappings: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + settings: + index: + lifecycle: + name: so-logs-elastic_agent-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent_x_apm_server: + index_sorting: false + index_template: + composed_of: + - logs-elastic_agent.apm_server@package + - logs-elastic_agent.apm_server@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-elastic_agent.apm_server-* + priority: 501 + template: + mappings: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + settings: + index: + lifecycle: + name: so-logs-elastic_agent.apm_server-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent_x_auditbeat: + index_sorting: false + index_template: + composed_of: + - logs-elastic_agent.auditbeat@package + - logs-elastic_agent.auditbeat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-elastic_agent.auditbeat-* + priority: 501 + template: + mappings: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + settings: + index: + lifecycle: + name: so-logs-elastic_agent.auditbeat-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent_x_cloudbeat: + index_sorting: false + index_template: + composed_of: + - logs-elastic_agent.cloudbeat@package + - logs-elastic_agent.cloudbeat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + index_patterns: + - logs-elastic_agent.cloudbeat-* + priority: 501 + template: + mappings: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + settings: + index: + lifecycle: + name: so-logs-elastic_agent.cloudbeat-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent_x_endpoint_security: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-elastic_agent.endpoint_security@package + - logs-elastic_agent.endpoint_security@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-elastic_agent.endpoint_security-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-elastic_agent.endpoint_security-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent_x_filebeat: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-elastic_agent.filebeat@package + - logs-elastic_agent.filebeat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-elastic_agent.filebeat-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-elastic_agent.filebeat-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent_x_fleet_server: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-elastic_agent.fleet_server@package + - logs-elastic_agent.fleet_server@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-elastic_agent.fleet_server-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-elastic_agent.fleet_server-logs + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent_x_heartbeat: + index_sorting: false + index_template: + composed_of: + - logs-elastic_agent.heartbeat@package + - logs-elastic_agent.heartbeat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + index_patterns: + - logs-elastic_agent.heartbeat-* + priority: 501 + template: + mappings: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + settings: + index: + lifecycle: + name: so-logs-elastic_agent.heartbeat-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent_x_metricbeat: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-elastic_agent.metricbeat@package + - logs-elastic_agent.metricbeat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-elastic_agent.metricbeat-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-elastic_agent.metricbeat-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent_x_osquerybeat: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-elastic_agent.osquerybeat@package + - logs-elastic_agent.osquerybeat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-elastic_agent.osquerybeat-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-elastic_agent.osquerybeat-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-elastic_agent_x_packetbeat: + index_sorting: false + index_template: + composed_of: + - logs-elastic_agent.packetbeat@package + - logs-elastic_agent.packetbeat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-elastic_agent.packetbeat-* + priority: 501 + template: + mappings: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + settings: + index: + lifecycle: + name: so-logs-elastic_agent.packetbeat-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-endpoint_x_alerts: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-endpoint.alerts@custom + - logs-endpoint.alerts@package + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-endpoint.alerts-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.alerts-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-endpoint_x_events_x_api: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-endpoint.events.api@custom + - logs-endpoint.events.api@package + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-endpoint.events.api-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.events.api-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-endpoint_x_events_x_file: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-endpoint.events.file@custom + - logs-endpoint.events.file@package + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-endpoint.events.file-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.events.file-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-endpoint_x_events_x_library: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-endpoint.events.library@custom + - logs-endpoint.events.library@package + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-endpoint.events.library-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.events.library-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-endpoint_x_events_x_network: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-endpoint.events.network@custom + - logs-endpoint.events.network@package + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-endpoint.events.network-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.events.network-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-endpoint_x_events_x_process: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-endpoint.events.process@custom + - logs-endpoint.events.process@package + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-endpoint.events.process-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.events.process-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-endpoint_x_events_x_registry: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-endpoint.events.registry@custom + - logs-endpoint.events.registry@package + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-endpoint.events.registry-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.events.registry-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-endpoint_x_events_x_security: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-endpoint.events.security@custom + - logs-endpoint.events.security@package + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-endpoint.events.security-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.events.security-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-f5_bigip_x_log: + index_sorting: false + index_template: + composed_of: + - logs-f5_bigip.log@package + - logs-f5_bigip.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-f5_bigip.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-f5_bigip.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-fim_x_event: + index_sorting: false + index_template: + composed_of: + - logs-fim.event@package + - logs-fim.event@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-fim.event-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-fim.event-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-fireeye_x_nx: + index_sorting: false + index_template: + composed_of: + - logs-fireeye.nx@package + - logs-fireeye.nx@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-fireeye.nx-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-fireeye.nx-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-fortinet_fortigate_x_log: + index_sorting: false + index_template: + composed_of: + - logs-fortinet_fortigate.log@package + - logs-fortinet_fortigate.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-fortinet_fortigate.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-fortinet_fortigate.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-fortinet_x_clientendpoint: + index_sorting: false + index_template: + composed_of: + - logs-fortinet.clientendpoint@package + - logs-fortinet.clientendpoint@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-fortinet.clientendpoint-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-fortinet.clientendpoint-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-fortinet_x_firewall: + index_sorting: false + index_template: + composed_of: + - logs-fortinet.firewall@package + - logs-fortinet.firewall@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-fortinet.firewall-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-fortinet.firewall-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-fortinet_x_fortimail: + index_sorting: false + index_template: + composed_of: + - logs-fortinet.fortimail@package + - logs-fortinet.fortimail@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-fortinet.fortimail-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-fortinet.fortimail-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-fortinet_x_fortimanager: + index_sorting: false + index_template: + composed_of: + - logs-fortinet.fortimanager@package + - logs-fortinet.fortimanager@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-fortinet.fortimanager-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-fortinet.fortimanager-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-gcp_x_audit: + index_sorting: false + index_template: + composed_of: + - logs-gcp.audit@package + - logs-gcp.audit@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-gcp.audit-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-gcp.audit-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-gcp_x_dns: + index_sorting: false + index_template: + composed_of: + - logs-gcp.dns@package + - logs-gcp.dns@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-gcp.dns-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-gcp.dns-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-gcp_x_firewall: + index_sorting: false + index_template: + composed_of: + - logs-gcp.firewall@package + - logs-gcp.firewall@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-gcp.firewall-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-gcp.firewall-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-gcp_x_loadbalancing_logs: + index_sorting: false + index_template: + composed_of: + - logs-gcp.loadbalancing_logs@package + - logs-gcp.loadbalancing_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-gcp.loadbalancing_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-gcp.loadbalancing_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-gcp_x_vpcflow: + index_sorting: false + index_template: + composed_of: + - logs-gcp.vpcflow@package + - logs-gcp.vpcflow@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-gcp.vpcflow-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-gcp.vpcflow-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-github_x_audit: + index_sorting: false + index_template: + composed_of: + - logs-github.audit@package + - logs-github.audit@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-github.audit-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-github.audit-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-github_x_code_scanning: + index_sorting: false + index_template: + composed_of: + - logs-github.code_scanning@package + - logs-github.code_scanning@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-github.code_scanning-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-github.code_scanning-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-github_x_dependabot: + index_sorting: false + index_template: + composed_of: + - logs-github.dependabot@package + - logs-github.dependabot@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-github.dependabot-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-github.dependabot-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-github_x_issues: + index_sorting: false + index_template: + composed_of: + - logs-github.issues@package + - logs-github.issues@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-github.issues-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-github.issues-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-github_x_secret_scanning: + index_sorting: false + index_template: + composed_of: + - logs-github.secret_scanning@package + - logs-github.secret_scanning@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-github.secret_scanning-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-github.secret_scanning-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_access_transparency: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.access_transparency@package + - logs-google_workspace.access_transparency@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.access_transparency-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.access_transparency-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_admin: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.admin@package + - logs-google_workspace.admin@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.admin-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.admin-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_alert: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.alert@package + - logs-google_workspace.alert@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.alert-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.alert-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_context_aware_access: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.context_aware_access@package + - logs-google_workspace.context_aware_access@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.context_aware_access-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.context_aware_access-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_device: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.device@package + - logs-google_workspace.device@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.device-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.device-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_drive: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.drive@package + - logs-google_workspace.drive@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.drive-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.drive-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_gcp: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.gcp@package + - logs-google_workspace.gcp@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.gcp-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.gcp-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_group_enterprise: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.group_enterprise@package + - logs-google_workspace.group_enterprise@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.group_enterprise-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.group_enterprise-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_groups: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.groups@package + - logs-google_workspace.groups@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.groups-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.groups-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_login: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.login@package + - logs-google_workspace.login@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.login-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.login-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_rules: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.rules@package + - logs-google_workspace.rules@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.rules-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.rules-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_saml: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.saml@package + - logs-google_workspace.saml@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.saml-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.saml-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_token: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.token@package + - logs-google_workspace.token@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.token-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.token-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-google_workspace_x_user_accounts: + index_sorting: false + index_template: + composed_of: + - logs-google_workspace.user_accounts@package + - logs-google_workspace.user_accounts@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-google_workspace.user_accounts-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-google_workspace.user_accounts-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-http_endpoint_x_generic: + index_sorting: false + index_template: + composed_of: + - logs-http_endpoint.generic@package + - logs-http_endpoint.generic@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-http_endpoint.generic-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-http_endpoint.generic-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-httpjson_x_generic: + index_sorting: false + index_template: + composed_of: + - logs-httpjson.generic@package + - logs-httpjson.generic@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-httpjson.generic-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-httpjson.generic-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-juniper_srx_x_log: + index_sorting: false + index_template: + composed_of: + - logs-juniper_srx.log@package + - logs-juniper_srx.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-juniper_srx.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-juniper_srx.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-juniper_x_junos: + index_sorting: false + index_template: + composed_of: + - logs-juniper.junos@package + - logs-juniper.junos@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-juniper.junos-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-juniper.junos-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-juniper_x_netscreen: + index_sorting: false + index_template: + composed_of: + - logs-juniper.netscreen@package + - logs-juniper.netscreen@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-juniper.netscreen-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-juniper.netscreen-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-juniper_x_srx: + index_sorting: false + index_template: + composed_of: + - logs-juniper.srx@package + - logs-juniper.srx@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-juniper.srx-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-juniper.srx-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-kafka_log_x_generic: + index_sorting: false + index_template: + composed_of: + - logs-kafka_log.generic@package + - logs-kafka_log.generic@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-kafka_log.generic-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-kafka_log.generic-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-lastpass_x_detailed_shared_folder: + index_sorting: false + index_template: + composed_of: + - logs-lastpass.detailed_shared_folder@package + - logs-lastpass.detailed_shared_folder@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-lastpass.detailed_shared_folder-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-lastpass.detailed_shared_folder-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-lastpass_x_event_report: + index_sorting: false + index_template: + composed_of: + - logs-lastpass.event_report@package + - logs-lastpass.event_report@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-lastpass.event_report-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-lastpass.event_report-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-lastpass_x_user: + index_sorting: false + index_template: + composed_of: + - logs-lastpass.user@package + - logs-lastpass.user@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-lastpass.user-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-lastpass.user-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-m365_defender_x_event: + index_sorting: false + index_template: + composed_of: + - logs-m365_defender.event@package + - logs-m365_defender.event@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-m365_defender.event-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-m365_defender.event-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-m365_defender_x_incident: + index_sorting: false + index_template: + composed_of: + - logs-m365_defender.incident@package + - logs-m365_defender.incident@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-m365_defender.incident-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-m365_defender.incident-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-m365_defender_x_log: + index_sorting: false + index_template: + composed_of: + - logs-m365_defender.log@package + - logs-m365_defender.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-m365_defender.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-m365_defender.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-microsoft_defender_endpoint_x_log: + index_sorting: false + index_template: + composed_of: + - logs-microsoft_defender_endpoint.log@package + - logs-microsoft_defender_endpoint.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-microsoft_defender_endpoint.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-microsoft_defender_endpoint.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-microsoft_dhcp_x_log: + index_sorting: false + index_template: + composed_of: + - logs-microsoft_dhcp.log@package + - logs-microsoft_dhcp.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-microsoft_dhcp.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-microsoft_dhcp.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-mimecast_x_audit_events: + index_sorting: false + index_template: + composed_of: + - logs-mimecast.audit_events@package + - logs-mimecast.audit_events@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-mimecast.audit_events-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-mimecast.audit_events-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-mimecast_x_dlp_logs: + index_sorting: false + index_template: + composed_of: + - logs-mimecast.dlp_logs@package + - logs-mimecast.dlp_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-mimecast.dlp_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-mimecast.dlp_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-mimecast_x_siem_logs: + index_sorting: false + index_template: + composed_of: + - logs-mimecast.siem_logs@package + - logs-mimecast.siem_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-mimecast.siem_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-mimecast.siem_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-mimecast_x_threat_intel_malware_customer: + index_sorting: false + index_template: + composed_of: + - logs-mimecast.threat_intel_malware_customer@package + - logs-mimecast.threat_intel_malware_customer@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-mimecast.threat_intel_malware_customer-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-mimecast.threat_intel_malware_customer-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-mimecast_x_threat_intel_malware_grid: + index_sorting: false + index_template: + composed_of: + - logs-mimecast.threat_intel_malware_grid@package + - logs-mimecast.threat_intel_malware_grid@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-mimecast.threat_intel_malware_grid-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-mimecast.threat_intel_malware_grid-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-mimecast_x_ttp_ap_logs: + index_sorting: false + index_template: + composed_of: + - logs-mimecast.ttp_ap_logs@package + - logs-mimecast.ttp_ap_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-mimecast.ttp_ap_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-mimecast.ttp_ap_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-mimecast_x_ttp_ip_logs: + index_sorting: false + index_template: + composed_of: + - logs-mimecast.ttp_ip_logs@package + - logs-mimecast.ttp_ip_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-mimecast.ttp_ip_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-mimecast.ttp_ip_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-mimecast_x_ttp_url_logs: + index_sorting: false + index_template: + composed_of: + - logs-mimecast.ttp_url_logs@package + - logs-mimecast.ttp_url_logs@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-mimecast.ttp_url_logs-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-mimecast.ttp_url_logs-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-netflow_x_log: + index_sorting: false + index_template: + composed_of: + - logs-netflow.log@package + - logs-netflow.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-netflow.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-netflow.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-o365_x_audit: + index_sorting: false + index_template: + composed_of: + - logs-o365.audit@package + - logs-o365.audit@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-o365.audit-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-o365.audit-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-okta_x_system: + index_sorting: false + index_template: + composed_of: + - logs-okta.system@package + - logs-okta.system@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-okta.system-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-okta.system-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-osquery-manager-action_x_responses: + index_sorting: false + index_template: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + composed_of: + - logs-osquery_manager.action.responses + index_patterns: + - .logs-osquery_manager.action.responses* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-osquery-manager-action.responses-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-osquery-manager-actions: + index_sorting: false + index_template: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + composed_of: + - logs-osquery_manager.actions + index_patterns: + - .logs-osquery_manager.actions* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-osquery-manager-actions-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-panw_x_panos: + index_sorting: false + index_template: + composed_of: + - logs-panw.panos@package + - logs-panw.panos@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-panw.panos-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-panw.panos-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-pfsense_x_log: + index_sorting: false + index_template: + composed_of: + - logs-pfsense.log@package + - logs-pfsense.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-pfsense.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-pfsense.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-pulse_connect_secure_x_log: + index_sorting: false + index_template: + composed_of: + - logs-pulse_connect_secure.log@package + - logs-pulse_connect_secure.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-pulse_connect_secure.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-pulse_connect_secure.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-sentinel_one_x_activity: + index_sorting: false + index_template: + composed_of: + - logs-sentinel_one.activity@package + - logs-sentinel_one.activity@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-sentinel_one.activity-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-sentinel_one.activity-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-sentinel_one_x_agent: + index_sorting: false + index_template: + composed_of: + - logs-sentinel_one.agent@package + - logs-sentinel_one.agent@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-sentinel_one.agent-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-sentinel_one.agent-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-sentinel_one_x_alert: + index_sorting: false + index_template: + composed_of: + - logs-sentinel_one.alert@package + - logs-sentinel_one.alert@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-sentinel_one.alert-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-sentinel_one.alert-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-sentinel_one_x_group: + index_sorting: false + index_template: + composed_of: + - logs-sentinel_one.group@package + - logs-sentinel_one.group@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-sentinel_one.group-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-sentinel_one.group-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-sentinel_one_x_threat: + index_sorting: false + index_template: + composed_of: + - logs-sentinel_one.threat@package + - logs-sentinel_one.threat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-sentinel_one.threat-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-sentinel_one.threat-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-snyk_x_audit: + index_sorting: false + index_template: + composed_of: + - logs-snyk.audit@package + - logs-snyk.audit@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-snyk.audit-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-snyk.audit-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-snyk_x_vulnerabilities: + index_sorting: false + index_template: + composed_of: + - logs-snyk.vulnerabilities@package + - logs-snyk.vulnerabilities@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-snyk.vulnerabilities-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-snyk.vulnerabilities-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-sonicwall_firewall_x_log: + index_sorting: false + index_template: + composed_of: + - logs-sonicwall_firewall.log@package + - logs-sonicwall_firewall.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-sonicwall_firewall.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-sonicwall_firewall.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-sophos_central_x_alert: + index_sorting: false + index_template: + composed_of: + - logs-sophos_central.alert@package + - logs-sophos_central.alert@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-sophos_central.alert-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-sophos_central.alert-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-sophos_central_x_event: + index_sorting: false + index_template: + composed_of: + - logs-sophos_central.event@package + - logs-sophos_central.event@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-sophos_central.event-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-sophos_central.event-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-sophos_x_utm: + index_sorting: false + index_template: + composed_of: + - logs-sophos.utm@package + - logs-sophos.utm@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-sophos.utm-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-sophos.utm-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-sophos_x_xg: + index_sorting: false + index_template: + composed_of: + - logs-sophos.xg@package + - logs-sophos.xg@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-sophos.xg-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-sophos.xg-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-symantec_endpoint_x_log: + index_sorting: false + index_template: + composed_of: + - logs-symantec_endpoint.log@package + - logs-symantec_endpoint.log@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-symantec_endpoint.log-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-symantec_endpoint.log-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-system_x_application: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-system.application@package + - logs-system.application@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-system.application* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-system.application-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-system_x_auth: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-system.auth@package + - logs-system.auth@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-system.auth* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-system.auth-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-system_x_security: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-system.security@package + - logs-system.security@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-system.security* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-system.security-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-system_x_syslog: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-system.syslog@package + - logs-system.syslog@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-system.syslog* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-system.syslog-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-system_x_system: + index_sorting: false + index_template: + composed_of: + - event-mappings + - logs-system.system@package + - logs-system.system@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-system.system* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-system.system-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-tenable_sc_x_asset: + index_sorting: false + index_template: + composed_of: + - logs-tenable_sc.asset@package + - logs-tenable_sc.asset@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-tenable_sc.asset-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-tenable_sc.asset-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-tenable_sc_x_plugin: + index_sorting: false + index_template: + composed_of: + - logs-tenable_sc.plugin@package + - logs-tenable_sc.plugin@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-tenable_sc.plugin-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-tenable_sc.plugin-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-tenable_sc_x_vulnerability: + index_sorting: false + index_template: + composed_of: + - logs-tenable_sc.vulnerability@package + - logs-tenable_sc.vulnerability@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-tenable_sc.vulnerability-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-tenable_sc.vulnerability-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-ti_abusech_x_malware: + index_sorting: false + index_template: + composed_of: + - logs-ti_abusech.malware@package + - logs-ti_abusech.malware@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-ti_abusech.malware-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-ti_abusech.malware-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-ti_abusech_x_malwarebazaar: + index_sorting: false + index_template: + composed_of: + - logs-ti_abusech.malwarebazaar@package + - logs-ti_abusech.malwarebazaar@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-ti_abusech.malwarebazaar-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-ti_abusech.malwarebazaar-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-ti_abusech_x_threatfox: + index_sorting: false + index_template: + composed_of: + - logs-ti_abusech.threatfox@package + - logs-ti_abusech.threatfox@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-ti_abusech.threatfox-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-ti_abusech.threatfox-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-ti_abusech_x_url: + index_sorting: false + index_template: + composed_of: + - logs-ti_abusech.url@package + - logs-ti_abusech.url@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-ti_abusech.url-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-ti_abusech.url-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-ti_misp_x_threat: + index_sorting: false + index_template: + composed_of: + - logs-ti_misp.threat@package + - logs-ti_misp.threat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-ti_misp.threat-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-ti_misp.threat-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-ti_misp_x_threat_attributes: + index_sorting: false + index_template: + composed_of: + - logs-ti_misp.threat_attributes@package + - logs-ti_misp.threat_attributes@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-ti_misp.threat_attributes-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-ti_misp.threat_attributes-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-ti_otx_x_threat: + index_sorting: false + index_template: + composed_of: + - logs-ti_otx.threat@package + - logs-ti_otx.threat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-ti_otx.threat-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-ti_otx.threat-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-ti_recordedfuture_x_latest_ioc-template: + index_sorting: false + index_template: + composed_of: + - logs-ti_recordedfuture.latest_ioc-template@package + - logs-ti_recordedfuture.latest_ioc-template@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-ti_recordedfuture.latest_ioc-template-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-ti_recordedfuture.latest_ioc-template-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-ti_recordedfuture_x_threat: + index_sorting: false + index_template: + composed_of: + - logs-ti_recordedfuture.threat@package + - logs-ti_recordedfuture.threat@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-ti_recordedfuture.threat-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-ti_recordedfuture.threat-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-windows_x_forwarded: + index_sorting: false + index_template: + composed_of: + - logs-windows.forwarded@package + - logs-windows.forwarded@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-windows.forwarded* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-windows.forwarded-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-windows_x_powershell: + index_sorting: false + index_template: + composed_of: + - logs-windows.powershell@package + - logs-windows.powershell@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-windows.powershell-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-windows.powershell-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-windows_x_powershell_operational: + index_sorting: false + index_template: + composed_of: + - logs-windows.powershell_operational@package + - logs-windows.powershell_operational@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-windows.powershell_operational-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-windows.powershell_operational-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-windows_x_sysmon_operational: + index_sorting: false + index_template: + composed_of: + - logs-windows.sysmon_operational@package + - logs-windows.sysmon_operational@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-windows.sysmon_operational-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-windows.sysmon_operational-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-zscaler_zia_x_alerts: + index_sorting: false + index_template: + composed_of: + - logs-zscaler_zia.alerts@package + - logs-zscaler_zia.alerts@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-zscaler_zia.alerts-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-zscaler_zia.alerts-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-zscaler_zia_x_dns: + index_sorting: false + index_template: + composed_of: + - logs-zscaler_zia.dns@package + - logs-zscaler_zia.dns@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-zscaler_zia.dns-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-zscaler_zia.dns-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-zscaler_zia_x_firewall: + index_sorting: false + index_template: + composed_of: + - logs-zscaler_zia.firewall@package + - logs-zscaler_zia.firewall@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-zscaler_zia.firewall-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-zscaler_zia.firewall-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-zscaler_zia_x_tunnel: + index_sorting: false + index_template: + composed_of: + - logs-zscaler_zia.tunnel@package + - logs-zscaler_zia.tunnel@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-zscaler_zia.tunnel-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-zscaler_zia.tunnel-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-zscaler_zia_x_web: + index_sorting: false + index_template: + composed_of: + - logs-zscaler_zia.web@package + - logs-zscaler_zia.web@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-zscaler_zia.web-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-zscaler_zia.web-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-zscaler_zpa_x_app_connector_status: + index_sorting: false + index_template: + composed_of: + - logs-zscaler_zpa.app_connector_status@package + - logs-zscaler_zpa.app_connector_status@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-zscaler_zpa.app_connector_status-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-zscaler_zpa.app_connector_status-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-zscaler_zpa_x_audit: + index_sorting: false + index_template: + composed_of: + - logs-zscaler_zpa.audit@package + - logs-zscaler_zpa.audit@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-zscaler_zpa.audit-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-zscaler_zpa.audit-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-zscaler_zpa_x_browser_access: + index_sorting: false + index_template: + composed_of: + - logs-zscaler_zpa.browser_access@package + - logs-zscaler_zpa.browser_access@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-zscaler_zpa.browser_access-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-zscaler_zpa.browser_access-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-zscaler_zpa_x_user_activity: + index_sorting: false + index_template: + composed_of: + - logs-zscaler_zpa.user_activity@package + - logs-zscaler_zpa.user_activity@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-zscaler_zpa.user_activity-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-zscaler_zpa.user_activity-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-zscaler_zpa_x_user_status: + index_sorting: false + index_template: + composed_of: + - logs-zscaler_zpa.user_status@package + - logs-zscaler_zpa.user_status@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + index_patterns: + - logs-zscaler_zpa.user_status-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-zscaler_zpa.user_status-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logstash: + index_sorting: false + index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - logstash-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - common-settings + - common-dynamic-mappings + index_patterns: + - logs-logstash-default* + priority: 500 template: mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string settings: index: lifecycle: @@ -3891,104 +8572,109 @@ elasticsearch: mapping: total_fields: limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - logstash-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc policy: phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb cold: - min_age: 30d actions: set_priority: priority: 0 + min_age: 30d delete: - min_age: 365d actions: delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-redis: - index_sorting: False + index_sorting: false index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - redis-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - common-settings + - common-dynamic-mappings index_patterns: - - logs-redis-default* + - logs-redis-default* + priority: 500 template: mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string settings: index: lifecycle: @@ -3996,315 +8682,447 @@ elasticsearch: mapping: total_fields: limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - redis-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc policy: phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb cold: - min_age: 30d actions: set_priority: priority: 0 + min_age: 30d delete: - min_age: 365d actions: delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-strelka: - index_sorting: False + index_sorting: false index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - so-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - so-scan-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - common-settings + - common-dynamic-mappings data_stream: {} index_patterns: - - logs-strelka-so* + - logs-strelka-so* + priority: 500 template: mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string settings: index: + lifecycle: + name: so-strelka-logs mapping: total_fields: limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - so-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - so-scan-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc policy: phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb cold: - min_age: 30d actions: set_priority: priority: 0 + min_age: 30d delete: - min_age: 365d actions: delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-suricata: + index_sorting: false + index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - suricata-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - common-settings + - common-dynamic-mappings + data_stream: {} + index_patterns: + - logs-suricata-so* + priority: 500 + template: + mappings: + date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string + settings: + index: + lifecycle: + name: so-suricata-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-syslog: - index_sorting: False + index_sorting: false index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - syslog-mappings + - dtc-syslog-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - common-settings + - common-dynamic-mappings data_stream: {} index_patterns: - - logs-syslog-so* + - logs-syslog-so* + priority: 500 template: mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string settings: index: + lifecycle: + name: so-syslog-logs mapping: total_fields: limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - syslog-mappings - - dtc-syslog-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc policy: phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb cold: - min_age: 30d actions: set_priority: priority: 0 + min_age: 30d delete: - min_age: 365d actions: delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-zeek: - index_sorting: False + index_sorting: false index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - syslog-mappings + - dtc-syslog-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - zeek-mappings + - common-settings + - common-dynamic-mappings data_stream: {} index_patterns: - - logs-zeek-so* + - logs-zeek-so* + priority: 500 template: mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string settings: index: lifecycle: @@ -4312,656 +9130,80 @@ elasticsearch: mapping: total_fields: limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 2 number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - syslog-mappings - - dtc-syslog-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - zeek-mappings - - common-settings - - common-dynamic-mappings - priority: 500 + number_of_shards: 2 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc policy: phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb cold: - min_age: 30d actions: set_priority: priority: 0 + min_age: 30d delete: - min_age: 365d actions: delete: {} - so-logs-auth0_x_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-auth0.logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-auth0.logs@package" - - "logs-auth0.logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-carbonblack_edr_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-carbonblack_edr.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-carbonblack_edr.log@package" - - "logs-carbonblack_edr.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cisco_duo_x_admin: - index_sorting: False - index_template: - index_patterns: - - "logs-cisco_duo.admin-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cisco_duo.admin@package" - - "logs-cisco_duo.admin@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cisco_duo_x_auth: - index_sorting: False - index_template: - index_patterns: - - "logs-cisco_duo.auth-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cisco_duo.auth@package" - - "logs-cisco_duo.auth@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cisco_duo_x_offline_enrollment: - index_sorting: False - index_template: - index_patterns: - - "logs-cisco_duo.offline_enrollment-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cisco_duo.offline_enrollment@package" - - "logs-cisco_duo.offline_enrollment@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cisco_duo_x_summary: - index_sorting: False - index_template: - index_patterns: - - "logs-cisco_duo.summary-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cisco_duo.summary@package" - - "logs-cisco_duo.summary@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cisco_duo_x_telephony: - index_sorting: False - index_template: - index_patterns: - - "logs-cisco_duo.telephony-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cisco_duo.telephony@package" - - "logs-cisco_duo.telephony@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cisco_meraki_x_events: - index_sorting: False - index_template: - index_patterns: - - "logs-cisco_meraki.events-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cisco_meraki.events@package" - - "logs-cisco_meraki.events@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cisco_meraki_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-cisco_meraki.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cisco_meraki.log@package" - - "logs-cisco_meraki.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-cisco_umbrella_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-cisco_umbrella.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cisco_umbrella.log@package" - - "logs-cisco_umbrella.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-fireeye_x_nx: - index_sorting: False - index_template: - index_patterns: - - "logs-fireeye.nx-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-fireeye.nx@package" - - "logs-fireeye.nx@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-mimecast_x_audit_events: - index_sorting: False - index_template: - index_patterns: - - "logs-mimecast.audit_events-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-mimecast.audit_events@package" - - "logs-mimecast.audit_events@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-mimecast_x_dlp_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-mimecast.dlp_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-mimecast.dlp_logs@package" - - "logs-mimecast.dlp_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-mimecast_x_siem_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-mimecast.siem_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-mimecast.siem_logs@package" - - "logs-mimecast.siem_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-mimecast_x_threat_intel_malware_customer: - index_sorting: False - index_template: - index_patterns: - - "logs-mimecast.threat_intel_malware_customer-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-mimecast.threat_intel_malware_customer@package" - - "logs-mimecast.threat_intel_malware_customer@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-mimecast_x_threat_intel_malware_grid: - index_sorting: False - index_template: - index_patterns: - - "logs-mimecast.threat_intel_malware_grid-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-mimecast.threat_intel_malware_grid@package" - - "logs-mimecast.threat_intel_malware_grid@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-mimecast_x_ttp_ap_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-mimecast.ttp_ap_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-mimecast.ttp_ap_logs@package" - - "logs-mimecast.ttp_ap_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-mimecast_x_ttp_ip_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-mimecast.ttp_ip_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-mimecast.ttp_ip_logs@package" - - "logs-mimecast.ttp_ip_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-mimecast_x_ttp_url_logs: - index_sorting: False - index_template: - index_patterns: - - "logs-mimecast.ttp_url_logs-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-mimecast.ttp_url_logs@package" - - "logs-mimecast.ttp_url_logs@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-pulse_connect_secure_x_log: - index_sorting: False - index_template: - index_patterns: - - "logs-pulse_connect_secure.log-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-pulse_connect_secure.log@package" - - "logs-pulse_connect_secure.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-snyk_x_audit: - index_sorting: False - index_template: - index_patterns: - - "logs-snyk.audit-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-snyk.audit@package" - - "logs-snyk.audit@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-snyk_x_vulnerabilities: - index_sorting: False - index_template: - index_patterns: - - "logs-snyk.vulnerabilities-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-snyk.vulnerabilities@package" - - "logs-snyk.vulnerabilities@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-sophos_x_utm: - index_sorting: False - index_template: - index_patterns: - - "logs-sophos.utm-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-sophos.utm@package" - - "logs-sophos.utm@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-sophos_x_xg: - index_sorting: False - index_template: - index_patterns: - - "logs-sophos.xg-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-sophos.xg@package" - - "logs-sophos.xg@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-sophos_central_x_alert: - index_sorting: False - index_template: - index_patterns: - - "logs-sophos_central.alert-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-sophos_central.alert@package" - - "logs-sophos_central.alert@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-sophos_central_x_event: - index_sorting: False - index_template: - index_patterns: - - "logs-sophos_central.event-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-sophos_central.event@package" - - "logs-sophos_central.event@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-tenable_sc_x_asset: - index_sorting: False - index_template: - index_patterns: - - "logs-tenable_sc.asset-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-tenable_sc.asset@package" - - "logs-tenable_sc.asset@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-tenable_sc_x_plugin: - index_sorting: False - index_template: - index_patterns: - - "logs-tenable_sc.plugin-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-tenable_sc.plugin@package" - - "logs-tenable_sc.plugin@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - so-logs-tenable_sc_x_vulnerability: - index_sorting: False - index_template: - index_patterns: - - "logs-tenable_sc.vulnerability-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-tenable_sc.vulnerability@package" - - "logs-tenable_sc.vulnerability@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + retention: + retention_pct: 50 so_roles: - so-manager: - config: - node: - roles: - - master - - data - - remote_cluster_client - - transform - so-managersearch: - config: - node: - roles: - - master - - data_hot - - remote_cluster_client - so-standalone: - config: - node: - roles: - - master - - data_hot - - remote_cluster_client - so-searchnode: - config: - node: - roles: - - data_hot - - ingest - so-heavynode: - config: - node: - roles: - - master - - data - - remote_cluster_client - - ingest so-eval: config: node: roles: [] + so-heavynode: + config: + node: + roles: + - master + - data + - remote_cluster_client + - ingest so-import: config: node: roles: [] + so-manager: + config: + node: + roles: + - master + - data + - remote_cluster_client + - transform + so-managersearch: + config: + node: + roles: + - master + - data_hot + - remote_cluster_client + so-searchnode: + config: + node: + roles: + - data_hot + - ingest + so-standalone: + config: + node: + roles: + - master + - data_hot + - remote_cluster_client From 2e0100fd35da3c97ad3dfd292d224cd8d0814d22 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 26 Oct 2023 12:37:55 -0400 Subject: [PATCH 15/20] Update defaults.yaml --- salt/elasticsearch/defaults.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 9aef09876..721db8d99 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -9193,6 +9193,8 @@ elasticsearch: roles: - master - data_hot + - ingest + - transform - remote_cluster_client so-searchnode: config: @@ -9200,10 +9202,13 @@ elasticsearch: roles: - data_hot - ingest + - transform so-standalone: config: node: roles: - master - data_hot + - ingest + - transform - remote_cluster_client From b37e38e3c3f842de8345858948e2c5d6cc7cd2b2 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 26 Oct 2023 16:03:58 -0400 Subject: [PATCH 16/20] Update defaults.yaml --- salt/elasticsearch/defaults.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 721db8d99..44cb0ea7d 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -9173,6 +9173,7 @@ elasticsearch: roles: - master - data + - data_hot - remote_cluster_client - ingest so-import: @@ -9192,6 +9193,7 @@ elasticsearch: node: roles: - master + - data - data_hot - ingest - transform @@ -9200,6 +9202,7 @@ elasticsearch: config: node: roles: + - data - data_hot - ingest - transform @@ -9208,6 +9211,7 @@ elasticsearch: node: roles: - master + - data - data_hot - ingest - transform From 9fc3a730356b333bce63b33237ceb4fdf09c0256 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 27 Oct 2023 08:58:08 -0400 Subject: [PATCH 17/20] Annotation changes for warm node --- salt/elasticsearch/soc_elasticsearch.yaml | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index e3d257f11..189471226 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -75,8 +75,8 @@ elasticsearch: helpLink: elasticsearch.html phases: hot: - min_age: - description: Minimum age of index. This determines when the index should be moved to the hot tier. + max_age: + description: Maximum age of index. ex. 7d - This determines when the index should be moved out of the hot tier. global: True helpLink: elasticsearch.html actions: @@ -97,19 +97,29 @@ elasticsearch: helpLink: elasticsearch.html cold: min_age: - description: Minimum age of index. This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. + description: Minimum age of index. ex. 30d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. global: True helpLink: elasticsearch.html actions: set_priority: priority: description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. + global: True + helpLink: elasticsearch.html + warm: + min_age: + description: Minimum age of index. ex. 30d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. + regex: ^[0-9]d$ + actions: + set_priority: + priority: + description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. forcedType: int global: True helpLink: elasticsearch.html delete: min_age: - description: Minimum age of index. This determines when the index should be deleted. + description: Minimum age of index. ex. 90d - This determines when the index should be deleted. global: True helpLink: elasticsearch.html so-logs: &indexSettings From ce1858fe05eedb0ab614e82809cf2e0eccf6532b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 27 Oct 2023 09:02:39 -0400 Subject: [PATCH 18/20] Annotation changes for warm node --- salt/elasticsearch/soc_elasticsearch.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 189471226..8bee839c1 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -109,7 +109,7 @@ elasticsearch: warm: min_age: description: Minimum age of index. ex. 30d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. - regex: ^[0-9]d$ + regex: ^\[0-9\]{1-5}d$ actions: set_priority: priority: From 87494f64c78cec81d5633f30b59421f511554100 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 27 Oct 2023 09:06:12 -0400 Subject: [PATCH 19/20] Annotation changes for warm node --- salt/elasticsearch/soc_elasticsearch.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 8bee839c1..5b4d63f40 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -109,7 +109,8 @@ elasticsearch: warm: min_age: description: Minimum age of index. ex. 30d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. - regex: ^\[0-9\]{1-5}d$ + regex: ^\[0-9\]{1,5}d$ + global: True actions: set_priority: priority: From 25f1a0251f423b801fe084d83f8085c7fe787b12 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 27 Oct 2023 09:08:07 -0400 Subject: [PATCH 20/20] Annotation changes for warm node --- salt/elasticsearch/soc_elasticsearch.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 5b4d63f40..a5170b776 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -110,6 +110,7 @@ elasticsearch: min_age: description: Minimum age of index. ex. 30d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. regex: ^\[0-9\]{1,5}d$ + forcedType: string global: True actions: set_priority: